qakbot | df883ad9d0144b24448da884be2714b2f9193bc87c019a0e025e23996d00cbac

Analysis

max time kernel
142s
max time network
131s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82c3c48b0a6f83f622c60ef35b2f6238_JaffaCakes118.dll
Size

708KB
MD5

82c3c48b0a6f83f622c60ef35b2f6238
SHA1

43590bfbb0f336fdf17499c33f4619f8eb50efbe
SHA256

df883ad9d0144b24448da884be2714b2f9193bc87c019a0e025e23996d00cbac
SHA512

128c49a922f559cd4031e26e5bc973a923fbfa488cbafb4fd1ad6c312c0c404e0d06b368f9355b3fd4fe2ef3bc3547bf5359f1e22d958f1b6be0b479a2cc4da6
SSDEEP

12288:fsbAcis08s7gQFMWC24/MFS+AWmdnWJIjJ5F3+DpEFs3H6v/+FoTN:fODis0dFA24/MFSptIJKnx+NE23a3+FS

Score

10^/10

qakbot obama106 1632905607 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama106

Campaign

1632905607

37.210.152.224:995

120.151.47.189:443

105.198.236.99:443

122.11.220.212:2222

199.27.127.129:443

41.251.41.14:995

216.201.162.158:443

124.123.42.115:2078

181.118.183.94:443

120.150.218.241:995

185.250.148.74:443

217.17.56.163:443

182.181.78.18:995

140.82.49.12:443

105.159.144.186:995

89.101.97.139:443

217.17.56.163:0

27.223.92.142:995

95.77.223.148:443

109.190.253.11:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot family
qakbot
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Yjqydaadc = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Pcdnf = "0"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
3064	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Upjnajl\9c1283f9 = 889807398f5fd68ad9c7ad9db1433c54b1f0f534b5779f4b0d70c98ea18b864b6d8611985b1716bf8848af2d15303bf27fdc9b2a0be1160eff29bee4213288b761148713568534b0dd2b557967f59ae026a9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Upjnajl\e35bec0f = a071322efe7f5fe6bfebb3b6416dd2bde3d74c229f6e5a873326d72d491a5f276e8aa91fd2c9c6c22e8682594ea9d920b9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Upjnajl\113134d2 = ff7e5003d8b66f04989a8d385988847e539011767ca9dba1423c7c86aa8ca690283ce10c87e3dd2b17dc7cba2f2c1a99b9ce93a020873962e2f27f06da8289a9a352b3	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Upjnajl\6e785b24 = ae1f08e427208be0874522624ee44bf06bb74ac7a2c9b64d9cc2c76a1a8741f42563cbfcfa229e428656c486500b5dd9975535800bb84afa71213d6a70	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Upjnajl\59a6ab16 = a9719c23708675212b48137453646ef5cd755190ffb07c592f8643bc8e5fa9bcd21302eb20edd7f11bcf019ff74dc7fd1be4319ae431a502afe8f2e6e7f9c8f16f8263605d0cec36979af000bc35be	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Upjnajl\e11acc73 = 340b757d0f0f4b8381c4ad874bc6293c4a07c67d185a24b1da0127a5977e0d96cc516f3e2f83563a6fe87998da985e4b0f01fd25c57fe92505acc107dc75ef514966573b6cd18ed9b99337f2ef7e83af16	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Upjnajl\5be78b6a = c5a9bcb6928e3c000e736a83cf94e97006d9f869be872d4e91c33b486f381dd309eace69a690b8a835e9057fbc695f3308dfa1b0a5fa9607c4c761837cccd61345705dfd87384b49ef1e6cb7f2089e7d2061ff0a4fb60bc1f0afc23cc56c5ee4568f5b9e141e16d0a3d4f604d700f572b75d4e93abfce9579d8f2b995e6789e6b2000072fa98950388953369fde6d135a49771874590ac28d54c9102218b049d1bc88b9ba04578c3a7fc1c482e60091ba321774c9fd39aa0	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Upjnajl\24aee49c = 55da9f3f4fcdc796c8efce25b12f6c62740cd83868d72a22d73513d1743f4ba9b484b4c4a622261a6438df52b8487f45d1ce421989b865d91c	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Upjnajl	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Upjnajl\6e785b24 = ae1f1fe42720bebc821ce847834f9b9c80aad5f1877ee3ea845f1a0f2e30bbdf25004a4517a2693e	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2688	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3000	rundll32.exe
3064	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3000	rundll32.exe
3064	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 3000	1240	rundll32.exe	30
PID 1240 wrote to memory of 3000	1240	rundll32.exe	30
PID 1240 wrote to memory of 3000	1240	rundll32.exe	30
PID 1240 wrote to memory of 3000	1240	rundll32.exe	30
PID 1240 wrote to memory of 3000	1240	rundll32.exe	30
PID 1240 wrote to memory of 3000	1240	rundll32.exe	30
PID 1240 wrote to memory of 3000	1240	rundll32.exe	30
PID 3000 wrote to memory of 1712	3000	rundll32.exe	32
PID 3000 wrote to memory of 1712	3000	rundll32.exe	32
PID 3000 wrote to memory of 1712	3000	rundll32.exe	32
PID 3000 wrote to memory of 1712	3000	rundll32.exe	32
PID 3000 wrote to memory of 1712	3000	rundll32.exe	32
PID 3000 wrote to memory of 1712	3000	rundll32.exe	32
PID 1712 wrote to memory of 2688	1712	explorer.exe	33
PID 1712 wrote to memory of 2688	1712	explorer.exe	33
PID 1712 wrote to memory of 2688	1712	explorer.exe	33
PID 1712 wrote to memory of 2688	1712	explorer.exe	33
PID 1976 wrote to memory of 2684	1976	taskeng.exe	36
PID 1976 wrote to memory of 2684	1976	taskeng.exe	36
PID 1976 wrote to memory of 2684	1976	taskeng.exe	36
PID 1976 wrote to memory of 2684	1976	taskeng.exe	36
PID 1976 wrote to memory of 2684	1976	taskeng.exe	36
PID 2684 wrote to memory of 3064	2684	regsvr32.exe	37
PID 2684 wrote to memory of 3064	2684	regsvr32.exe	37
PID 2684 wrote to memory of 3064	2684	regsvr32.exe	37
PID 2684 wrote to memory of 3064	2684	regsvr32.exe	37
PID 2684 wrote to memory of 3064	2684	regsvr32.exe	37
PID 2684 wrote to memory of 3064	2684	regsvr32.exe	37
PID 2684 wrote to memory of 3064	2684	regsvr32.exe	37
PID 3064 wrote to memory of 2944	3064	regsvr32.exe	38
PID 3064 wrote to memory of 2944	3064	regsvr32.exe	38
PID 3064 wrote to memory of 2944	3064	regsvr32.exe	38
PID 3064 wrote to memory of 2944	3064	regsvr32.exe	38
PID 3064 wrote to memory of 2944	3064	regsvr32.exe	38
PID 3064 wrote to memory of 2944	3064	regsvr32.exe	38
PID 2944 wrote to memory of 784	2944	explorer.exe	39
PID 2944 wrote to memory of 784	2944	explorer.exe	39
PID 2944 wrote to memory of 784	2944	explorer.exe	39
PID 2944 wrote to memory of 784	2944	explorer.exe	39
PID 2944 wrote to memory of 484	2944	explorer.exe	41
PID 2944 wrote to memory of 484	2944	explorer.exe	41
PID 2944 wrote to memory of 484	2944	explorer.exe	41
PID 2944 wrote to memory of 484	2944	explorer.exe	41

