Analysis

  • max time kernel
    126s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/01/2025, 09:25 UTC

General

  • Target

    JaffaCakes118_5ae6f2a3c261fb2f4352c5635892e3d0.dll

  • Size

    500KB

  • MD5

    5ae6f2a3c261fb2f4352c5635892e3d0

  • SHA1

    ac3ccabbc297efc42a563f75e8c9a508be39598c

  • SHA256

    8907a22252f61b0627d9c97eafcd22eb450e2a694da244e31c906a10c0d5b21f

  • SHA512

    b982a9f0e8d049c1e467f8b2aeb36a00532a755ab6e36f1e4d587d551fe94e1d8724e5d910b73edecca4fc78697d14447332ddba6c3a27878729f28eb5dd9c70

  • SSDEEP

    6144:V2N8aCbpt5e3JVAfqX+2Rr+nxQDBO03fHEe:w87z5mvAfLfaE

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama115

Campaign

1634197867

C2

91.178.126.51:995

220.255.25.28:2222

208.78.220.143:443

77.31.162.93:443

73.230.205.91:443

216.201.162.158:443

94.200.181.154:443

24.231.209.2:2222

89.137.52.44:443

140.82.49.12:443

65.100.174.110:32103

41.86.42.158:995

27.223.92.142:995

200.232.214.222:995

81.250.153.227:2222

217.17.56.163:465

122.60.71.201:995

120.150.218.241:995

41.228.22.180:443

69.30.186.190:443

Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2
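
The extracted config above is the part of this report that feeds blocklists and hunting queries. The following is an added example, not tria.ge's own code: it parses a constructed copy of the fields shown above (same label/value layout), validates each C2 entry as a public IPv4 socket, groups the C2 set by port, and decodes the campaign ID. Reading the campaign ID as a Unix timestamp is the interpretation commonly reported for Qakbot configs and is treated as an assumption here.

```python
# Added example (not tria.ge code): turn the "Malware Config / Extracted" block
# above into structured IoCs. REPORT_CONFIG is a constructed copy of those fields.
import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone

REPORT_CONFIG = """
Family
qakbot
Version
402.363
Botnet
obama115
Campaign
1634197867
C2
91.178.126.51:995
220.255.25.28:2222
208.78.220.143:443
77.31.162.93:443
73.230.205.91:443
216.201.162.158:443
94.200.181.154:443
24.231.209.2:2222
89.137.52.44:443
140.82.49.12:443
65.100.174.110:32103
41.86.42.158:995
27.223.92.142:995
200.232.214.222:995
81.250.153.227:2222
217.17.56.163:465
122.60.71.201:995
120.150.218.241:995
41.228.22.180:443
69.30.186.190:443
Attributes
salt
jHxastDcds)oMc=jvh7wdUhxcsdt2
"""

SCALAR_LABELS = ("Family", "Version", "Botnet", "Campaign")
C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_c2(entry: str) -> tuple[str, int]:
    """Validate one 'ip:port' line; reject anything that is not a public IPv4 socket."""
    m = C2_RE.match(entry)
    if not m:
        raise ValueError(f"malformed C2 entry: {entry!r}")
    ip = ipaddress.IPv4Address(m.group(1))  # raises on octets > 255
    port = int(m.group(2))
    if not 0 < port < 65536:
        raise ValueError(f"bad port in C2 entry: {entry!r}")
    if ip.is_private or ip.is_loopback or ip.is_multicast or ip.is_reserved:
        raise ValueError(f"non-public C2 address: {entry!r}")
    return str(ip), port


def parse_config(text: str) -> dict:
    """Walk label/value lines; C2 runs until the next label, Attributes are key/value pairs."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    cfg = {"c2": [], "attributes": {}}
    i = 0
    while i < len(lines):
        label = lines[i]
        if label in SCALAR_LABELS:
            cfg[label.lower()] = lines[i + 1]
            i += 2
        elif label == "C2":
            i += 1
            while i < len(lines) and C2_RE.match(lines[i]):
                cfg["c2"].append(parse_c2(lines[i]))
                i += 1
        elif label == "Attributes":
            i += 1
            while i + 1 < len(lines):
                cfg["attributes"][lines[i]] = lines[i + 1]
                i += 2
        else:
            raise ValueError(f"unexpected label: {label!r}")
    return cfg


def campaign_time(cfg: dict) -> datetime:
    """Assumption: the campaign ID is a Unix timestamp in seconds; decode it to UTC."""
    return datetime.fromtimestamp(int(cfg["campaign"]), tz=timezone.utc)


def c2_port_histogram(cfg: dict) -> Counter:
    """Which egress ports matter: 995, 2222, 465 and 32103 are not ordinary web egress."""
    return Counter(port for _, port in cfg["c2"])


def c2_blocklist(cfg: dict) -> list[str]:
    """Sorted, de-duplicated 'ip:port' strings for a firewall or proxy deny-list."""
    return sorted({f"{ip}:{port}" for ip, port in cfg["c2"]})


if __name__ == "__main__":
    cfg = parse_config(REPORT_CONFIG)
    print(cfg["botnet"], campaign_time(cfg).isoformat(), dict(c2_port_histogram(cfg)))
```

For this config the campaign ID decodes to 2021-10-14 07:51:07 UTC, and nine of the twenty C2 entries use 443, so port-based egress filtering alone would miss almost half of the set.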

Signatures

  • Qakbot family
  • Qakbot/Qbot

    Qbot or Qakbot is a modular banking trojan and loader with worm-like spreading capabilities.

  • Windows security bypass 2 TTPs 4 IoCs

    Two reg.exe ADD operations (PIDs 3920 and 4636 below) create REG_DWORD values named C:\ProgramData\Microsoft\Vcuzeqqfeh and C:\Users\Admin\AppData\Roaming\Microsoft\Roidxyc under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths, which excludes those directories from Defender scanning. Writing under HKLM requires administrative rights.
  • Loads dropped DLL 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Modifies data under HKEY_USERS 10 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here (PID 2340 below) a task named nbdopzd is created to run regsvr32.exe -s on the dropped DLL as NT AUTHORITY\SYSTEM, once, at 09:27 with an end boundary of 09:39; the /Z switch marks the task for deletion after that run, so enumerating scheduled tasks afterwards will not show it.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ae6f2a3c261fb2f4352c5635892e3d0.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ae6f2a3c261fb2f4352c5635892e3d0.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4184
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn nbdopzd /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ae6f2a3c261fb2f4352c5635892e3d0.dll\"" /SC ONCE /Z /ST 09:27 /ET 09:39
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2340
  • C:\Windows\system32\regsvr32.exe
    regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ae6f2a3c261fb2f4352c5635892e3d0.dll"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Windows\SysWOW64\regsvr32.exe
      -s "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ae6f2a3c261fb2f4352c5635892e3d0.dll"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4932
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:668
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Vcuzeqqfeh" /d "0"
          4⤵
          • Windows security bypass
          PID:3920
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Roidxyc" /d "0"
          4⤵
          • Windows security bypass
          PID:4636
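
The process tree above contains four behaviours worth turning into detection logic: a DLL host (rundll32/regsvr32) executing a module from the user temp directory, explorer.exe being started by that DLL host, schtasks creating a task that points a DLL host at that module, and reg.exe adding Defender path exclusions. The following is an added example, not tria.ge's code: the rules are the editor's, and the process list is a constructed transcription of the tree above (pid, parent pid, image, command line), the same fields a Sysmon event 1 or Security 4688 record would provide.

```python
# Added example (not tria.ge code): command-line rules for the behaviours in the
# process tree above, run over a constructed transcription of that tree.
import re
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


DLL = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ae6f2a3c261fb2f4352c5635892e3d0.dll"
PROCS = [  # transcribed from the Processes section of this report
    Proc(1460, None, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    Proc(2468, 1460, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    Proc(4184, 2468, r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe"),
    Proc(2340, 4184, r"C:\Windows\SysWOW64\schtasks.exe",
         f'"C:\\Windows\\system32\\schtasks.exe" /Create /RU "NT AUTHORITY\\SYSTEM" /tn nbdopzd '
         f'/tr "regsvr32.exe -s \\"{DLL}\\"" /SC ONCE /Z /ST 09:27 /ET 09:39'),
    Proc(2504, None, r"C:\Windows\system32\regsvr32.exe", f'regsvr32.exe -s "{DLL}"'),
    Proc(4932, 2504, r"C:\Windows\SysWOW64\regsvr32.exe", f'-s "{DLL}"'),
    Proc(668, 4932, r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe"),
    Proc(3920, 668, r"C:\Windows\system32\reg.exe",
         r'C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" '
         r'/f /t REG_DWORD /v "C:\ProgramData\Microsoft\Vcuzeqqfeh" /d "0"'),
    Proc(4636, 668, r"C:\Windows\system32\reg.exe",
         r'C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" '
         r'/f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Roidxyc" /d "0"'),
]

DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}
TEMP_DIR = "\\appdata\\local\\temp\\"
DEFENDER_EXCL = re.compile(r"\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)", re.I)


def dll_host_from_temp(p: Proc, parent: Optional[Proc]) -> Optional[str]:
    cl = p.cmdline.lower()
    if p.name in DLL_HOSTS and TEMP_DIR in cl and ".dll" in cl:
        return "rundll32/regsvr32 executing a DLL from the user temp directory"
    return None


def explorer_spawned_by_dll_host(p: Proc, parent: Optional[Proc]) -> Optional[str]:
    if p.name == "explorer.exe" and parent is not None and parent.name in DLL_HOSTS:
        return f"explorer.exe started by {parent.name} (pid {parent.pid}), a common injection target"
    return None


def schtasks_dll_host_from_temp(p: Proc, parent: Optional[Proc]) -> Optional[str]:
    cl = p.cmdline
    if p.name != "schtasks.exe" or "/create" not in cl.lower() or TEMP_DIR not in cl.lower():
        return None
    if not re.search(r'/tr\s+"?(regsvr32|rundll32)', cl, re.I):
        return None
    name = re.search(r"/tn\s+(\S+)", cl, re.I)
    runas = re.search(r'/ru\s+"([^"]+)"', cl, re.I)
    notes = [f"task {name.group(1) if name else '?'}"]
    if runas:
        notes.append(f"runs as {runas.group(1)}")
    if re.search(r"\s/Z\b", cl):  # /Z: task is deleted after its final run
        notes.append("self-deleting (/Z)")
    return ", ".join(notes)


def defender_exclusion_via_reg(p: Proc, parent: Optional[Proc]) -> Optional[str]:
    m = DEFENDER_EXCL.search(p.cmdline)
    if p.name != "reg.exe" or not m or not re.search(r"\bADD\b", p.cmdline, re.I):
        return None
    val = re.search(r'/v\s+"([^"]+)"', p.cmdline, re.I)
    return f"Defender {m.group(1)} exclusion added for {val.group(1) if val else '?'}"


RULES: dict[str, Callable[[Proc, Optional[Proc]], Optional[str]]] = {
    "dll_host_from_temp": dll_host_from_temp,
    "explorer_spawned_by_dll_host": explorer_spawned_by_dll_host,
    "schtasks_dll_host_from_temp": schtasks_dll_host_from_temp,
    "defender_exclusion_via_reg": defender_exclusion_via_reg,
}


def evaluate(procs: list[Proc]) -> list[tuple[str, int, str]]:
    """Apply every rule to every process, resolving the parent by ppid for lineage rules."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        for rule_name, rule in RULES.items():
            detail = rule(p, parent)
            if detail:
                hits.append((rule_name, p.pid, detail))
    return hits


if __name__ == "__main__":
    for rule_name, pid, detail in evaluate(PROCS):
        print(f"{rule_name:30} pid={pid:<5} {detail}")
```

Run against the tree above this yields nine hits: both rundll32 and both regsvr32 instances for the temp-directory DLL, both explorer.exe children, the schtasks creation (reported with its task name, SYSTEM run-as and self-deletion flag) and both Defender exclusion writes. The lineage rule is the one that needs the parent record; the other three work on a single command line.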

Network

Only reverse (PTR) lookups to 8.8.8.8:53 were captured in this run; none of the C2 addresses from the extracted config appear in the traffic below, and none of the looked-up addresses are C2 entries.

  DNS (PTR lookups via 8.8.8.8:53)

  Request                          Type    Response
  28.118.140.52.in-addr.arpa       IN PTR  -
  8.153.16.2.in-addr.arpa          IN PTR  a2-16-153-8.deploy.static.akamaitechnologies.com
  76.32.126.40.in-addr.arpa        IN PTR  -
  95.221.229.192.in-addr.arpa      IN PTR  -
  196.249.167.52.in-addr.arpa      IN PTR  -
  200.163.202.172.in-addr.arpa     IN PTR  -
  241.42.69.40.in-addr.arpa        IN PTR  -
  166.190.18.2.in-addr.arpa        IN PTR  a2-18-190-166.deploy.static.akamaitechnologies.com
  172.210.232.199.in-addr.arpa     IN PTR  -
  30.243.111.52.in-addr.arpa       IN PTR  -

  Traffic summary

  Remote address   DNS request                      Proto  Sent   Received  Requests  Responses
  8.8.8.8:53       28.118.140.52.in-addr.arpa       dns    72 B   158 B     1         1
  8.8.8.8:53       8.153.16.2.in-addr.arpa          dns    69 B   131 B     1         1
  8.8.8.8:53       76.32.126.40.in-addr.arpa        dns    71 B   157 B     1         1
  8.8.8.8:53       95.221.229.192.in-addr.arpa      dns    73 B   144 B     1         1
  8.8.8.8:53       196.249.167.52.in-addr.arpa      dns    73 B   147 B     1         1
  8.8.8.8:53       200.163.202.172.in-addr.arpa     dns    74 B   160 B     1         1
  8.8.8.8:53       241.42.69.40.in-addr.arpa        dns    71 B   145 B     1         1
  8.8.8.8:53       166.190.18.2.in-addr.arpa        dns    71 B   135 B     1         1
  8.8.8.8:53       172.210.232.199.in-addr.arpa     dns    74 B   128 B     1         1
  8.8.8.8:53       30.243.111.52.in-addr.arpa       dns    72 B   158 B     1         1

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ae6f2a3c261fb2f4352c5635892e3d0.dll

    Filesize

    500KB

    MD5

    5ae6f2a3c261fb2f4352c5635892e3d0

    SHA1

    ac3ccabbc297efc42a563f75e8c9a508be39598c

    SHA256

    8907a22252f61b0627d9c97eafcd22eb450e2a694da244e31c906a10c0d5b21f

    SHA512

    b982a9f0e8d049c1e467f8b2aeb36a00532a755ab6e36f1e4d587d551fe94e1d8724e5d910b73edecca4fc78697d14447332ddba6c3a27878729f28eb5dd9c70

  • memory/668-20-0x0000000000D70000-0x0000000000D91000-memory.dmp

    Filesize

    132KB

  • memory/668-21-0x0000000000D70000-0x0000000000D91000-memory.dmp

    Filesize

    132KB

  • memory/668-19-0x0000000000D70000-0x0000000000D91000-memory.dmp

    Filesize

    132KB

  • memory/2468-5-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

  • memory/2468-4-0x0000000002B20000-0x0000000002B53000-memory.dmp

    Filesize

    204KB

  • memory/2468-0-0x0000000002B20000-0x0000000002B53000-memory.dmp

    Filesize

    204KB

  • memory/2468-3-0x0000000010000000-0x000000001007F000-memory.dmp

    Filesize

    508KB

  • memory/2468-1-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

  • memory/4184-9-0x0000000000720000-0x0000000000741000-memory.dmp

    Filesize

    132KB

  • memory/4184-10-0x0000000000720000-0x0000000000741000-memory.dmp

    Filesize

    132KB

  • memory/4184-8-0x0000000000720000-0x0000000000741000-memory.dmp

    Filesize

    132KB

  • memory/4184-11-0x0000000000720000-0x0000000000741000-memory.dmp

    Filesize

    132KB

  • memory/4184-12-0x0000000000720000-0x0000000000741000-memory.dmp

    Filesize

    132KB

  • memory/4184-2-0x0000000000720000-0x0000000000741000-memory.dmp

    Filesize

    132KB

  • memory/4932-17-0x0000000010000000-0x000000001007F000-memory.dmp

    Filesize

    508KB
