qakbot | d4492c61ee559588e83fe74feef61b5c_JaffaCakes118

Sharing

Copy URL

Twitter E-mail

General

Target

d4492c61ee559588e83fe74feef61b5c_JaffaCakes118
Size

184KB
MD5

d4492c61ee559588e83fe74feef61b5c
SHA1

d1adf94903992c909633032bc07552d716b39240
SHA256

1579d32ee1dc31bab47e515f9849c4a82fb08ae76ea698ff9832736fe3020f75
SHA512

ffabb0c92cc52500f0d5f51d0f5394528adbfb095ecf85528e5dbaf00d97825b709305e33b3a77ba3916bf68887c64f2ef6d31d43eb95d5a1285d562b09dd89a
SSDEEP

3072:agp4bgYkM32chYZgTtJ4a/gEITBfAfdgwfztOo4T+fgno8muPwWe:agpvM32chMg5JF//ITBY1gOB1fmmuPwT

Score

10^/10

tr 1632152742 qakbot

Malware Config

Extracted

Family

qakbot

Version

402.318

Botnet

Campaign

1632152742

45.46.53.140:2222

144.139.47.206:443

189.210.115.207:443

120.150.218.241:995

47.22.148.6:443

140.82.49.12:443

24.139.72.117:443

24.229.150.54:995

24.55.112.61:443

136.232.34.70:443

95.77.223.148:443

173.21.10.71:2222

76.25.142.196:443

96.37.113.36:993

71.74.12.34:443

73.151.236.31:443

67.165.206.193:993

109.12.111.14:443

68.204.7.158:443

105.198.236.99:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot family
qakbot

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
d4492c61ee559588e83fe74feef61b5c_JaffaCakes118

Files

d4492c61ee559588e83fe74feef61b5c_JaffaCakes118
.dll regsvr32 windows:6 windows x86 arch:x86

4ffea09c47d1299922aabf21a554a45d

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

ws2_32

inet_ntoa

msvcrt

localeconv
strtod
strchr
strncpy
_time64
malloc
free
memset
memchr
_strtoi64
_ftol2_sse
_vsnwprintf
memcpy
atol
_errno
qsort
_snprintf
_vsnprintf

kernel32

GetWindowsDirectoryW
GetSystemInfo
GetTickCount
LoadLibraryW
FlushFileBuffers
GetVersionExA
lstrcmpiA
LocalAlloc
SetFileAttributesW
FindNextFileW
FindFirstFileW
GetExitCodeProcess
GetCurrentProcess
CreateMutexA
lstrcmpA
DuplicateHandle
GetCurrentThread
lstrcpynA
GetLastError
lstrcatA
CreateDirectoryW
DisconnectNamedPipe
lstrcpynW
GetProcessId
lstrcatW
lstrcpyW
GetCurrentProcessId
lstrcmpiW
GetModuleFileNameW
GetFileAttributesW
GetModuleHandleA
MultiByteToWideChar
GetDriveTypeW
K32GetModuleFileNameExW
MoveFileW
SwitchToThread
GetProcAddress
HeapCreate
HeapFree
HeapAlloc
WideCharToMultiByte
SetLastError
LoadLibraryA
FreeLibrary
GetSystemTimeAsFileTime
SetThreadPriority
CreatePipe

user32

DestroyWindow
CreateWindowExA
UnregisterClassA
RegisterClassExA
CharUpperBuffA
DefWindowProcA
CharUpperBuffW

ole32

CoInitializeSecurity
CoSetProxyBlanket
CoCreateInstance
CoInitializeEx

oleaut32

SafeArrayDestroy
SafeArrayGetUBound
SafeArrayGetElement
SafeArrayGetLBound
SysFreeString
VariantClear
SysAllocString

Exports

Exports

DllRegisterServer

Sections

.text
Size: 90KB - Virtual size: 89KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

4ffea09c47d1299922aabf21a554a45d

Headers

File Characteristics

Imports

ws2_32

msvcrt

kernel32

user32

ole32

oleaut32

Exports

Exports

Sections

.text Size: 90KB - Virtual size: 89KB

.rdata Size: 18KB - Virtual size: 17KB

.data Size: 6KB - Virtual size: 5KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 3KB - Virtual size: 3KB

.text
Size: 90KB - Virtual size: 89KB

.rdata
Size: 18KB - Virtual size: 17KB

.data
Size: 6KB - Virtual size: 5KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 3KB - Virtual size: 3KB