General

  • Target

    c1e068c1358f86d876a5918f918b688c_JaffaCakes118

  • Size

    4.6MB

  • Sample

    240826-afn1mavejr

  • MD5

    c1e068c1358f86d876a5918f918b688c

  • SHA1

    6809f607280e9c3d1a74190ca45b56e1901d96d8

  • SHA256

    746d073ee8221b904fb02c678793cc9088ba4314176aa11420755b7eddfa4114

  • SHA512

    0f7ebfb4e52ae81f7a6fbecae3da3672615be4c6acd47b288bfbd3f51e9230e5b0d80e0dff35100d700a57e98b5e6566eabbc32923f66ca331c8af0bb1a06c38

  • SSDEEP

    98304:3gyuh4zGSptsKDcvWfMsosFmon8XOXcIBfYJq3Njk:3m4zGSp2K4WfMsoFo8eXcIBQJOa

Malware Config

Extracted

Family

qakbot

Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Extracted

Family

qakbot

Version

401.138

Botnet

tr

Campaign

1613385567

C2

78.63.226.32:443

197.51.82.72:443

193.248.221.184:2222

95.77.223.148:443

71.199.192.62:443

77.211.30.202:995

80.227.5.69:443

77.27.204.204:995

81.97.154.100:443

173.184.119.153:995

38.92.225.121:443

81.150.181.168:2222

90.65.236.181:2222

83.110.103.152:443

73.153.211.227:443

188.25.63.105:443

89.137.211.239:995

202.188.138.162:443

98.173.34.212:995

87.202.87.210:2222

Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Targets

    • Target

      c1e068c1358f86d876a5918f918b688c_JaffaCakes118

    • Size

      4.6MB

    • MD5

      c1e068c1358f86d876a5918f918b688c

    • SHA1

      6809f607280e9c3d1a74190ca45b56e1901d96d8

    • SHA256

      746d073ee8221b904fb02c678793cc9088ba4314176aa11420755b7eddfa4114

    • SHA512

      0f7ebfb4e52ae81f7a6fbecae3da3672615be4c6acd47b288bfbd3f51e9230e5b0d80e0dff35100d700a57e98b5e6566eabbc32923f66ca331c8af0bb1a06c38

    • SSDEEP

      98304:3gyuh4zGSptsKDcvWfMsosFmon8XOXcIBfYJq3Njk:3m4zGSp2K4WfMsoFo8eXcIBQJOa

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks