qakbot | 8907a22252f61b0627d9c97eafcd22eb450e2a694da244e31c906a10c0d5b21f

General

Target

JaffaCakes118_5ae6f2a3c261fb2f4352c5635892e3d0.dll
Size

500KB
MD5

5ae6f2a3c261fb2f4352c5635892e3d0
SHA1

ac3ccabbc297efc42a563f75e8c9a508be39598c
SHA256

8907a22252f61b0627d9c97eafcd22eb450e2a694da244e31c906a10c0d5b21f
SHA512

b982a9f0e8d049c1e467f8b2aeb36a00532a755ab6e36f1e4d587d551fe94e1d8724e5d910b73edecca4fc78697d14447332ddba6c3a27878729f28eb5dd9c70
SSDEEP

6144:V2N8aCbpt5e3JVAfqX+2Rr+nxQDBO03fHEe:w87z5mvAfLfaE

Score

10^/10

qakbot obama115 1634197867 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama115

Campaign

1634197867

C2

91.178.126.51:995

220.255.25.28:2222

208.78.220.143:443

77.31.162.93:443

73.230.205.91:443

216.201.162.158:443

94.200.181.154:443

24.231.209.2:2222

89.137.52.44:443

140.82.49.12:443

65.100.174.110:32103

41.86.42.158:995

27.223.92.142:995

200.232.214.222:995

81.250.153.227:2222

217.17.56.163:465

122.60.71.201:995

120.150.218.241:995

41.228.22.180:443

69.30.186.190:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot family
qakbot
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Vcuzeqqfeh = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Roidxyc = "0"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
4932	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zynuupzwrwyt\e2d4a72d = c59dd2e5237b1491871da6b00e49310e9a0a5746a09c41178f3be05b5415b522e8f15d8fdcc7153726c619c99f822945ab938554f3e351a8caa0c0988abba61530b8afd6fb1b303a072b6431af9d19fb2f398b080db1d43f20b7d484d9cf97f2622570952d8712231922b69caba907b0f5cc08008b7296ea1666baeb11ce1ce9ed755e093eec5d0b6abc7b72144995d557a08f16a880757d3e4972588f3063b0677ddfcdef97c4a6a904f2dcff2ad1becc92374b795e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zynuupzwrwyt\5829e034 = f232d57368b0210163ffb0ea045222	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zynuupzwrwyt\9d9dc8db = 12d1e319f44cbd148abb14bfd13139670dda9b9baa783bc6cc92eff8fcdf9fc84b17d6bb5032608b203bc4bbaaf68daeeac7320c90144c1ddbb67f	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zynuupzwrwyt	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zynuupzwrwyt\d74b7763 = 2b29e5e743acef7cba0df2b4cd51c571930aa825ab627ea26412e24cfbf16a56e165d3b3ce519321	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zynuupzwrwyt\e0958751 = aa5ca1fa87afb142fd68adc35afcc149b645ad17e1908bb441a00d227e24bd8377bd743efa8a4ec36ad89dc538d8ac5ea473c7dd4e5274c06c27978ed4911e759b898ff1d51f8d716fcc5c5d579493610d363168f0e843c86ac221f5f0472507a8a34c1e71e0508e2a0ba4	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zynuupzwrwyt\2521afbe = fa360a2c0303baf1aecf6799aa974b2f0ad0e8b844b62af7054100ac	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zynuupzwrwyt\5a68c048 = fa6e02ba801a754acfa104e8310491f5bb98fe97af7857b2689f6137cf6a0ff3	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zynuupzwrwyt\a8021895 = 2966456fafb9076ef1b2cd1a086e4ab448	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zynuupzwrwyt\d74b7763 = 2b29f2e743acda383897cc3bf45567805658c173e616ad3ca9af275e78ea1cb3068e90d64acfb2aeac259249021bb3c9cdcac82c8d200c3a4a5021d265	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2340	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2468	rundll32.exe
2468	rundll32.exe
4932	regsvr32.exe
4932	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2468	rundll32.exe
4932	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 2468	1460	rundll32.exe	82
PID 1460 wrote to memory of 2468	1460	rundll32.exe	82
PID 1460 wrote to memory of 2468	1460	rundll32.exe	82
PID 2468 wrote to memory of 4184	2468	rundll32.exe	83
PID 2468 wrote to memory of 4184	2468	rundll32.exe	83
PID 2468 wrote to memory of 4184	2468	rundll32.exe	83
PID 2468 wrote to memory of 4184	2468	rundll32.exe	83
PID 2468 wrote to memory of 4184	2468	rundll32.exe	83
PID 4184 wrote to memory of 2340	4184	explorer.exe	84
PID 4184 wrote to memory of 2340	4184	explorer.exe	84
PID 4184 wrote to memory of 2340	4184	explorer.exe	84
PID 2504 wrote to memory of 4932	2504	regsvr32.exe	96
PID 2504 wrote to memory of 4932	2504	regsvr32.exe	96
PID 2504 wrote to memory of 4932	2504	regsvr32.exe	96
PID 4932 wrote to memory of 668	4932	regsvr32.exe	97
PID 4932 wrote to memory of 668	4932	regsvr32.exe	97
PID 4932 wrote to memory of 668	4932	regsvr32.exe	97
PID 4932 wrote to memory of 668	4932	regsvr32.exe	97
PID 4932 wrote to memory of 668	4932	regsvr32.exe	97
PID 668 wrote to memory of 3920	668	explorer.exe	98
PID 668 wrote to memory of 3920	668	explorer.exe	98
PID 668 wrote to memory of 4636	668	explorer.exe	100
PID 668 wrote to memory of 4636	668	explorer.exe	100

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ae6f2a3c261fb2f4352c5635892e3d0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ae6f2a3c261fb2f4352c5635892e3d0.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4184
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn nbdopzd /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ae6f2a3c261fb2f4352c5635892e3d0.dll\"" /SC ONCE /Z /ST 09:27 /ET 09:39
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2340

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ae6f2a3c261fb2f4352c5635892e3d0.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\SysWOW64\regsvr32.exe
  -s "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ae6f2a3c261fb2f4352c5635892e3d0.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:668
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Vcuzeqqfeh" /d "0"
      4⤵
      Windows security bypass
      PID:3920
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Roidxyc" /d "0"
      4⤵
      Windows security bypass
      PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ae6f2a3c261fb2f4352c5635892e3d0.dll

Filesize
500KB

MD5
5ae6f2a3c261fb2f4352c5635892e3d0

SHA1
ac3ccabbc297efc42a563f75e8c9a508be39598c

SHA256
8907a22252f61b0627d9c97eafcd22eb450e2a694da244e31c906a10c0d5b21f

SHA512
b982a9f0e8d049c1e467f8b2aeb36a00532a755ab6e36f1e4d587d551fe94e1d8724e5d910b73edecca4fc78697d14447332ddba6c3a27878729f28eb5dd9c70

Download Submit
memory/668-20-0x0000000000D70000-0x0000000000D91000-memory.dmp

Filesize
132KB

Download
memory/668-21-0x0000000000D70000-0x0000000000D91000-memory.dmp

Filesize
132KB

Download
memory/668-19-0x0000000000D70000-0x0000000000D91000-memory.dmp

Filesize
132KB

Download
memory/2468-5-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2468-4-0x0000000002B20000-0x0000000002B53000-memory.dmp

Filesize
204KB

Download
memory/2468-0-0x0000000002B20000-0x0000000002B53000-memory.dmp

Filesize
204KB

Download
memory/2468-3-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2468-1-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/4184-9-0x0000000000720000-0x0000000000741000-memory.dmp

Filesize
132KB

Download
memory/4184-10-0x0000000000720000-0x0000000000741000-memory.dmp

Filesize
132KB

Download
memory/4184-8-0x0000000000720000-0x0000000000741000-memory.dmp

Filesize
132KB

Download
memory/4184-11-0x0000000000720000-0x0000000000741000-memory.dmp

Filesize
132KB

Download
memory/4184-12-0x0000000000720000-0x0000000000741000-memory.dmp

Filesize
132KB

Download
memory/4184-2-0x0000000000720000-0x0000000000741000-memory.dmp

Filesize
132KB

Download
memory/4932-17-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads