Analysis

  • max time kernel
    143s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-08-2024 01:58

General

  • Target

    c42e511e79fa6c3b2931080364522dfc_JaffaCakes118.vbs

  • Size

    1.8MB

  • MD5

    c42e511e79fa6c3b2931080364522dfc

  • SHA1

    413fa44b48570a07420aa1511276bb4c72374cd7

  • SHA256

    b293691f6cf941d9841b65a58f8b75b97e37da6752531bdcfba449ec7fe3128b

  • SHA512

    d114ffc76a5c9de6bb02228fe84f76e78ebcfcbf28be9f3dd02cfb2f00dfbc38579cee379cfb7adb580b6a5eb54c7d6e37b4fa346fcfea3ab9dd9abecf2b0295

  • SSDEEP

    49152:lP3fgyBTbzDjvjwSBLoZFVf4d6enfWoKFxCZqOoFBvQC6bztk2KSZxE2i:s

Malware Config

Extracted

Family

qakbot

Version

323.79

Botnet

spx01

Campaign

1567608215

C2


Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Turns off Windows Defender SpyNet reporting 2 TTPs
  • Windows security bypass 2 TTPs 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 18 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c42e511e79fa6c3b2931080364522dfc_JaffaCakes118.vbs"
    1⤵
    PID:4360
    • C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe
      C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe
        C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe /C
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        PID:3628
      • C:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud\ayoeiizp.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud\ayoeiizp.exe
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4236
        • C:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud\ayoeiizp.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud\ayoeiizp.exe /C
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:4436
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          3⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:3620
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn xswbenfjc /tr "\"C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe\" /I xswbenfjc" /SC ONCE /Z /ST 02:01 /ET 02:13
        2⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3772
    • C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe
      C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe /I xswbenfjc
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        2⤵
        PID:3784
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        2⤵
        PID:760
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        2⤵
        PID:4956
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        2⤵
        PID:1720
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        2⤵
        PID:4152
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        2⤵
        PID:748
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        2⤵
        PID:4424
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        2⤵
        PID:3408
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud" /d "0"
        2⤵
        • Windows security bypass
        PID:3108
      • C:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud\ayoeiizp.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud\ayoeiizp.exe
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2388
        • C:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud\ayoeiizp.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud\ayoeiizp.exe /C
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:4696
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe"
        2⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:4884
        • C:\Windows\system32\PING.EXE
          ping.exe -n 6 127.0.0.1
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2204
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /DELETE /F /TN xswbenfjc
        2⤵
        PID:708

Downloads

  • C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe

    Filesize

    644KB

    MD5

    e372d668d9e1d734b76655f5b0ebd0e6

    SHA1

    b6fc1da195130a16f15e471835041ed05473c795

    SHA256

    07ee7be992525cfa1a66ca03ee127f2df8041e88bf6c12a1fffcb206660606e7

    SHA512

    06b4be1d2ebb82860e6d8396ab963707840dcd35678c512cf18f085ba2c0d75c4f5341f2189685e65a8dc611317c93012bb8b3944758172377aa23bae1469496

  • C:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud\ayoeiizp.dat

    Filesize

    63B

    MD5

    3293bed115d40541731b160527d6ff11

    SHA1

    c4aae3b347d81be32acb12f6d6b2785f00379ab8

    SHA256

    d9ce80e3d62e331b532a941289aa21f128eeb28980cd14d1dc65de1db8992774

    SHA512

    bc029a7e0ef0a5e4193ebdd67836a3d78ade05cbed80802ea8f02d9a44dab68aa1b8f5264ed46fa9ddc7661be3d04b19b889d6d654f86f5fcc9e48999973ec27

  • memory/1712-50-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/1712-43-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/1748-20-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/1748-6-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/1748-24-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/1748-4-0x00000000021C0000-0x0000000002251000-memory.dmp

    Filesize

    580KB

  • memory/2388-56-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/3620-32-0x0000000001400000-0x0000000001491000-memory.dmp

    Filesize

    580KB

  • memory/3620-34-0x0000000001400000-0x0000000001491000-memory.dmp

    Filesize

    580KB

  • memory/3620-33-0x0000000003290000-0x00000000032D0000-memory.dmp

    Filesize

    256KB

  • memory/3620-37-0x0000000003290000-0x00000000032D0000-memory.dmp

    Filesize

    256KB

  • memory/3620-39-0x0000000003290000-0x00000000032D0000-memory.dmp

    Filesize

    256KB

  • memory/3620-36-0x0000000003290000-0x00000000032D0000-memory.dmp

    Filesize

    256KB

  • memory/3620-30-0x0000000001400000-0x0000000001491000-memory.dmp

    Filesize

    580KB

  • memory/3628-9-0x0000000002190000-0x0000000002221000-memory.dmp

    Filesize

    580KB

  • memory/3628-13-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/4236-35-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/4436-29-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/4696-55-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB