qakbot | b3781927bcf7932c336630f636f47cbdba47e2f5aa94039f87fbb15797455535

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20-05-2024 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe
Size

221KB
MD5

611fb912ca0d8a8d6b57a5fe54c4b3ad
SHA1

d30d809df1e1f8db5511621c4869cf954d9ffe32
SHA256

b3781927bcf7932c336630f636f47cbdba47e2f5aa94039f87fbb15797455535
SHA512

812426a098f3d277e9d004e9fd288d2fe26ba410d4a79db1338c8f8faca03cb0f33da84f1f8575ab37dd554e26cff52428c3c10cc585d1c96df88e140ae056ef
SSDEEP

6144:9iCJP2aHc28pmBIUFqOkTo2/Pd7IYbUN0DQ2:9f82DICqJTo2tcqUN

Score

10^/10

qakbot banker stealer trojan

Malware Config

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2016 PING.EXE

pid	process
2016	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe

pid	process
2180	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe
2192	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe
2192	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 2180 wrote to memory of 2192	2180	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe
PID 2180 wrote to memory of 2192	2180	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe
PID 2180 wrote to memory of 2192	2180	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe
PID 2180 wrote to memory of 2192	2180	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe
PID 2180 wrote to memory of 3048	2180	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe	cmd.exe
PID 2180 wrote to memory of 3048	2180	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe	cmd.exe
PID 2180 wrote to memory of 3048	2180	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe	cmd.exe
PID 2180 wrote to memory of 3048	2180	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe	cmd.exe
PID 3048 wrote to memory of 2016	3048	cmd.exe	PING.EXE
PID 3048 wrote to memory of 2016	3048	cmd.exe	PING.EXE
PID 3048 wrote to memory of 2016	3048	cmd.exe	PING.EXE
PID 3048 wrote to memory of 2016	3048	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe /C
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2192
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\PING.EXE
    ping.exe -n 6 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads