qakbot | 0def0284732d41ec83ce66364d566b6aa3d914d5e0d7c4dff68eae15df5d557b

General

Target

fce20c78174b38ef7491e97461efce9e_JaffaCakes118.dll
Size

689KB
MD5

fce20c78174b38ef7491e97461efce9e
SHA1

594a74c8197228ac25eafd058ade9ec40533aad7
SHA256

0def0284732d41ec83ce66364d566b6aa3d914d5e0d7c4dff68eae15df5d557b
SHA512

84a1bcfad2fbac58d733cb43945309921e89272ea47030d9e9cc9b17813279e26e0410e65296065e3f825de3a47b7486cf65e07e62dfd1ccd63cede744b83833
SSDEEP

12288:BrI0bPKn8p/S0jXgfFWVkMXl2xAgwFX2ddG83tNzZ0XssC82H6/vLyWMAy:pI0bP1XWMXsAZX6JcTLdMN

Score

10^/10

qakbot obama117 1634545803 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama117

Campaign

1634545803

C2

176.45.53.222:443

220.255.25.28:2222

91.178.126.51:995

2.222.167.138:443

65.100.174.110:995

105.198.236.99:995

115.96.64.9:995

196.207.140.40:995

24.231.209.2:2222

146.66.238.74:443

103.82.211.39:995

65.100.174.110:443

103.142.10.177:443

140.82.49.12:443

78.105.213.151:995

41.86.42.158:995

89.101.97.139:443

120.150.218.241:995

24.119.214.7:443

103.143.8.71:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Vuljoglc = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Agaulahcmh = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2704 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2636 schtasks.exe

pid	process
2704	regsvr32.exe

pid	process
2636	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Rxivnfy\8884d2b3 = be75d63f37e39792b53247ab6c363a9c834a9c7b604425a8b7d3fa4d541e079fd3ea3bcd69b2cf7769af2015a4d564d34c04fff5fd3e295eebbd46bc5518bfaf40cf49fea85ab1939d459956aed93e3562b8524779f54756cf90faf4	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Rxivnfy\bd1b02fd = 623eac83354c8f724df1c9670b47358decd925abeb38114e3c9ecea17b73dc7c625b961a96e8e259177051b538d6815bc049f4410ed519038ffd14cfac1b3236ead9c670eef4a8130513d83bb22bb10cfa27797b3f398c9db19e3768dcdccc5edc7e0ba3faf65396d738cb83ad10ff31e4ba804191b26c5c9ed135b163b458d108a23392	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Rxivnfy\7e645e4 = 1d518f99252bb7173170d68b0ddfcb900013b4531b2082c3ead94c9689f4dfc8b29630f47618238a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Rxivnfy\8884d2b3 = be75c13f37e3a2feb5835a0497d60435e04230c5ca63516c6752d366cbafc70df77c0d9453c256d637db6de110a771cb934a3a0619841b4c0d3e893ec32de7b2ff46e23251206e18e43fd34da8309fd8a9585fa62b85c0f1110b227e13622c1ef671e04050fe00be12e7bc48608b51db30	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Rxivnfy\5a76598 = 3d14465162081c9fa47b5e65e67db299bd979607d77012d55e43606a0155c01dee298a4c0efcc552fc68f05640167cea9d90d4b9d3c317763978e949afef7be7848bec08856596e777ab47a6a95053297484465d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Rxivnfy\f7cdbd45 = 2397d85dc77fd26d0dbd8f448637c6daad42c926972cabfb133d798950e40f83b1296edb2fbd04e19d6985619a87553cf6f64c166101be9647cdbc3361ec2a3611ad418a5295	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Rxivnfy	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Rxivnfy\bf5a2281 = f4ccc1f0017b89a3d1a87646a14ce5c6840627e1d5	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Rxivnfy\7aee0a6e = 28c31fd57f3300bc2592ce39a41cc1bda5822348968cbf96	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Rxivnfy\c2526d0b = 17ff5348b64b77dd86ac5f59813fc5f6b4eeb543c0090f1b8fe1c8c1851df6c9894d5f569d59e78925	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2220 rundll32.exe
2704 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2220 rundll32.exe
2704 regsvr32.exe

pid	process
2220	rundll32.exe
2704	regsvr32.exe

pid	process
2220	rundll32.exe
2704	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 2236 wrote to memory of 2220	2236	rundll32.exe	rundll32.exe
PID 2236 wrote to memory of 2220	2236	rundll32.exe	rundll32.exe
PID 2236 wrote to memory of 2220	2236	rundll32.exe	rundll32.exe
PID 2236 wrote to memory of 2220	2236	rundll32.exe	rundll32.exe
PID 2236 wrote to memory of 2220	2236	rundll32.exe	rundll32.exe
PID 2236 wrote to memory of 2220	2236	rundll32.exe	rundll32.exe
PID 2236 wrote to memory of 2220	2236	rundll32.exe	rundll32.exe
PID 2220 wrote to memory of 2144	2220	rundll32.exe	explorer.exe
PID 2220 wrote to memory of 2144	2220	rundll32.exe	explorer.exe
PID 2220 wrote to memory of 2144	2220	rundll32.exe	explorer.exe
PID 2220 wrote to memory of 2144	2220	rundll32.exe	explorer.exe
PID 2220 wrote to memory of 2144	2220	rundll32.exe	explorer.exe
PID 2220 wrote to memory of 2144	2220	rundll32.exe	explorer.exe
PID 2144 wrote to memory of 2636	2144	explorer.exe	schtasks.exe
PID 2144 wrote to memory of 2636	2144	explorer.exe	schtasks.exe
PID 2144 wrote to memory of 2636	2144	explorer.exe	schtasks.exe
PID 2144 wrote to memory of 2636	2144	explorer.exe	schtasks.exe
PID 2976 wrote to memory of 2060	2976	taskeng.exe	regsvr32.exe
PID 2976 wrote to memory of 2060	2976	taskeng.exe	regsvr32.exe
PID 2976 wrote to memory of 2060	2976	taskeng.exe	regsvr32.exe
PID 2976 wrote to memory of 2060	2976	taskeng.exe	regsvr32.exe
PID 2976 wrote to memory of 2060	2976	taskeng.exe	regsvr32.exe
PID 2060 wrote to memory of 2704	2060	regsvr32.exe	regsvr32.exe
PID 2060 wrote to memory of 2704	2060	regsvr32.exe	regsvr32.exe
PID 2060 wrote to memory of 2704	2060	regsvr32.exe	regsvr32.exe
PID 2060 wrote to memory of 2704	2060	regsvr32.exe	regsvr32.exe
PID 2060 wrote to memory of 2704	2060	regsvr32.exe	regsvr32.exe
PID 2060 wrote to memory of 2704	2060	regsvr32.exe	regsvr32.exe
PID 2060 wrote to memory of 2704	2060	regsvr32.exe	regsvr32.exe
PID 2704 wrote to memory of 1548	2704	regsvr32.exe	explorer.exe
PID 2704 wrote to memory of 1548	2704	regsvr32.exe	explorer.exe
PID 2704 wrote to memory of 1548	2704	regsvr32.exe	explorer.exe
PID 2704 wrote to memory of 1548	2704	regsvr32.exe	explorer.exe
PID 2704 wrote to memory of 1548	2704	regsvr32.exe	explorer.exe
PID 2704 wrote to memory of 1548	2704	regsvr32.exe	explorer.exe
PID 1548 wrote to memory of 2496	1548	explorer.exe	reg.exe
PID 1548 wrote to memory of 2496	1548	explorer.exe	reg.exe
PID 1548 wrote to memory of 2496	1548	explorer.exe	reg.exe
PID 1548 wrote to memory of 2496	1548	explorer.exe	reg.exe
PID 1548 wrote to memory of 392	1548	explorer.exe	reg.exe
PID 1548 wrote to memory of 392	1548	explorer.exe	reg.exe
PID 1548 wrote to memory of 392	1548	explorer.exe	reg.exe
PID 1548 wrote to memory of 392	1548	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fce20c78174b38ef7491e97461efce9e_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fce20c78174b38ef7491e97461efce9e_JaffaCakes118.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn jzxsfhslp /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\fce20c78174b38ef7491e97461efce9e_JaffaCakes118.dll\"" /SC ONCE /Z /ST 13:40 /ET 13:52
4⤵
- Creates scheduled task(s)
PID:2636

C:\Windows\system32\taskeng.exe
taskeng.exe {1FD8446E-CD79-4EB2-ABC9-851A0D200C92} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\fce20c78174b38ef7491e97461efce9e_JaffaCakes118.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\fce20c78174b38ef7491e97461efce9e_JaffaCakes118.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Vuljoglc" /d "0"
5⤵
- Windows security bypass
PID:2496

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Agaulahcmh" /d "0"
5⤵
- Windows security bypass
PID:392

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fce20c78174b38ef7491e97461efce9e_JaffaCakes118.dll
Filesize
689KB

MD5
fce20c78174b38ef7491e97461efce9e

SHA1
594a74c8197228ac25eafd058ade9ec40533aad7

SHA256
0def0284732d41ec83ce66364d566b6aa3d914d5e0d7c4dff68eae15df5d557b

SHA512
84a1bcfad2fbac58d733cb43945309921e89272ea47030d9e9cc9b17813279e26e0410e65296065e3f825de3a47b7486cf65e07e62dfd1ccd63cede744b83833

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1548-33-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1548-31-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1548-30-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1548-29-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1548-26-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2144-8-0x00000000000E0000-0x0000000000101000-memory.dmp

Filesize
132KB

Download
memory/2144-6-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/2144-14-0x00000000000E0000-0x0000000000101000-memory.dmp

Filesize
132KB

Download
memory/2144-16-0x00000000000E0000-0x0000000000101000-memory.dmp

Filesize
132KB

Download
memory/2144-12-0x00000000000E0000-0x0000000000101000-memory.dmp

Filesize
132KB

Download
memory/2144-13-0x00000000000E0000-0x0000000000101000-memory.dmp

Filesize
132KB

Download
memory/2220-9-0x00000000752A0000-0x000000007535D000-memory.dmp

Filesize
756KB

Download
memory/2220-0-0x00000000752A0000-0x000000007535D000-memory.dmp

Filesize
756KB

Download
memory/2220-5-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2220-4-0x00000000752A0000-0x000000007535D000-memory.dmp

Filesize
756KB

Download
memory/2220-1-0x00000000752A0000-0x000000007535D000-memory.dmp

Filesize
756KB

Download
memory/2704-22-0x0000000075290000-0x000000007534D000-memory.dmp

Filesize
756KB

Download
memory/2704-27-0x0000000075290000-0x000000007534D000-memory.dmp

Filesize
756KB

Download
memory/2704-21-0x0000000075290000-0x000000007534D000-memory.dmp

Filesize
756KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads