Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-08-2024 01:58

General

  • Target

    c42e511e79fa6c3b2931080364522dfc_JaffaCakes118.vbs

  • Size

    1.8MB

  • MD5

    c42e511e79fa6c3b2931080364522dfc

  • SHA1

    413fa44b48570a07420aa1511276bb4c72374cd7

  • SHA256

    b293691f6cf941d9841b65a58f8b75b97e37da6752531bdcfba449ec7fe3128b

  • SHA512

    d114ffc76a5c9de6bb02228fe84f76e78ebcfcbf28be9f3dd02cfb2f00dfbc38579cee379cfb7adb580b6a5eb54c7d6e37b4fa346fcfea3ab9dd9abecf2b0295

  • SSDEEP

    49152:lP3fgyBTbzDjvjwSBLoZFVf4d6enfWoKFxCZqOoFBvQC6bztk2KSZxE2i:s

Malware Config

Extracted

Family

qakbot

Version

323.79

Botnet

spx01

Campaign

1567608215

C2

72.16.212.107:995

107.12.140.181:443

69.70.37.246:465

66.51.231.183:443

108.160.123.244:443

65.30.12.240:443

47.49.7.42:443

73.202.121.222:443

47.153.115.154:995

47.153.115.154:443

72.29.181.77:2083

104.3.91.20:995

190.144.81.158:995

186.7.117.189:443

50.247.230.33:443

216.221.88.160:443

67.246.16.250:995

107.180.70.163:443

70.169.2.228:21

72.36.14.160:443

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Turns off Windows Defender SpyNet reporting 2 TTPs
  • Windows security bypass 2 TTPs 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies data under HKEY_USERS 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c42e511e79fa6c3b2931080364522dfc_JaffaCakes118.vbs"
    1⤵
      PID:2412
    • C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe
      C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe
        C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe /C
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2800
      • C:\Users\Admin\AppData\Roaming\Microsoft\Uhraixbkfeo\mbarejao.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Uhraixbkfeo\mbarejao.exe
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2856
        • C:\Users\Admin\AppData\Roaming\Microsoft\Uhraixbkfeo\mbarejao.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Uhraixbkfeo\mbarejao.exe /C
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2708
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          3⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2644
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn fcjrzztr /tr "\"C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe\" /I fcjrzztr" /SC ONCE /Z /ST 02:01 /ET 02:13
        2⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1212
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {BE1A0A31-3B9E-420C-A89F-66FAE9B813F6} S-1-5-18:NT AUTHORITY\System:Service:
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1860
      • C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe
        C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe /I fcjrzztr
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2968
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
          3⤵
          PID:840
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
          3⤵
          PID:2100
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
          3⤵
          PID:3024
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
          3⤵
          PID:2580
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
          3⤵
          PID:616
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
          3⤵
          PID:1196
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
          3⤵
          PID:1040
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
          3⤵
          PID:760
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Uhraixbkfeo" /d "0"
          3⤵
          • Windows security bypass
          PID:640
        • C:\Users\Admin\AppData\Roaming\Microsoft\Uhraixbkfeo\mbarejao.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Uhraixbkfeo\mbarejao.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1700
          • C:\Users\Admin\AppData\Roaming\Microsoft\Uhraixbkfeo\mbarejao.exe
            C:\Users\Admin\AppData\Roaming\Microsoft\Uhraixbkfeo\mbarejao.exe /C
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:1928
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe"
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          PID:1388
          • C:\Windows\system32\PING.EXE
            ping.exe -n 6 127.0.0.1
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2464
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /DELETE /F /TN fcjrzztr
          3⤵
          PID:872

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe

    Filesize

    644KB

    MD5

    e372d668d9e1d734b76655f5b0ebd0e6

    SHA1

    b6fc1da195130a16f15e471835041ed05473c795

    SHA256

    07ee7be992525cfa1a66ca03ee127f2df8041e88bf6c12a1fffcb206660606e7

    SHA512

    06b4be1d2ebb82860e6d8396ab963707840dcd35678c512cf18f085ba2c0d75c4f5341f2189685e65a8dc611317c93012bb8b3944758172377aa23bae1469496

  • C:\Users\Admin\AppData\Roaming\Microsoft\Uhraixbkfeo\mbarejao.dat

    Filesize

    63B

    MD5

    930fabeed60c6d01d8dce114a692db8d

    SHA1

    21af9ab7c8bc0a8b8d20b83a0d74ccfcbe629852

    SHA256

    31fd0c8e4d85e6484911b142e090f7d49b45ddb169f377eaec9253395605ac20

    SHA512

    0289e44f1114513a8c5c9aa0b1718b9722af3cc49de3b11347a6d5bb78ca47fdb72aaa587c7531b47d6fbca8b41fb943940335912e0a8c33913e4ead373d9e48

  • memory/1700-61-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/1928-60-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/2644-37-0x0000000000080000-0x0000000000111000-memory.dmp

    Filesize

    580KB

  • memory/2644-40-0x0000000000310000-0x0000000000350000-memory.dmp

    Filesize

    256KB

  • memory/2644-42-0x0000000000310000-0x0000000000350000-memory.dmp

    Filesize

    256KB

  • memory/2644-39-0x0000000000310000-0x0000000000350000-memory.dmp

    Filesize

    256KB

  • memory/2644-33-0x0000000000080000-0x0000000000111000-memory.dmp

    Filesize

    580KB

  • memory/2644-35-0x0000000000080000-0x0000000000111000-memory.dmp

    Filesize

    580KB

  • memory/2644-36-0x0000000000310000-0x0000000000350000-memory.dmp

    Filesize

    256KB

  • memory/2708-32-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/2796-26-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/2796-4-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/2796-3-0x00000000004B0000-0x0000000000541000-memory.dmp

    Filesize

    580KB

  • memory/2800-14-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/2800-13-0x0000000001D50000-0x0000000001DE1000-memory.dmp

    Filesize

    580KB

  • memory/2856-38-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/2856-22-0x0000000000320000-0x00000000003B1000-memory.dmp

    Filesize

    580KB

  • memory/2968-46-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/2968-54-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB