qakbot | 679e6ffe4abc97f9ce1a4152daf960ee26545fa68c05e53ef7fcf3fe45e39926

General

Target

e838009e3a929fd62d0a091a31a35a0d_JaffaCakes118.dll
Size

378KB
MD5

e838009e3a929fd62d0a091a31a35a0d
SHA1

77e579a53e08068ff529745954ddd1d09d86f7a6
SHA256

679e6ffe4abc97f9ce1a4152daf960ee26545fa68c05e53ef7fcf3fe45e39926
SHA512

01123446a9d19beac86731be169358f465d4f7cf79fa56e5fb33d5909c23c39bcc21bb21f47f8a1bb38d3509c50278b277190a1f53a168f94503e810269d599e
SSDEEP

3072:Do6vBnby4Yx0XjFFzPQ0MslzERfQB24hLxBVi/b/9+PdpiWC35ol/uwfTuT2b2MW:vs6Xpq0H3Jhds/9+qC/zfTPLTw

Score

10^/10

qakbot obama104 1632729661 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

obama104

Campaign

1632729661

C2

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot family
qakbot
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Dagzcsfa = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Yyvrcb = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
1916	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fyjgghzilsyn\c7346810 = 471d51c119390aa46079fe5a3a9bdd06100115d0986cdb4258eae34527c466cb29b1ee1bc67fbb48729f93c8760fa94c6e0b7b39996897a910853d983a33f3dbaeb2e3f2acaabe62727a1719fb8ff555f751ab61f8ae42b13b13b83abe4c38e2f1692fe88c8bc02cc2b1039083420632f9fceebb8f125eb43dc39af4605abfe14e293d067f282643a759d166177099c864b5d943ed081b51c4f8e90e80c7444b016b777daa10911855bf6e748681782245	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fyjgghzilsyn\c575486c = 81ab75ad470c7918bfb13bc1537ce0e6cdc02b9b5348e2b0966396281e8c346526b9803e8222cf9f40ddec3752594fa6472b37b8902afbb08d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fyjgghzilsyn\c16083 = 2176b366654463804ee98b0c7f4f1ebee9ad46749bfabb3d74e75115500e2db4f1c140a065b01fdd785b7414f9a16372305aceca77d0f3982c1354f6	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fyjgghzilsyn\8de2d7a8 = de98e0d0270937f9785e12575d99258ca78734142205fe58cd5860e2c91a9cd9428bd6473f7d1b4b8e5f47e2413890f919fda5a7a64af1be2bab605a91cd942d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fyjgghzilsyn\f2abb85e = 4f95ffab9b07a95551cc3ad1d4a4a5ba12ebcf10eaffa5ea5e61d9a6255a70b0271f0119cad064ad6f1827c4ad6533eadd788c132e3c4dbef22f0b30fe5c0a13768c50406570933ccb2868a30272ec0199c9ca625e979039a3c09b02736835	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fyjgghzilsyn	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fyjgghzilsyn\f2abb85e = 4f95e8ab9b079c50d8f4c8a400add670e2d4bb089dd4a7f6ea1c4607a89f56bbffae421f815bcfff0284b1326df879d94d4d7be8a881f84e1600ee30449611ad580e26ce7e47f51d01f8	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fyjgghzilsyn\7f880f75 = 1916921f266a858a5adb1e304d047d42382509d7ba8c56d1522d9875d6413f8096c5ef373ee9b5670209c00f13ecfd5acb859bd8860b33901b3f6f334597bd58245d9c02144e7b720508e2a5338fc162f1f4a0d7c20e0e1dcaaae51541809a6919bda2	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fyjgghzilsyn\7dc92f09 = 067d8c8c28da2f25b74a9f6a12c7ab3dd4c5a3a731f951adfd280bfdf6c5235c1b72b77c1db91ac049b2936fcef414a5cdf605895feb928c5a0a1bc36aad9b44b1ede59074afa62b709002e9fb6ba87b6d3c75e427deed290cd30bd227334f5a1e5e36bf5f7ca30588	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fyjgghzilsyn\b87d07e6 = ecb9d8da4d42625b090fbe7a9fda0c20921d3fedb4559025ddeccac623bee9b3b4bd19430ae2eb164bd91931c67dadc25b886742cf081021f25e54e7b78e864106d10fb7e3a9ced395e709454ea0b66a01d962f48dbde2668ab401b4f90549cd38f832ea2d0f777da8633184	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1292	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2780	rundll32.exe
2780	rundll32.exe
1916	regsvr32.exe
1916	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2780	rundll32.exe
1916	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 2780	5076	rundll32.exe	84
PID 5076 wrote to memory of 2780	5076	rundll32.exe	84
PID 5076 wrote to memory of 2780	5076	rundll32.exe	84
PID 2780 wrote to memory of 3768	2780	rundll32.exe	85
PID 2780 wrote to memory of 3768	2780	rundll32.exe	85
PID 2780 wrote to memory of 3768	2780	rundll32.exe	85
PID 2780 wrote to memory of 3768	2780	rundll32.exe	85
PID 2780 wrote to memory of 3768	2780	rundll32.exe	85
PID 3768 wrote to memory of 1292	3768	explorer.exe	86
PID 3768 wrote to memory of 1292	3768	explorer.exe	86
PID 3768 wrote to memory of 1292	3768	explorer.exe	86
PID 2744 wrote to memory of 1916	2744	regsvr32.exe	98
PID 2744 wrote to memory of 1916	2744	regsvr32.exe	98
PID 2744 wrote to memory of 1916	2744	regsvr32.exe	98
PID 1916 wrote to memory of 1528	1916	regsvr32.exe	99
PID 1916 wrote to memory of 1528	1916	regsvr32.exe	99
PID 1916 wrote to memory of 1528	1916	regsvr32.exe	99
PID 1916 wrote to memory of 1528	1916	regsvr32.exe	99
PID 1916 wrote to memory of 1528	1916	regsvr32.exe	99
PID 1528 wrote to memory of 1104	1528	explorer.exe	100
PID 1528 wrote to memory of 1104	1528	explorer.exe	100
PID 1528 wrote to memory of 2588	1528	explorer.exe	102
PID 1528 wrote to memory of 2588	1528	explorer.exe	102

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e838009e3a929fd62d0a091a31a35a0d_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e838009e3a929fd62d0a091a31a35a0d_JaffaCakes118.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3768
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn cmmhtezdbt /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\e838009e3a929fd62d0a091a31a35a0d_JaffaCakes118.dll\"" /SC ONCE /Z /ST 20:51 /ET 21:03
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1292

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\e838009e3a929fd62d0a091a31a35a0d_JaffaCakes118.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\SysWOW64\regsvr32.exe
  -s "C:\Users\Admin\AppData\Local\Temp\e838009e3a929fd62d0a091a31a35a0d_JaffaCakes118.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Yyvrcb" /d "0"
      4⤵
      Windows security bypass
      PID:1104
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Dagzcsfa" /d "0"
      4⤵
      Windows security bypass
      PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e838009e3a929fd62d0a091a31a35a0d_JaffaCakes118.dll

Filesize
378KB

MD5
e838009e3a929fd62d0a091a31a35a0d

SHA1
77e579a53e08068ff529745954ddd1d09d86f7a6

SHA256
679e6ffe4abc97f9ce1a4152daf960ee26545fa68c05e53ef7fcf3fe45e39926

SHA512
01123446a9d19beac86731be169358f465d4f7cf79fa56e5fb33d5909c23c39bcc21bb21f47f8a1bb38d3509c50278b277190a1f53a168f94503e810269d599e

Download Submit
memory/1528-21-0x0000000000B40000-0x0000000000B61000-memory.dmp

Filesize
132KB

Download
memory/1528-20-0x0000000000B40000-0x0000000000B61000-memory.dmp

Filesize
132KB

Download
memory/1528-19-0x0000000000B40000-0x0000000000B61000-memory.dmp

Filesize
132KB

Download
memory/1916-17-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2780-4-0x0000000002E60000-0x0000000002EA2000-memory.dmp

Filesize
264KB

Download
memory/2780-5-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/2780-0-0x0000000002E60000-0x0000000002EA2000-memory.dmp

Filesize
264KB

Download
memory/2780-3-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2780-1-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/3768-10-0x0000000000D80000-0x0000000000DA1000-memory.dmp

Filesize
132KB

Download
memory/3768-8-0x0000000000D80000-0x0000000000DA1000-memory.dmp

Filesize
132KB

Download
memory/3768-12-0x0000000000D80000-0x0000000000DA1000-memory.dmp

Filesize
132KB

Download
memory/3768-9-0x0000000000D80000-0x0000000000DA1000-memory.dmp

Filesize
132KB

Download
memory/3768-2-0x0000000000D80000-0x0000000000DA1000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads