General
-
Target
c1e068c1358f86d876a5918f918b688c_JaffaCakes118
-
Size
4.6MB
-
Sample
240826-afn1mavejr
-
MD5
c1e068c1358f86d876a5918f918b688c
-
SHA1
6809f607280e9c3d1a74190ca45b56e1901d96d8
-
SHA256
746d073ee8221b904fb02c678793cc9088ba4314176aa11420755b7eddfa4114
-
SHA512
0f7ebfb4e52ae81f7a6fbecae3da3672615be4c6acd47b288bfbd3f51e9230e5b0d80e0dff35100d700a57e98b5e6566eabbc32923f66ca331c8af0bb1a06c38
-
SSDEEP
98304:3gyuh4zGSptsKDcvWfMsosFmon8XOXcIBfYJq3Njk:3m4zGSp2K4WfMsoFo8eXcIBQJOa
Behavioral task
behavioral1
Sample
c1e068c1358f86d876a5918f918b688c_JaffaCakes118.dll
Resource
win7-20240704-en
Malware Config
Extracted
qakbot
-
salt
jHxastDcds)oMc=jvh7wdUhxcsdt2
Extracted
qakbot
401.138
tr
1613385567
78.63.226.32:443
197.51.82.72:443
193.248.221.184:2222
95.77.223.148:443
71.199.192.62:443
77.211.30.202:995
80.227.5.69:443
77.27.204.204:995
81.97.154.100:443
173.184.119.153:995
38.92.225.121:443
81.150.181.168:2222
90.65.236.181:2222
83.110.103.152:443
73.153.211.227:443
188.25.63.105:443
89.137.211.239:995
202.188.138.162:443
98.173.34.212:995
87.202.87.210:2222
195.12.154.8:443
47.217.24.69:6881
182.48.193.200:443
108.160.123.244:443
96.57.188.174:2222
45.118.216.157:443
84.72.35.226:443
172.115.177.204:2222
86.236.77.68:2222
82.127.125.209:990
176.181.247.197:443
97.69.160.4:2222
90.101.117.122:2222
189.223.201.91:443
140.82.49.12:443
2.7.69.217:2222
83.110.12.140:2222
85.132.36.111:2222
197.45.110.165:995
149.28.99.97:995
45.63.107.192:2222
149.28.98.196:2222
149.28.99.97:2222
144.202.38.185:443
149.28.99.97:443
45.63.107.192:443
45.63.107.192:995
144.202.38.185:2222
149.28.101.90:995
149.28.101.90:2222
149.28.101.90:8443
45.32.211.207:8443
149.28.98.196:995
149.28.98.196:443
45.32.211.207:995
149.28.101.90:443
207.246.77.75:443
45.77.115.208:8443
207.246.77.75:995
207.246.77.75:2222
45.32.211.207:2222
45.32.211.207:443
45.77.115.208:995
144.202.38.185:995
45.77.115.208:2222
207.246.116.237:8443
207.246.116.237:2222
207.246.77.75:8443
207.246.116.237:995
207.246.116.237:443
45.77.117.108:443
45.77.117.108:995
45.77.117.108:8443
45.77.117.108:2222
45.77.115.208:443
89.3.198.238:443
2.232.253.79:995
73.25.124.140:2222
136.232.34.70:443
157.131.108.180:443
217.133.54.140:32100
195.43.173.70:443
86.98.93.124:2078
176.205.222.30:2078
105.96.8.96:443
50.29.166.232:995
27.223.92.142:995
119.153.62.76:3389
47.187.115.228:443
67.6.12.4:443
65.27.228.247:443
23.240.70.80:995
216.201.162.158:443
139.216.137.189:995
64.121.114.87:443
79.129.121.81:995
172.87.157.235:3389
75.118.1.141:443
75.136.26.147:443
96.250.60.138:443
50.244.112.106:443
115.133.243.6:443
47.196.192.184:443
45.46.53.140:2222
105.198.236.101:443
144.139.166.18:443
196.151.252.84:443
71.197.126.250:443
196.221.207.137:995
71.117.132.169:443
74.68.144.202:443
76.25.142.196:443
98.240.24.57:443
144.139.47.206:443
86.245.46.27:2222
173.21.10.71:2222
78.97.207.104:443
86.220.60.133:2222
69.245.102.225:443
94.53.92.42:443
71.74.12.34:443
84.247.55.190:8443
173.25.45.66:443
46.153.55.149:995
78.22.58.205:3389
105.198.236.99:443
24.152.219.253:995
82.76.47.211:443
189.223.234.23:995
96.37.113.36:993
47.187.74.181:443
50.25.89.74:443
174.104.31.209:443
199.19.117.131:443
201.143.235.13:443
189.146.183.105:443
181.48.190.78:443
189.223.97.175:443
47.22.148.6:443
173.70.165.101:995
74.222.204.82:995
75.67.192.125:443
32.210.98.6:443
106.51.52.111:443
59.90.246.200:443
70.49.88.199:2222
186.28.51.27:443
98.252.118.134:443
209.210.187.52:995
189.210.115.207:443
-
salt
jHxastDcds)oMc=jvh7wdUhxcsdt2
Targets
-
-
Target
c1e068c1358f86d876a5918f918b688c_JaffaCakes118
-
Size
4.6MB
-
MD5
c1e068c1358f86d876a5918f918b688c
-
SHA1
6809f607280e9c3d1a74190ca45b56e1901d96d8
-
SHA256
746d073ee8221b904fb02c678793cc9088ba4314176aa11420755b7eddfa4114
-
SHA512
0f7ebfb4e52ae81f7a6fbecae3da3672615be4c6acd47b288bfbd3f51e9230e5b0d80e0dff35100d700a57e98b5e6566eabbc32923f66ca331c8af0bb1a06c38
-
SSDEEP
98304:3gyuh4zGSptsKDcvWfMsosFmon8XOXcIBfYJq3Njk:3m4zGSp2K4WfMsoFo8eXcIBQJOa
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-