qakbot | 5fb55797b544665fdc2b3bc35dc4b3170217e83f1cef2935223e37a01d6eaf7d

Analysis

max time kernel
139s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-10-2024 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48340cc03dead4862f324112f4b6b384_JaffaCakes118.dll
Size

708KB
MD5

48340cc03dead4862f324112f4b6b384
SHA1

f7ed73cdbe0013fd8d0c8602e2b6f782396ae8b3
SHA256

5fb55797b544665fdc2b3bc35dc4b3170217e83f1cef2935223e37a01d6eaf7d
SHA512

0a9d0b339a1de87b199693ef7adfdf03302d1bba5b06589c8a32fadcf3c09fa470fd1642f4178c017f5790e43531f723256ffcb92469e30f430530d8986744d1
SSDEEP

12288:TpbAcis08s7gQFMWC24/MFS+AWmdnWJIjJ5F3+DpEFs3H6v/+1oTNb:TZDis0dFA24/MFSptIJKnx+NE23a3+1e

Score

10^/10

qakbot obama106 1632905607 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama106

Campaign

1632905607

37.210.152.224:995

120.151.47.189:443

105.198.236.99:443

122.11.220.212:2222

199.27.127.129:443

41.251.41.14:995

216.201.162.158:443

124.123.42.115:2078

181.118.183.94:443

120.150.218.241:995

185.250.148.74:443

217.17.56.163:443

182.181.78.18:995

140.82.49.12:443

105.159.144.186:995

89.101.97.139:443

217.17.56.163:0

27.223.92.142:995

95.77.223.148:443

109.190.253.11:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Arduayrv = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Rvxcldvib = "0"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
3000	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Aoxonwryc\aa5e5eb8 = 8def5a8521dfb110d92e8cd987da5f25b3765517c6ecf5eae6bbf1430fce29f42037e2b8	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Aoxonwryc\d7561132 = 26bc0532ec71ecb3b7afb93a3c448cb5afdabb5014898dc1f10dede493f3cdba9506447b2b8addb24611289bf069ccc46633f588c524becaa84f898f685b03af0e178439eb03c49d5035038a549dceb669629fac692c792d88751c1ee3bbe42a785e5d7241de369f2b0aa0	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Aoxonwryc\6fea7657 = 1e10a9e882d6616d2b6aa409aecd9e52a57e3eddaa4b87f2226402db3f4c1681b0ea1b7716d6560087770a3e1555470287f8d4a850634c1870ff7802182007c2136aa19244f261bc0e0ac552ac67a8fefac2b9896083796c1bc6f62aad77eacab0b38a050759f577ee5e6315859da8d211	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Aoxonwryc\a81f7ec4 = fc8862713b46a2db10b0cce532d66ed6fa386b7a78a3efdb	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Aoxonwryc\253cc9ef = 010d535753c7c5b14d17112fb048f55249fd31541e118a2e48457be7ce40167cf728113bc99b4b0d274553bc988326f1e82c8a7bfaa461e33dcdcc8b3f17b8eac7497a761ff62287d1ccca19d59e4f5748774f8a12d8	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Aoxonwryc\253cc9ef = 010d445753c7f057a4b5c7723c1bef56a8c2fda077a98bfde435be6a4a48c5a5a7bac1f5afda8874a877401b1e76f31347fdc2399ba1704bf9bc6e5d5beec330c6	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Aoxonwryc\10a319a1 = be135c1ac26d0bb0d39165cf1ec4834879af6bcf2088198e3bb467d0f2dc8c6df99be29fc56661426f229dff0c74d2573ad9965604dc7051b4e26f8eb4a73b6dea2ede00978680c87c5b2ab2cd31ed215e42194e7954eae9a154bb424018afafd517c970a8f7fc448f6d95ae9282e14498fd8dd064793cbc0cf651555ccf226d4f29136ae81b034f8b5b149566e09b19474e061ea01f0dd4c3de2d8192364a60925210653bd98303896824da3bdba854a9dc3b6e5cdb0dfb0c7d202589	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Aoxonwryc\5a75a619 = bc547d9304d6c8864076ab0cb915d9bb66a4fabcf01ac39b85d375e8d90d9f303d9b8093850ea0b5606184052d583301429e6ebf34	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Aoxonwryc	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Aoxonwryc\12e239dd = 6bfef7daef01ef05a0e94c86b2d37e539870ab8a9778feb47b5167c06e322eacb2030695f86bed5aebb381ee3ef42d731688548f592a1fa8639660c577e8408c54f9d6ce2d2478d2a706	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2180	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
372	rundll32.exe
3000	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
372	rundll32.exe
3000	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 372	2068	rundll32.exe	31
PID 2068 wrote to memory of 372	2068	rundll32.exe	31
PID 2068 wrote to memory of 372	2068	rundll32.exe	31
PID 2068 wrote to memory of 372	2068	rundll32.exe	31
PID 2068 wrote to memory of 372	2068	rundll32.exe	31
PID 2068 wrote to memory of 372	2068	rundll32.exe	31
PID 2068 wrote to memory of 372	2068	rundll32.exe	31
PID 372 wrote to memory of 2228	372	rundll32.exe	33
PID 372 wrote to memory of 2228	372	rundll32.exe	33
PID 372 wrote to memory of 2228	372	rundll32.exe	33
PID 372 wrote to memory of 2228	372	rundll32.exe	33
PID 372 wrote to memory of 2228	372	rundll32.exe	33
PID 372 wrote to memory of 2228	372	rundll32.exe	33
PID 2228 wrote to memory of 2180	2228	explorer.exe	34
PID 2228 wrote to memory of 2180	2228	explorer.exe	34
PID 2228 wrote to memory of 2180	2228	explorer.exe	34
PID 2228 wrote to memory of 2180	2228	explorer.exe	34
PID 1904 wrote to memory of 1964	1904	taskeng.exe	37
PID 1904 wrote to memory of 1964	1904	taskeng.exe	37
PID 1904 wrote to memory of 1964	1904	taskeng.exe	37
PID 1904 wrote to memory of 1964	1904	taskeng.exe	37
PID 1904 wrote to memory of 1964	1904	taskeng.exe	37
PID 1964 wrote to memory of 3000	1964	regsvr32.exe	38
PID 1964 wrote to memory of 3000	1964	regsvr32.exe	38
PID 1964 wrote to memory of 3000	1964	regsvr32.exe	38
PID 1964 wrote to memory of 3000	1964	regsvr32.exe	38
PID 1964 wrote to memory of 3000	1964	regsvr32.exe	38
PID 1964 wrote to memory of 3000	1964	regsvr32.exe	38
PID 1964 wrote to memory of 3000	1964	regsvr32.exe	38
PID 3000 wrote to memory of 2940	3000	regsvr32.exe	39
PID 3000 wrote to memory of 2940	3000	regsvr32.exe	39
PID 3000 wrote to memory of 2940	3000	regsvr32.exe	39
PID 3000 wrote to memory of 2940	3000	regsvr32.exe	39
PID 3000 wrote to memory of 2940	3000	regsvr32.exe	39
PID 3000 wrote to memory of 2940	3000	regsvr32.exe	39
PID 2940 wrote to memory of 1088	2940	explorer.exe	40
PID 2940 wrote to memory of 1088	2940	explorer.exe	40
PID 2940 wrote to memory of 1088	2940	explorer.exe	40
PID 2940 wrote to memory of 1088	2940	explorer.exe	40
PID 2940 wrote to memory of 2948	2940	explorer.exe	42
PID 2940 wrote to memory of 2948	2940	explorer.exe	42
PID 2940 wrote to memory of 2948	2940	explorer.exe	42
PID 2940 wrote to memory of 2948	2940	explorer.exe	42

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\48340cc03dead4862f324112f4b6b384_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\48340cc03dead4862f324112f4b6b384_JaffaCakes118.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn nwcljxv /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\48340cc03dead4862f324112f4b6b384_JaffaCakes118.dll\"" /SC ONCE /Z /ST 13:58 /ET 14:10
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2180

C:\Windows\system32\taskeng.exe
taskeng.exe {64393723-97F0-48EF-9370-C7C9DAFF9136} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\48340cc03dead4862f324112f4b6b384_JaffaCakes118.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\48340cc03dead4862f324112f4b6b384_JaffaCakes118.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Arduayrv" /d "0"
        5⤵
        Windows security bypass
        
        PID:1088
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Rvxcldvib" /d "0"
        5⤵
        Windows security bypass
        
        PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\48340cc03dead4862f324112f4b6b384_JaffaCakes118.dll

Filesize
708KB

MD5
48340cc03dead4862f324112f4b6b384

SHA1
f7ed73cdbe0013fd8d0c8602e2b6f782396ae8b3

SHA256
5fb55797b544665fdc2b3bc35dc4b3170217e83f1cef2935223e37a01d6eaf7d

SHA512
0a9d0b339a1de87b199693ef7adfdf03302d1bba5b06589c8a32fadcf3c09fa470fd1642f4178c017f5790e43531f723256ffcb92469e30f430530d8986744d1

Download Submit
memory/372-0-0x0000000074C50000-0x0000000074D1A000-memory.dmp

Filesize
808KB

Download
memory/372-4-0x0000000074C50000-0x0000000074D1A000-memory.dmp

Filesize
808KB

Download
memory/372-3-0x0000000074D01000-0x0000000074D07000-memory.dmp

Filesize
24KB

Download
memory/372-1-0x0000000074C50000-0x0000000074D1A000-memory.dmp

Filesize
808KB

Download
memory/372-8-0x0000000074C50000-0x0000000074D1A000-memory.dmp

Filesize
808KB

Download
memory/2228-12-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2228-11-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2228-13-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2228-15-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2228-7-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2228-5-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/2940-27-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2940-29-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2940-28-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/3000-21-0x0000000074220000-0x00000000742EA000-memory.dmp

Filesize
808KB

Download
memory/3000-20-0x0000000074220000-0x00000000742EA000-memory.dmp

Filesize
808KB

Download
memory/3000-25-0x0000000074220000-0x00000000742EA000-memory.dmp

Filesize
808KB

Download