qakbot | 7700152ba41e002bf9921cee1d86d028407678f63c926b65f4a9029b633b3370

General

Target

2368656454a6bad8d0bec40e729ba6b7_JaffaCakes118.dll
Size

708KB
MD5

2368656454a6bad8d0bec40e729ba6b7
SHA1

58ad4c996f9590fed9498e27a0cb133f3b82f63b
SHA256

7700152ba41e002bf9921cee1d86d028407678f63c926b65f4a9029b633b3370
SHA512

d0f0a59b0d2a7996e507d2294332534f1d1b6b5ac4ddc195db7a4e13ed3bddc8fa31682a6a470236e0ba4b3f98ccd8ea88f5e7000bd2cfdfbc453c647c32e754
SSDEEP

12288:LDbAcis08s7gQFMWC24/MFS+AWmdXWJIjJ5F3+DpEFs3H6v/+JoTNL:LPDis0dFA24/MFSptoJKnx+NE23a3+JO

Score

10^/10

qakbot obama106 1632905607 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama106

Campaign

1632905607

C2

37.210.152.224:995

120.151.47.189:443

105.198.236.99:443

122.11.220.212:2222

199.27.127.129:443

41.251.41.14:995

216.201.162.158:443

124.123.42.115:2078

181.118.183.94:443

120.150.218.241:995

185.250.148.74:443

217.17.56.163:443

182.181.78.18:995

140.82.49.12:443

105.159.144.186:995

89.101.97.139:443

217.17.56.163:0

27.223.92.142:995

95.77.223.148:443

109.190.253.11:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Hkhplbzu = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Jujbizeex = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2784 regsvr32.exe

pid	process
2784	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

rundll32.exeexplorer.exeschtasks.exeregsvr32.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uweqrlhesdybvi	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uweqrlhesdybvi\cd93968a = 6161c7e113623aa27afa7df502e990c01db6c06d1cac24a5e19c0575d8faa54045cf159ce49431bd2df5dc6bc6732a17f299bf2069c8192d9307adb92482fe008e5d54482a88f1836fd28f745298ab20059a62b5471418a33dc0b82ec2221c85d1c47980176f21da77de72774720bb	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uweqrlhesdybvi\752ff1ef = 44dda88f4c449906ffee3327b54843b3c82b94ddc2af8eb49bcce948	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uweqrlhesdybvi\b09bd900 = 44f641045544d74e39530fe1b908592a363d93dffd1c494b96e0e7c35cb01891dab9fb2cf2288c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uweqrlhesdybvi\fa4d66b8 = f4c46294b907f7e177a2dee92f8b19e1a46214c5af08833972b9c0ee597a472c9f4af48955a14422578db0978339501725e67e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uweqrlhesdybvi\fa4d66b8 = f4c47594b907c291324342e4e976a153a60dc9c912ccca0cb421c73865e5	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uweqrlhesdybvi\cfd2b6f6 = df3b2d07fb159ac9a29672f43633651ceb4fc08ac5c937722cdcbba31bc8bc875a6bf47109cc48c0c7bade08f36829243ebfe2745db6ede220cfd754cfda3871f6f902c4e1d023bd731233f835bfbb024948ea1e5a04624a9a48417aab6e2d48ae5ebdffb37f1906159dd38c6047f4216e228dfce16644d97c35876088a017cce9d9ca56ac58255278d58b47e0d909	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uweqrlhesdybvi\827be65 = 31e6be6c468561f4c6244d0721456be0150d6434df1e0ba6dc022ff0a78de178cfa1cf8c106f83396bb8a4f28fd2bae7e8133e3eaaaff7144aaabb42254b9f6103ba0347d7b6d982c50e0e3abf4fa4852c4b1fcab0c4db10ab76d9dd	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uweqrlhesdybvi\776ed193 = 4a0b7235f6370b60b5ebb13f7b992df05d770e5d23d281e007866d7450e2e31ddd04769a6a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uweqrlhesdybvi\8504094e = 1b402e94c9156b5b6cef5c084bf63e5aedebf50e779305067881cc8238839b9635860063b2f2670daac032eb3e65836fc5d985aa4ab1e93370805540a246e1ef8c347fca3bbd6a44513f	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2964 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2424 rundll32.exe
2784 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2424 rundll32.exe
2784 regsvr32.exe

pid	process
2964	schtasks.exe

pid	process
2424	rundll32.exe
2784	regsvr32.exe

pid	process
2424	rundll32.exe
2784	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 2276 wrote to memory of 2424	2276	rundll32.exe	rundll32.exe
PID 2276 wrote to memory of 2424	2276	rundll32.exe	rundll32.exe
PID 2276 wrote to memory of 2424	2276	rundll32.exe	rundll32.exe
PID 2276 wrote to memory of 2424	2276	rundll32.exe	rundll32.exe
PID 2276 wrote to memory of 2424	2276	rundll32.exe	rundll32.exe
PID 2276 wrote to memory of 2424	2276	rundll32.exe	rundll32.exe
PID 2276 wrote to memory of 2424	2276	rundll32.exe	rundll32.exe
PID 2424 wrote to memory of 2256	2424	rundll32.exe	explorer.exe
PID 2424 wrote to memory of 2256	2424	rundll32.exe	explorer.exe
PID 2424 wrote to memory of 2256	2424	rundll32.exe	explorer.exe
PID 2424 wrote to memory of 2256	2424	rundll32.exe	explorer.exe
PID 2424 wrote to memory of 2256	2424	rundll32.exe	explorer.exe
PID 2424 wrote to memory of 2256	2424	rundll32.exe	explorer.exe
PID 2256 wrote to memory of 2964	2256	explorer.exe	schtasks.exe
PID 2256 wrote to memory of 2964	2256	explorer.exe	schtasks.exe
PID 2256 wrote to memory of 2964	2256	explorer.exe	schtasks.exe
PID 2256 wrote to memory of 2964	2256	explorer.exe	schtasks.exe
PID 3040 wrote to memory of 264	3040	taskeng.exe	regsvr32.exe
PID 3040 wrote to memory of 264	3040	taskeng.exe	regsvr32.exe
PID 3040 wrote to memory of 264	3040	taskeng.exe	regsvr32.exe
PID 3040 wrote to memory of 264	3040	taskeng.exe	regsvr32.exe
PID 3040 wrote to memory of 264	3040	taskeng.exe	regsvr32.exe
PID 264 wrote to memory of 2784	264	regsvr32.exe	regsvr32.exe
PID 264 wrote to memory of 2784	264	regsvr32.exe	regsvr32.exe
PID 264 wrote to memory of 2784	264	regsvr32.exe	regsvr32.exe
PID 264 wrote to memory of 2784	264	regsvr32.exe	regsvr32.exe
PID 264 wrote to memory of 2784	264	regsvr32.exe	regsvr32.exe
PID 264 wrote to memory of 2784	264	regsvr32.exe	regsvr32.exe
PID 264 wrote to memory of 2784	264	regsvr32.exe	regsvr32.exe
PID 2784 wrote to memory of 1716	2784	regsvr32.exe	explorer.exe
PID 2784 wrote to memory of 1716	2784	regsvr32.exe	explorer.exe
PID 2784 wrote to memory of 1716	2784	regsvr32.exe	explorer.exe
PID 2784 wrote to memory of 1716	2784	regsvr32.exe	explorer.exe
PID 2784 wrote to memory of 1716	2784	regsvr32.exe	explorer.exe
PID 2784 wrote to memory of 1716	2784	regsvr32.exe	explorer.exe
PID 1716 wrote to memory of 1764	1716	explorer.exe	reg.exe
PID 1716 wrote to memory of 1764	1716	explorer.exe	reg.exe
PID 1716 wrote to memory of 1764	1716	explorer.exe	reg.exe
PID 1716 wrote to memory of 1764	1716	explorer.exe	reg.exe
PID 1716 wrote to memory of 2740	1716	explorer.exe	reg.exe
PID 1716 wrote to memory of 2740	1716	explorer.exe	reg.exe
PID 1716 wrote to memory of 2740	1716	explorer.exe	reg.exe
PID 1716 wrote to memory of 2740	1716	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2368656454a6bad8d0bec40e729ba6b7_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2368656454a6bad8d0bec40e729ba6b7_JaffaCakes118.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ttfddmzc /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\2368656454a6bad8d0bec40e729ba6b7_JaffaCakes118.dll\"" /SC ONCE /Z /ST 22:35 /ET 22:47
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2964

C:\Windows\system32\taskeng.exe
taskeng.exe {E1406F82-DE23-448B-BA32-560D013384E9} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\2368656454a6bad8d0bec40e729ba6b7_JaffaCakes118.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:264
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\2368656454a6bad8d0bec40e729ba6b7_JaffaCakes118.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Hkhplbzu" /d "0"
        5⤵
        Windows security bypass
        
        PID:1764
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Jujbizeex" /d "0"
        5⤵
        Windows security bypass
        
        PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2368656454a6bad8d0bec40e729ba6b7_JaffaCakes118.dll

Filesize
708KB

MD5
2368656454a6bad8d0bec40e729ba6b7

SHA1
58ad4c996f9590fed9498e27a0cb133f3b82f63b

SHA256
7700152ba41e002bf9921cee1d86d028407678f63c926b65f4a9029b633b3370

SHA512
d0f0a59b0d2a7996e507d2294332534f1d1b6b5ac4ddc195db7a4e13ed3bddc8fa31682a6a470236e0ba4b3f98ccd8ea88f5e7000bd2cfdfbc453c647c32e754

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1716-29-0x0000000000350000-0x0000000000371000-memory.dmp

Filesize
132KB

Download
memory/1716-28-0x0000000000350000-0x0000000000371000-memory.dmp

Filesize
132KB

Download
memory/1716-27-0x0000000000350000-0x0000000000371000-memory.dmp

Filesize
132KB

Download
memory/2256-13-0x0000000000310000-0x0000000000331000-memory.dmp

Filesize
132KB

Download
memory/2256-11-0x0000000000310000-0x0000000000331000-memory.dmp

Filesize
132KB

Download
memory/2256-12-0x0000000000310000-0x0000000000331000-memory.dmp

Filesize
132KB

Download
memory/2256-15-0x0000000000310000-0x0000000000331000-memory.dmp

Filesize
132KB

Download
memory/2256-7-0x0000000000310000-0x0000000000331000-memory.dmp

Filesize
132KB

Download
memory/2256-6-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download
memory/2424-5-0x0000000074CB0000-0x0000000074D7A000-memory.dmp

Filesize
808KB

Download
memory/2424-1-0x0000000074CB0000-0x0000000074D7A000-memory.dmp

Filesize
808KB

Download
memory/2424-8-0x0000000074CB0000-0x0000000074D7A000-memory.dmp

Filesize
808KB

Download
memory/2424-4-0x0000000074D61000-0x0000000074D67000-memory.dmp

Filesize
24KB

Download
memory/2424-0-0x0000000074CB0000-0x0000000074D7A000-memory.dmp

Filesize
808KB

Download
memory/2784-21-0x0000000074B10000-0x0000000074BDA000-memory.dmp

Filesize
808KB

Download
memory/2784-25-0x0000000074B10000-0x0000000074BDA000-memory.dmp

Filesize
808KB

Download
memory/2784-20-0x0000000074B10000-0x0000000074BDA000-memory.dmp

Filesize
808KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads