qakbot | 09852993c42eb2951a04df62e409eb302b9503e0630cd31b59f9d1d665f5285f

General

Target

53759d3a69d41706a6f3119890d216b9_JaffaCakes118.dll
Size

708KB
MD5

53759d3a69d41706a6f3119890d216b9
SHA1

071b76992d73795a0611c375707847014b562662
SHA256

09852993c42eb2951a04df62e409eb302b9503e0630cd31b59f9d1d665f5285f
SHA512

a7bd9338d79e6be6dfb769c140276db5a4be64d74153aabda191bdfdde10c474881611d7576c20436abb5a0dca9c2c70a92150b99885e68cf73d81e97f7689e6
SSDEEP

12288:DCbAcis08s7gQFMWC24/MFS+AWmdnWJIjJ5F3+DpEFs3H6v/+JoTNt:DIDis0dFA24/MFSptIJKnx+NE23a3+J0

Score

10^/10

qakbot obama106 1632905607 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama106

Campaign

1632905607

C2

37.210.152.224:995

120.151.47.189:443

105.198.236.99:443

122.11.220.212:2222

199.27.127.129:443

41.251.41.14:995

216.201.162.158:443

124.123.42.115:2078

181.118.183.94:443

120.150.218.241:995

185.250.148.74:443

217.17.56.163:443

182.181.78.18:995

140.82.49.12:443

105.159.144.186:995

89.101.97.139:443

217.17.56.163:0

27.223.92.142:995

95.77.223.148:443

109.190.253.11:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Rqfbcmzn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Lrvqkyy = "0"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
1296	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ykaopcitciwwft\f582672a = 20bb3e1660733f1bd64555611328a5c852a6f979dc6d269355f320fd2e055f9fb5ee14ea05acb00a0e2c7b6fe1d083bd82b6d1a3712f5545ca1f2e52f1f3bc3eba71bb5e03f7c105a2d47f0c0632e8f9f4a2672bb57bbaa34fc7a97db723830d2e73e8461f2f85a105ac936796e23c9a3e36	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ykaopcitciwwft\888a28a0 = b0a27e06551e6ee6b1e038a40f8d04fcd6e8e676ce840553aa57fe3438987583f657b0d00fd92d800e68b98c36ec49ae34c3d2abb8fd6a30862c756f2e9ad2b57b4c6cf151088d9ba96251e5b03f299b97ba154f60c85f1d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ykaopcitciwwft\4f7f2033 = cb8978e24c77a480218bc2c3e25773c0d762b576b0167c4416615f1f447b3b5b35f2834a8b42	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ykaopcitciwwft\bd15f8ee = ffd99b5785ab1d7baa65a698df846d8d103372b5d30d2419590ca30275f8459d9899edc945eeb874a97b2bdf6609b9e8bd5f114171fc0460d7c5aa5fe7431639a6329472410996e0469df4d8f283e5fb8d3f417a	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ykaopcitciwwft	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ykaopcitciwwft\c25c9718 = 74daab86a4278012a75d6bec4ec82ba82a1c6de43e784736a57b56fabaae15f77dd57212fcd6e1ee2f116cbd5eba351477f0fa9bc86637109bc2b142c3d987974b44d4454e20a1a43a1cd1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ykaopcitciwwft\f7c34756 = 8af2ddc37beac63c552baf4796e59fe6afaadba4ac33d417c31d115e6c1016a5fba3793a281fdd0b29f3574f2ce7f216e92c6a06e76d908e9368774765fb41b3aba95068c2c61ee4c48fca091f62eba35e81cb699824f265380c7c955b64caa5c2a2c9c145c84c8ad8cb7ab90b2925f998cf686a839740268c4b8016011590e6630aa523273ceee72e8804dbaab8d96e82b7585d51912ca9d0e3798c7766d6a6ff7238ce1517e46964f18e33319947953e1bce2e8cc9f994bd24e8b7838af0121adb	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ykaopcitciwwft\4d3e004f = 5d8cb07f14901a6792ffd3c068d0ba96f3e81051a12a723b8e7f981149de1c6c8123f34a0f282c69ecd118ad8c2bbda482a70a5a939740346f46a72e85ea18c04b24cb7bd58d04d3283a83dc1d1bbc7ab1d61e952bc6d2603588bd1baf8f0a6530887593f99b9e1878ef9b455a1694ed245c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ykaopcitciwwft\30364fc5 = ec506661a8a0ee4480409015df6f14f3672f84f60ce9a251d4b86c254a7b67539f7337b1c57228	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ykaopcitciwwft\c25c9718 = 74dabc86a427b511b1f51cf1c506efbddcc908aac1f718c26d749ff3c38a3df2ec69e134b17c2038e0ab2ba9a9578eb4ece92ee63db737c4a2ce336dc856de2c78065b47b21a6330a6403252f57519a4f9d609235432bc7222abee021721ad4e	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1148	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4104	rundll32.exe
4104	rundll32.exe
1296	regsvr32.exe
1296	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4104	rundll32.exe
1296	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 788 wrote to memory of 4104	788	rundll32.exe	84
PID 788 wrote to memory of 4104	788	rundll32.exe	84
PID 788 wrote to memory of 4104	788	rundll32.exe	84
PID 4104 wrote to memory of 3004	4104	rundll32.exe	96
PID 4104 wrote to memory of 3004	4104	rundll32.exe	96
PID 4104 wrote to memory of 3004	4104	rundll32.exe	96
PID 4104 wrote to memory of 3004	4104	rundll32.exe	96
PID 4104 wrote to memory of 3004	4104	rundll32.exe	96
PID 3004 wrote to memory of 1148	3004	explorer.exe	97
PID 3004 wrote to memory of 1148	3004	explorer.exe	97
PID 3004 wrote to memory of 1148	3004	explorer.exe	97
PID 1096 wrote to memory of 1296	1096	regsvr32.exe	117
PID 1096 wrote to memory of 1296	1096	regsvr32.exe	117
PID 1096 wrote to memory of 1296	1096	regsvr32.exe	117
PID 1296 wrote to memory of 2880	1296	regsvr32.exe	118
PID 1296 wrote to memory of 2880	1296	regsvr32.exe	118
PID 1296 wrote to memory of 2880	1296	regsvr32.exe	118
PID 1296 wrote to memory of 2880	1296	regsvr32.exe	118
PID 1296 wrote to memory of 2880	1296	regsvr32.exe	118
PID 2880 wrote to memory of 2900	2880	explorer.exe	119
PID 2880 wrote to memory of 2900	2880	explorer.exe	119
PID 2880 wrote to memory of 3964	2880	explorer.exe	121
PID 2880 wrote to memory of 3964	2880	explorer.exe	121

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\53759d3a69d41706a6f3119890d216b9_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:788
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\53759d3a69d41706a6f3119890d216b9_JaffaCakes118.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn oczobfi /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\53759d3a69d41706a6f3119890d216b9_JaffaCakes118.dll\"" /SC ONCE /Z /ST 20:03 /ET 20:15
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1148

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\53759d3a69d41706a6f3119890d216b9_JaffaCakes118.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\SysWOW64\regsvr32.exe
  -s "C:\Users\Admin\AppData\Local\Temp\53759d3a69d41706a6f3119890d216b9_JaffaCakes118.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Rqfbcmzn" /d "0"
      4⤵
      Windows security bypass
      PID:2900
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Lrvqkyy" /d "0"
      4⤵
      Windows security bypass
      PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\53759d3a69d41706a6f3119890d216b9_JaffaCakes118.dll

Filesize
708KB

MD5
53759d3a69d41706a6f3119890d216b9

SHA1
071b76992d73795a0611c375707847014b562662

SHA256
09852993c42eb2951a04df62e409eb302b9503e0630cd31b59f9d1d665f5285f

SHA512
a7bd9338d79e6be6dfb769c140276db5a4be64d74153aabda191bdfdde10c474881611d7576c20436abb5a0dca9c2c70a92150b99885e68cf73d81e97f7689e6

Download Submit
memory/1296-22-0x0000000074BC0000-0x0000000074C8A000-memory.dmp

Filesize
808KB

Download
memory/1296-20-0x0000000074BC0000-0x0000000074C8A000-memory.dmp

Filesize
808KB

Download
memory/1296-18-0x0000000074BC0000-0x0000000074C8A000-memory.dmp

Filesize
808KB

Download
memory/1296-17-0x0000000074BC0000-0x0000000074C8A000-memory.dmp

Filesize
808KB

Download
memory/2880-26-0x0000000000940000-0x0000000000961000-memory.dmp

Filesize
132KB

Download
memory/2880-25-0x0000000000940000-0x0000000000961000-memory.dmp

Filesize
132KB

Download
memory/2880-24-0x0000000000940000-0x0000000000961000-memory.dmp

Filesize
132KB

Download
memory/3004-13-0x0000000000710000-0x0000000000731000-memory.dmp

Filesize
132KB

Download
memory/3004-10-0x0000000000710000-0x0000000000731000-memory.dmp

Filesize
132KB

Download
memory/3004-11-0x0000000000710000-0x0000000000731000-memory.dmp

Filesize
132KB

Download
memory/3004-9-0x0000000000710000-0x0000000000731000-memory.dmp

Filesize
132KB

Download
memory/3004-5-0x0000000000710000-0x0000000000731000-memory.dmp

Filesize
132KB

Download
memory/4104-1-0x0000000074C50000-0x0000000074D1A000-memory.dmp

Filesize
808KB

Download
memory/4104-6-0x0000000074C50000-0x0000000074D1A000-memory.dmp

Filesize
808KB

Download
memory/4104-0-0x0000000074C50000-0x0000000074D1A000-memory.dmp

Filesize
808KB

Download
memory/4104-4-0x0000000074D01000-0x0000000074D07000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads