Overview

overview

10

Static

static

3

fce20c7817...18.dll

windows7-x64

10

fce20c7817...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    20-04-2024 13:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fce20c78174b38ef7491e97461efce9e_JaffaCakes118.dll

  • Size

    689KB

  • MD5

    fce20c78174b38ef7491e97461efce9e

  • SHA1

    594a74c8197228ac25eafd058ade9ec40533aad7

  • SHA256

    0def0284732d41ec83ce66364d566b6aa3d914d5e0d7c4dff68eae15df5d557b

  • SHA512

    84a1bcfad2fbac58d733cb43945309921e89272ea47030d9e9cc9b17813279e26e0410e65296065e3f825de3a47b7486cf65e07e62dfd1ccd63cede744b83833

  • SSDEEP

    12288:BrI0bPKn8p/S0jXgfFWVkMXl2xAgwFX2ddG83tNzZ0XssC82H6/vLyWMAy:pI0bP1XWMXsAZX6JcTLdMN

Score
10/10
qakbotobama1171634545803bankerevasionstealertrojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama117

Campaign

1634545803

C2

176.45.53.222:443

220.255.25.28:2222

91.178.126.51:995

2.222.167.138:443

65.100.174.110:995

105.198.236.99:995

115.96.64.9:995

196.207.140.40:995

24.231.209.2:2222

146.66.238.74:443

103.82.211.39:995

65.100.174.110:443

103.142.10.177:443

140.82.49.12:443

78.105.213.151:995

41.86.42.158:995

89.101.97.139:443

120.150.218.241:995

24.119.214.7:443

103.143.8.71:443
Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Loads dropped DLL 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\fce20c78174b38ef7491e97461efce9e_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\fce20c78174b38ef7491e97461efce9e_JaffaCakes118.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2220
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2144
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn jzxsfhslp /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\fce20c78174b38ef7491e97461efce9e_JaffaCakes118.dll\"" /SC ONCE /Z /ST 13:40 /ET 13:52
          4⤵
          • Creates scheduled task(s)
          PID:2636
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {1FD8446E-CD79-4EB2-ABC9-851A0D200C92} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Windows\system32\regsvr32.exe
      regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\fce20c78174b38ef7491e97461efce9e_JaffaCakes118.dll"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2060
      • C:\Windows\SysWOW64\regsvr32.exe
        -s "C:\Users\Admin\AppData\Local\Temp\fce20c78174b38ef7491e97461efce9e_JaffaCakes118.dll"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          4⤵
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:1548
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Vuljoglc" /d "0"
            5⤵
            • Windows security bypass
            PID:2496
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Agaulahcmh" /d "0"
            5⤵
            • Windows security bypass
            PID:392

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\fce20c78174b38ef7491e97461efce9e_JaffaCakes118.dll
    Filesize

    689KB

    MD5

    fce20c78174b38ef7491e97461efce9e

    SHA1

    594a74c8197228ac25eafd058ade9ec40533aad7

    SHA256

    0def0284732d41ec83ce66364d566b6aa3d914d5e0d7c4dff68eae15df5d557b

    SHA512

    84a1bcfad2fbac58d733cb43945309921e89272ea47030d9e9cc9b17813279e26e0410e65296065e3f825de3a47b7486cf65e07e62dfd1ccd63cede744b83833

    Download Submit

  • memory/1548-33-0x0000000000080000-0x00000000000A1000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1548-31-0x0000000000080000-0x00000000000A1000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1548-30-0x0000000000080000-0x00000000000A1000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1548-29-0x0000000000080000-0x00000000000A1000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1548-26-0x0000000000080000-0x00000000000A1000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2144-8-0x00000000000E0000-0x0000000000101000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2144-6-0x0000000000080000-0x0000000000082000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2144-14-0x00000000000E0000-0x0000000000101000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2144-16-0x00000000000E0000-0x0000000000101000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2144-12-0x00000000000E0000-0x0000000000101000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2144-13-0x00000000000E0000-0x0000000000101000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2220-9-0x00000000752A0000-0x000000007535D000-memory.dmp

    Filesize

    756KB

    Download

  • memory/2220-0-0x00000000752A0000-0x000000007535D000-memory.dmp

    Filesize

    756KB

    Download

  • memory/2220-5-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2220-4-0x00000000752A0000-0x000000007535D000-memory.dmp

    Filesize

    756KB

    Download

  • memory/2220-1-0x00000000752A0000-0x000000007535D000-memory.dmp

    Filesize

    756KB

    Download

  • memory/2704-22-0x0000000075290000-0x000000007534D000-memory.dmp

    Filesize

    756KB

    Download

  • memory/2704-27-0x0000000075290000-0x000000007534D000-memory.dmp

    Filesize

    756KB

    Download

  • memory/2704-21-0x0000000075290000-0x000000007534D000-memory.dmp

    Filesize

    756KB

    Download