qakbot | 18d23b48774de9cc011cf0f89d20a3675b808b4a7e8f1de09e74a31b0d8d4588

Analysis

max time kernel
129s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-10-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d8108a182f1d5cc5ed3058e525f3927_JaffaCakes118.dll
Size

378KB
MD5

6d8108a182f1d5cc5ed3058e525f3927
SHA1

f729d7478096363dc347101e4298d8abea1045eb
SHA256

18d23b48774de9cc011cf0f89d20a3675b808b4a7e8f1de09e74a31b0d8d4588
SHA512

b81d29086ee5bb104b4481c58e569dbf66672754025f0013325572f512636d4fe12ac736a091b4b34d9bdfb3c3a5317859efbd9e692612072060c8e36b7bcb12
SSDEEP

3072:Do6vBnby4Yx0XjFFzPQ0MslzERfQB24hLxBVi/b/9+PdpiWC35ol/uwfTuT2b2Mg:vs6Xpq0H3Jhds/9+qC/zfTPLa

Score

10^/10

qakbot obama104 1632729661 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

obama104

Campaign

1632729661

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Oalyicii = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Amowaaoypa = "0"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
1288	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xetsaxezxc\b6565ae0 = 410760fe1df837e0d535c53fc4283eeacb862057786ba4da74555aadb3bbc0ceac514d5ba8f6f10907b9f1d45d31a6144ccfa0076f181d294b5efe02eaf7877b13efdf285dfa60ae5657f4	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Xetsaxezxc	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xetsaxezxc\8188aad2 = b1643bfcb2c0c4e82903269f2b592a7e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xetsaxezxc\fc80e558 = 2742f36301f6af4a4886843328a768f1f76cd0b65c010e892c613b5a2dda78e868da8d62d22eefdf8ee633db60f612c2d547597acfa3f4b0b3f76801b3103fbc9f60cd93e3484f60bf42db6952e4594844cf9842336e7c95a0d9d2d495ef0535ccb0dbdd5a281ae6	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xetsaxezxc\c91f3516 = e7bf461f0a7542d9b95acece7e2f790006235e9156f165aa29bd22aa0a58e4689a2a6874264a4386ee1c4e7ad1505117f31ad52ca8718a734466d24ddc1028538e074927616b9828656becc7c95b5111a21f721523609f9af9860f97da8369283da9ae5f1a3c5077be19a6	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xetsaxezxc\3b75edcb = 3ca81443ceb4bd24fb99ed7b22bc7c75e979f8657f793369aa1e59ac55dfc7e76844efd1d59d6187eea9ae1af584be830d36d577aec7ac1989a9daff0dd0343ea68596530a6c379322b752e16ac250843844bb8bcb9fc569109ce07caedf4140d6fc16d15de1fd87fb	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xetsaxezxc\b6565ae0 = 410777fe1df80235626f584ca622e2fe86a56b5cf0eba8b45c33e6a303fca7520404c5f890b721417942f16e38d17a498e982c135be6	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xetsaxezxc\83c98aae = f3577246853b84b7249fadc9c575154cf08f532634c7bb35f5297bb1e6bc2b324903d6798571fcb5b4bfb3091e735a8ede4be7e85e28b2b330c27bde29889538ef9b11eaf82b301523bac4b6ed8b485435e8f7b395d47e3bb9d0f106b56991c31f9f96f1ffdb25a906e16e25a775d689d0da41bed10903b7ec58e4a0bf266249f48c40e2	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xetsaxezxc\3934cdb7 = 5a86b7684d26e6d87a64fce6a4973e1152f1283ead2d40bd852ac0f48bbee2	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xetsaxezxc\443c823d = 2264d2699ebc89ba2822bd471b94f8dfee18551bd017a15c70e51b29e764bb6933a96b82391ad881e7e120e9bf18ea	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2080	rundll32.exe
1288	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2080	rundll32.exe
1288	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 2080	1228	rundll32.exe	30
PID 1228 wrote to memory of 2080	1228	rundll32.exe	30
PID 1228 wrote to memory of 2080	1228	rundll32.exe	30
PID 1228 wrote to memory of 2080	1228	rundll32.exe	30
PID 1228 wrote to memory of 2080	1228	rundll32.exe	30
PID 1228 wrote to memory of 2080	1228	rundll32.exe	30
PID 1228 wrote to memory of 2080	1228	rundll32.exe	30
PID 2080 wrote to memory of 2820	2080	rundll32.exe	31
PID 2080 wrote to memory of 2820	2080	rundll32.exe	31
PID 2080 wrote to memory of 2820	2080	rundll32.exe	31
PID 2080 wrote to memory of 2820	2080	rundll32.exe	31
PID 2080 wrote to memory of 2820	2080	rundll32.exe	31
PID 2080 wrote to memory of 2820	2080	rundll32.exe	31
PID 2820 wrote to memory of 2804	2820	explorer.exe	32
PID 2820 wrote to memory of 2804	2820	explorer.exe	32
PID 2820 wrote to memory of 2804	2820	explorer.exe	32
PID 2820 wrote to memory of 2804	2820	explorer.exe	32
PID 2900 wrote to memory of 2244	2900	taskeng.exe	36
PID 2900 wrote to memory of 2244	2900	taskeng.exe	36
PID 2900 wrote to memory of 2244	2900	taskeng.exe	36
PID 2900 wrote to memory of 2244	2900	taskeng.exe	36
PID 2900 wrote to memory of 2244	2900	taskeng.exe	36
PID 2244 wrote to memory of 1288	2244	regsvr32.exe	37
PID 2244 wrote to memory of 1288	2244	regsvr32.exe	37
PID 2244 wrote to memory of 1288	2244	regsvr32.exe	37
PID 2244 wrote to memory of 1288	2244	regsvr32.exe	37
PID 2244 wrote to memory of 1288	2244	regsvr32.exe	37
PID 2244 wrote to memory of 1288	2244	regsvr32.exe	37
PID 2244 wrote to memory of 1288	2244	regsvr32.exe	37
PID 1288 wrote to memory of 1324	1288	regsvr32.exe	38
PID 1288 wrote to memory of 1324	1288	regsvr32.exe	38
PID 1288 wrote to memory of 1324	1288	regsvr32.exe	38
PID 1288 wrote to memory of 1324	1288	regsvr32.exe	38
PID 1288 wrote to memory of 1324	1288	regsvr32.exe	38
PID 1288 wrote to memory of 1324	1288	regsvr32.exe	38
PID 1324 wrote to memory of 2568	1324	explorer.exe	39
PID 1324 wrote to memory of 2568	1324	explorer.exe	39
PID 1324 wrote to memory of 2568	1324	explorer.exe	39
PID 1324 wrote to memory of 2568	1324	explorer.exe	39
PID 1324 wrote to memory of 2412	1324	explorer.exe	41
PID 1324 wrote to memory of 2412	1324	explorer.exe	41
PID 1324 wrote to memory of 2412	1324	explorer.exe	41
PID 1324 wrote to memory of 2412	1324	explorer.exe	41

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d8108a182f1d5cc5ed3058e525f3927_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d8108a182f1d5cc5ed3058e525f3927_JaffaCakes118.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn wzqczjxmsk /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\6d8108a182f1d5cc5ed3058e525f3927_JaffaCakes118.dll\"" /SC ONCE /Z /ST 06:32 /ET 06:44
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2804

C:\Windows\system32\taskeng.exe
taskeng.exe {C9800DC9-224F-42C1-BB1F-D18497680D45} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\6d8108a182f1d5cc5ed3058e525f3927_JaffaCakes118.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\6d8108a182f1d5cc5ed3058e525f3927_JaffaCakes118.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:1324
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Oalyicii" /d "0"
        5⤵
        Windows security bypass
        
        PID:2568
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Amowaaoypa" /d "0"
        5⤵
        Windows security bypass
        
        PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6d8108a182f1d5cc5ed3058e525f3927_JaffaCakes118.dll

Filesize
378KB

MD5
6d8108a182f1d5cc5ed3058e525f3927

SHA1
f729d7478096363dc347101e4298d8abea1045eb

SHA256
18d23b48774de9cc011cf0f89d20a3675b808b4a7e8f1de09e74a31b0d8d4588

SHA512
b81d29086ee5bb104b4481c58e569dbf66672754025f0013325572f512636d4fe12ac736a091b4b34d9bdfb3c3a5317859efbd9e692612072060c8e36b7bcb12

Download Submit
memory/1288-19-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/1324-22-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1324-23-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1324-21-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2080-4-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2080-5-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/2080-6-0x0000000000240000-0x0000000000282000-memory.dmp

Filesize
264KB

Download
memory/2080-1-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/2080-0-0x0000000000240000-0x0000000000282000-memory.dmp

Filesize
264KB

Download
memory/2820-9-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2820-12-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2820-11-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2820-10-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2820-13-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2820-3-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2820-2-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download