qakbot | e1a733800f7dd38acdb202f7b6acb34566206bed7f84bbe012b1531063ccc62d

General

Target

3e29ecd0dc87c66e250dd3151b6f8e38_JaffaCakes118.dll
Size

708KB
MD5

3e29ecd0dc87c66e250dd3151b6f8e38
SHA1

5f22d9b57d6285aab9d9a4ed76afbd743f2301e1
SHA256

e1a733800f7dd38acdb202f7b6acb34566206bed7f84bbe012b1531063ccc62d
SHA512

701422b8c31d627e7a0d62a569a0d36b4fb6ede1058421fab01c7c295626f47f32b94abfb9d65fdadab24445f9bacb93f13278f99382e2f2ecfc4a3a0504568c
SSDEEP

12288:IZbAcis08s7gQFMWC24/MFS+AWmdXWJIjJ5F3+DpEFs3H6v/+ZoTND:IpDis0dFA24/MFSptoJKnx+NE23a3+Zi

Score

10^/10

qakbot obama106 1632905607 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama106

Campaign

1632905607

C2

37.210.152.224:995

120.151.47.189:443

105.198.236.99:443

122.11.220.212:2222

199.27.127.129:443

41.251.41.14:995

216.201.162.158:443

124.123.42.115:2078

181.118.183.94:443

120.150.218.241:995

185.250.148.74:443

217.17.56.163:443

182.181.78.18:995

140.82.49.12:443

105.159.144.186:995

89.101.97.139:443

217.17.56.163:0

27.223.92.142:995

95.77.223.148:443

109.190.253.11:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Iutsw = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Jyyible = "0"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
1116	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tylythtst\f9f78312 = d719e34c1a16aea0f244951c97c1e3aca3052813	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tylythtst\86beece4 = f8387318063e313555b949d4	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tylythtst\b3213caa = f094ec5012595b723f2eaa890eed00ee4cb8495c16baca503354f8b72d6ecb4f16aee3861aa4cdba57b0ff5c90035b87f771dc7fc6efe2086cab15fda0b1601f0d2e7a351344b56a9a9420cab289336265217476dd02fa0fa1ea33512bed022cf654b59343cb7c749e41ac104018df54f8e0b49add2c71fd798f7896c19b75019c1463cceedb95b1a5f1d8a7a1c6506b126aa76bc1f9bb900f080d29f3e4ed5a3b6019b3bc008d9a05da44040052c34ab2b1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tylythtst\b1601cd6 = 5338c4914dc9f98ecfd91dbdfa466c988e7ca3675c5eab6f97d3ee3fb9f52ceb36e7ba05b7a6bc4b2c8826935bdcbd234b53c40ded97f93cdfc4b246b3d6040f72b1b785246766954acd649a09245005d1754e97f7883cdb70225a013d2b95f6f1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tylythtst\9dc7bb3 = 97f3dba98468990342db3588873e49054b40a89085e0089d678da45705e3df	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tylythtst\74d43439 = 9b3ef54792006edd908669af60fe69b8be38974f8935cceb09357d272f4a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tylythtst\cc68535c = e31dc436057835b046383cbe0ccf19241b7ef2d73932896792c18d0fb62ade6916ab665c135c855bed481167367d59d2f24328ae21b35e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tylythtst\b9d5bcf = d5041557d795ff5796d0fafa5f884409e957c1dfd36c516d0af241fd06a251fcd2e3b6b88ff1b47556ca862e96e160c3cbdb052b0bdd5ddcf1ea1f	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tylythtst	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tylythtst\86beece4 = f8386418063e04eeebf50bdcd52ee04f24ae6b9bce15390dd0a9e138fac2f2ba5c	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2076	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4728	rundll32.exe
4728	rundll32.exe
1116	regsvr32.exe
1116	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4728	rundll32.exe
1116	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 4728	4468	rundll32.exe	83
PID 4468 wrote to memory of 4728	4468	rundll32.exe	83
PID 4468 wrote to memory of 4728	4468	rundll32.exe	83
PID 4728 wrote to memory of 1796	4728	rundll32.exe	87
PID 4728 wrote to memory of 1796	4728	rundll32.exe	87
PID 4728 wrote to memory of 1796	4728	rundll32.exe	87
PID 4728 wrote to memory of 1796	4728	rundll32.exe	87
PID 4728 wrote to memory of 1796	4728	rundll32.exe	87
PID 1796 wrote to memory of 2076	1796	explorer.exe	88
PID 1796 wrote to memory of 2076	1796	explorer.exe	88
PID 1796 wrote to memory of 2076	1796	explorer.exe	88
PID 2248 wrote to memory of 1116	2248	regsvr32.exe	98
PID 2248 wrote to memory of 1116	2248	regsvr32.exe	98
PID 2248 wrote to memory of 1116	2248	regsvr32.exe	98
PID 1116 wrote to memory of 3692	1116	regsvr32.exe	99
PID 1116 wrote to memory of 3692	1116	regsvr32.exe	99
PID 1116 wrote to memory of 3692	1116	regsvr32.exe	99
PID 1116 wrote to memory of 3692	1116	regsvr32.exe	99
PID 1116 wrote to memory of 3692	1116	regsvr32.exe	99
PID 3692 wrote to memory of 3804	3692	explorer.exe	100
PID 3692 wrote to memory of 3804	3692	explorer.exe	100
PID 3692 wrote to memory of 3736	3692	explorer.exe	102
PID 3692 wrote to memory of 3736	3692	explorer.exe	102

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e29ecd0dc87c66e250dd3151b6f8e38_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e29ecd0dc87c66e250dd3151b6f8e38_JaffaCakes118.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn lzvvdwdmal /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\3e29ecd0dc87c66e250dd3151b6f8e38_JaffaCakes118.dll\"" /SC ONCE /Z /ST 05:55 /ET 06:07
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2076

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\3e29ecd0dc87c66e250dd3151b6f8e38_JaffaCakes118.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\regsvr32.exe
  -s "C:\Users\Admin\AppData\Local\Temp\3e29ecd0dc87c66e250dd3151b6f8e38_JaffaCakes118.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:3692
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Iutsw" /d "0"
      4⤵
      Windows security bypass
      PID:3804
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Jyyible" /d "0"
      4⤵
      Windows security bypass
      PID:3736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3e29ecd0dc87c66e250dd3151b6f8e38_JaffaCakes118.dll

Filesize
708KB

MD5
3e29ecd0dc87c66e250dd3151b6f8e38

SHA1
5f22d9b57d6285aab9d9a4ed76afbd743f2301e1

SHA256
e1a733800f7dd38acdb202f7b6acb34566206bed7f84bbe012b1531063ccc62d

SHA512
701422b8c31d627e7a0d62a569a0d36b4fb6ede1058421fab01c7c295626f47f32b94abfb9d65fdadab24445f9bacb93f13278f99382e2f2ecfc4a3a0504568c

Download Submit
memory/1116-23-0x0000000075070000-0x000000007513A000-memory.dmp

Filesize
808KB

Download
memory/1116-21-0x0000000075070000-0x000000007513A000-memory.dmp

Filesize
808KB

Download
memory/1116-18-0x0000000075070000-0x000000007513A000-memory.dmp

Filesize
808KB

Download
memory/1116-19-0x0000000075070000-0x000000007513A000-memory.dmp

Filesize
808KB

Download
memory/1796-6-0x0000000001230000-0x0000000001251000-memory.dmp

Filesize
132KB

Download
memory/1796-12-0x0000000001230000-0x0000000001251000-memory.dmp

Filesize
132KB

Download
memory/1796-10-0x0000000001230000-0x0000000001251000-memory.dmp

Filesize
132KB

Download
memory/1796-14-0x0000000001230000-0x0000000001251000-memory.dmp

Filesize
132KB

Download
memory/1796-11-0x0000000001230000-0x0000000001251000-memory.dmp

Filesize
132KB

Download
memory/3692-25-0x00000000006B0000-0x00000000006D1000-memory.dmp

Filesize
132KB

Download
memory/3692-26-0x00000000006B0000-0x00000000006D1000-memory.dmp

Filesize
132KB

Download
memory/3692-27-0x00000000006B0000-0x00000000006D1000-memory.dmp

Filesize
132KB

Download
memory/4728-7-0x0000000075100000-0x00000000751CA000-memory.dmp

Filesize
808KB

Download
memory/4728-2-0x0000000075100000-0x00000000751CA000-memory.dmp

Filesize
808KB

Download
memory/4728-0-0x0000000075100000-0x00000000751CA000-memory.dmp

Filesize
808KB

Download
memory/4728-5-0x0000000075100000-0x00000000751CA000-memory.dmp

Filesize
808KB

Download
memory/4728-4-0x00000000751B1000-0x00000000751B7000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads