qakbot | 6d10ae2b310fc8d3b8a2690afb40ff153ffca5f320a08d07c7d8b5a05a9dcd2c

General

Target

2c2307bb3cacbca7f7ba9d7d76bb88ff_JaffaCakes118.dll
Size

337KB
MD5

2c2307bb3cacbca7f7ba9d7d76bb88ff
SHA1

c6deb5d3add0de6accd686ff654c32ac42d74bb9
SHA256

6d10ae2b310fc8d3b8a2690afb40ff153ffca5f320a08d07c7d8b5a05a9dcd2c
SHA512

e902afcc029459c6be6a5c92f8876d98189a3521996142551b9555ff995db42432a1e264d26a67e7d264527ba440998548902b2fc8f1e93fb2f8c48f8dd5aa97
SSDEEP

6144:1gOXktvhhOU35RJEesNr3wU7HuAmHKmlEwrPmRPWEpWFn2E6lyDO:XkvhhOKJETRByqTwr03pdfR

Score

10^/10

qakbot obama04 1613469138 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

401.138

Botnet

obama04

Campaign

1613469138

C2

50.29.166.232:995

89.137.211.239:995

172.78.30.215:443

193.248.221.184:2222

80.227.5.69:443

216.201.162.158:443

75.67.192.125:443

105.96.8.96:443

77.211.30.202:995

136.232.34.70:443

87.202.87.210:2222

86.245.46.27:2222

90.101.117.122:2222

81.97.154.100:443

47.196.192.184:443

197.161.154.132:443

78.185.59.190:443

202.188.138.162:443

77.27.204.204:995

203.194.110.74:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

264 regsvr32.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2224 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1628 regsvr32.exe
1628 regsvr32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

1628 regsvr32.exe

pid	process
264	regsvr32.exe

pid	process
2224	schtasks.exe

pid	process
1628	regsvr32.exe
1628	regsvr32.exe

pid	process
1628	regsvr32.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 2664 wrote to memory of 1628	2664	regsvr32.exe	regsvr32.exe
PID 2664 wrote to memory of 1628	2664	regsvr32.exe	regsvr32.exe
PID 2664 wrote to memory of 1628	2664	regsvr32.exe	regsvr32.exe
PID 2664 wrote to memory of 1628	2664	regsvr32.exe	regsvr32.exe
PID 2664 wrote to memory of 1628	2664	regsvr32.exe	regsvr32.exe
PID 2664 wrote to memory of 1628	2664	regsvr32.exe	regsvr32.exe
PID 2664 wrote to memory of 1628	2664	regsvr32.exe	regsvr32.exe
PID 1628 wrote to memory of 2764	1628	regsvr32.exe	explorer.exe
PID 1628 wrote to memory of 2764	1628	regsvr32.exe	explorer.exe
PID 1628 wrote to memory of 2764	1628	regsvr32.exe	explorer.exe
PID 1628 wrote to memory of 2764	1628	regsvr32.exe	explorer.exe
PID 1628 wrote to memory of 2764	1628	regsvr32.exe	explorer.exe
PID 1628 wrote to memory of 2764	1628	regsvr32.exe	explorer.exe
PID 2764 wrote to memory of 2224	2764	explorer.exe	schtasks.exe
PID 2764 wrote to memory of 2224	2764	explorer.exe	schtasks.exe
PID 2764 wrote to memory of 2224	2764	explorer.exe	schtasks.exe
PID 2764 wrote to memory of 2224	2764	explorer.exe	schtasks.exe
PID 2792 wrote to memory of 1860	2792	taskeng.exe	regsvr32.exe
PID 2792 wrote to memory of 1860	2792	taskeng.exe	regsvr32.exe
PID 2792 wrote to memory of 1860	2792	taskeng.exe	regsvr32.exe
PID 2792 wrote to memory of 1860	2792	taskeng.exe	regsvr32.exe
PID 2792 wrote to memory of 1860	2792	taskeng.exe	regsvr32.exe
PID 1860 wrote to memory of 264	1860	regsvr32.exe	regsvr32.exe
PID 1860 wrote to memory of 264	1860	regsvr32.exe	regsvr32.exe
PID 1860 wrote to memory of 264	1860	regsvr32.exe	regsvr32.exe
PID 1860 wrote to memory of 264	1860	regsvr32.exe	regsvr32.exe
PID 1860 wrote to memory of 264	1860	regsvr32.exe	regsvr32.exe
PID 1860 wrote to memory of 264	1860	regsvr32.exe	regsvr32.exe
PID 1860 wrote to memory of 264	1860	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2c2307bb3cacbca7f7ba9d7d76bb88ff_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\2c2307bb3cacbca7f7ba9d7d76bb88ff_JaffaCakes118.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn vpxvuzy /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\2c2307bb3cacbca7f7ba9d7d76bb88ff_JaffaCakes118.dll\"" /SC ONCE /Z /ST 18:25 /ET 18:37
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2224

C:\Windows\system32\taskeng.exe
taskeng.exe {F92139C7-6C97-4262-B382-5657A445E7C1} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\2c2307bb3cacbca7f7ba9d7d76bb88ff_JaffaCakes118.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\2c2307bb3cacbca7f7ba9d7d76bb88ff_JaffaCakes118.dll"
    3⤵
    - Loads dropped DLL
    PID:264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2c2307bb3cacbca7f7ba9d7d76bb88ff_JaffaCakes118.dll

Filesize
337KB

MD5
bfff14700df5a5c32943722dd49f1979

SHA1
c41cf689caafab4f586f5e52d75987514a37841b

SHA256
e501d913eca42cf49a4d5cacbe342370b47a3ef961b8488c861757184a15229d

SHA512
56ef361b1670cfa28d709d88fa95cfd2eff4201c15da5a2405a29bdff6ad06a21f06889f458c2330b2792cb518b95abaca708870a108ffb8e20c518e8b5f2d39

Download Submit
memory/1628-0-0x0000000010000000-0x0000000010056000-memory.dmp

Filesize
344KB

Download
memory/1628-2-0x0000000010000000-0x0000000010056000-memory.dmp

Filesize
344KB

Download
memory/1628-1-0x00000000002E0000-0x0000000000336000-memory.dmp

Filesize
344KB

Download
memory/2764-3-0x0000000000100000-0x0000000000102000-memory.dmp

Filesize
8KB

Download
memory/2764-6-0x00000000000C0000-0x00000000000F5000-memory.dmp

Filesize
212KB

Download
memory/2764-7-0x00000000000C0000-0x00000000000F5000-memory.dmp

Filesize
212KB

Download
memory/2764-9-0x00000000000C0000-0x00000000000F5000-memory.dmp

Filesize
212KB

Download
memory/2764-8-0x00000000000C0000-0x00000000000F5000-memory.dmp

Filesize
212KB

Download
memory/2764-11-0x00000000000C0000-0x00000000000F5000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads