qakbot | 9321f7c0333333189cea832082c33d28e3d8c568762b085939aea86b1d407dca

General

Target

2359e5ff4ddb2431661a2575069b9228_JaffaCakes118.dll
Size

378KB
MD5

2359e5ff4ddb2431661a2575069b9228
SHA1

4ce3b3f36059e3d8fe2b2eff98096e325456ce7d
SHA256

9321f7c0333333189cea832082c33d28e3d8c568762b085939aea86b1d407dca
SHA512

7dd7c5384e45351472b52df65d1a46f92da49ee074e6b5447a567c3b5033b3c49f225a9c64610575cadfdd5372fc5b15e0ba2a435d1bd3684fe1108d9cb9b439
SSDEEP

3072:Do6vBnby4Yx0XjFFzPQ0MslzERfQB24hLxBVi/b/9+PdpiWC35ol/uwfTuT2b2MH:vs6Xpq0H3Jhds/9+qC/zfTPLl

Score

10^/10

qakbot obama104 1632729661 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

obama104

Campaign

1632729661

C2

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Uewkvcu = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Scsster = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2496 regsvr32.exe

pid	process
2496	regsvr32.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Livnuou\b59c018d = e1f7ff996b214d66d1c01ace674beaa7055cd891ad5aaf8b13fc4595da89e61725e2d6002d00b61fc310d7b23b66fb33c3fd501d99ccc2aeafc21d7c4e27d798b95f3576	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Livnuou\fd0b9e49 = 58d1038715d055c5aa92d693483bd9a4076c6932d3b7acb57fed0f7eebecd435efbcaece19c0aeb7830d92df0ad9070eaf1d94e747690f5f808a8c22cd6774b3fb99a4e95909123f16aab1	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Livnuou	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Livnuou\8242f1bf = eb2c33aed456e9a9b0315e258dd58e70cc36bd34886cf2331e4338cce5c98438adda6d8c3de6563e9b8f2a9932ed77e87692df851169a27b4a23bd7bc79faa4966d5cac868d9c7510831a2d6b0f5	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Livnuou\b7dd21f1 = 9a7b782dfd8ff87803521c0ccab0056bc69ea7c440916e840a5a2929135c2d7ef25cc2c7404cb465c6e42835de1106d36a0431265d82814968b2cf1e6dacc2f72eb942422e7e20334dd4d44ac427df86b12ef0f029cc1f05ea71c1005edaffe8b04921d6b8fad57a27ca3525a56bac2e92129549a9fafe78b84a4cf2b4cac44d7b7aee4413bad74f8ee148a888554b62c59b56ca	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Livnuou\f614694 = 6322874d936251d861fa24524e89ca4eba048a74b477b868a71b260034ac93ed8f9292f400490530a1df0d0244b392b7a60964c398d835edaabc6dd0b8063936e8dbd9886788ec	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Livnuou\8242f1bf = eb2c24aed456dcc7362fbae673583024d1ea373227424149464b7583b6e62486265fcb997f8736967d09e33670fdc8a779dfc80e506c6590179c36a3c10b3acdf5a9424184ac5bae9f747e46d8132dfbc10aa6a10da226a6ce6673165953dcf8b4e8fa	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Livnuou\d2066e8 = c9ff13ecd86dc63cdbf8bc307e5bcd1f66b6b03223c30890d3eb1c7f6d6dc676a635266a906a80571ab6cff67ae1288d7a5ca8d0e9c0e60f5b19bc857166a0fb970660	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Livnuou\70282962 = fbd6b73c386e75f0bc5f3bc788d3b11a2561bb3455d40cde1c76	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Livnuou\c8944e07 = 51ffcdb161562ed6ac1bc9a1b257d7426b03f4eab9db	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

3068 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2152 rundll32.exe
2496 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2152 rundll32.exe
2496 regsvr32.exe

pid	process
3068	schtasks.exe

pid	process
2152	rundll32.exe
2496	regsvr32.exe

pid	process
2152	rundll32.exe
2496	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 2936 wrote to memory of 2152	2936	rundll32.exe	rundll32.exe
PID 2936 wrote to memory of 2152	2936	rundll32.exe	rundll32.exe
PID 2936 wrote to memory of 2152	2936	rundll32.exe	rundll32.exe
PID 2936 wrote to memory of 2152	2936	rundll32.exe	rundll32.exe
PID 2936 wrote to memory of 2152	2936	rundll32.exe	rundll32.exe
PID 2936 wrote to memory of 2152	2936	rundll32.exe	rundll32.exe
PID 2936 wrote to memory of 2152	2936	rundll32.exe	rundll32.exe
PID 2152 wrote to memory of 2956	2152	rundll32.exe	explorer.exe
PID 2152 wrote to memory of 2956	2152	rundll32.exe	explorer.exe
PID 2152 wrote to memory of 2956	2152	rundll32.exe	explorer.exe
PID 2152 wrote to memory of 2956	2152	rundll32.exe	explorer.exe
PID 2152 wrote to memory of 2956	2152	rundll32.exe	explorer.exe
PID 2152 wrote to memory of 2956	2152	rundll32.exe	explorer.exe
PID 2956 wrote to memory of 3068	2956	explorer.exe	schtasks.exe
PID 2956 wrote to memory of 3068	2956	explorer.exe	schtasks.exe
PID 2956 wrote to memory of 3068	2956	explorer.exe	schtasks.exe
PID 2956 wrote to memory of 3068	2956	explorer.exe	schtasks.exe
PID 1348 wrote to memory of 2332	1348	taskeng.exe	regsvr32.exe
PID 1348 wrote to memory of 2332	1348	taskeng.exe	regsvr32.exe
PID 1348 wrote to memory of 2332	1348	taskeng.exe	regsvr32.exe
PID 1348 wrote to memory of 2332	1348	taskeng.exe	regsvr32.exe
PID 1348 wrote to memory of 2332	1348	taskeng.exe	regsvr32.exe
PID 2332 wrote to memory of 2496	2332	regsvr32.exe	regsvr32.exe
PID 2332 wrote to memory of 2496	2332	regsvr32.exe	regsvr32.exe
PID 2332 wrote to memory of 2496	2332	regsvr32.exe	regsvr32.exe
PID 2332 wrote to memory of 2496	2332	regsvr32.exe	regsvr32.exe
PID 2332 wrote to memory of 2496	2332	regsvr32.exe	regsvr32.exe
PID 2332 wrote to memory of 2496	2332	regsvr32.exe	regsvr32.exe
PID 2332 wrote to memory of 2496	2332	regsvr32.exe	regsvr32.exe
PID 2496 wrote to memory of 3028	2496	regsvr32.exe	explorer.exe
PID 2496 wrote to memory of 3028	2496	regsvr32.exe	explorer.exe
PID 2496 wrote to memory of 3028	2496	regsvr32.exe	explorer.exe
PID 2496 wrote to memory of 3028	2496	regsvr32.exe	explorer.exe
PID 2496 wrote to memory of 3028	2496	regsvr32.exe	explorer.exe
PID 2496 wrote to memory of 3028	2496	regsvr32.exe	explorer.exe
PID 3028 wrote to memory of 2696	3028	explorer.exe	reg.exe
PID 3028 wrote to memory of 2696	3028	explorer.exe	reg.exe
PID 3028 wrote to memory of 2696	3028	explorer.exe	reg.exe
PID 3028 wrote to memory of 2696	3028	explorer.exe	reg.exe
PID 3028 wrote to memory of 2716	3028	explorer.exe	reg.exe
PID 3028 wrote to memory of 2716	3028	explorer.exe	reg.exe
PID 3028 wrote to memory of 2716	3028	explorer.exe	reg.exe
PID 3028 wrote to memory of 2716	3028	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2359e5ff4ddb2431661a2575069b9228_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2359e5ff4ddb2431661a2575069b9228_JaffaCakes118.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn qqzvdtqd /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\2359e5ff4ddb2431661a2575069b9228_JaffaCakes118.dll\"" /SC ONCE /Z /ST 18:36 /ET 18:48
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3068

C:\Windows\system32\taskeng.exe
taskeng.exe {92ABE1E6-9509-4B2C-BFF1-473E24860F7B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\2359e5ff4ddb2431661a2575069b9228_JaffaCakes118.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\2359e5ff4ddb2431661a2575069b9228_JaffaCakes118.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:3028
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Uewkvcu" /d "0"
        5⤵
        Windows security bypass
        
        PID:2696
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Scsster" /d "0"
        5⤵
        Windows security bypass
        
        PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2359e5ff4ddb2431661a2575069b9228_JaffaCakes118.dll

Filesize
378KB

MD5
2359e5ff4ddb2431661a2575069b9228

SHA1
4ce3b3f36059e3d8fe2b2eff98096e325456ce7d

SHA256
9321f7c0333333189cea832082c33d28e3d8c568762b085939aea86b1d407dca

SHA512
7dd7c5384e45351472b52df65d1a46f92da49ee074e6b5447a567c3b5033b3c49f225a9c64610575cadfdd5372fc5b15e0ba2a435d1bd3684fe1108d9cb9b439

Download Submit
memory/2152-6-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/2152-0-0x00000000001B0000-0x00000000001F2000-memory.dmp

Filesize
264KB

Download
memory/2152-1-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/2152-5-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2496-19-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2956-9-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2956-12-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2956-11-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2956-10-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2956-13-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2956-4-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2956-2-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/3028-21-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/3028-23-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/3028-22-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads