qakbot | 53a364103209fe91a9ae7ec56bc31906eb1c2e68902d6317bebdf8f183e0ac25

General

Target

861d09740e77deb97a5711179346a36f_JaffaCakes118.dll
Size

378KB
MD5

861d09740e77deb97a5711179346a36f
SHA1

3edb804ad464b649fe21e5da1f44ba7d9f2ecbb5
SHA256

53a364103209fe91a9ae7ec56bc31906eb1c2e68902d6317bebdf8f183e0ac25
SHA512

8f55ca87bbcecc77ad02f1610fdd2c36feeed2f2dfd1a25c2dee1db03d3a0fe92052c8255e18fc9fd52a9eff2363ec8510a369b87864b36ec439087366e67e13
SSDEEP

3072:Do6vBnby4Yx0XjFFzPQ0MslzERfQB24hLxBVi/b/9+PdpiWC35ol/uwfTuT2b2MT:vs6Xpq0H3Jhds/9+qC/zfTPLt

Score

10^/10

qakbot obama104 1632729661 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

obama104

Campaign

1632729661

C2

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Umuwfyqcuvp = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Avyjz = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2284 regsvr32.exe

pid	process
2284	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

explorer.exerundll32.exeexplorer.exeschtasks.exeregsvr32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Eleiazwei\57352aca = c4317c26be5abff528c19632306a365439526bf49a7549f6485389047b8cb021503b217cfa7071088e8107f20de17d7d14705a857f529887e0fc873d4355cec1e4be2030f62cc19b790502b23ea6faca1e9765da93	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Eleiazwei\2a3d6540 = ebbf25f0d68c56bd5dfbb601cd85b58d175e449b3c316d98c7b5bb1559f4d908f24d046055ddf9590e159bf7e5b60ba7c71425a6b1b503318fe95ebc809ca1bcb2db9421a6e4bdd7b091f281b5d9eef467	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Eleiazwei\92810225 = fd572a1307eeb3fa585ff388d306110eacb13f20e510436e9faf13edb2573aeaf13375d71a6c673f7100628d314213f67b72ff15314594a7dbcefe88a54b34b61b01c22b9cc938640e67d9df546ec4aac8b2cc834de855b2e20d0d27b5ec341c2d8c52bb47590cc195ada461	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Eleiazwei\a71ed26b = ba51f768c7938b24e521b0441f0d6ad30d246b065b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Eleiazwei\d857bd9d = 881a56c2b4361be4251b2503a3a29a3590b7dad64f910448d7c015c2fa4dfef9a0c3bb616441ae4e737cd86a005d9316deda66098938c8d942cc8775069b4e4b9dec7c88e57a8c8769e8993c4c7c89bdba865651e20f5a836d7d3e950b83aa59d013d3deaaf50a960b293ee92a72c019d44136bc90fbe786433f914c	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Eleiazwei	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Eleiazwei\d857bd9d = 881a41c2b4362ecf4609b16142f36d0d083bdae1c882339e26a3c895983bd36b539b1ec3359c639b3adebfe82d5f98ac1c3755af15b3cdec2cc53006059750414be4ee0e939e667a970eaf5155aa9b71d54ef52dbdafdae1e020fba519876aa3467be6f1e4d6e5	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Eleiazwei\edc86dd3 = cf15222b908f74dc55d9d394bbf0bd458a825e55c247deaa89cfebe083655b743e873c470e416e655d7a338196ef8ad99a122fa7a2d72e4ef9a3ba5ba9314c87f0ec30a0e487564177a10fa407711bc4a56621e5dd08ddf7372c30f753f80afa449a7b95926117f1888699b540fde3a0391dd8021578c293796961dd68cf5d0aa4fdb9ee69e0ca152ce8c9f08a94c8667def63eee2f55b9d03e9eb1cd9728a9e41	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Eleiazwei\ef894daf = a8102a8d1fbc5889980e2296ff503a93ae0bf61a2991e91a13dc6d70476eba4630ce077ec22d050e2db6a3648eee6b9f759712f77aa81f0fe64ab443b196a0b8d4e4a573ba9f1ebe0d03cb580eb0cde0c882bf4a8c430cdb63effcffae559894f50e88a0ef0ff7d72ad125d2	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Eleiazwei\55740ab6 = e7e672444fabf05af45c7f5d3bfecc010d6a9e72b8dc090b94ae3aafc568a47866d98fca8c8dc8e8a5ccc5bc4f71dcf97cde1100127f8fd7370fae6e4d9f218755c6284215c79208480767336166f1efc3b90e36a043ffc1467d9027011b81715e8a600ac3fdf03a87ad	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2264 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2980 rundll32.exe
2284 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2980 rundll32.exe
2284 regsvr32.exe

pid	process
2264	schtasks.exe

pid	process
2980	rundll32.exe
2284	regsvr32.exe

pid	process
2980	rundll32.exe
2284	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 2332 wrote to memory of 2980	2332	rundll32.exe	rundll32.exe
PID 2332 wrote to memory of 2980	2332	rundll32.exe	rundll32.exe
PID 2332 wrote to memory of 2980	2332	rundll32.exe	rundll32.exe
PID 2332 wrote to memory of 2980	2332	rundll32.exe	rundll32.exe
PID 2332 wrote to memory of 2980	2332	rundll32.exe	rundll32.exe
PID 2332 wrote to memory of 2980	2332	rundll32.exe	rundll32.exe
PID 2332 wrote to memory of 2980	2332	rundll32.exe	rundll32.exe
PID 2980 wrote to memory of 2340	2980	rundll32.exe	explorer.exe
PID 2980 wrote to memory of 2340	2980	rundll32.exe	explorer.exe
PID 2980 wrote to memory of 2340	2980	rundll32.exe	explorer.exe
PID 2980 wrote to memory of 2340	2980	rundll32.exe	explorer.exe
PID 2980 wrote to memory of 2340	2980	rundll32.exe	explorer.exe
PID 2980 wrote to memory of 2340	2980	rundll32.exe	explorer.exe
PID 2340 wrote to memory of 2264	2340	explorer.exe	schtasks.exe
PID 2340 wrote to memory of 2264	2340	explorer.exe	schtasks.exe
PID 2340 wrote to memory of 2264	2340	explorer.exe	schtasks.exe
PID 2340 wrote to memory of 2264	2340	explorer.exe	schtasks.exe
PID 1204 wrote to memory of 548	1204	taskeng.exe	regsvr32.exe
PID 1204 wrote to memory of 548	1204	taskeng.exe	regsvr32.exe
PID 1204 wrote to memory of 548	1204	taskeng.exe	regsvr32.exe
PID 1204 wrote to memory of 548	1204	taskeng.exe	regsvr32.exe
PID 1204 wrote to memory of 548	1204	taskeng.exe	regsvr32.exe
PID 548 wrote to memory of 2284	548	regsvr32.exe	regsvr32.exe
PID 548 wrote to memory of 2284	548	regsvr32.exe	regsvr32.exe
PID 548 wrote to memory of 2284	548	regsvr32.exe	regsvr32.exe
PID 548 wrote to memory of 2284	548	regsvr32.exe	regsvr32.exe
PID 548 wrote to memory of 2284	548	regsvr32.exe	regsvr32.exe
PID 548 wrote to memory of 2284	548	regsvr32.exe	regsvr32.exe
PID 548 wrote to memory of 2284	548	regsvr32.exe	regsvr32.exe
PID 2284 wrote to memory of 1064	2284	regsvr32.exe	explorer.exe
PID 2284 wrote to memory of 1064	2284	regsvr32.exe	explorer.exe
PID 2284 wrote to memory of 1064	2284	regsvr32.exe	explorer.exe
PID 2284 wrote to memory of 1064	2284	regsvr32.exe	explorer.exe
PID 2284 wrote to memory of 1064	2284	regsvr32.exe	explorer.exe
PID 2284 wrote to memory of 1064	2284	regsvr32.exe	explorer.exe
PID 1064 wrote to memory of 1672	1064	explorer.exe	reg.exe
PID 1064 wrote to memory of 1672	1064	explorer.exe	reg.exe
PID 1064 wrote to memory of 1672	1064	explorer.exe	reg.exe
PID 1064 wrote to memory of 1672	1064	explorer.exe	reg.exe
PID 1064 wrote to memory of 1604	1064	explorer.exe	reg.exe
PID 1064 wrote to memory of 1604	1064	explorer.exe	reg.exe
PID 1064 wrote to memory of 1604	1064	explorer.exe	reg.exe
PID 1064 wrote to memory of 1604	1064	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\861d09740e77deb97a5711179346a36f_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\861d09740e77deb97a5711179346a36f_JaffaCakes118.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn xleqjkkjxz /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\861d09740e77deb97a5711179346a36f_JaffaCakes118.dll\"" /SC ONCE /Z /ST 12:51 /ET 13:03
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2264

C:\Windows\system32\taskeng.exe
taskeng.exe {E8379AA1-A3C6-44C9-8E0E-E01CC960BDD7} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\861d09740e77deb97a5711179346a36f_JaffaCakes118.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\861d09740e77deb97a5711179346a36f_JaffaCakes118.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:1064
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Umuwfyqcuvp" /d "0"
        5⤵
        Windows security bypass
        
        PID:1672
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Avyjz" /d "0"
        5⤵
        Windows security bypass
        
        PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\861d09740e77deb97a5711179346a36f_JaffaCakes118.dll

Filesize
378KB

MD5
861d09740e77deb97a5711179346a36f

SHA1
3edb804ad464b649fe21e5da1f44ba7d9f2ecbb5

SHA256
53a364103209fe91a9ae7ec56bc31906eb1c2e68902d6317bebdf8f183e0ac25

SHA512
8f55ca87bbcecc77ad02f1610fdd2c36feeed2f2dfd1a25c2dee1db03d3a0fe92052c8255e18fc9fd52a9eff2363ec8510a369b87864b36ec439087366e67e13

Download Submit
memory/1064-21-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1064-22-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1064-20-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2284-18-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2340-12-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2340-10-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2340-9-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2340-8-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2340-4-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2340-2-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/2980-0-0x00000000001A0000-0x00000000001E2000-memory.dmp

Filesize
264KB

Download
memory/2980-5-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/2980-3-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2980-1-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads