qakbot | b431e56b69304dc1ad42e480222410ebf179c27ec2cc518ea113b7cbec9b7eb6

General

Target

9952f96c49160b9f0c578a8287e71849_JaffaCakes118.dll
Size

378KB
MD5

9952f96c49160b9f0c578a8287e71849
SHA1

de1b258d568aad3cc0339298c69f8fa8d4799a64
SHA256

b431e56b69304dc1ad42e480222410ebf179c27ec2cc518ea113b7cbec9b7eb6
SHA512

66cb7ab469a0bee9f135177d19a39dd5e3a858244ba5da7e806d5a5128de100e07c503e38221d8d5cf3534beb799b6c4107c145745ac6f9af4c88de6bab5ad55
SSDEEP

3072:Do6vBnby4Yx0XjFFzPQ0MslzERfQB24hLxBVi/b/9+PdpiWC35ol/uwfTuT2b2MD:vs6Xpq0H3Jhds/9+qC/zfTPLg6

Score

10^/10

qakbot obama104 1632729661 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

obama104

Campaign

1632729661

C2

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Yrrijrea = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Isymevyti = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1892 regsvr32.exe

pid	process
1892	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

explorer.exerundll32.exeexplorer.exeschtasks.exeregsvr32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ygyktmjhigicup\af95e6b3 = 93ca8b93f291d7adc1c0482d12a1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ygyktmjhigicup\6a21ce5c = 2c6122260fd6af592ebe3a08301b0d1cffdcc989450e33ec91fb56247f0ff1d541d2d7485e9eb272928594a6f2d19cef76cc9a290a3189e7dc7d34da5d14d2c0d91adc2bd8df19f89212deb1be360d6563f9c5d1c5a55c8e370d58b220abe83e87b59842	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ygyktmjhigicup\e7027977 = ec66c10c85941a2d645b0efd9dd74ecbb4560ec5339ae8496c11224945462dae11c0efcbfacdea3364d93b18bc94f81cb799fd1d06d6533146a3	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ygyktmjhigicup	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ygyktmjhigicup\add4c6cf = 75a56d5d387199ece15e4b875b7e3a398217564ea49b3f8461c2739fcbe22901ef8f394f6776f6ba0fe5448482168f03b902fbc3d4d3fb8070a288bd1f8fc49307e5d4fd3935fd20361a5fc852aa3a7557fc9b23d5686653435f3cbe93f9496b403cf1e69fa35de4e4f0a59c4d6abe274d19727c61760969290fdabbb0220e041f6a522019e94339a720	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ygyktmjhigicup\d29da939 = 6dcb66f05d87d0d8d3496a7dd07877fa4e578409a8298f9a9573cfbd4076e9c67f5ac8ce	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ygyktmjhigicup\1568a1aa = fb275754348887624acf7d8d1556990f924d99a79085493d0fb66e4eadc6f2ed7defbafd86d9fb6a5eb0369e2aa8104fd4ee2846f373164defe625385657f95b4e5189b79a0a8ad84b406eebf7864f11ee94bbaa263b67b8	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ygyktmjhigicup\984b1681 = 46e5c8e71e4a422fb2dc72f0216217bea9d307b10692e75e52a5d1d78acbe4b80793f395d72bd11edfc79d653b7166	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ygyktmjhigicup\984b1681 = 46e5dfe71e4a7745a3a4765003916eb7debe77cd97a2afb63c27	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ygyktmjhigicup\172981d6 = d03631c87efe49ffc5345341d441d0b16245cc6e	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2188 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2080 rundll32.exe
1892 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2080 rundll32.exe
1892 regsvr32.exe

pid	process
2188	schtasks.exe

pid	process
2080	rundll32.exe
1892	regsvr32.exe

pid	process
2080	rundll32.exe
1892	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1820 wrote to memory of 2080	1820	rundll32.exe	rundll32.exe
PID 1820 wrote to memory of 2080	1820	rundll32.exe	rundll32.exe
PID 1820 wrote to memory of 2080	1820	rundll32.exe	rundll32.exe
PID 1820 wrote to memory of 2080	1820	rundll32.exe	rundll32.exe
PID 1820 wrote to memory of 2080	1820	rundll32.exe	rundll32.exe
PID 1820 wrote to memory of 2080	1820	rundll32.exe	rundll32.exe
PID 1820 wrote to memory of 2080	1820	rundll32.exe	rundll32.exe
PID 2080 wrote to memory of 2072	2080	rundll32.exe	explorer.exe
PID 2080 wrote to memory of 2072	2080	rundll32.exe	explorer.exe
PID 2080 wrote to memory of 2072	2080	rundll32.exe	explorer.exe
PID 2080 wrote to memory of 2072	2080	rundll32.exe	explorer.exe
PID 2080 wrote to memory of 2072	2080	rundll32.exe	explorer.exe
PID 2080 wrote to memory of 2072	2080	rundll32.exe	explorer.exe
PID 2072 wrote to memory of 2188	2072	explorer.exe	schtasks.exe
PID 2072 wrote to memory of 2188	2072	explorer.exe	schtasks.exe
PID 2072 wrote to memory of 2188	2072	explorer.exe	schtasks.exe
PID 2072 wrote to memory of 2188	2072	explorer.exe	schtasks.exe
PID 2420 wrote to memory of 2912	2420	taskeng.exe	regsvr32.exe
PID 2420 wrote to memory of 2912	2420	taskeng.exe	regsvr32.exe
PID 2420 wrote to memory of 2912	2420	taskeng.exe	regsvr32.exe
PID 2420 wrote to memory of 2912	2420	taskeng.exe	regsvr32.exe
PID 2420 wrote to memory of 2912	2420	taskeng.exe	regsvr32.exe
PID 2912 wrote to memory of 1892	2912	regsvr32.exe	regsvr32.exe
PID 2912 wrote to memory of 1892	2912	regsvr32.exe	regsvr32.exe
PID 2912 wrote to memory of 1892	2912	regsvr32.exe	regsvr32.exe
PID 2912 wrote to memory of 1892	2912	regsvr32.exe	regsvr32.exe
PID 2912 wrote to memory of 1892	2912	regsvr32.exe	regsvr32.exe
PID 2912 wrote to memory of 1892	2912	regsvr32.exe	regsvr32.exe
PID 2912 wrote to memory of 1892	2912	regsvr32.exe	regsvr32.exe
PID 1892 wrote to memory of 2456	1892	regsvr32.exe	explorer.exe
PID 1892 wrote to memory of 2456	1892	regsvr32.exe	explorer.exe
PID 1892 wrote to memory of 2456	1892	regsvr32.exe	explorer.exe
PID 1892 wrote to memory of 2456	1892	regsvr32.exe	explorer.exe
PID 1892 wrote to memory of 2456	1892	regsvr32.exe	explorer.exe
PID 1892 wrote to memory of 2456	1892	regsvr32.exe	explorer.exe
PID 2456 wrote to memory of 2400	2456	explorer.exe	reg.exe
PID 2456 wrote to memory of 2400	2456	explorer.exe	reg.exe
PID 2456 wrote to memory of 2400	2456	explorer.exe	reg.exe
PID 2456 wrote to memory of 2400	2456	explorer.exe	reg.exe
PID 2456 wrote to memory of 2392	2456	explorer.exe	reg.exe
PID 2456 wrote to memory of 2392	2456	explorer.exe	reg.exe
PID 2456 wrote to memory of 2392	2456	explorer.exe	reg.exe
PID 2456 wrote to memory of 2392	2456	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9952f96c49160b9f0c578a8287e71849_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\9952f96c49160b9f0c578a8287e71849_JaffaCakes118.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn acckpngq /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\9952f96c49160b9f0c578a8287e71849_JaffaCakes118.dll\"" /SC ONCE /Z /ST 07:06 /ET 07:18
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2188

C:\Windows\system32\taskeng.exe
taskeng.exe {BE56192A-6C4A-454E-96FD-84197557ADBA} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\9952f96c49160b9f0c578a8287e71849_JaffaCakes118.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\9952f96c49160b9f0c578a8287e71849_JaffaCakes118.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:2456
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Yrrijrea" /d "0"
        5⤵
        Windows security bypass
        
        PID:2400
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Isymevyti" /d "0"
        5⤵
        Windows security bypass
        
        PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9952f96c49160b9f0c578a8287e71849_JaffaCakes118.dll

Filesize
378KB

MD5
9952f96c49160b9f0c578a8287e71849

SHA1
de1b258d568aad3cc0339298c69f8fa8d4799a64

SHA256
b431e56b69304dc1ad42e480222410ebf179c27ec2cc518ea113b7cbec9b7eb6

SHA512
66cb7ab469a0bee9f135177d19a39dd5e3a858244ba5da7e806d5a5128de100e07c503e38221d8d5cf3534beb799b6c4107c145745ac6f9af4c88de6bab5ad55

Download Submit
memory/1892-20-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2072-11-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2072-12-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2072-2-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/2072-7-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2072-14-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2072-10-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2080-6-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/2080-0-0x0000000000160000-0x00000000001A2000-memory.dmp

Filesize
264KB

Download
memory/2080-4-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2080-5-0x0000000000160000-0x00000000001A2000-memory.dmp

Filesize
264KB

Download
memory/2080-1-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/2456-22-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2456-24-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2456-23-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads