qakbot | 691f68e23ceb0e0b6b267e5dd05ab9ca77fc8f5535c18c86cbce8b864b3c90fa

General

Target

9fe419c79d4bb8b6eb8443a3096e7017_JaffaCakes118.dll
Size

378KB
MD5

9fe419c79d4bb8b6eb8443a3096e7017
SHA1

ed72c7f756348c2194ef6ba10f44661cc61d83ce
SHA256

691f68e23ceb0e0b6b267e5dd05ab9ca77fc8f5535c18c86cbce8b864b3c90fa
SHA512

0ccd8662cf3a282fe4c8f11defaa2bbbc8e05683f1ebb3f58e0fc77a44d76a914f35be3df36cd549dcc28fb97fa9ce6ff2d62b1e8cca438863d5e4a5facdc299
SSDEEP

3072:Do6vBnby4Yx0XjFFzPQ0MslzERfQB24hLxBVi/b/9+PdpiWC35ol/uwfTuT2b2M3:vs6Xpq0H3Jhds/9+qC/zfTPLR

Score

10^/10

qakbot obama104 1632729661 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

obama104

Campaign

1632729661

C2

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot family
qakbot
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Jrwuynr = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Esjqjdbkyh = "0"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
3444	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qpoeyuyaae\ad5609cf = 5287e1c891fd7574aa25044a2f1e8ec8b3978785a07a1c74bef8d82698798925a2b744b597787fa601c96cc6cb8c42aee20be59e733959a7337b8fd393c2a74efa2f3fca2b11dc3ca25eb8504995a6661c057e01c13f52b3064ba2405ae34c2311fdfdd4a220863e554fef93db0eaeb3340269dac2b1408913c5f4aee520252ac9c7832ec711e561c62fe9005f0cf02055b86c16247cb0e25f3af3b3d76726d5ebe8bd92685371f06fd556d3060972969d7a1783f7fd	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qpoeyuyaae\6aa3015c = f4ebf13e8ac53261d8c0490badb3281439033a4074ae3ae2c1d08de7226b9a6acc4aa02e092e47b8e6c2a2d8b8b024ef6c8e872ceb69949ecf825ff988c26aa1474c0ef29415b33512604f30c71c9bf7be76814d68842196e2b6dc728b66094672b2b88d50bf8ff44a9f2c7ade27	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qpoeyuyaae\d21f6639 = ce0457b3efa0be04f98da00d22570f7de5c6d85847bc0bb0a63867a9dccacae9efe5ff88079c2d2e2b96fc385c35ac8eab67fa8f4349a3055cd59392fd47aab2cef826b1d68b7faadbd2e4e5d82a49a19b506ab7ed8d6977d4c709b0e08efb633a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qpoeyuyaae\98c9d981 = 7c842e63cc74fa977767bfa12d21e86dc4a67ddfd1349ba803906480cf52c06137fd7e3f28b8fa91197ab2a3b28d36737a3e5b25d556803cd8	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qpoeyuyaae	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qpoeyuyaae\98c9d981 = 7c843963cc74cf163bbca9f67abd321fc284eb8445ae6a005f1708d7991d2011b7efb249	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qpoeyuyaae\15ea6eaa = 026d7c52d40c33f1c196c7441ce5a3731b11474bdcd9455d697bc7a4fef8148cd6ea8280d2f245d8e9672d8edb4462a3c17b7064b8495544a699fcf37c850ab3dda97948edfa425c0455483f9fa6d0bc5bc13bf3c68bdf8b5c457c380d4fd28ae535	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qpoeyuyaae\e780b677 = ea907eefca4502e557926db431247989126f11d44945fa987fb6cb8358ed0454cdd4450cc2a63eab6594bc9c411c9f624d4a25e99d470d125490853f2d3d3213cf9a19595145edcc28d9aa74ef93a18e31548f4714822494b3a76cb6d017c3e2e0a320f6a179309b78d1c065af	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qpoeyuyaae\af1729b3 = 72a14e4c4fd546fc723de5095bb75c9a8b9462d80e857b5a7a73fb545590cf53f16f46dbfe551198d9eb8ec0fbb398450355e70e7c84efe2a215e190fad76577788b71c0a77b0b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qpoeyuyaae\17ab4ed6 = 8e3c9758b950b3524a95d05bede07fd81bcca2a4eff6a25e1d17d52a60a37bbba61d35b112f38d46ed838c57a7568426ca560f5d33cc0b386d492c4947051f5be6d9b7fdb5508d2492344abb9240	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2056	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3332	rundll32.exe
3332	rundll32.exe
3444	regsvr32.exe
3444	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3332	rundll32.exe
3444	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 3332	4308	rundll32.exe	82
PID 4308 wrote to memory of 3332	4308	rundll32.exe	82
PID 4308 wrote to memory of 3332	4308	rundll32.exe	82
PID 3332 wrote to memory of 2488	3332	rundll32.exe	83
PID 3332 wrote to memory of 2488	3332	rundll32.exe	83
PID 3332 wrote to memory of 2488	3332	rundll32.exe	83
PID 3332 wrote to memory of 2488	3332	rundll32.exe	83
PID 3332 wrote to memory of 2488	3332	rundll32.exe	83
PID 2488 wrote to memory of 2056	2488	explorer.exe	84
PID 2488 wrote to memory of 2056	2488	explorer.exe	84
PID 2488 wrote to memory of 2056	2488	explorer.exe	84
PID 3180 wrote to memory of 3444	3180	regsvr32.exe	96
PID 3180 wrote to memory of 3444	3180	regsvr32.exe	96
PID 3180 wrote to memory of 3444	3180	regsvr32.exe	96
PID 3444 wrote to memory of 4284	3444	regsvr32.exe	97
PID 3444 wrote to memory of 4284	3444	regsvr32.exe	97
PID 3444 wrote to memory of 4284	3444	regsvr32.exe	97
PID 3444 wrote to memory of 4284	3444	regsvr32.exe	97
PID 3444 wrote to memory of 4284	3444	regsvr32.exe	97
PID 4284 wrote to memory of 5108	4284	explorer.exe	98
PID 4284 wrote to memory of 5108	4284	explorer.exe	98
PID 4284 wrote to memory of 3748	4284	explorer.exe	100
PID 4284 wrote to memory of 3748	4284	explorer.exe	100

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9fe419c79d4bb8b6eb8443a3096e7017_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\9fe419c79d4bb8b6eb8443a3096e7017_JaffaCakes118.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn glfjqdg /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\9fe419c79d4bb8b6eb8443a3096e7017_JaffaCakes118.dll\"" /SC ONCE /Z /ST 04:47 /ET 04:59
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2056

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\9fe419c79d4bb8b6eb8443a3096e7017_JaffaCakes118.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Windows\SysWOW64\regsvr32.exe
  -s "C:\Users\Admin\AppData\Local\Temp\9fe419c79d4bb8b6eb8443a3096e7017_JaffaCakes118.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:4284
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Esjqjdbkyh" /d "0"
      4⤵
      Windows security bypass
      PID:5108
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Jrwuynr" /d "0"
      4⤵
      Windows security bypass
      PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9fe419c79d4bb8b6eb8443a3096e7017_JaffaCakes118.dll

Filesize
378KB

MD5
9fe419c79d4bb8b6eb8443a3096e7017

SHA1
ed72c7f756348c2194ef6ba10f44661cc61d83ce

SHA256
691f68e23ceb0e0b6b267e5dd05ab9ca77fc8f5535c18c86cbce8b864b3c90fa

SHA512
0ccd8662cf3a282fe4c8f11defaa2bbbc8e05683f1ebb3f58e0fc77a44d76a914f35be3df36cd549dcc28fb97fa9ce6ff2d62b1e8cca438863d5e4a5facdc299

Download Submit
memory/2488-10-0x0000000000AD0000-0x0000000000AF1000-memory.dmp

Filesize
132KB

Download
memory/2488-2-0x0000000000AD0000-0x0000000000AF1000-memory.dmp

Filesize
132KB

Download
memory/2488-12-0x0000000000AD0000-0x0000000000AF1000-memory.dmp

Filesize
132KB

Download
memory/2488-9-0x0000000000AD0000-0x0000000000AF1000-memory.dmp

Filesize
132KB

Download
memory/2488-8-0x0000000000AD0000-0x0000000000AF1000-memory.dmp

Filesize
132KB

Download
memory/3332-5-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/3332-4-0x00000000025F0000-0x0000000002632000-memory.dmp

Filesize
264KB

Download
memory/3332-0-0x00000000025F0000-0x0000000002632000-memory.dmp

Filesize
264KB

Download
memory/3332-3-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/3332-1-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/3444-17-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/4284-19-0x0000000000110000-0x0000000000131000-memory.dmp

Filesize
132KB

Download
memory/4284-20-0x0000000000110000-0x0000000000131000-memory.dmp

Filesize
132KB

Download
memory/4284-21-0x0000000000110000-0x0000000000131000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads