qakbot | 6ca1498b43435ae08ce08a4cffce0fcfe660bdd907a48eda0dc7a663f4c971a7

Analysis

max time kernel
129s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-10-2024 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6dcf8baea04fda87a96b3a137ea4dbfc_JaffaCakes118.dll
Size

136KB
MD5

6dcf8baea04fda87a96b3a137ea4dbfc
SHA1

19ed57597ebb7649e76076c1531f2d665b551435
SHA256

6ca1498b43435ae08ce08a4cffce0fcfe660bdd907a48eda0dc7a663f4c971a7
SHA512

33e252f7a262d1c7d6fb0d1792381a9295a0d81ff9191298989f1e01de9d7d3d560804131abd1d265618b46254d2fae18e7c8e8cc6f7efcc36880571beb2b2eb
SSDEEP

1536:AKQJDzynl8pck/VxhNRjJrBbQ2oTPycJFtNmQ/IOEnToIfwTToqMV29ic:jnl1kNxhN1J9c2oTzJHNfxoTBfwEVA

Score

10^/10

qakbot tr 1632817399 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

Campaign

1632817399

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

122.11.220.212:2222

120.151.47.189:443

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

76.25.142.196:443

181.118.183.94:443

120.150.218.241:995

185.250.148.74:443

95.77.223.148:443

75.66.88.33:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Ubuiaauowi = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Gmvqau = "0"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
2392	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ggdoatauiuqkef\b9cfc32b = b52aa657d97e219ea967a1a1cabe0c84363c2eedb767f9283d08fc47db4f87c594aa55f0893f2c5dd9a5df5bc5835216f5e91a192289b8cf70c192d2f95fb95d3c0e6c854b05a3f16b7c7d02ec84b68876a7ac	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ggdoatauiuqkef\8e113319 = d31b4f0442395c6bbebb0101b2be9c27217368ea3c07d96b91553a52d257fcba51bb944d1c10338b0838eea9e1a8ee3a73876338361f59f0975767c2c22b143ed19810b48009a972f0905c67e0a52ad1040ae04c0e0fb071fafe	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ggdoatauiuqkef\36ad547c = 77015936cbd99844346e60ed04825a3a8b35acd64c16d048ccda7669aa02025999414958b2aa731ac08123dbee02	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ggdoatauiuqkef\4ba51bf6 = 3b206daa92dcfb8abd58c1c2c633d81c4daf004c2d5c96d342460975da40aa71941040	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ggdoatauiuqkef\f3197c93 = d46262caaa63a78eaaae76dcdb8e6dda832efe47769c09857f240f850192c09b9a4350df9a696370859d9e585396f0420e6b87c17a5e6ef7b623739305588e588c88a2	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ggdoatauiuqkef\34ec7400 = b5347ab2cc662c7c404cdc0330d27e6284b934d4f82efe533fee233c52541c953da0a514cae9288246b56ff52c9c6737b058a124b1fd5052ba291387056527016a3c6071eecafe1c671cf6b56eb0d092a226d206bb41916c1de7ebb2464023d1a0e6438aafea456438bab4a0e52d2c759d3c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ggdoatauiuqkef\c686acdd = 7c7c22d6781df0ad6923988465df0ea7671599486616c07bef031da642849577a2ce4efcef9630f67c87b7cd8c7f728f09b8	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ggdoatauiuqkef	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ggdoatauiuqkef\b9cfc32b = b52ab157d97e14279c4a6393e180660e60fe5ef05ac0a9b16cc297d2f82163d068f7b3edeaf81f61cf73ed73235225c3bd9f9d2f7ec130690758b1abe967	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ggdoatauiuqkef\8c501365 = 2b8e175cf016db820a393c372e72f201f5e3e22b0640ec64646bb901ccefe053b7ddee1629e2f90fdc2a261197549bd7749bbb136b18a99f39b9e38eac2b384e315fd9049cc7e7dda2f407bc3960189ec1e15950ab00b9df657786c92cca23179a75113354b9aee2d71b20e25d1ffcf9ae79f54f5f20cde4d7d0d30789be9a8f50d92f4e7703aea301d736e24ff44976a0a2ecb1f05bcfcb5bee3440196355	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2716	regsvr32.exe
2392	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2716	regsvr32.exe
2392	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2716	2824	regsvr32.exe	30
PID 2824 wrote to memory of 2716	2824	regsvr32.exe	30
PID 2824 wrote to memory of 2716	2824	regsvr32.exe	30
PID 2824 wrote to memory of 2716	2824	regsvr32.exe	30
PID 2824 wrote to memory of 2716	2824	regsvr32.exe	30
PID 2824 wrote to memory of 2716	2824	regsvr32.exe	30
PID 2824 wrote to memory of 2716	2824	regsvr32.exe	30
PID 2716 wrote to memory of 3060	2716	regsvr32.exe	31
PID 2716 wrote to memory of 3060	2716	regsvr32.exe	31
PID 2716 wrote to memory of 3060	2716	regsvr32.exe	31
PID 2716 wrote to memory of 3060	2716	regsvr32.exe	31
PID 2716 wrote to memory of 3060	2716	regsvr32.exe	31
PID 2716 wrote to memory of 3060	2716	regsvr32.exe	31
PID 3060 wrote to memory of 2780	3060	explorer.exe	32
PID 3060 wrote to memory of 2780	3060	explorer.exe	32
PID 3060 wrote to memory of 2780	3060	explorer.exe	32
PID 3060 wrote to memory of 2780	3060	explorer.exe	32
PID 2424 wrote to memory of 1704	2424	taskeng.exe	36
PID 2424 wrote to memory of 1704	2424	taskeng.exe	36
PID 2424 wrote to memory of 1704	2424	taskeng.exe	36
PID 2424 wrote to memory of 1704	2424	taskeng.exe	36
PID 2424 wrote to memory of 1704	2424	taskeng.exe	36
PID 1704 wrote to memory of 2392	1704	regsvr32.exe	37
PID 1704 wrote to memory of 2392	1704	regsvr32.exe	37
PID 1704 wrote to memory of 2392	1704	regsvr32.exe	37
PID 1704 wrote to memory of 2392	1704	regsvr32.exe	37
PID 1704 wrote to memory of 2392	1704	regsvr32.exe	37
PID 1704 wrote to memory of 2392	1704	regsvr32.exe	37
PID 1704 wrote to memory of 2392	1704	regsvr32.exe	37
PID 2392 wrote to memory of 2004	2392	regsvr32.exe	38
PID 2392 wrote to memory of 2004	2392	regsvr32.exe	38
PID 2392 wrote to memory of 2004	2392	regsvr32.exe	38
PID 2392 wrote to memory of 2004	2392	regsvr32.exe	38
PID 2392 wrote to memory of 2004	2392	regsvr32.exe	38
PID 2392 wrote to memory of 2004	2392	regsvr32.exe	38
PID 2004 wrote to memory of 1544	2004	explorer.exe	39
PID 2004 wrote to memory of 1544	2004	explorer.exe	39
PID 2004 wrote to memory of 1544	2004	explorer.exe	39
PID 2004 wrote to memory of 1544	2004	explorer.exe	39
PID 2004 wrote to memory of 2292	2004	explorer.exe	41
PID 2004 wrote to memory of 2292	2004	explorer.exe	41
PID 2004 wrote to memory of 2292	2004	explorer.exe	41
PID 2004 wrote to memory of 2292	2004	explorer.exe	41

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6dcf8baea04fda87a96b3a137ea4dbfc_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\6dcf8baea04fda87a96b3a137ea4dbfc_JaffaCakes118.dll
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ivemaeri /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\6dcf8baea04fda87a96b3a137ea4dbfc_JaffaCakes118.dll\"" /SC ONCE /Z /ST 07:58 /ET 08:10
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2780

C:\Windows\system32\taskeng.exe
taskeng.exe {078A0CF0-A6EB-4B5E-8F55-1ABEC1A68559} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\6dcf8baea04fda87a96b3a137ea4dbfc_JaffaCakes118.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\6dcf8baea04fda87a96b3a137ea4dbfc_JaffaCakes118.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:2004
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Ubuiaauowi" /d "0"
        5⤵
        Windows security bypass
        
        PID:1544
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Gmvqau" /d "0"
        5⤵
        Windows security bypass
        
        PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6dcf8baea04fda87a96b3a137ea4dbfc_JaffaCakes118.dll

Filesize
136KB

MD5
6dcf8baea04fda87a96b3a137ea4dbfc

SHA1
19ed57597ebb7649e76076c1531f2d665b551435

SHA256
6ca1498b43435ae08ce08a4cffce0fcfe660bdd907a48eda0dc7a663f4c971a7

SHA512
33e252f7a262d1c7d6fb0d1792381a9295a0d81ff9191298989f1e01de9d7d3d560804131abd1d265618b46254d2fae18e7c8e8cc6f7efcc36880571beb2b2eb

Download Submit
memory/2004-22-0x0000000000110000-0x0000000000132000-memory.dmp

Filesize
136KB

Download
memory/2004-23-0x0000000000110000-0x0000000000132000-memory.dmp

Filesize
136KB

Download
memory/2004-21-0x0000000000110000-0x0000000000132000-memory.dmp

Filesize
136KB

Download
memory/2392-16-0x00000000001E0000-0x0000000000202000-memory.dmp

Filesize
136KB

Download
memory/2716-0-0x0000000000190000-0x00000000001B2000-memory.dmp

Filesize
136KB

Download
memory/3060-10-0x00000000000C0000-0x00000000000E2000-memory.dmp

Filesize
136KB

Download
memory/3060-11-0x00000000000C0000-0x00000000000E2000-memory.dmp

Filesize
136KB

Download
memory/3060-7-0x00000000000C0000-0x00000000000E2000-memory.dmp

Filesize
136KB

Download
memory/3060-8-0x00000000000C0000-0x00000000000E2000-memory.dmp

Filesize
136KB

Download
memory/3060-9-0x00000000000C0000-0x00000000000E2000-memory.dmp

Filesize
136KB

Download
memory/3060-4-0x00000000000C0000-0x00000000000E2000-memory.dmp

Filesize
136KB

Download
memory/3060-2-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download