qakbot | 9237e5cae5f698d5ad9f6c61af8bd866e599abb05f5bc49474d98e269a29a588

General

Target

94f6bcd1c6b35a1c5d55dd2dbe7211da_JaffaCakes118.dll
Size

1.3MB
MD5

94f6bcd1c6b35a1c5d55dd2dbe7211da
SHA1

4d6359c3e61f8d54863d183d38ddc548c2a8702b
SHA256

9237e5cae5f698d5ad9f6c61af8bd866e599abb05f5bc49474d98e269a29a588
SHA512

832cfab9ee1f813f2a9a2fa3afae32646a00c10c71930cd034efa2c07d588facb9d782deba930376a499f2e76f1177a4d3a39bd2ca8bbdc37586e092c72ef8b0
SSDEEP

24576:Mm4KIe7WgCBxOQyvlHxhXjqpdwWow1Rht956wCLVAWRCySnAZWX:14GQ9yvlHCdwSZT56wCL1bSn3

Score

10^/10

qakbot banker discovery evasion stealer themida trojan

Malware Config

Extracted

Family

qakbot

Attributes

salt
��G�6�P�<��U]��c)��z

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

regsvr32.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ regsvr32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	regsvr32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

regsvr32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	regsvr32.exe

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1704-0-0x0000000010000000-0x0000000010429000-memory.dmp	themida
behavioral1/memory/1704-2-0x0000000010000000-0x0000000010429000-memory.dmp	themida
behavioral1/memory/1704-3-0x0000000010000000-0x0000000010429000-memory.dmp	themida
behavioral1/memory/2576-5-0x00000000001C0000-0x00000000005E9000-memory.dmp	themida
behavioral1/memory/1704-6-0x0000000010000000-0x0000000010429000-memory.dmp	themida
behavioral1/memory/1704-9-0x0000000010000000-0x0000000010429000-memory.dmp	themida
behavioral1/memory/1320-14-0x0000000000250000-0x0000000000679000-memory.dmp	themida
behavioral1/memory/1704-13-0x0000000010000000-0x0000000010429000-memory.dmp	themida
behavioral1/memory/1704-22-0x0000000010000000-0x0000000010429000-memory.dmp	themida

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

regsvr32.exe

pid process

1704 regsvr32.exe
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2640 2576 WerFault.exe explorer.exe
2708 1320 WerFault.exe
2948 1724 WerFault.exe mobsync.exe

pid	process
1704	regsvr32.exe

pid	pid_target	process	target process
2640	2576	WerFault.exe	explorer.exe
2708	1320	WerFault.exe
2948	1724	WerFault.exe	mobsync.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

regsvr32.exeexplorer.exeexplorer.exemobsync.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mobsync.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1704 regsvr32.exe
1704 regsvr32.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

regsvr32.exe

pid process

1704 regsvr32.exe
1704 regsvr32.exe
1704 regsvr32.exe

pid	process
1704	regsvr32.exe
1704	regsvr32.exe

pid	process
1704	regsvr32.exe
1704	regsvr32.exe
1704	regsvr32.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exeexplorer.exemobsync.exe

description	pid	process	target process
PID 3032 wrote to memory of 1704	3032	regsvr32.exe	regsvr32.exe
PID 3032 wrote to memory of 1704	3032	regsvr32.exe	regsvr32.exe
PID 3032 wrote to memory of 1704	3032	regsvr32.exe	regsvr32.exe
PID 3032 wrote to memory of 1704	3032	regsvr32.exe	regsvr32.exe
PID 3032 wrote to memory of 1704	3032	regsvr32.exe	regsvr32.exe
PID 3032 wrote to memory of 1704	3032	regsvr32.exe	regsvr32.exe
PID 3032 wrote to memory of 1704	3032	regsvr32.exe	regsvr32.exe
PID 1704 wrote to memory of 2576	1704	regsvr32.exe	explorer.exe
PID 1704 wrote to memory of 2576	1704	regsvr32.exe	explorer.exe
PID 1704 wrote to memory of 2576	1704	regsvr32.exe	explorer.exe
PID 1704 wrote to memory of 2576	1704	regsvr32.exe	explorer.exe
PID 1704 wrote to memory of 2576	1704	regsvr32.exe	explorer.exe
PID 1704 wrote to memory of 2576	1704	regsvr32.exe	explorer.exe
PID 2576 wrote to memory of 2640	2576	explorer.exe	WerFault.exe
PID 2576 wrote to memory of 2640	2576	explorer.exe	WerFault.exe
PID 2576 wrote to memory of 2640	2576	explorer.exe	WerFault.exe
PID 2576 wrote to memory of 2640	2576	explorer.exe	WerFault.exe
PID 1704 wrote to memory of 1320	1704	regsvr32.exe	explorer.exe
PID 1704 wrote to memory of 1320	1704	regsvr32.exe	explorer.exe
PID 1704 wrote to memory of 1320	1704	regsvr32.exe	explorer.exe
PID 1704 wrote to memory of 1320	1704	regsvr32.exe	explorer.exe
PID 1704 wrote to memory of 1320	1704	regsvr32.exe	explorer.exe
PID 1704 wrote to memory of 1320	1704	regsvr32.exe	explorer.exe
PID 1320 wrote to memory of 2708	1320	explorer.exe	WerFault.exe
PID 1320 wrote to memory of 2708	1320	explorer.exe	WerFault.exe
PID 1320 wrote to memory of 2708	1320	explorer.exe	WerFault.exe
PID 1320 wrote to memory of 2708	1320	explorer.exe	WerFault.exe
PID 1704 wrote to memory of 1724	1704	regsvr32.exe	mobsync.exe
PID 1704 wrote to memory of 1724	1704	regsvr32.exe	mobsync.exe
PID 1704 wrote to memory of 1724	1704	regsvr32.exe	mobsync.exe
PID 1704 wrote to memory of 1724	1704	regsvr32.exe	mobsync.exe
PID 1704 wrote to memory of 1724	1704	regsvr32.exe	mobsync.exe
PID 1704 wrote to memory of 1724	1704	regsvr32.exe	mobsync.exe
PID 1724 wrote to memory of 2948	1724	mobsync.exe	WerFault.exe
PID 1724 wrote to memory of 2948	1724	mobsync.exe	WerFault.exe
PID 1724 wrote to memory of 2948	1724	mobsync.exe	WerFault.exe
PID 1724 wrote to memory of 2948	1724	mobsync.exe	WerFault.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\94f6bcd1c6b35a1c5d55dd2dbe7211da_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\94f6bcd1c6b35a1c5d55dd2dbe7211da_JaffaCakes118.dll
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 224
      4⤵
      Program crash
      PID:2640
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 224
      4⤵
      Program crash
      PID:2708
- - C:\Windows\SysWOW64\mobsync.exe
    C:\Windows\SysWOW64\mobsync.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 152
      4⤵
      Program crash
      PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1320-14-0x0000000000250000-0x0000000000679000-memory.dmp

Filesize
4.2MB

Download
memory/1704-0-0x0000000010000000-0x0000000010429000-memory.dmp

Filesize
4.2MB

Download
memory/1704-1-0x0000000077BA0000-0x0000000077BA2000-memory.dmp

Filesize
8KB

Download
memory/1704-2-0x0000000010000000-0x0000000010429000-memory.dmp

Filesize
4.2MB

Download
memory/1704-3-0x0000000010000000-0x0000000010429000-memory.dmp

Filesize
4.2MB

Download
memory/1704-6-0x0000000010000000-0x0000000010429000-memory.dmp

Filesize
4.2MB

Download
memory/1704-9-0x0000000010000000-0x0000000010429000-memory.dmp

Filesize
4.2MB

Download
memory/1704-13-0x0000000010000000-0x0000000010429000-memory.dmp

Filesize
4.2MB

Download
memory/1704-22-0x0000000010000000-0x0000000010429000-memory.dmp

Filesize
4.2MB

Download
memory/2576-4-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/2576-5-0x00000000001C0000-0x00000000005E9000-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads