qakbot | 35fb4c2fe21a9e724bc553b1c4deb9e097afa6410cb8c2d2fd8122ee504edf88

General

Target

41416d72124ab146a511c1cbf33f7204_JaffaCakes118.dll
Size

378KB
MD5

41416d72124ab146a511c1cbf33f7204
SHA1

3356d5f834de85a658d7119ce9cc3b5e77224831
SHA256

35fb4c2fe21a9e724bc553b1c4deb9e097afa6410cb8c2d2fd8122ee504edf88
SHA512

2cec968ac314c17f9db653518b6d1e0329a6068ebd1636e45035b5630d72a7a0033492475ee4ef798d3c469e79c16898c07c5a17ee289ffc8f1aa1da668e74cb
SSDEEP

3072:Do6vBnby4Yx0XjFFzPQ0MslzERfQB24hLxBVi/b/9+PdpiWC35ol/uwfTuT2b2Mz:vs6Xpq0H3Jhds/9+qC/zfTPLb9

Score

10^/10

qakbot obama104 1632729661 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

obama104

Campaign

1632729661

C2

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Ajluhlyht = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Eebgyni = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

532 regsvr32.exe

pid	process
532	regsvr32.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Iaolayzfqutzut\22b4d742 = e4c72f06b3c4d6e42ed6acadd60bbd2481461008f19fa2c300a8f18db3bace047377f4e3c58e8a73e7937f63a60314a7011d9c1041805c3b9befd73397056258f516909a56765551acf96edbe08a846bb48726aba9837901c1175d1b140f140dbb4837	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Iaolayzfqutzut\add64015 = e43d6108a18ae634a7c79015a5bdbc173ae3e068fa93751413df9cd58df1ad892b6224b6acae6604b8061fec2845943e2644	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Iaolayzfqutzut\d0de0f9f = 1ac8ecb2dc28c0f7e7ade017bbe72b61eb3031d74fa99d7006d1a99893b37b054a44806e68c4898d6461eb28c431410b71389a190de9d8b52548efa5716551a4f18b12baba4ca2c48cc83a7027099b1c50c4b662d9e290bf7b05343459	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Iaolayzfqutzut	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Iaolayzfqutzut\172b070c = 50e5e39a4fe5fbf6827eb4a820f501db23846798e8fcdb940a21b8cb6d5187339af4d93ac7425d40cccc9bf89ee70fd14859aa43bd678fc257ff84555ac1aa16a1ba312585f6b0c779d9ac1448e4a87defce9b60b9e6720a0040f4416826cee9bae5f6509a679c16ad9a384d93d93e1e6c06	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Iaolayzfqutzut\156a2770 = 80432bb6f5dcc89f927bf985afb58593320e891ccee9446e50b07d135fb61316f1f9d23a1bc1a889061710ab0aebd13e3b3bae2260b5465000c2b9881389634010557c4b2c9b1353dc36cbde2ac9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Iaolayzfqutzut\686268fa = c2a549187c310b1d5ba331ed933dd0a27b87c87ee879eecfced622d514f36839bb94660c2dd5dc2ceaf990369041eb960c9576e7b564c561a1fd788956853246e820d79e82767963bdf84086583c32df6cdb58ffaaec4469fa4f6308a4c97f589691e9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Iaolayzfqutzut\af976069 = b17f56e84d63a2e5c7cba22fb7845d2263f05e204953a21b424080523d6fa936e3cd113bf316a34e396c4533d56ed2818ff37a7e7d099dca74	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Iaolayzfqutzut\5dfdb8b4 = 6a9289ffc1775c1ed221a4145f3e56f598203377e05a04d104dd71fa3fc23143825ea2c170bf0dc809444f3866ce74aa470fe3166540451d94cf1882345bec7376e56a1bf19d99f780a952e2f4a15b0d4a0bf1cf89fc9f0c9fe921b90dcc11f6	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Iaolayzfqutzut\22b4d742 = e4c73806b3c4e3c814e04c78c843b79e01b66ee3c55269b07d5a45202e75e52cb029aea7aaab29b569bce22c6485ee0eb25761682acbbe3d3a04ba2dfe657aacc90625f60b1b3c36e3b7b10766076f89ba863552e9b144a92b36577e72e3c383fc41c8240ab24afa761c49bf4f5d18df1bbc664d6eaf4692	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2488 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2028 rundll32.exe
532 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2028 rundll32.exe
532 regsvr32.exe

pid	process
2488	schtasks.exe

pid	process
2028	rundll32.exe
532	regsvr32.exe

pid	process
2028	rundll32.exe
532	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 2052 wrote to memory of 2028	2052	rundll32.exe	rundll32.exe
PID 2052 wrote to memory of 2028	2052	rundll32.exe	rundll32.exe
PID 2052 wrote to memory of 2028	2052	rundll32.exe	rundll32.exe
PID 2052 wrote to memory of 2028	2052	rundll32.exe	rundll32.exe
PID 2052 wrote to memory of 2028	2052	rundll32.exe	rundll32.exe
PID 2052 wrote to memory of 2028	2052	rundll32.exe	rundll32.exe
PID 2052 wrote to memory of 2028	2052	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 1320	2028	rundll32.exe	explorer.exe
PID 2028 wrote to memory of 1320	2028	rundll32.exe	explorer.exe
PID 2028 wrote to memory of 1320	2028	rundll32.exe	explorer.exe
PID 2028 wrote to memory of 1320	2028	rundll32.exe	explorer.exe
PID 2028 wrote to memory of 1320	2028	rundll32.exe	explorer.exe
PID 2028 wrote to memory of 1320	2028	rundll32.exe	explorer.exe
PID 1320 wrote to memory of 2488	1320	explorer.exe	schtasks.exe
PID 1320 wrote to memory of 2488	1320	explorer.exe	schtasks.exe
PID 1320 wrote to memory of 2488	1320	explorer.exe	schtasks.exe
PID 1320 wrote to memory of 2488	1320	explorer.exe	schtasks.exe
PID 1824 wrote to memory of 2668	1824	taskeng.exe	regsvr32.exe
PID 1824 wrote to memory of 2668	1824	taskeng.exe	regsvr32.exe
PID 1824 wrote to memory of 2668	1824	taskeng.exe	regsvr32.exe
PID 1824 wrote to memory of 2668	1824	taskeng.exe	regsvr32.exe
PID 1824 wrote to memory of 2668	1824	taskeng.exe	regsvr32.exe
PID 2668 wrote to memory of 532	2668	regsvr32.exe	regsvr32.exe
PID 2668 wrote to memory of 532	2668	regsvr32.exe	regsvr32.exe
PID 2668 wrote to memory of 532	2668	regsvr32.exe	regsvr32.exe
PID 2668 wrote to memory of 532	2668	regsvr32.exe	regsvr32.exe
PID 2668 wrote to memory of 532	2668	regsvr32.exe	regsvr32.exe
PID 2668 wrote to memory of 532	2668	regsvr32.exe	regsvr32.exe
PID 2668 wrote to memory of 532	2668	regsvr32.exe	regsvr32.exe
PID 532 wrote to memory of 1724	532	regsvr32.exe	explorer.exe
PID 532 wrote to memory of 1724	532	regsvr32.exe	explorer.exe
PID 532 wrote to memory of 1724	532	regsvr32.exe	explorer.exe
PID 532 wrote to memory of 1724	532	regsvr32.exe	explorer.exe
PID 532 wrote to memory of 1724	532	regsvr32.exe	explorer.exe
PID 532 wrote to memory of 1724	532	regsvr32.exe	explorer.exe
PID 1724 wrote to memory of 352	1724	explorer.exe	reg.exe
PID 1724 wrote to memory of 352	1724	explorer.exe	reg.exe
PID 1724 wrote to memory of 352	1724	explorer.exe	reg.exe
PID 1724 wrote to memory of 352	1724	explorer.exe	reg.exe
PID 1724 wrote to memory of 2016	1724	explorer.exe	reg.exe
PID 1724 wrote to memory of 2016	1724	explorer.exe	reg.exe
PID 1724 wrote to memory of 2016	1724	explorer.exe	reg.exe
PID 1724 wrote to memory of 2016	1724	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\41416d72124ab146a511c1cbf33f7204_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\41416d72124ab146a511c1cbf33f7204_JaffaCakes118.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn jlgzpom /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\41416d72124ab146a511c1cbf33f7204_JaffaCakes118.dll\"" /SC ONCE /Z /ST 10:16 /ET 10:28
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2488

C:\Windows\system32\taskeng.exe
taskeng.exe {5E2632D9-5C34-43D4-82D0-30ADF6A2D8A7} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\41416d72124ab146a511c1cbf33f7204_JaffaCakes118.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\41416d72124ab146a511c1cbf33f7204_JaffaCakes118.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:532
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:1724
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Ajluhlyht" /d "0"
        5⤵
        Windows security bypass
        
        PID:352
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Eebgyni" /d "0"
        5⤵
        Windows security bypass
        
        PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\41416d72124ab146a511c1cbf33f7204_JaffaCakes118.dll

Filesize
378KB

MD5
41416d72124ab146a511c1cbf33f7204

SHA1
3356d5f834de85a658d7119ce9cc3b5e77224831

SHA256
35fb4c2fe21a9e724bc553b1c4deb9e097afa6410cb8c2d2fd8122ee504edf88

SHA512
2cec968ac314c17f9db653518b6d1e0329a6068ebd1636e45035b5630d72a7a0033492475ee4ef798d3c469e79c16898c07c5a17ee289ffc8f1aa1da668e74cb

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/532-21-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/1320-7-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1320-11-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1320-2-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/1320-14-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1320-10-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1320-13-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1320-12-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1724-23-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1724-25-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1724-24-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2028-0-0x00000000006E0000-0x0000000000722000-memory.dmp

Filesize
264KB

Download
memory/2028-5-0x00000000006E0000-0x0000000000722000-memory.dmp

Filesize
264KB

Download
memory/2028-4-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2028-6-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/2028-1-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads