qakbot | 691f68e23ceb0e0b6b267e5dd05ab9ca77fc8f5535c18c86cbce8b864b3c90fa

Analysis

max time kernel
138s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/11/2024, 04:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9fe419c79d4bb8b6eb8443a3096e7017_JaffaCakes118.dll
Size

378KB
MD5

9fe419c79d4bb8b6eb8443a3096e7017
SHA1

ed72c7f756348c2194ef6ba10f44661cc61d83ce
SHA256

691f68e23ceb0e0b6b267e5dd05ab9ca77fc8f5535c18c86cbce8b864b3c90fa
SHA512

0ccd8662cf3a282fe4c8f11defaa2bbbc8e05683f1ebb3f58e0fc77a44d76a914f35be3df36cd549dcc28fb97fa9ce6ff2d62b1e8cca438863d5e4a5facdc299
SSDEEP

3072:Do6vBnby4Yx0XjFFzPQ0MslzERfQB24hLxBVi/b/9+PdpiWC35ol/uwfTuT2b2M3:vs6Xpq0H3Jhds/9+qC/zfTPLR

Score

10^/10

qakbot obama104 1632729661 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

obama104

Campaign

1632729661

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot family
qakbot
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Lztjnug = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Rrbuiudn = "0"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
756	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uuehuih	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uuehuih\fbcf6cee = f5fcfd1539652608c76dc8e6d97c83be4ae4c556365360834b08b4e2e9cd92bbbc604022f2a4d38787b63b62a3f23bec2a464b652d7f3d3cbd0d09144721c0f9ad67e04496934c63c258b14be76436	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uuehuih\ce50bca0 = 9f291ddcbee8f7844b3a51ce6529e185ba2164faf4d33b69868613c828144a38bc3453e35da2f8262897924558d0da5a49fc10401baaaa48fe6f317ad70c8b0120735b7902df44564dafe5b34986abe92a8fb88f16b719cbe5df7a1f97b77a4267fdaf8d88602e427954035a709de41f670e3a80a7449832dc1731de7f63566f9e37973c1d9d2fcf6c0a5b43c669fb4ccad682a6143e819c8c54d08431847d927c8576457f5caae6d955c0d86c57c285e1690a1e35	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uuehuih\cc119cdc = 585d8fa75ceb4cfb8043103f33e711ec08f43eebd1667b527cf4ccb14aaed879d39612014f797dd55e4e393c526691d06fa4d514b4f0f4b89276e53c48cb8d832f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uuehuih\9a5b433 = fd6bcc1acbeb8da47ef32e2a92aa7484a08e953ca97824e77f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uuehuih\b119d356 = 9539d6c08f73c032e6793c3efb93def893991d291421ae82dd1f88713651a4768f5bba98ad8a208314b4ad3e82327b94abacb5b458f169	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uuehuih\84860318 = 127f8aac1b1d4cea718323204d17e57c82c37ef54900be9ab02a15ee62e9db8662bc6a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uuehuih\74adfbb9 = fc27a92d8fbda012dd5831984186d988e4ae106d5b3f9be07a3344d5db8066dcb6ea661650eefcdd42e7db6bcb28f7574e952ad775d0b5a7984d0c7a1f4ed4ebb8c9623b0778a3411d158c29ab8328e689acaabe15c28cbd	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uuehuih\76ecdbc5 = 2040d7f07b3493a9407d61e2b73598c5ffdc6cd3b9fd37481774371a71f4	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uuehuih\fbcf6cee = f5fcea15396513eb6667a9c3ce65ac9e6811ac7818380bf4c705384726c6eb28618d908e71288193b7d67e8b3e218c8464f1337df7c5769bc30a5a806f60b34f9f19928a49972aad4602410c756ede7ded3f885d105d638d6f29f223691dc40ed802ba54	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2016	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1980	rundll32.exe
756	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1980	rundll32.exe
756	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 1980	1796	rundll32.exe	31
PID 1796 wrote to memory of 1980	1796	rundll32.exe	31
PID 1796 wrote to memory of 1980	1796	rundll32.exe	31
PID 1796 wrote to memory of 1980	1796	rundll32.exe	31
PID 1796 wrote to memory of 1980	1796	rundll32.exe	31
PID 1796 wrote to memory of 1980	1796	rundll32.exe	31
PID 1796 wrote to memory of 1980	1796	rundll32.exe	31
PID 1980 wrote to memory of 1156	1980	rundll32.exe	32
PID 1980 wrote to memory of 1156	1980	rundll32.exe	32
PID 1980 wrote to memory of 1156	1980	rundll32.exe	32
PID 1980 wrote to memory of 1156	1980	rundll32.exe	32
PID 1980 wrote to memory of 1156	1980	rundll32.exe	32
PID 1980 wrote to memory of 1156	1980	rundll32.exe	32
PID 1156 wrote to memory of 2016	1156	explorer.exe	33
PID 1156 wrote to memory of 2016	1156	explorer.exe	33
PID 1156 wrote to memory of 2016	1156	explorer.exe	33
PID 1156 wrote to memory of 2016	1156	explorer.exe	33
PID 560 wrote to memory of 1732	560	taskeng.exe	36
PID 560 wrote to memory of 1732	560	taskeng.exe	36
PID 560 wrote to memory of 1732	560	taskeng.exe	36
PID 560 wrote to memory of 1732	560	taskeng.exe	36
PID 560 wrote to memory of 1732	560	taskeng.exe	36
PID 1732 wrote to memory of 756	1732	regsvr32.exe	37
PID 1732 wrote to memory of 756	1732	regsvr32.exe	37
PID 1732 wrote to memory of 756	1732	regsvr32.exe	37
PID 1732 wrote to memory of 756	1732	regsvr32.exe	37
PID 1732 wrote to memory of 756	1732	regsvr32.exe	37
PID 1732 wrote to memory of 756	1732	regsvr32.exe	37
PID 1732 wrote to memory of 756	1732	regsvr32.exe	37
PID 756 wrote to memory of 1520	756	regsvr32.exe	38
PID 756 wrote to memory of 1520	756	regsvr32.exe	38
PID 756 wrote to memory of 1520	756	regsvr32.exe	38
PID 756 wrote to memory of 1520	756	regsvr32.exe	38
PID 756 wrote to memory of 1520	756	regsvr32.exe	38
PID 756 wrote to memory of 1520	756	regsvr32.exe	38
PID 1520 wrote to memory of 1604	1520	explorer.exe	39
PID 1520 wrote to memory of 1604	1520	explorer.exe	39
PID 1520 wrote to memory of 1604	1520	explorer.exe	39
PID 1520 wrote to memory of 1604	1520	explorer.exe	39
PID 1520 wrote to memory of 1608	1520	explorer.exe	41
PID 1520 wrote to memory of 1608	1520	explorer.exe	41
PID 1520 wrote to memory of 1608	1520	explorer.exe	41
PID 1520 wrote to memory of 1608	1520	explorer.exe	41

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9fe419c79d4bb8b6eb8443a3096e7017_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\9fe419c79d4bb8b6eb8443a3096e7017_JaffaCakes118.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ppbvszsrc /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\9fe419c79d4bb8b6eb8443a3096e7017_JaffaCakes118.dll\"" /SC ONCE /Z /ST 04:47 /ET 04:59
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2016

C:\Windows\system32\taskeng.exe
taskeng.exe {903A1A8C-9494-446C-B2C8-26ADD2E6E16F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:560
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\9fe419c79d4bb8b6eb8443a3096e7017_JaffaCakes118.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\9fe419c79d4bb8b6eb8443a3096e7017_JaffaCakes118.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Lztjnug" /d "0"
        5⤵
        Windows security bypass
        
        PID:1604
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Rrbuiudn" /d "0"
        5⤵
        Windows security bypass
        
        PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9fe419c79d4bb8b6eb8443a3096e7017_JaffaCakes118.dll

Filesize
378KB

MD5
9fe419c79d4bb8b6eb8443a3096e7017

SHA1
ed72c7f756348c2194ef6ba10f44661cc61d83ce

SHA256
691f68e23ceb0e0b6b267e5dd05ab9ca77fc8f5535c18c86cbce8b864b3c90fa

SHA512
0ccd8662cf3a282fe4c8f11defaa2bbbc8e05683f1ebb3f58e0fc77a44d76a914f35be3df36cd549dcc28fb97fa9ce6ff2d62b1e8cca438863d5e4a5facdc299

Download Submit
memory/756-19-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/1156-9-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1156-4-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1156-10-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1156-11-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1156-13-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1156-2-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/1520-21-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1520-23-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1520-22-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1980-5-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/1980-6-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/1980-0-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/1980-1-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download