qakbot | b431e56b69304dc1ad42e480222410ebf179c27ec2cc518ea113b7cbec9b7eb6

General

Target

9952f96c49160b9f0c578a8287e71849_JaffaCakes118.dll
Size

378KB
MD5

9952f96c49160b9f0c578a8287e71849
SHA1

de1b258d568aad3cc0339298c69f8fa8d4799a64
SHA256

b431e56b69304dc1ad42e480222410ebf179c27ec2cc518ea113b7cbec9b7eb6
SHA512

66cb7ab469a0bee9f135177d19a39dd5e3a858244ba5da7e806d5a5128de100e07c503e38221d8d5cf3534beb799b6c4107c145745ac6f9af4c88de6bab5ad55
SSDEEP

3072:Do6vBnby4Yx0XjFFzPQ0MslzERfQB24hLxBVi/b/9+PdpiWC35ol/uwfTuT2b2MD:vs6Xpq0H3Jhds/9+qC/zfTPLg6

Score

10^/10

qakbot obama104 1632729661 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

obama104

Campaign

1632729661

C2

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Mmzxzrzlmghg = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Uyebeu = "0"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
5064	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Guujebpe\29814817 = 045bd31767a0d876c0cdefb3123231f9ec9be5400279a901963b32	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Guujebpe\dbeb90ca = 21b1138ffcf82787e2608497b4d4e8f2034c8180295e1aba9e6fc0ebc0e9ae979f89f239	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Guujebpe\a4a2ff3c = abb40beea020ec1efc90db6af67deca4df60d2b77e607512749097a1bb141a9b51e780662efa46c15f3542b78b2b9334b664f03f089d9c4261130891	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Guujebpe	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Guujebpe\2bc0686b = 65705a361b307072ad9cf750b020e9e77562180623e5355375255f6843b2d07896fa441d747853b01f0de3e67a0812aa7ad72e5bdbf5061327465a9da3a13132d1b0ade97a7e14795ce19470da5adf730fdc684ff45ee55c43576f8b5a1b014f80c23b457e17064751a6f46b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Guujebpe\56c827e1 = 0140e8ed660b956133e3d0db3179a80c60add2b284d1bb12c52145b5db36b6d5290588fcd38c648793816ccc8c1d6c925b1a3206f6e83723077a6eda7451f35fe2ba271824a0b731b0d27061c89b3e42929d9f94f54ff5a8a6d79c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Guujebpe\ee744084 = f7843949aa73de5abde24130a0d5d463929da4c1094ca76c9bb9dae7a6b76f426c378b9173b9643dad2dd52652644d946f9be0431f23fc40edf8b4aa50ebde120babf917f14ad974e979545b01777c19d6373f691cecb14faf9849a8f9afba693bdc6280d915aa6421db	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Guujebpe\a4a2ff3c = abb41ceea020d947b5ee74d87e479fcf0c9858d0af54c78dbf0ddd9cd38adbf29b52053b4db39e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Guujebpe\913d2f72 = 9292a3594a795a174ccf8035cb5fdd241860d015abb34dd55ae1cb0d510ba9002ffd1dcd6c4ebba32981e918733bb13db429946a40254f75aa76be16f1b574d87f651b5ba25fab0a53ae4fa4b80069c4502056f6d26ba53f0138a886dd1b5537f340b4647e038bbb4600743336f64564a115373cf1ea49c523fc8eb6ecd49eb1cb420d55f11805b8fb2d935ba56dcc829d30a5b848476bfff2	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Guujebpe\937c0f0e = e2067893efbec9dc8aa1b6e5e30768d8c29ff5e3a021471647bca274a0e83e20cd10049a496453e21e8c7bc1e9c16e6280a325b35bc2fb61467064a9e510ddfc29fa588762fafba099363a	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
644	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1672	rundll32.exe
1672	rundll32.exe
5064	regsvr32.exe
5064	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1672	rundll32.exe
5064	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 1672	884	rundll32.exe	87
PID 884 wrote to memory of 1672	884	rundll32.exe	87
PID 884 wrote to memory of 1672	884	rundll32.exe	87
PID 1672 wrote to memory of 3816	1672	rundll32.exe	92
PID 1672 wrote to memory of 3816	1672	rundll32.exe	92
PID 1672 wrote to memory of 3816	1672	rundll32.exe	92
PID 1672 wrote to memory of 3816	1672	rundll32.exe	92
PID 1672 wrote to memory of 3816	1672	rundll32.exe	92
PID 3816 wrote to memory of 644	3816	explorer.exe	93
PID 3816 wrote to memory of 644	3816	explorer.exe	93
PID 3816 wrote to memory of 644	3816	explorer.exe	93
PID 4008 wrote to memory of 5064	4008	regsvr32.exe	108
PID 4008 wrote to memory of 5064	4008	regsvr32.exe	108
PID 4008 wrote to memory of 5064	4008	regsvr32.exe	108
PID 5064 wrote to memory of 1400	5064	regsvr32.exe	109
PID 5064 wrote to memory of 1400	5064	regsvr32.exe	109
PID 5064 wrote to memory of 1400	5064	regsvr32.exe	109
PID 5064 wrote to memory of 1400	5064	regsvr32.exe	109
PID 5064 wrote to memory of 1400	5064	regsvr32.exe	109
PID 1400 wrote to memory of 3872	1400	explorer.exe	110
PID 1400 wrote to memory of 3872	1400	explorer.exe	110
PID 1400 wrote to memory of 516	1400	explorer.exe	112
PID 1400 wrote to memory of 516	1400	explorer.exe	112

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9952f96c49160b9f0c578a8287e71849_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:884
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\9952f96c49160b9f0c578a8287e71849_JaffaCakes118.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3816
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn kjssrrofu /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\9952f96c49160b9f0c578a8287e71849_JaffaCakes118.dll\"" /SC ONCE /Z /ST 07:06 /ET 07:18
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:644

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\9952f96c49160b9f0c578a8287e71849_JaffaCakes118.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Windows\SysWOW64\regsvr32.exe
  -s "C:\Users\Admin\AppData\Local\Temp\9952f96c49160b9f0c578a8287e71849_JaffaCakes118.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:1400
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Mmzxzrzlmghg" /d "0"
      4⤵
      Windows security bypass
      PID:3872
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Uyebeu" /d "0"
      4⤵
      Windows security bypass
      PID:516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9952f96c49160b9f0c578a8287e71849_JaffaCakes118.dll

Filesize
378KB

MD5
9952f96c49160b9f0c578a8287e71849

SHA1
de1b258d568aad3cc0339298c69f8fa8d4799a64

SHA256
b431e56b69304dc1ad42e480222410ebf179c27ec2cc518ea113b7cbec9b7eb6

SHA512
66cb7ab469a0bee9f135177d19a39dd5e3a858244ba5da7e806d5a5128de100e07c503e38221d8d5cf3534beb799b6c4107c145745ac6f9af4c88de6bab5ad55

Download Submit
memory/1400-20-0x00000000014A0000-0x00000000014C1000-memory.dmp

Filesize
132KB

Download
memory/1400-21-0x00000000014A0000-0x00000000014C1000-memory.dmp

Filesize
132KB

Download
memory/1400-19-0x00000000014A0000-0x00000000014C1000-memory.dmp

Filesize
132KB

Download
memory/1672-1-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/1672-3-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/1672-4-0x00000000029A0000-0x00000000029E2000-memory.dmp

Filesize
264KB

Download
memory/1672-5-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/1672-0-0x00000000029A0000-0x00000000029E2000-memory.dmp

Filesize
264KB

Download
memory/3816-9-0x0000000000C90000-0x0000000000CB1000-memory.dmp

Filesize
132KB

Download
memory/3816-12-0x0000000000C90000-0x0000000000CB1000-memory.dmp

Filesize
132KB

Download
memory/3816-10-0x0000000000C90000-0x0000000000CB1000-memory.dmp

Filesize
132KB

Download
memory/3816-8-0x0000000000C90000-0x0000000000CB1000-memory.dmp

Filesize
132KB

Download
memory/3816-2-0x0000000000C90000-0x0000000000CB1000-memory.dmp

Filesize
132KB

Download
memory/5064-17-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads