qakbot | b3781927bcf7932c336630f636f47cbdba47e2f5aa94039f87fbb15797455535

Analysis

max time kernel
141s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe
Size

221KB
MD5

611fb912ca0d8a8d6b57a5fe54c4b3ad
SHA1

d30d809df1e1f8db5511621c4869cf954d9ffe32
SHA256

b3781927bcf7932c336630f636f47cbdba47e2f5aa94039f87fbb15797455535
SHA512

812426a098f3d277e9d004e9fd288d2fe26ba410d4a79db1338c8f8faca03cb0f33da84f1f8575ab37dd554e26cff52428c3c10cc585d1c96df88e140ae056ef
SSDEEP

6144:9iCJP2aHc28pmBIUFqOkTo2/Pd7IYbUN0DQ2:9f82DICqJTo2tcqUN

Score

10^/10

qakbot banker stealer trojan

Malware Config

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1084	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3092	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe
3092	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe
872	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe
872	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe
872	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe
872	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 872	3092	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe	86
PID 3092 wrote to memory of 872	3092	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe	86
PID 3092 wrote to memory of 872	3092	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe	86
PID 3092 wrote to memory of 4712	3092	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe	89
PID 3092 wrote to memory of 4712	3092	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe	89
PID 3092 wrote to memory of 4712	3092	611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe	89
PID 4712 wrote to memory of 1084	4712	cmd.exe	91
PID 4712 wrote to memory of 1084	4712	cmd.exe	91
PID 4712 wrote to memory of 1084	4712	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Users\Admin\AppData\Local\Temp\611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe /C
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  PID:872
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\611fb912ca0d8a8d6b57a5fe54c4b3ad_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Windows\SysWOW64\PING.EXE
    ping.exe -n 6 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads