qakbot | 4754a5c9610519b9eddf7768158b89c2b9f65fcbf101db3a8a8408d1c3ed101f

General

Target

39e805042e9ac176f16a079f55d15b5c_JaffaCakes118.dll
Size

253KB
MD5

39e805042e9ac176f16a079f55d15b5c
SHA1

7eb23c62e8e1886905282a067300e9828d97975c
SHA256

4754a5c9610519b9eddf7768158b89c2b9f65fcbf101db3a8a8408d1c3ed101f
SHA512

ed7e60e3205b6a8f51095ef808aa71ad188e18b2c5b84a033e970e7bd8c0e065a551b02ea529dd9a1fa9e23a0fd491aebbdb54c0f5aaf53f72560747b6b0ba66
SSDEEP

3072:0PQdEOItJPxluIalXQOr+nxQNBO0jTL23i7eBnaVImWeqSR4G78SYSuDSMv6UWN:MUr+nxQNBO0jf2Ee5aSzeF4DSY7Dh6f

Score

10^/10

qakbot obama105 1632819007 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

obama105

Campaign

1632819007

C2

120.150.218.241:995

95.77.223.148:443

185.250.148.74:443

181.118.183.94:443

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

122.11.220.212:2222

120.151.47.189:443

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

76.25.142.196:443

75.66.88.33:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Gdlczs = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Azwoapou = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
3848	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yeqdoarjen\e35b824f = 50f9fc39a2a8115d39233f02e89b423a108198af6ef77e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yeqdoarjen\d485727d = 2369961ce6449c927f32710d1450752223408f4113f73e2b5ef407064896550f3858c96e80525ca87ce3ec545b3152b5bb15269a9e8fffe927f460c618ffe7f96c2439cc8323d4e3ac197b95723b9be0ad21e783764a153a44867a6f0750077d67173d9f198874	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yeqdoarjen\6c391518 = 061c58794ee8793c5e3ea55f01c974360fa26b386ce6683da8fa7018495b718caad432653e5a851e35a81425c4efe5561a0c96ba33eaa970dcb80a6cca34fd9a1793a51ccd6fab9e943f5bf95f83c7af	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yeqdoarjen\a98d3df7 = 1876e6818860b9d291eba45f247afd919708c40af11a2b443283104979326777109c4e56f2083fecd3ef574d947a065048fd0b8e416fe045426086d2e676f2c45a9096fe0985f818007ce08289e8f704d9dd9926	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yeqdoarjen\6e783564 = 896735f7fb2aed1d4664f7357754d7bbba65a251b55690e309431d7da080c1385ec826b58a54fa7ea9d23eb151d33f5e5febf7665dd4c91386d03bf614ff3c18eef1046c07fb3b9f2d7d2785dfdb9e3757585a448671	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yeqdoarjen	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yeqdoarjen\d6c45201 = 1dd8a0494798087b5ec6751414488f30055f7cbc096fe41b17ae5024c71283aedf96723c4a23ebbf38ddb7d28241dff460e1b18c9d3699a28b4109186cf96fe108d8979b9e750e86833aea19fd382e573ec881a511c18837e32493677a50e15667b9f143b23997	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yeqdoarjen\11315a92 = 593c01f2b8dfe4455bcf7b184d21ffc48b82daa5c94967619b959accfe8dff766126d4da0532463b80e4c57a214ee1d6200f7ca43e550a815ba99ccc574d6cba04cb2ab07b7466b7a8e4c60d0097	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yeqdoarjen\9c12edb9 = 20b4af0c62702f3dc1e0df51a763a85b59075a6835f03a13407009c05c3d8d0e795e09cfc482e0fcca4b1c7a0451e963064e1300240e3eefc85777d3b3b2fad7388089bc7534b9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yeqdoarjen\e35b824f = 50f9eb39a2a82430dcc1c59c8cebe45cf193f88b5ad02c1f25506a4295efd3bdd91518cee1742e80cf0a04da	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4996	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2692	rundll32.exe
2692	rundll32.exe
3848	regsvr32.exe
3848	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2692	rundll32.exe
3848	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 2692	4008	rundll32.exe	83
PID 4008 wrote to memory of 2692	4008	rundll32.exe	83
PID 4008 wrote to memory of 2692	4008	rundll32.exe	83
PID 2692 wrote to memory of 2264	2692	rundll32.exe	88
PID 2692 wrote to memory of 2264	2692	rundll32.exe	88
PID 2692 wrote to memory of 2264	2692	rundll32.exe	88
PID 2692 wrote to memory of 2264	2692	rundll32.exe	88
PID 2692 wrote to memory of 2264	2692	rundll32.exe	88
PID 2264 wrote to memory of 4996	2264	explorer.exe	89
PID 2264 wrote to memory of 4996	2264	explorer.exe	89
PID 2264 wrote to memory of 4996	2264	explorer.exe	89
PID 1328 wrote to memory of 3848	1328	regsvr32.exe	98
PID 1328 wrote to memory of 3848	1328	regsvr32.exe	98
PID 1328 wrote to memory of 3848	1328	regsvr32.exe	98
PID 3848 wrote to memory of 2920	3848	regsvr32.exe	99
PID 3848 wrote to memory of 2920	3848	regsvr32.exe	99
PID 3848 wrote to memory of 2920	3848	regsvr32.exe	99
PID 3848 wrote to memory of 2920	3848	regsvr32.exe	99
PID 3848 wrote to memory of 2920	3848	regsvr32.exe	99
PID 2920 wrote to memory of 884	2920	explorer.exe	100
PID 2920 wrote to memory of 884	2920	explorer.exe	100
PID 2920 wrote to memory of 4276	2920	explorer.exe	102
PID 2920 wrote to memory of 4276	2920	explorer.exe	102

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\39e805042e9ac176f16a079f55d15b5c_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\39e805042e9ac176f16a079f55d15b5c_JaffaCakes118.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn vvtlsoo /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\39e805042e9ac176f16a079f55d15b5c_JaffaCakes118.dll\"" /SC ONCE /Z /ST 12:06 /ET 12:18
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4996

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\39e805042e9ac176f16a079f55d15b5c_JaffaCakes118.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\SysWOW64\regsvr32.exe
  -s "C:\Users\Admin\AppData\Local\Temp\39e805042e9ac176f16a079f55d15b5c_JaffaCakes118.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3848
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Gdlczs" /d "0"
      4⤵
      Windows security bypass
      PID:884
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Azwoapou" /d "0"
      4⤵
      Windows security bypass
      PID:4276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\39e805042e9ac176f16a079f55d15b5c_JaffaCakes118.dll

Filesize
253KB

MD5
39e805042e9ac176f16a079f55d15b5c

SHA1
7eb23c62e8e1886905282a067300e9828d97975c

SHA256
4754a5c9610519b9eddf7768158b89c2b9f65fcbf101db3a8a8408d1c3ed101f

SHA512
ed7e60e3205b6a8f51095ef808aa71ad188e18b2c5b84a033e970e7bd8c0e065a551b02ea529dd9a1fa9e23a0fd491aebbdb54c0f5aaf53f72560747b6b0ba66

Download Submit
memory/2264-8-0x0000000000FD0000-0x0000000000FF1000-memory.dmp

Filesize
132KB

Download
memory/2264-5-0x0000000000FD0000-0x0000000000FF1000-memory.dmp

Filesize
132KB

Download
memory/2264-7-0x0000000000FD0000-0x0000000000FF1000-memory.dmp

Filesize
132KB

Download
memory/2264-0-0x0000000000FD0000-0x0000000000FF1000-memory.dmp

Filesize
132KB

Download
memory/2264-4-0x0000000000FD0000-0x0000000000FF1000-memory.dmp

Filesize
132KB

Download
memory/2264-6-0x0000000000FD0000-0x0000000000FF1000-memory.dmp

Filesize
132KB

Download
memory/2692-1-0x0000000010000000-0x0000000016278000-memory.dmp

Filesize
98.5MB

Download
memory/2920-15-0x0000000000660000-0x0000000000681000-memory.dmp

Filesize
132KB

Download
memory/2920-16-0x0000000000660000-0x0000000000681000-memory.dmp

Filesize
132KB

Download
memory/2920-17-0x0000000000660000-0x0000000000681000-memory.dmp

Filesize
132KB

Download
memory/2920-18-0x0000000000660000-0x0000000000681000-memory.dmp

Filesize
132KB

Download
memory/3848-13-0x0000000010000000-0x0000000016278000-memory.dmp

Filesize
98.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads