qakbot | ff2ab7f29f375ffa5d27b3a780c94c94002068d75ac8535dfd0a03f8213ae702

General

Target

428c802af0aeb924db797954d07970c1_JaffaCakes118.dll
Size

708KB
MD5

428c802af0aeb924db797954d07970c1
SHA1

33143186ac3f2106cf0c35e418c9e99702f83d18
SHA256

ff2ab7f29f375ffa5d27b3a780c94c94002068d75ac8535dfd0a03f8213ae702
SHA512

c254cccf59279dba2f82d6a9cfdb9121ef6f3bf5acb6630c1e2bac80fc8d0761e97d2bf3606d63ca6120b4619a535f83530fb9483bb3b7cfe164b050d75252d8
SSDEEP

12288:XkbAcis08s7gQFMWC24/MFS+AWmdnWJIjJ5F3+DpEFs3H6v/+5oTNW:XWDis0dFA24/MFSptIJKnx+NE23a3+5r

Score

10^/10

qakbot obama106 1632905607 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama106

Campaign

1632905607

C2

37.210.152.224:995

120.151.47.189:443

105.198.236.99:443

122.11.220.212:2222

199.27.127.129:443

41.251.41.14:995

216.201.162.158:443

124.123.42.115:2078

181.118.183.94:443

120.150.218.241:995

185.250.148.74:443

217.17.56.163:443

182.181.78.18:995

140.82.49.12:443

105.159.144.186:995

89.101.97.139:443

217.17.56.163:0

27.223.92.142:995

95.77.223.148:443

109.190.253.11:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Uayiliidyedf = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Iucqfjezljr = "0"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
5096	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Crwzigel\d86c77cc = ccbe8175cd725666ed444f416c44bc8ed4d3cc6950a89103dc4862cbf2de04bd1662bdd53963a71033f6ca8171ce3f65a98cfbf9009e9a034bcd96f52395b8e0d21dabe4d8a43c80c942cf86e931cd54b89ed46a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Crwzigel\a5643846 = 3da0a7675e8677757ae39e7bfe8bdadc83fe5c2cd5f2dc3242788283e589d4ffd43100c0622086970bbd42686a4a5d9229d2e3e169763d62b06b9b304dfcb30ec2909b6b4f2f8b52cece	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Crwzigel\570ee09b = 8eb3a88fbe6ffe3f1723c22c6fe91c8797cdc67c95b484f3d8e30c6b57a7355a5c01f065bc0afc1c6046658855d538a50cdc4e04	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Crwzigel	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Crwzigel\570ee09b = 8eb3bf8fbe6fcbf18d5d47d0e559bed097f9b91236a683f8c5990ba7d88d29	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Crwzigel\629130d5 = ee84a760741d0e46ad72096af80bcda8ea44d6f7d6871c86c3c784fb73fc3c467f3d7623344b75abe7c67f578ecb25322855f02212b4b4b457361d58742e4c8f80d44e28be78d916dfb4de8957a0797ea2549702a40b368a3fb0077af3817fe24e5a1639e782a5e4a5067b38d620d760	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Crwzigel\60d010a9 = dd10ab43b024a2cba99ebf26c22300f172341afeb1f2e1e39f8c7e11fa492efaf4db94ff572e5458e041886e12a143a37098d1d2a0ec8b194760d7b70f572017fc924791bf47505d1872fced6826862f9f112d55fc566c8d54bfcdd521c56334d48490c43736df8789	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Crwzigel\1dd85f23 = 56942ad4a2fd42bf20c1d14ecf260e4d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Crwzigel\da2d57b0 = 04ab549e6019bb5417636adcdf816fb1c97f66650fc9d50db6586176c72803fabb26ebb09a5e75116a0ca904134df6425d275bc6a7042376e820e38732d8d341af9bc8f279f70f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Crwzigel\28478f6d = 08ce280b4513f9d314b62a6c5bf471edc18c742d08cf6b5d46dfe5e6ce205973ab169c205726b51b7c5ae6b100af280831c93fe382be	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1068	rundll32.exe
1068	rundll32.exe
5096	regsvr32.exe
5096	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1068	rundll32.exe
5096	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 1068	4556	rundll32.exe	83
PID 4556 wrote to memory of 1068	4556	rundll32.exe	83
PID 4556 wrote to memory of 1068	4556	rundll32.exe	83
PID 1068 wrote to memory of 5116	1068	rundll32.exe	87
PID 1068 wrote to memory of 5116	1068	rundll32.exe	87
PID 1068 wrote to memory of 5116	1068	rundll32.exe	87
PID 1068 wrote to memory of 5116	1068	rundll32.exe	87
PID 1068 wrote to memory of 5116	1068	rundll32.exe	87
PID 5116 wrote to memory of 2628	5116	explorer.exe	88
PID 5116 wrote to memory of 2628	5116	explorer.exe	88
PID 5116 wrote to memory of 2628	5116	explorer.exe	88
PID 3848 wrote to memory of 5096	3848	regsvr32.exe	99
PID 3848 wrote to memory of 5096	3848	regsvr32.exe	99
PID 3848 wrote to memory of 5096	3848	regsvr32.exe	99
PID 5096 wrote to memory of 2196	5096	regsvr32.exe	104
PID 5096 wrote to memory of 2196	5096	regsvr32.exe	104
PID 5096 wrote to memory of 2196	5096	regsvr32.exe	104
PID 5096 wrote to memory of 2196	5096	regsvr32.exe	104
PID 5096 wrote to memory of 2196	5096	regsvr32.exe	104
PID 2196 wrote to memory of 3668	2196	explorer.exe	105
PID 2196 wrote to memory of 3668	2196	explorer.exe	105
PID 2196 wrote to memory of 5072	2196	explorer.exe	107
PID 2196 wrote to memory of 5072	2196	explorer.exe	107

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\428c802af0aeb924db797954d07970c1_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\428c802af0aeb924db797954d07970c1_JaffaCakes118.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ylnzycwr /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\428c802af0aeb924db797954d07970c1_JaffaCakes118.dll\"" /SC ONCE /Z /ST 13:30 /ET 13:42
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2628

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\428c802af0aeb924db797954d07970c1_JaffaCakes118.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Windows\SysWOW64\regsvr32.exe
  -s "C:\Users\Admin\AppData\Local\Temp\428c802af0aeb924db797954d07970c1_JaffaCakes118.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Uayiliidyedf" /d "0"
      4⤵
      Windows security bypass
      PID:3668
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Iucqfjezljr" /d "0"
      4⤵
      Windows security bypass
      PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\428c802af0aeb924db797954d07970c1_JaffaCakes118.dll

Filesize
708KB

MD5
428c802af0aeb924db797954d07970c1

SHA1
33143186ac3f2106cf0c35e418c9e99702f83d18

SHA256
ff2ab7f29f375ffa5d27b3a780c94c94002068d75ac8535dfd0a03f8213ae702

SHA512
c254cccf59279dba2f82d6a9cfdb9121ef6f3bf5acb6630c1e2bac80fc8d0761e97d2bf3606d63ca6120b4619a535f83530fb9483bb3b7cfe164b050d75252d8

Download Submit
memory/1068-4-0x0000000075281000-0x0000000075287000-memory.dmp

Filesize
24KB

Download
memory/1068-0-0x00000000751D0000-0x000000007529A000-memory.dmp

Filesize
808KB

Download
memory/1068-6-0x00000000751D0000-0x000000007529A000-memory.dmp

Filesize
808KB

Download
memory/1068-1-0x00000000751D0000-0x000000007529A000-memory.dmp

Filesize
808KB

Download
memory/2196-26-0x0000000000800000-0x0000000000821000-memory.dmp

Filesize
132KB

Download
memory/2196-25-0x0000000000800000-0x0000000000821000-memory.dmp

Filesize
132KB

Download
memory/2196-24-0x0000000000800000-0x0000000000821000-memory.dmp

Filesize
132KB

Download
memory/5096-20-0x0000000075140000-0x000000007520A000-memory.dmp

Filesize
808KB

Download
memory/5096-18-0x0000000075140000-0x000000007520A000-memory.dmp

Filesize
808KB

Download
memory/5096-17-0x0000000075140000-0x000000007520A000-memory.dmp

Filesize
808KB

Download
memory/5096-22-0x0000000075140000-0x000000007520A000-memory.dmp

Filesize
808KB

Download
memory/5116-13-0x0000000001170000-0x0000000001191000-memory.dmp

Filesize
132KB

Download
memory/5116-11-0x0000000001170000-0x0000000001191000-memory.dmp

Filesize
132KB

Download
memory/5116-10-0x0000000001170000-0x0000000001191000-memory.dmp

Filesize
132KB

Download
memory/5116-9-0x0000000001170000-0x0000000001191000-memory.dmp

Filesize
132KB

Download
memory/5116-5-0x0000000001170000-0x0000000001191000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads