qakbot | 5de6ad719a0cee44d2c20618fa76ee50cd80a9297695bb2a486555d5551ea678

General

Target

affdfcd92c28e6c6690f81f01219490f_JaffaCakes118.dll
Size

378KB
MD5

affdfcd92c28e6c6690f81f01219490f
SHA1

8f1541009d521e6fcc1b3de98976439331d02032
SHA256

5de6ad719a0cee44d2c20618fa76ee50cd80a9297695bb2a486555d5551ea678
SHA512

9c470655af66ab63b2a2c1c8689e071f5e4d05a151cbaafadd9cb8e1fc7ddebdd8b71589b64e00374bf95dccab990c90eda3e6991f4b4454854833c41563d835
SSDEEP

3072:Do6vBnby4Yx0XjFFzPQ0MslzERfQB24hLxBVi/b/9+PdpiWC35ol/uwfTuT2b2MB:vs6Xpq0H3Jhds/9+qC/zfTPLH

Score

10^/10

qakbot obama104 1632729661 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

obama104

Campaign

1632729661

C2

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Katqaufjby = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Qxnzf = "0"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
2028	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Aartlzscg\a7df6f67 = c8bca315212b995522336dbdff9362c80723e2ea6ae5fd6b2cc0ae6032746a300c18776ce4e7249b89a00be79756ec0b5ba325881aec93	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Aartlzscg\9240bf29 = 183aaf7b993c80f813a0dc3e5dcf8527e0f580b0ddb65d1de2407c5ffaf267b9f54f33f4c6b79765a564b639	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Aartlzscg\ed09d0df = 7a122c1816dc0235debcb9832cfd53e98e4f04ffeec3dddf9db339958ba780ffd38473be0f6e6edb348bd4fd7fe5e3832a41c282a72a015cd76e189bd97520eca71948eb19ccf5550d4d7837c2b9de6d98c73373fdf3aed15f0c7e02178c78a81441a2e01710065cfcf9817e8f61330802ed17e3	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Aartlzscg	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Aartlzscg\ed09d0df = 7a123b1816dc37f2648d74a1e86b13275d6ad76e7d8f953789ceb758b609e149509613cc89b8d11be525e2fd7baf0e067f4edc9e06d4b9b72ba1669cbbc47f62e02fa08d537aded692e19565ef4546f02ea9361d86f674587d251f40eb71ba	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Aartlzscg\dad720ed = 579bbb6a41953baeef209aa61e67c8f8fd42	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Aartlzscg\602a67f4 = 7237e0ed37454a680ae5342efff332d14cdf3b91fc731439d7978f27e384bb475ae32c4d9ed19ecacbbe8618b7670a3b74ba10e0590a636ab445d062972a50076aa6848aa04af79c9a61	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Aartlzscg\d8960091 = b4a1cf9f75c38470ec62ce65cbc1f255e2705810a31a779dde4805959c54e191e1b83f9f1523d729c28763d34d6758f006f21a7ca3ee272859b409100fa30de9e29e54b8de0e95816013fbaff0f536d0cabf7b432649f8a8536126c6a7736f4354ad5c968526c655cf4c3ef098c3b8bb19ca6e280f9bc437	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Aartlzscg\626b4788 = 7699f26cd05ab13bf7ea58ab3df9fcc3c2bfd27c8e7bce191b122023afac5295487f16229ed963c6af444b069f6cbbd88cbb311113ca5a0c9d63	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Aartlzscg\1f630802 = 18a16ad16b253a4c4e7573a13b9e749ed966dff677	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1528	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4848	rundll32.exe
4848	rundll32.exe
2028	regsvr32.exe
2028	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4848	rundll32.exe
2028	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 4848	4388	rundll32.exe	86
PID 4388 wrote to memory of 4848	4388	rundll32.exe	86
PID 4388 wrote to memory of 4848	4388	rundll32.exe	86
PID 4848 wrote to memory of 1544	4848	rundll32.exe	90
PID 4848 wrote to memory of 1544	4848	rundll32.exe	90
PID 4848 wrote to memory of 1544	4848	rundll32.exe	90
PID 4848 wrote to memory of 1544	4848	rundll32.exe	90
PID 4848 wrote to memory of 1544	4848	rundll32.exe	90
PID 1544 wrote to memory of 1528	1544	explorer.exe	91
PID 1544 wrote to memory of 1528	1544	explorer.exe	91
PID 1544 wrote to memory of 1528	1544	explorer.exe	91
PID 4920 wrote to memory of 2028	4920	regsvr32.exe	111
PID 4920 wrote to memory of 2028	4920	regsvr32.exe	111
PID 4920 wrote to memory of 2028	4920	regsvr32.exe	111
PID 2028 wrote to memory of 5012	2028	regsvr32.exe	112
PID 2028 wrote to memory of 5012	2028	regsvr32.exe	112
PID 2028 wrote to memory of 5012	2028	regsvr32.exe	112
PID 2028 wrote to memory of 5012	2028	regsvr32.exe	112
PID 2028 wrote to memory of 5012	2028	regsvr32.exe	112
PID 5012 wrote to memory of 4828	5012	explorer.exe	113
PID 5012 wrote to memory of 4828	5012	explorer.exe	113
PID 5012 wrote to memory of 4108	5012	explorer.exe	115
PID 5012 wrote to memory of 4108	5012	explorer.exe	115

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\affdfcd92c28e6c6690f81f01219490f_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\affdfcd92c28e6c6690f81f01219490f_JaffaCakes118.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn wrduiport /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\affdfcd92c28e6c6690f81f01219490f_JaffaCakes118.dll\"" /SC ONCE /Z /ST 16:38 /ET 16:50
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1528

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\affdfcd92c28e6c6690f81f01219490f_JaffaCakes118.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Windows\SysWOW64\regsvr32.exe
  -s "C:\Users\Admin\AppData\Local\Temp\affdfcd92c28e6c6690f81f01219490f_JaffaCakes118.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Katqaufjby" /d "0"
      4⤵
      Windows security bypass
      PID:4828
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Qxnzf" /d "0"
      4⤵
      Windows security bypass
      PID:4108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\affdfcd92c28e6c6690f81f01219490f_JaffaCakes118.dll

Filesize
378KB

MD5
affdfcd92c28e6c6690f81f01219490f

SHA1
8f1541009d521e6fcc1b3de98976439331d02032

SHA256
5de6ad719a0cee44d2c20618fa76ee50cd80a9297695bb2a486555d5551ea678

SHA512
9c470655af66ab63b2a2c1c8689e071f5e4d05a151cbaafadd9cb8e1fc7ddebdd8b71589b64e00374bf95dccab990c90eda3e6991f4b4454854833c41563d835

Download Submit
memory/1544-10-0x0000000000690000-0x00000000006B1000-memory.dmp

Filesize
132KB

Download
memory/1544-2-0x0000000000690000-0x00000000006B1000-memory.dmp

Filesize
132KB

Download
memory/1544-12-0x0000000000690000-0x00000000006B1000-memory.dmp

Filesize
132KB

Download
memory/1544-9-0x0000000000690000-0x00000000006B1000-memory.dmp

Filesize
132KB

Download
memory/1544-8-0x0000000000690000-0x00000000006B1000-memory.dmp

Filesize
132KB

Download
memory/2028-17-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/4848-4-0x0000000000830000-0x0000000000872000-memory.dmp

Filesize
264KB

Download
memory/4848-5-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/4848-3-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/4848-1-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/4848-0-0x0000000000830000-0x0000000000872000-memory.dmp

Filesize
264KB

Download
memory/5012-19-0x0000000000480000-0x00000000004A1000-memory.dmp

Filesize
132KB

Download
memory/5012-20-0x0000000000480000-0x00000000004A1000-memory.dmp

Filesize
132KB

Download
memory/5012-21-0x0000000000480000-0x00000000004A1000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads