qakbot | 585e9a5e42724ce79e7cb016add54a730f6682f172a48e0a40592625d981dbcb

General

Target

490c585ede21201a9046ff10ae62411e_JaffaCakes118.dll
Size

378KB
MD5

490c585ede21201a9046ff10ae62411e
SHA1

096dc722950a1827df58e97474b43174700474bc
SHA256

585e9a5e42724ce79e7cb016add54a730f6682f172a48e0a40592625d981dbcb
SHA512

5222dce1ecfc8fc352bb49fb5ecb31ab575dc041212312547e77de13570df0dd5a6422f6465244efc57c0e1cdec13f5e6af09331d4bcb1933353926199ba23fc
SSDEEP

3072:Do6vBnby4Yx0XjFFzPQ0MslzERfQB24hLxBVi/b/9+PdpiWC35ol/uwfTuT2b2M6:vs6Xpq0H3Jhds/9+qC/zfTPLc

Score

10^/10

qakbot obama104 1632729661 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

obama104

Campaign

1632729661

C2

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Uaonwayg = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Edhevymb = "0"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
4140	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ywxzybdqemmtl\4aabb739 = 7678adad9cc53136b3c8bcd1238e4e019b3e29751a750de6fd99070726b37495646fee12a323	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ywxzybdqemmtl\35e2d8cf = 6e58496057a971c226d5914edb61d655f204206ae1e88c67849d7e48269c1156753f1d3078040e66115bd464696473be12b99a0090c31b67a15edaa75f77f02adbf1bf561597ce016eeddf0f127c08cbbf3745e9b0f5	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ywxzybdqemmtl\7d0881 = 3b148d5a831f153f64b34ca1aceca60b6c178696c80d3df8e8a2badd681962929a4036f63c5466e7fdebc1964482a70b1895f94b3fc004418c5841f7814f35e6f672a8ac52a4329c3319b73b16b196df8306bff7463e5118ee07a1a0cbfb8521353f3164a2	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ywxzybdqemmtl\c7880012 = c403fdf846ac4a21fd7ac49581b64495f69d585d85e3386026c80080513d39579526bb8915f32f472aa0200980762f4b3b2bf56abfc118a67592c66069986a62b9faf1f1a09d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ywxzybdqemmtl\b8c16fe4 = 54b0117ad174be30010f12ebb47d18199a11b0be698a1b1d4e553792790f26c7f9a43fa28349ca1dc1b0a127e67ca6e16755af20214f0260b419e6331b2b1d749fa13db3e907f8092e0e6c6ac8379cd17bea42a1f531f6b7d1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ywxzybdqemmtl\ba804f98 = 31de064d64dd61d7983440ec42000fec2991f8017f9173e786adccf74f60b20e462f344713e05e9d695816e981699c80a9ea80d902b39c71c6839f342f9db94092e8862f541fa1450e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ywxzybdqemmtl\7f346777 = bbffcfd5cdac8968f4a037e548835a7523fb5cb2805bda174f96f24423c54fabe3714b636fbc365bc3669175d58068c0e4a0f7596d148348ce197ad1da3c6c61d8b1ce2b5f	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ywxzybdqemmtl	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ywxzybdqemmtl\35e2d8cf = 6e585e6057a9440c3be9b1fc19f05ffa55888b7cddb37d744dd48cf303c586048d960b794443fb3bafb0b545837f0569c7205b9a63761f27d5123008aee4bf957d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ywxzybdqemmtl\23c28fd = b58b5b30857c7769a84acb368ba94caee1b0572a96db2e3e37d36af8ce1ee0458e69f72d	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4152	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1532	rundll32.exe
1532	rundll32.exe
4140	regsvr32.exe
4140	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1532	rundll32.exe
4140	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 1532	2456	rundll32.exe	84
PID 2456 wrote to memory of 1532	2456	rundll32.exe	84
PID 2456 wrote to memory of 1532	2456	rundll32.exe	84
PID 1532 wrote to memory of 4476	1532	rundll32.exe	88
PID 1532 wrote to memory of 4476	1532	rundll32.exe	88
PID 1532 wrote to memory of 4476	1532	rundll32.exe	88
PID 1532 wrote to memory of 4476	1532	rundll32.exe	88
PID 1532 wrote to memory of 4476	1532	rundll32.exe	88
PID 4476 wrote to memory of 4152	4476	explorer.exe	89
PID 4476 wrote to memory of 4152	4476	explorer.exe	89
PID 4476 wrote to memory of 4152	4476	explorer.exe	89
PID 4316 wrote to memory of 4140	4316	regsvr32.exe	119
PID 4316 wrote to memory of 4140	4316	regsvr32.exe	119
PID 4316 wrote to memory of 4140	4316	regsvr32.exe	119
PID 4140 wrote to memory of 3840	4140	regsvr32.exe	120
PID 4140 wrote to memory of 3840	4140	regsvr32.exe	120
PID 4140 wrote to memory of 3840	4140	regsvr32.exe	120
PID 4140 wrote to memory of 3840	4140	regsvr32.exe	120
PID 4140 wrote to memory of 3840	4140	regsvr32.exe	120
PID 3840 wrote to memory of 3676	3840	explorer.exe	121
PID 3840 wrote to memory of 3676	3840	explorer.exe	121
PID 3840 wrote to memory of 2436	3840	explorer.exe	123
PID 3840 wrote to memory of 2436	3840	explorer.exe	123

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\490c585ede21201a9046ff10ae62411e_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\490c585ede21201a9046ff10ae62411e_JaffaCakes118.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn gcniuxhk /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\490c585ede21201a9046ff10ae62411e_JaffaCakes118.dll\"" /SC ONCE /Z /ST 17:19 /ET 17:31
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4152

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\490c585ede21201a9046ff10ae62411e_JaffaCakes118.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\SysWOW64\regsvr32.exe
  -s "C:\Users\Admin\AppData\Local\Temp\490c585ede21201a9046ff10ae62411e_JaffaCakes118.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:3840
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Uaonwayg" /d "0"
      4⤵
      Windows security bypass
      PID:3676
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Edhevymb" /d "0"
      4⤵
      Windows security bypass
      PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\490c585ede21201a9046ff10ae62411e_JaffaCakes118.dll

Filesize
378KB

MD5
490c585ede21201a9046ff10ae62411e

SHA1
096dc722950a1827df58e97474b43174700474bc

SHA256
585e9a5e42724ce79e7cb016add54a730f6682f172a48e0a40592625d981dbcb

SHA512
5222dce1ecfc8fc352bb49fb5ecb31ab575dc041212312547e77de13570df0dd5a6422f6465244efc57c0e1cdec13f5e6af09331d4bcb1933353926199ba23fc

Download Submit
memory/1532-0-0x0000000000D80000-0x0000000000DC2000-memory.dmp

Filesize
264KB

Download
memory/1532-3-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/1532-5-0x0000000000D80000-0x0000000000DC2000-memory.dmp

Filesize
264KB

Download
memory/1532-4-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/1532-1-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/3840-20-0x0000000000420000-0x0000000000441000-memory.dmp

Filesize
132KB

Download
memory/3840-21-0x0000000000420000-0x0000000000441000-memory.dmp

Filesize
132KB

Download
memory/3840-19-0x0000000000420000-0x0000000000441000-memory.dmp

Filesize
132KB

Download
memory/4140-17-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/4476-12-0x0000000000530000-0x0000000000551000-memory.dmp

Filesize
132KB

Download
memory/4476-9-0x0000000000530000-0x0000000000551000-memory.dmp

Filesize
132KB

Download
memory/4476-10-0x0000000000530000-0x0000000000551000-memory.dmp

Filesize
132KB

Download
memory/4476-8-0x0000000000530000-0x0000000000551000-memory.dmp

Filesize
132KB

Download
memory/4476-2-0x0000000000530000-0x0000000000551000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads