General

  • Target

    611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118

  • Size

    221KB

  • Sample

    240520-2dc9wshg22

  • MD5

    611fb912ca0d8a8d6b57a5fe54c4b3ad

  • SHA1

    d30d809df1e1f8db5511621c4869cf954d9ffe32

  • SHA256

    b3781927bcf7932c336630f636f47cbdba47e2f5aa94039f87fbb15797455535

  • SHA512

    812426a098f3d277e9d004e9fd288d2fe26ba410d4a79db1338c8f8faca03cb0f33da84f1f8575ab37dd554e26cff52428c3c10cc585d1c96df88e140ae056ef

  • SSDEEP

    6144:9iCJP2aHc28pmBIUFqOkTo2/Pd7IYbUN0DQ2:9f82DICqJTo2tcqUN

Malware Config

Extracted

  • Family

    qakbot

  • Version

    324.75

  • Botnet

    spx88

  • Campaign

    1585759147

  • C2


Targets

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

MITRE ATT&CK Matrix (ATT&CK v13)

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 3

  • Peripheral Device Discovery (T1120): 1

  • Remote System Discovery (T1018): 1

Tasks