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\82c3c48b0a6f83f622c60ef35b2f6238_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\82c3c48b0a6f83f622c60ef35b2f6238_JaffaCakes118.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn afrhjtnckb /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\82c3c48b0a6f83f622c60ef35b2f6238_JaffaCakes118.dll\"" /SC ONCE /Z /ST 11:04 /ET 11:16
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2688

C:\Windows\system32\taskeng.exe
taskeng.exe {74A66FE3-3FE2-4EE5-AADB-2A2E33876D2A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\82c3c48b0a6f83f622c60ef35b2f6238_JaffaCakes118.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\82c3c48b0a6f83f622c60ef35b2f6238_JaffaCakes118.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Yjqydaadc" /d "0"
        5⤵
        Windows security bypass
        
        PID:784
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Pcdnf" /d "0"
        5⤵
        Windows security bypass
        
        PID:484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\82c3c48b0a6f83f622c60ef35b2f6238_JaffaCakes118.dll

Filesize
708KB

MD5
82c3c48b0a6f83f622c60ef35b2f6238

SHA1
43590bfbb0f336fdf17499c33f4619f8eb50efbe

SHA256
df883ad9d0144b24448da884be2714b2f9193bc87c019a0e025e23996d00cbac

SHA512
128c49a922f559cd4031e26e5bc973a923fbfa488cbafb4fd1ad6c312c0c404e0d06b368f9355b3fd4fe2ef3bc3547bf5359f1e22d958f1b6be0b479a2cc4da6

Download Submit
memory/1712-13-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/1712-7-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/1712-12-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/1712-5-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/1712-15-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/1712-11-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/2944-27-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2944-28-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2944-26-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/3000-8-0x0000000074410000-0x00000000744DA000-memory.dmp

Filesize
808KB

Download
memory/3000-0-0x0000000074410000-0x00000000744DA000-memory.dmp

Filesize
808KB

Download
memory/3000-1-0x0000000074410000-0x00000000744DA000-memory.dmp

Filesize
808KB

Download
memory/3000-4-0x0000000074410000-0x00000000744DA000-memory.dmp

Filesize
808KB

Download
memory/3000-3-0x00000000744C1000-0x00000000744C7000-memory.dmp

Filesize
24KB

Download
memory/3064-20-0x0000000074270000-0x000000007433A000-memory.dmp

Filesize
808KB

Download
memory/3064-21-0x0000000074270000-0x000000007433A000-memory.dmp

Filesize
808KB

Download
memory/3064-24-0x0000000074270000-0x000000007433A000-memory.dmp

Filesize
808KB

Download