Overview

overview

10

Static

static

1

03b2d792db...18.exe

windows7-x64

10

03b2d792db...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    03b2d792db2e980074541cdab987796f_JaffaCakes118

  • Size

    4.2MB

  • Sample

    240728-avh3xsxcnk

  • MD5

    03b2d792db2e980074541cdab987796f

  • SHA1

    b6c5f8a7a519c17bf346795de0da3d7839e45dd7

  • SHA256

    cc520b6370f031e04970b527d7fcb85692e6882e2548787cb39281c0dc7cee47

  • SHA512

    1a3b994ab234d9270b2f13b412acaffda2d6e1c342c4d0f571135a62f76f4337f27111c0f4748ce32640ffdd03f30d7d46bab6f46b4dbcf4baedcef196fcbeec

  • SSDEEP

    6144:sGuALcHSh5D4hwxzOmHeYnQ4TXYJchTwAG5v1kPZudyAaXE+wnuo+PpN:fu4hxOmHeYnQ4TXdwMyyAaF

Score
10/10
qakbotnotset1596817234bankerdiscoverystealertrojan

Malware Config

Extracted

Family

qakbot

Version

325.42

Botnet

notset

Campaign

1596817234

Credentials

  • Protocol:     ftp
  • Host:
    192.185.5.208
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    NxdkxAp4dUsY

  • Protocol:     ftp
  • Host:
    162.241.218.118
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    EcOV0DyGVgVN

  • Protocol:     ftp
  • Host:
    69.89.31.139
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    fcR7OvyLrMW6!

  • Protocol:     ftp
  • Host:
    169.207.67.14
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    eQyicNLzzqPN
C2

47.44.217.98:443

86.97.146.204:2222

65.60.228.130:443

216.201.162.158:443

94.59.24.79:995

108.46.145.30:443

24.139.132.70:443

47.206.174.82:443

188.52.106.206:20

72.204.242.138:6881

173.173.72.199:443

71.163.224.206:443

63.155.9.141:995

100.34.195.237:443

47.39.177.171:2222

96.20.108.17:2222

115.21.224.117:443

70.164.39.91:443

45.47.65.191:443

207.155.107.111:443

Targets

    • Target

      03b2d792db2e980074541cdab987796f_JaffaCakes118

    • Size

      4.2MB

    • MD5

      03b2d792db2e980074541cdab987796f

    • SHA1

      b6c5f8a7a519c17bf346795de0da3d7839e45dd7

    • SHA256

      cc520b6370f031e04970b527d7fcb85692e6882e2548787cb39281c0dc7cee47

    • SHA512

      1a3b994ab234d9270b2f13b412acaffda2d6e1c342c4d0f571135a62f76f4337f27111c0f4748ce32640ffdd03f30d7d46bab6f46b4dbcf4baedcef196fcbeec

    • SSDEEP

      6144:sGuALcHSh5D4hwxzOmHeYnQ4TXYJchTwAG5v1kPZudyAaXE+wnuo+PpN:fu4hxOmHeYnQ4TXdwMyyAaF

    Score
    10/10
    qakbotnotset1596817234bankerdiscoverystealertrojan

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

      trojanbankerstealerqakbot

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Peripheral Device Discovery

1
T1120

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks