qakbot | 4754a5c9610519b9eddf7768158b89c2b9f65fcbf101db3a8a8408d1c3ed101f

Analysis

max time kernel
130s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39e805042e9ac176f16a079f55d15b5c_JaffaCakes118.dll
Size

253KB
MD5

39e805042e9ac176f16a079f55d15b5c
SHA1

7eb23c62e8e1886905282a067300e9828d97975c
SHA256

4754a5c9610519b9eddf7768158b89c2b9f65fcbf101db3a8a8408d1c3ed101f
SHA512

ed7e60e3205b6a8f51095ef808aa71ad188e18b2c5b84a033e970e7bd8c0e065a551b02ea529dd9a1fa9e23a0fd491aebbdb54c0f5aaf53f72560747b6b0ba66
SSDEEP

3072:0PQdEOItJPxluIalXQOr+nxQNBO0jTL23i7eBnaVImWeqSR4G78SYSuDSMv6UWN:MUr+nxQNBO0jf2Ee5aSzeF4DSY7Dh6f

Score

10^/10

qakbot obama105 1632819007 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

obama105

Campaign

1632819007

120.150.218.241:995

95.77.223.148:443

185.250.148.74:443

181.118.183.94:443

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

122.11.220.212:2222

120.151.47.189:443

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

76.25.142.196:443

75.66.88.33:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Xcaomainzfuu = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Hyievwdjgypg = "0"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
2984	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Aqlveimacetb\c3368bb2 = 15e4f7ff26b6b4ba692ffe9418e3e5296c5c67724266fe43f0e148092548f738489741c80a018fcc408688cc333171d933a97b7e5a523d4e87ea01265f8247c0862e5ad59d6902e33287f2ce	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Aqlveimacetb\f6a95bfc = 44d4aba0c04c63b4e3be1295a3ddcd367a1a0fd9d9c138a49d1adc4d30884aa9786c5b5cf2ef65ccb2b6e202764e9557f95b65c1f7c1902f81169809758f8559300beef0a9bfaad21eab8fb59d96833ef14465344c0c5f2b2010c814278223effc58fbc4d181fd11fbe34217ef4121bf6a09592647826dccaa06604d690ec14d90e349ccdf88463f28b19982cf5ac62d0d5877a9eaeed297c5bbf229c6	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Aqlveimacetb\f4e87b80 = 1b0e3638e081729acc38e1cc55de42bd429d7a92d04193981c931cbaec9d86ae22b61cc19166b426f0b81b8d46e358bdd790d5426cc099e267140ecd2705a6913e3be2b13cf9dc795389e0ad140c98d9c6f223d2426aecfd1ede3153b9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Aqlveimacetb\4c541ce5 = 989132491f5f385bd905d8ed5debef922c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Aqlveimacetb\315c536f = bf4b119d53e020ed7157ded5d99ec1ff2c7b7c0a6edb2577e5d57e30adc068c105401fffd5a6fada7910ba3608b9312537ecf3c193f4484cd3b7e1db5a641b2c00b50fc6ddc86b4a7d130c6903926e4a3860e5fc5b0677	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Aqlveimacetb\89e0340a = fdc41594b5c85eeee11739f57edd900f06679e30424a8ac0a5cfcfb3b6eb7c4eb3f69d8d9fb5097ab1	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Aqlveimacetb	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Aqlveimacetb\bc7fe444 = 480a69f11631d71873c1c0fd02d69b878ff780b34707a4efa3a7866fb8769d7ab2e4ee787a15b0862420ba32d6f1bcaa0261eec07a96a6364866af7a5f04586e0133f1dc764b8986695ef25c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Aqlveimacetb\c3368bb2 = 15e4e0ff26b6815c6fec911ad2aae036593907cf89bfdc9c360b63219f9ee80dd679ff0a73389ec83618cb05d25b03adbe29eea812fc1545cb4ce053232eca9b9055a19e8b20571b500ef0a639ea0e9f69092dd90425ac84965584e305110b8d5f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Aqlveimacetb\4e153c99 = 87a3d40feab564b24a583eead1fc154334a312fd6f27a01f41c67f3abe6e531b8921be215e76b2fe121f48b5685ecbc03da8b4e28eb059807a517fe7fb020096d7d8bb610f8b	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2876	rundll32.exe
2984	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2876	rundll32.exe
2984	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2876	2880	rundll32.exe	30
PID 2880 wrote to memory of 2876	2880	rundll32.exe	30
PID 2880 wrote to memory of 2876	2880	rundll32.exe	30
PID 2880 wrote to memory of 2876	2880	rundll32.exe	30
PID 2880 wrote to memory of 2876	2880	rundll32.exe	30
PID 2880 wrote to memory of 2876	2880	rundll32.exe	30
PID 2880 wrote to memory of 2876	2880	rundll32.exe	30
PID 2876 wrote to memory of 2792	2876	rundll32.exe	31
PID 2876 wrote to memory of 2792	2876	rundll32.exe	31
PID 2876 wrote to memory of 2792	2876	rundll32.exe	31
PID 2876 wrote to memory of 2792	2876	rundll32.exe	31
PID 2876 wrote to memory of 2792	2876	rundll32.exe	31
PID 2876 wrote to memory of 2792	2876	rundll32.exe	31
PID 2792 wrote to memory of 2836	2792	explorer.exe	32
PID 2792 wrote to memory of 2836	2792	explorer.exe	32
PID 2792 wrote to memory of 2836	2792	explorer.exe	32
PID 2792 wrote to memory of 2836	2792	explorer.exe	32
PID 1140 wrote to memory of 2980	1140	taskeng.exe	36
PID 1140 wrote to memory of 2980	1140	taskeng.exe	36
PID 1140 wrote to memory of 2980	1140	taskeng.exe	36
PID 1140 wrote to memory of 2980	1140	taskeng.exe	36
PID 1140 wrote to memory of 2980	1140	taskeng.exe	36
PID 2980 wrote to memory of 2984	2980	regsvr32.exe	37
PID 2980 wrote to memory of 2984	2980	regsvr32.exe	37
PID 2980 wrote to memory of 2984	2980	regsvr32.exe	37
PID 2980 wrote to memory of 2984	2980	regsvr32.exe	37
PID 2980 wrote to memory of 2984	2980	regsvr32.exe	37
PID 2980 wrote to memory of 2984	2980	regsvr32.exe	37
PID 2980 wrote to memory of 2984	2980	regsvr32.exe	37
PID 2984 wrote to memory of 1148	2984	regsvr32.exe	38
PID 2984 wrote to memory of 1148	2984	regsvr32.exe	38
PID 2984 wrote to memory of 1148	2984	regsvr32.exe	38
PID 2984 wrote to memory of 1148	2984	regsvr32.exe	38
PID 2984 wrote to memory of 1148	2984	regsvr32.exe	38
PID 2984 wrote to memory of 1148	2984	regsvr32.exe	38
PID 1148 wrote to memory of 1092	1148	explorer.exe	39
PID 1148 wrote to memory of 1092	1148	explorer.exe	39
PID 1148 wrote to memory of 1092	1148	explorer.exe	39
PID 1148 wrote to memory of 1092	1148	explorer.exe	39
PID 1148 wrote to memory of 2384	1148	explorer.exe	41
PID 1148 wrote to memory of 2384	1148	explorer.exe	41
PID 1148 wrote to memory of 2384	1148	explorer.exe	41
PID 1148 wrote to memory of 2384	1148	explorer.exe	41

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\39e805042e9ac176f16a079f55d15b5c_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\39e805042e9ac176f16a079f55d15b5c_JaffaCakes118.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn sasgjre /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\39e805042e9ac176f16a079f55d15b5c_JaffaCakes118.dll\"" /SC ONCE /Z /ST 12:06 /ET 12:18
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2836

C:\Windows\system32\taskeng.exe
taskeng.exe {4BE7B866-5C69-4C86-B669-86E2FD1CACF6} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\39e805042e9ac176f16a079f55d15b5c_JaffaCakes118.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\39e805042e9ac176f16a079f55d15b5c_JaffaCakes118.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Xcaomainzfuu" /d "0"
        5⤵
        Windows security bypass
        
        PID:1092
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Hyievwdjgypg" /d "0"
        5⤵
        Windows security bypass
        
        PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\39e805042e9ac176f16a079f55d15b5c_JaffaCakes118.dll

Filesize
253KB

MD5
39e805042e9ac176f16a079f55d15b5c

SHA1
7eb23c62e8e1886905282a067300e9828d97975c

SHA256
4754a5c9610519b9eddf7768158b89c2b9f65fcbf101db3a8a8408d1c3ed101f

SHA512
ed7e60e3205b6a8f51095ef808aa71ad188e18b2c5b84a033e970e7bd8c0e065a551b02ea529dd9a1fa9e23a0fd491aebbdb54c0f5aaf53f72560747b6b0ba66

Download Submit
memory/1148-15-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1148-16-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1148-17-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2792-0-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/2792-4-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2792-6-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2792-5-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2792-7-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2876-1-0x0000000010000000-0x0000000016278000-memory.dmp

Filesize
98.5MB

Download
memory/2984-13-0x0000000010000000-0x0000000016278000-memory.dmp

Filesize
98.5MB

Download