qakbot | 5fb55797b544665fdc2b3bc35dc4b3170217e83f1cef2935223e37a01d6eaf7d

General

Target

48340cc03dead4862f324112f4b6b384_JaffaCakes118.dll
Size

708KB
MD5

48340cc03dead4862f324112f4b6b384
SHA1

f7ed73cdbe0013fd8d0c8602e2b6f782396ae8b3
SHA256

5fb55797b544665fdc2b3bc35dc4b3170217e83f1cef2935223e37a01d6eaf7d
SHA512

0a9d0b339a1de87b199693ef7adfdf03302d1bba5b06589c8a32fadcf3c09fa470fd1642f4178c017f5790e43531f723256ffcb92469e30f430530d8986744d1
SSDEEP

12288:TpbAcis08s7gQFMWC24/MFS+AWmdnWJIjJ5F3+DpEFs3H6v/+1oTNb:TZDis0dFA24/MFSptIJKnx+NE23a3+1e

Score

10^/10

qakbot obama106 1632905607 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama106

Campaign

1632905607

C2

37.210.152.224:995

120.151.47.189:443

105.198.236.99:443

122.11.220.212:2222

199.27.127.129:443

41.251.41.14:995

216.201.162.158:443

124.123.42.115:2078

181.118.183.94:443

120.150.218.241:995

185.250.148.74:443

217.17.56.163:443

182.181.78.18:995

140.82.49.12:443

105.159.144.186:995

89.101.97.139:443

217.17.56.163:0

27.223.92.142:995

95.77.223.148:443

109.190.253.11:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Xrcihejtbo = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Wyawdecnkif = "0"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
5076	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ghfiofyg\dde01df9 = 8eedfaecfbb5ebd9aba6e8ccec2db9be275d17e2fbf53b86b25a14b98aa1458bbdc7d5009c5261787b759929ee7ed975fad60708	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ghfiofyg\ea3eedcb = 968224aaf61e915efdbfc16c38904f8577734cccc142e766274b87df5c2855b094d1ddce1e70	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ghfiofyg\52828aae = 06e66b773305eddd00e091ce219b34c0a64803467ac2eb52c88f0f897e0555cf29f1bdeb9960a3e36b4f8d455f3d786ee6ebb22dfb4b068e4a79fc44b0314f477e824f5692cd7bfe	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ghfiofyg\2f8ac524 = 36dcdb243c22edca90bbaced410ea9a85d7d70780fb073fcbb932c6e2312dd367c36563ee54209e7	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ghfiofyg\9736a241 = 09e8d27cb8a37749ac19c9681be04ae78f7354636355ed0811692abda0a5f4a246f5ef71c9c50527	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ghfiofyg\dde01df9 = 8eededecfbb5de16325f02b2d070c3a156a515b81a8433c0a4299aac355f875983c894d278bf5fcee4bb6d18ac031f87e5d7cfa77ff0c8d6f7b994ed27ed661b7f6a5994fb2dd7a6f1	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ghfiofyg	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ghfiofyg\e87fcdb7 = 16d5d95f638fe86f68b7ff129f051219860792c0345d4bbb476cc2677b3099f8ffa412106bcca87d18ba74bd88143a7f95e5d4fc4b3e291cc9d523c0e204678c0df4583ed629220e340477949bcc0bab7973a04dc88ae575da2797867bd777fdb68528ee7b5b888ed27e0956a5443817b93378da78c3de37008e11731ac2b1f8db6752cc7a29fba16df0019927f1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ghfiofyg\50c3aad2 = 4b3bbbf7ac29698227463b46b02561347314b5994507370bbb4f8ad2a8be1dcdf9b3dcd16c60243783240d60e63b7c4e03f7afb309ac2989f758a34c612661698a9bad2014244db38cd0b32e96	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ghfiofyg\a2a9720f = d10f1a76e6370289ac0f8ff882573471a33e254c6ee043c27958316825dfb686218b747223fb71b7a72f1858c78bed9f20392d9cdd58c47b529fffea8e	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4364	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
832	rundll32.exe
832	rundll32.exe
5076	regsvr32.exe
5076	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
832	rundll32.exe
5076	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 832	4752	rundll32.exe	84
PID 4752 wrote to memory of 832	4752	rundll32.exe	84
PID 4752 wrote to memory of 832	4752	rundll32.exe	84
PID 832 wrote to memory of 4940	832	rundll32.exe	94
PID 832 wrote to memory of 4940	832	rundll32.exe	94
PID 832 wrote to memory of 4940	832	rundll32.exe	94
PID 832 wrote to memory of 4940	832	rundll32.exe	94
PID 832 wrote to memory of 4940	832	rundll32.exe	94
PID 4940 wrote to memory of 4364	4940	explorer.exe	95
PID 4940 wrote to memory of 4364	4940	explorer.exe	95
PID 4940 wrote to memory of 4364	4940	explorer.exe	95
PID 5116 wrote to memory of 5076	5116	regsvr32.exe	104
PID 5116 wrote to memory of 5076	5116	regsvr32.exe	104
PID 5116 wrote to memory of 5076	5116	regsvr32.exe	104
PID 5076 wrote to memory of 884	5076	regsvr32.exe	105
PID 5076 wrote to memory of 884	5076	regsvr32.exe	105
PID 5076 wrote to memory of 884	5076	regsvr32.exe	105
PID 5076 wrote to memory of 884	5076	regsvr32.exe	105
PID 5076 wrote to memory of 884	5076	regsvr32.exe	105
PID 884 wrote to memory of 4992	884	explorer.exe	106
PID 884 wrote to memory of 4992	884	explorer.exe	106
PID 884 wrote to memory of 4952	884	explorer.exe	108
PID 884 wrote to memory of 4952	884	explorer.exe	108

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\48340cc03dead4862f324112f4b6b384_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\48340cc03dead4862f324112f4b6b384_JaffaCakes118.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn vxnrqpwiyr /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\48340cc03dead4862f324112f4b6b384_JaffaCakes118.dll\"" /SC ONCE /Z /ST 13:58 /ET 14:10
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4364

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\48340cc03dead4862f324112f4b6b384_JaffaCakes118.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Windows\SysWOW64\regsvr32.exe
  -s "C:\Users\Admin\AppData\Local\Temp\48340cc03dead4862f324112f4b6b384_JaffaCakes118.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Xrcihejtbo" /d "0"
      4⤵
      Windows security bypass
      PID:4992
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Wyawdecnkif" /d "0"
      4⤵
      Windows security bypass
      PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\48340cc03dead4862f324112f4b6b384_JaffaCakes118.dll

Filesize
708KB

MD5
48340cc03dead4862f324112f4b6b384

SHA1
f7ed73cdbe0013fd8d0c8602e2b6f782396ae8b3

SHA256
5fb55797b544665fdc2b3bc35dc4b3170217e83f1cef2935223e37a01d6eaf7d

SHA512
0a9d0b339a1de87b199693ef7adfdf03302d1bba5b06589c8a32fadcf3c09fa470fd1642f4178c017f5790e43531f723256ffcb92469e30f430530d8986744d1

Download Submit
memory/832-0-0x00000000751D0000-0x000000007529A000-memory.dmp

Filesize
808KB

Download
memory/832-5-0x00000000751D0000-0x000000007529A000-memory.dmp

Filesize
808KB

Download
memory/832-4-0x0000000075281000-0x0000000075287000-memory.dmp

Filesize
24KB

Download
memory/832-7-0x00000000751D0000-0x000000007529A000-memory.dmp

Filesize
808KB

Download
memory/832-1-0x00000000751D0000-0x000000007529A000-memory.dmp

Filesize
808KB

Download
memory/884-26-0x0000000001190000-0x00000000011B1000-memory.dmp

Filesize
132KB

Download
memory/884-25-0x0000000001190000-0x00000000011B1000-memory.dmp

Filesize
132KB

Download
memory/884-24-0x0000000001190000-0x00000000011B1000-memory.dmp

Filesize
132KB

Download
memory/4940-12-0x00000000004F0000-0x0000000000511000-memory.dmp

Filesize
132KB

Download
memory/4940-14-0x00000000004F0000-0x0000000000511000-memory.dmp

Filesize
132KB

Download
memory/4940-11-0x00000000004F0000-0x0000000000511000-memory.dmp

Filesize
132KB

Download
memory/4940-10-0x00000000004F0000-0x0000000000511000-memory.dmp

Filesize
132KB

Download
memory/4940-6-0x00000000004F0000-0x0000000000511000-memory.dmp

Filesize
132KB

Download
memory/5076-19-0x0000000075140000-0x000000007520A000-memory.dmp

Filesize
808KB

Download
memory/5076-18-0x0000000075140000-0x000000007520A000-memory.dmp

Filesize
808KB

Download
memory/5076-22-0x0000000075140000-0x000000007520A000-memory.dmp

Filesize
808KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads