qakbot | 35fb4c2fe21a9e724bc553b1c4deb9e097afa6410cb8c2d2fd8122ee504edf88

General

Target

41416d72124ab146a511c1cbf33f7204_JaffaCakes118.dll
Size

378KB
MD5

41416d72124ab146a511c1cbf33f7204
SHA1

3356d5f834de85a658d7119ce9cc3b5e77224831
SHA256

35fb4c2fe21a9e724bc553b1c4deb9e097afa6410cb8c2d2fd8122ee504edf88
SHA512

2cec968ac314c17f9db653518b6d1e0329a6068ebd1636e45035b5630d72a7a0033492475ee4ef798d3c469e79c16898c07c5a17ee289ffc8f1aa1da668e74cb
SSDEEP

3072:Do6vBnby4Yx0XjFFzPQ0MslzERfQB24hLxBVi/b/9+PdpiWC35ol/uwfTuT2b2Mz:vs6Xpq0H3Jhds/9+qC/zfTPLb9

Score

10^/10

qakbot obama104 1632729661 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

obama104

Campaign

1632729661

C2

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Yaojayshilgo = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Oceyv = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1676 regsvr32.exe

pid	process
1676	regsvr32.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qiyeazuv	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qiyeazuv\b1331365 = 66555e2abf3756c85f871d4673848c798d5f07eb6b2915cd5dc7e992e26e7997944de0b27e69ce530eecc60da40d11b6c9de6af9b861cbc3ae03b07c8b49e41ae3737dcf658f04967afd47041f86d2578f6ebedec66d23a767c165d9e8fa371e83f95ae94ac207dd2f4fb5512ce56d5aef94d947cbe573cf7359477eb7abd8100f8cddb59f4f6779f57663e47e9237857668de534b0b69b11677036cf30f7c65cb3a33e65cf2a829dc3940e270005664848701f8f88b2fab1d30ac35e450cc633e06c0e1169e434f2e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qiyeazuv\b3723319 = 34e0f9ce840eec1ad3f255cc4b7096cb37	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qiyeazuv\98f7400 = 3d0deaa09b4d97f039aefb8919e26206be0fe9c50f695acb36420a0c4079934ab33482c0dbf09b114a84ba6bbf3b8550c6d12c8f2af089de1e642aee6ffb7ebb6829	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qiyeazuv\84acc32b = e00ecaa95073de832f30744ab79944c3af0da9f1b9115287fb8d93d8dd6b419a3a54d334adb6630d8af3a87c71e3adfca2c1c71da5e15ccd96cfa7c9052d4d34a70d6680b92276919faf3fb706638dc51726cc8d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qiyeazuv\bce547c = ef08a43962218b47c9f14b8f2abbc7c97606d094fd1de30bb96a395a9e7ea35405defa5a995027cb12e985755291c276f8	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qiyeazuv\76c61bf6 = 22c69a181cf4dc0e4705623be670412b91a29016c73a1b42e0c7086fb247b68e44096652cfcabb70e46436fc85d6df2a0192dcba85ba694d298018dd2ad732b4a5fec425e71ce82a04f9fffc652877cff8042572fb6edba1d69563f09566e1c4bb980a1a068ff13c753e46e01f3c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qiyeazuv\ce7a7c93 = 2f01bbc19161cd0d620cfdf00c0922b624c62397782c32ac40ec39c79cff52f639b22805f6011f0746e39054da20e44660b27229601e9d8b2e73cf835637db15fe60c1bc5afb66683f5fce7b809ad1f7830c7ce31d10ba7dcd5a13aee9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qiyeazuv\fbe5acdd = a10177291950b46f03dcf52cef8a511dc2f042f3409c8f4c287df8b9eaeb4de34713278fef0c456a78c401a8b7564ca30598bee41e118451bde938ccd4c103f0c272318a784c0fe97d316497ee491b9019e95a9e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qiyeazuv\84acc32b = e00edda95073eb3a4805611a8a30fa70f3510b77d04908ca6a32b84e03139f5647eae3f586ff140fe26e50a02c14cd34edc01bc19913dca89266aed388a07210ccc7d661dd5ec4953d957b920a68604101c1b903c6520ded95982432ca3881f07ffb8e8ad62c76b59d	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4104 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

4468 rundll32.exe
4468 rundll32.exe
1676 regsvr32.exe
1676 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

4468 rundll32.exe
1676 regsvr32.exe

pid	process
4104	schtasks.exe

pid	process
4468	rundll32.exe
4468	rundll32.exe
1676	regsvr32.exe
1676	regsvr32.exe

pid	process
4468	rundll32.exe
1676	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 4180 wrote to memory of 4468	4180	rundll32.exe	rundll32.exe
PID 4180 wrote to memory of 4468	4180	rundll32.exe	rundll32.exe
PID 4180 wrote to memory of 4468	4180	rundll32.exe	rundll32.exe
PID 4468 wrote to memory of 4744	4468	rundll32.exe	explorer.exe
PID 4468 wrote to memory of 4744	4468	rundll32.exe	explorer.exe
PID 4468 wrote to memory of 4744	4468	rundll32.exe	explorer.exe
PID 4468 wrote to memory of 4744	4468	rundll32.exe	explorer.exe
PID 4468 wrote to memory of 4744	4468	rundll32.exe	explorer.exe
PID 4744 wrote to memory of 4104	4744	explorer.exe	schtasks.exe
PID 4744 wrote to memory of 4104	4744	explorer.exe	schtasks.exe
PID 4744 wrote to memory of 4104	4744	explorer.exe	schtasks.exe
PID 584 wrote to memory of 1676	584	regsvr32.exe	regsvr32.exe
PID 584 wrote to memory of 1676	584	regsvr32.exe	regsvr32.exe
PID 584 wrote to memory of 1676	584	regsvr32.exe	regsvr32.exe
PID 1676 wrote to memory of 2228	1676	regsvr32.exe	explorer.exe
PID 1676 wrote to memory of 2228	1676	regsvr32.exe	explorer.exe
PID 1676 wrote to memory of 2228	1676	regsvr32.exe	explorer.exe
PID 1676 wrote to memory of 2228	1676	regsvr32.exe	explorer.exe
PID 1676 wrote to memory of 2228	1676	regsvr32.exe	explorer.exe
PID 2228 wrote to memory of 3012	2228	explorer.exe	reg.exe
PID 2228 wrote to memory of 3012	2228	explorer.exe	reg.exe
PID 2228 wrote to memory of 956	2228	explorer.exe	reg.exe
PID 2228 wrote to memory of 956	2228	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\41416d72124ab146a511c1cbf33f7204_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\41416d72124ab146a511c1cbf33f7204_JaffaCakes118.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn vzxzjlnkgk /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\41416d72124ab146a511c1cbf33f7204_JaffaCakes118.dll\"" /SC ONCE /Z /ST 10:16 /ET 10:28
4⤵
- Scheduled Task/Job: Scheduled Task
PID:4104

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\41416d72124ab146a511c1cbf33f7204_JaffaCakes118.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\41416d72124ab146a511c1cbf33f7204_JaffaCakes118.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Yaojayshilgo" /d "0"
4⤵
- Windows security bypass
PID:3012

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Oceyv" /d "0"
4⤵
- Windows security bypass
PID:956

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\41416d72124ab146a511c1cbf33f7204_JaffaCakes118.dll
Filesize
378KB

MD5
41416d72124ab146a511c1cbf33f7204

SHA1
3356d5f834de85a658d7119ce9cc3b5e77224831

SHA256
35fb4c2fe21a9e724bc553b1c4deb9e097afa6410cb8c2d2fd8122ee504edf88

SHA512
2cec968ac314c17f9db653518b6d1e0329a6068ebd1636e45035b5630d72a7a0033492475ee4ef798d3c469e79c16898c07c5a17ee289ffc8f1aa1da668e74cb

Download Submit
memory/1676-15-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2228-18-0x0000000000930000-0x0000000000951000-memory.dmp

Filesize
132KB

Download
memory/2228-19-0x0000000000930000-0x0000000000951000-memory.dmp

Filesize
132KB

Download
memory/2228-17-0x0000000000930000-0x0000000000951000-memory.dmp

Filesize
132KB

Download
memory/4468-3-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/4468-4-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/4468-0-0x0000000002D00000-0x0000000002D42000-memory.dmp

Filesize
264KB

Download
memory/4468-1-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/4744-9-0x0000000000CB0000-0x0000000000CD1000-memory.dmp

Filesize
132KB

Download
memory/4744-8-0x0000000000CB0000-0x0000000000CD1000-memory.dmp

Filesize
132KB

Download
memory/4744-11-0x0000000000CB0000-0x0000000000CD1000-memory.dmp

Filesize
132KB

Download
memory/4744-7-0x0000000000CB0000-0x0000000000CD1000-memory.dmp

Filesize
132KB

Download
memory/4744-2-0x0000000000CB0000-0x0000000000CD1000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads