General

  • Target

    af285a3f91f3f9aac89875942c03771b_JaffaCakes118

  • Size

    1.0MB

  • Sample

    240615-s7hxsswckh

  • MD5

    af285a3f91f3f9aac89875942c03771b

  • SHA1

    3b1d28087fdb201c6b2191631c60f352c46c630f

  • SHA256

    fb26dc2598e18c8e9b95a4a3aace4f6c19dee93894eaab8d7d9d31f2b963f806

  • SHA512

    27c5ac2001812800d18d681c3f97a7d7617b1f6fb4886ac3e612ebca67f1be9684c9716457a2271cb437b492d96f8ec4035199f3d4441565d065a61d383234a0

  • SSDEEP

    24576:4/WmaxvuGNdBd0zcT7JOgygMLgkq8Kxp:K1gNDkcIgygQgwep

Malware Config

Extracted

Family

qakbot

Version

322.642

Botnet

xxx02

Campaign

1543704484

Credentials

  • Protocol:
    ftp
  • Host:
    192.185.5.208
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    NxdkxAp4dUsY

  • Protocol:
    ftp
  • Host:
    162.241.218.118
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    EcOV0DyGVgVN

  • Protocol:
    ftp
  • Host:
    69.89.31.139
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    fcR7OvyLrMW6!

  • Protocol:
    ftp
  • Host:
    192.185.73.101
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    XpHexorVzwIO
C2

72.220.211.207:443

174.48.72.160:443

142.197.246.64:443

207.178.109.161:443

69.30.241.245:443

76.124.56.184:443

185.219.83.73:443

184.180.157.203:2222

173.169.15.3:443

71.206.209.190:443

73.130.229.200:443

73.96.172.45:443

174.106.146.89:443

70.183.154.153:995

71.171.94.146:443

70.59.16.36:443

189.175.141.171:443

98.223.98.14:443

71.58.77.120:443

173.27.21.37:995

Targets

    • Target

      af285a3f91f3f9aac89875942c03771b_JaffaCakes118

    • Size

      1.0MB

    • MD5

      af285a3f91f3f9aac89875942c03771b

    • SHA1

      3b1d28087fdb201c6b2191631c60f352c46c630f

    • SHA256

      fb26dc2598e18c8e9b95a4a3aace4f6c19dee93894eaab8d7d9d31f2b963f806

    • SHA512

      27c5ac2001812800d18d681c3f97a7d7617b1f6fb4886ac3e612ebca67f1be9684c9716457a2271cb437b492d96f8ec4035199f3d4441565d065a61d383234a0

    • SSDEEP

      24576:4/WmaxvuGNdBd0zcT7JOgygMLgkq8Kxp:K1gNDkcIgygQgwep

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

MITRE ATT&CK Enterprise v15

Tasks