qakbot | 7a36691e0d6e2c9fadfd858c43bdb69b92e902830244526682e27098933633d7

General

Target

01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe
Size

4.2MB
MD5

01264f378629ee108736d8d641dddfbf
SHA1

5a7f5b12d8e2f84c8273630adfb928e08b7e48a2
SHA256

7a36691e0d6e2c9fadfd858c43bdb69b92e902830244526682e27098933633d7
SHA512

7e032ad9054a46d0672fc413554a1748e8a8709264d7014094e2c2e0b4bc2e2dadf057a4f4167b777a3d97118dc614da622f69e5911d94d7f16339e0cb177524
SSDEEP

6144:D0YmFNuwc2U+5SER2z4sMJzSoVgxs67kOksDO9lOuo+PpJ:D0NIwHUgR20sM8k24

Score

10^/10

qakbot abc009 1601288915 banker discovery stealer trojan

Malware Config

Extracted

Family

qakbot

Version

325.43

Botnet

abc009

Campaign

1601288915

C2

67.60.113.253:2222

93.149.253.201:2222

47.44.217.98:443

151.76.220.137:443

117.218.208.239:443

190.30.185.80:443

71.80.66.107:443

195.162.106.93:2222

80.14.209.42:2222

50.244.112.106:443

184.98.103.204:995

74.109.219.145:443

79.118.76.109:443

72.186.1.237:443

41.34.85.231:995

90.175.88.99:2222

84.232.238.30:443

45.32.155.12:443

73.104.218.229:0

98.26.50.62:995

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXEcmd.exe

pid process

1832 PING.EXE
4920 cmd.exe

pid	process
1832	PING.EXE
4920	cmd.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1832 PING.EXE

pid	process
1832	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe

pid	process
972	01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe
972	01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe
720	01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe
720	01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe

description	pid	process	target process
PID 972 wrote to memory of 720	972	01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe	01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe
PID 972 wrote to memory of 720	972	01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe	01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe
PID 972 wrote to memory of 720	972	01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe	01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:972

C:\Users\Admin\AppData\Local\Temp\01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe /C
2⤵
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\01264f378629ee108736d8d641dddfbf_JaffaCakes118.exe"
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4920

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1832

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/720-6-0x0000000000400000-0x000000000082C000-memory.dmp

Filesize
4.2MB

Download
memory/720-7-0x0000000000400000-0x000000000082C000-memory.dmp

Filesize
4.2MB

Download
memory/972-1-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/972-0-0x00000000009D0000-0x0000000000A4C000-memory.dmp

Filesize
496KB

Download
memory/972-2-0x0000000000400000-0x000000000082C000-memory.dmp

Filesize
4.2MB

Download
memory/972-4-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/972-8-0x0000000000400000-0x000000000082C000-memory.dmp

Filesize
4.2MB

Download
memory/972-9-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads