qakbot | 3a1ec5cfa213479f5f7fc25d46672b489ab64d50e687253f6f388991b0c50b43

General

Target

89cde7fa5c181f10cc9a21fb961f8de5_JaffaCakes118.vbs
Size

1.9MB
MD5

89cde7fa5c181f10cc9a21fb961f8de5
SHA1

a1449eef635ae525e6ba3167f4978bbfde9c73fc
SHA256

3a1ec5cfa213479f5f7fc25d46672b489ab64d50e687253f6f388991b0c50b43
SHA512

a44b5af5c92fdeebd25de21a08b1ff8138d3092a6131f750f1ba01717c80d729da020e5778419835d1014b29c29951cca4d69eaf0456640c759727a4f495e7d0
SSDEEP

49152:j6rXNinXYXKRat360hlkGHkUxyHUfCllJ04MGo2GriKPgOU1eODlB:F

Score

10^/10

qakbot spx02 1567678709 banker evasion persistence stealer trojan

Malware Config

Extracted

Family

qakbot

Version

323.79

Botnet

spx02

Campaign

1567678709

C2

50.78.93.74:995

50.46.131.145:443

98.236.87.243:443

72.179.13.59:443

73.226.220.56:443

75.177.172.209:6881

192.24.181.185:443

206.51.202.106:50002

108.184.57.213:443

67.10.18.112:993

162.244.225.30:443

47.23.101.26:993

47.136.226.219:443

96.20.238.2:2083

68.238.56.27:443

75.131.239.76:443

172.78.85.20:443

96.22.239.27:2222

76.71.76.131:32101

60.254.82.182:2078

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Eohteaye = "0"	reg.exe

Executes dropped EXE 7 IoCs

Processes:

xgIWRvnF.exexgIWRvnF.exerumxswye.exerumxswye.exexgIWRvnF.exerumxswye.exerumxswye.exe

pid process

2920 xgIWRvnF.exe
2032 xgIWRvnF.exe
2460 rumxswye.exe
2468 rumxswye.exe
1984 xgIWRvnF.exe
1512 rumxswye.exe
1144 rumxswye.exe
Loads dropped DLL 2 IoCs

Processes:

xgIWRvnF.exe

pid process

2920 xgIWRvnF.exe
2920 xgIWRvnF.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\uqbjndly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Eohteaye\\rumxswye.exe\""	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2724 schtasks.exe

pid	process
2724	schtasks.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

xgIWRvnF.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	xgIWRvnF.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	xgIWRvnF.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	xgIWRvnF.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1076 PING.EXE

pid	process
1076	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

xgIWRvnF.exexgIWRvnF.exerumxswye.exerumxswye.exeexplorer.exexgIWRvnF.exerumxswye.exerumxswye.exe

pid	process
2920	xgIWRvnF.exe
2032	xgIWRvnF.exe
2032	xgIWRvnF.exe
2460	rumxswye.exe
2468	rumxswye.exe
2468	rumxswye.exe
3008	explorer.exe
3008	explorer.exe
1984	xgIWRvnF.exe
1512	rumxswye.exe
1144	rumxswye.exe
1144	rumxswye.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rumxswye.exe

pid process

2460 rumxswye.exe

pid	process
2460	rumxswye.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

xgIWRvnF.exerumxswye.exetaskeng.exexgIWRvnF.exe

description	pid	process	target process
PID 2920 wrote to memory of 2032	2920	xgIWRvnF.exe	xgIWRvnF.exe
PID 2920 wrote to memory of 2032	2920	xgIWRvnF.exe	xgIWRvnF.exe
PID 2920 wrote to memory of 2032	2920	xgIWRvnF.exe	xgIWRvnF.exe
PID 2920 wrote to memory of 2032	2920	xgIWRvnF.exe	xgIWRvnF.exe
PID 2920 wrote to memory of 2460	2920	xgIWRvnF.exe	rumxswye.exe
PID 2920 wrote to memory of 2460	2920	xgIWRvnF.exe	rumxswye.exe
PID 2920 wrote to memory of 2460	2920	xgIWRvnF.exe	rumxswye.exe
PID 2920 wrote to memory of 2460	2920	xgIWRvnF.exe	rumxswye.exe
PID 2920 wrote to memory of 2724	2920	xgIWRvnF.exe	schtasks.exe
PID 2920 wrote to memory of 2724	2920	xgIWRvnF.exe	schtasks.exe
PID 2920 wrote to memory of 2724	2920	xgIWRvnF.exe	schtasks.exe
PID 2920 wrote to memory of 2724	2920	xgIWRvnF.exe	schtasks.exe
PID 2460 wrote to memory of 2468	2460	rumxswye.exe	rumxswye.exe
PID 2460 wrote to memory of 2468	2460	rumxswye.exe	rumxswye.exe
PID 2460 wrote to memory of 2468	2460	rumxswye.exe	rumxswye.exe
PID 2460 wrote to memory of 2468	2460	rumxswye.exe	rumxswye.exe
PID 2460 wrote to memory of 3008	2460	rumxswye.exe	explorer.exe
PID 2460 wrote to memory of 3008	2460	rumxswye.exe	explorer.exe
PID 2460 wrote to memory of 3008	2460	rumxswye.exe	explorer.exe
PID 2460 wrote to memory of 3008	2460	rumxswye.exe	explorer.exe
PID 2460 wrote to memory of 3008	2460	rumxswye.exe	explorer.exe
PID 1212 wrote to memory of 1984	1212	taskeng.exe	xgIWRvnF.exe
PID 1212 wrote to memory of 1984	1212	taskeng.exe	xgIWRvnF.exe
PID 1212 wrote to memory of 1984	1212	taskeng.exe	xgIWRvnF.exe
PID 1212 wrote to memory of 1984	1212	taskeng.exe	xgIWRvnF.exe
PID 1984 wrote to memory of 1728	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 1728	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 1728	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 1728	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 2940	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 2940	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 2940	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 2940	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 2076	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 2076	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 2076	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 2076	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 1964	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 1964	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 1964	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 1964	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 2368	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 2368	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 2368	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 2368	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 1300	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 1300	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 1300	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 1300	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 600	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 600	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 600	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 600	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 808	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 808	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 808	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 808	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 1096	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 1096	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 1096	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 1096	1984	xgIWRvnF.exe	reg.exe
PID 1984 wrote to memory of 1512	1984	xgIWRvnF.exe	rumxswye.exe
PID 1984 wrote to memory of 1512	1984	xgIWRvnF.exe	rumxswye.exe
PID 1984 wrote to memory of 1512	1984	xgIWRvnF.exe	rumxswye.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89cde7fa5c181f10cc9a21fb961f8de5_JaffaCakes118.vbs"
1⤵
PID:2956

C:\Users\Admin\AppData\Local\Temp\xgIWRvnF.exe
C:\Users\Admin\AppData\Local\Temp\xgIWRvnF.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Users\Admin\AppData\Local\Temp\xgIWRvnF.exe
  C:\Users\Admin\AppData\Local\Temp\xgIWRvnF.exe /C
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2032
- C:\Users\Admin\AppData\Roaming\Microsoft\Eohteaye\rumxswye.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Eohteaye\rumxswye.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Users\Admin\AppData\Roaming\Microsoft\Eohteaye\rumxswye.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Eohteaye\rumxswye.exe /C
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2468
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:3008
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn nouukmstmr /tr "\"C:\Users\Admin\AppData\Local\Temp\xgIWRvnF.exe\" /I nouukmstmr" /SC ONCE /Z /ST 07:56 /ET 08:08
  2⤵
  - Creates scheduled task(s)
  PID:2724

C:\Windows\system32\taskeng.exe
taskeng.exe {46565815-66F6-44A0-9FA6-E465E39A6E80} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\xgIWRvnF.exe
  C:\Users\Admin\AppData\Local\Temp\xgIWRvnF.exe /I nouukmstmr
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    3⤵
    PID:1728
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    3⤵
    PID:2940
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    3⤵
    PID:2076
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    3⤵
    PID:1964
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    3⤵
    PID:2368
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    3⤵
    PID:1300
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    3⤵
    PID:600
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    3⤵
    PID:808
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Eohteaye" /d "0"
    3⤵
    - Windows security bypass
    PID:1096
- - C:\Users\Admin\AppData\Roaming\Microsoft\Eohteaye\rumxswye.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Eohteaye\rumxswye.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1512
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Eohteaye\rumxswye.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Eohteaye\rumxswye.exe /C
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1144
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\xgIWRvnF.exe"
    3⤵
    PID:2228
  - - C:\Windows\system32\PING.EXE
      ping.exe -n 6 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1076
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /DELETE /F /TN nouukmstmr
    3⤵
    PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xgIWRvnF.exe

Filesize
656KB

MD5
ee012e5a6dedbad726af12e7ba9374df

SHA1
1429e28e9c78294b6d1e96b9cb40da73ae51c23a

SHA256
259e8c4576444287f43218b2f6754da1d50339fdb4c4d8c9634ff72e6e2521f5

SHA512
5a82377e13242a7ab5d257a7f7f0c0856904591e5b583089999772742046b3d2857bb43f0937b4ad63cdc8e65e8519f0e6fd831b7c598b1ce13587934f9275d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Eohteaye\rumxswye.dat

Filesize
63B

MD5
d91c6ddebbc18d5078e61aeb6e902e7b

SHA1
0398f498361cbb0ee1f0a5ff818ac6ef3ceeb6cf

SHA256
10e1b307af7341c799b27e4630ae5ca00639293d33cb92e69da291bdcb470fc6

SHA512
b3a126cd9e99dab80e78ceb205f1f10d6cc38b90a05003efeaa4fca13cc6d237c41ae4a598737c57327a8b2d131eab2c3fc59afe281bbafe0d0ad447a4f853e5

Download Submit
memory/1144-58-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1512-59-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1984-52-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1984-44-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2032-13-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2460-39-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2468-30-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2920-24-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2920-5-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2920-3-0x0000000000230000-0x0000000000237000-memory.dmp

Filesize
28KB

Download
memory/3008-34-0x00000000004F0000-0x0000000000531000-memory.dmp

Filesize
260KB

Download
memory/3008-37-0x00000000004F0000-0x0000000000531000-memory.dmp

Filesize
260KB

Download
memory/3008-36-0x00000000004F0000-0x0000000000531000-memory.dmp

Filesize
260KB

Download
memory/3008-40-0x00000000004F0000-0x0000000000531000-memory.dmp

Filesize
260KB

Download
memory/3008-35-0x00000000000D0000-0x0000000000162000-memory.dmp

Filesize
584KB

Download
memory/3008-33-0x00000000000D0000-0x0000000000162000-memory.dmp

Filesize
584KB

Download
memory/3008-31-0x00000000000D0000-0x0000000000162000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads