Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/01/2025, 07:52 UTC

General

  • Target

    JaffaCakes118_94128f783ebffa5f5203389d3dc26a0e.dll

  • Size

    890KB

  • MD5

    94128f783ebffa5f5203389d3dc26a0e

  • SHA1

    577840a380a9b4f7aeddd00fa21b15a4926755be

  • SHA256

    1a8c6286a51023a2c737ea6e18eaeb044d726c4d9f1ed64dd70d9b80d8998cfe

  • SHA512

    94afeb12874513354fbf0d23cd7589b962e88efc45a669f01f3f04bde31562b304cd80cdf5d47e75925d4d37292bbe563c0d2f2999e8758520d1858dc4e1765b

  • SSDEEP

    24576:EvmCkg3miQH9ZfSCFEzkuViMKvb/o2ggJcW0eQRqg:EvmC3m1jSCFMKvjjXJcF9qg

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

biden54

Campaign

1634810637

C2

Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

  • Qakbot family
  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Windows security bypass (2 TTPs, 4 IoCs)
  • Loads dropped DLL (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS (10 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious behavior: MapViewOfSection (2 IoCs)
  • Suspicious use of WriteProcessMemory (23 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94128f783ebffa5f5203389d3dc26a0e.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4264
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94128f783ebffa5f5203389d3dc26a0e.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3628
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5020
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn cyfzrfttv /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94128f783ebffa5f5203389d3dc26a0e.dll\"" /SC ONCE /Z /ST 07:55 /ET 08:07
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:3904
  • C:\Windows\system32\regsvr32.exe
    regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94128f783ebffa5f5203389d3dc26a0e.dll"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Windows\SysWOW64\regsvr32.exe
      -s "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94128f783ebffa5f5203389d3dc26a0e.dll"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:3900
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Avryerygw" /d "0"
          4⤵
          • Windows security bypass
          PID:2212
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Azonsbxdtsbl" /d "0"
          4⤵
          • Windows security bypass
          PID:1808

Network

  All recorded DNS traffic went to 8.8.8.8:53; each entry is a single reverse (PTR) lookup with one request and one response.

  Remote address   Request                         Type    Proto   Sent   Received   Requests   Responses
  8.8.8.8:53       149.220.183.52.in-addr.arpa     IN PTR  dns     73 B   147 B      1          1
  8.8.8.8:53       23.159.190.20.in-addr.arpa      IN PTR  dns     72 B   158 B      1          1
  8.8.8.8:53       95.221.229.192.in-addr.arpa     IN PTR  dns     73 B   144 B      1          1
  8.8.8.8:53       28.118.140.52.in-addr.arpa      IN PTR  dns     72 B   158 B      1          1
  8.8.8.8:53       200.163.202.172.in-addr.arpa    IN PTR  dns     74 B   160 B      1          1
  8.8.8.8:53       15.164.165.52.in-addr.arpa      IN PTR  dns     72 B   146 B      1          1
  8.8.8.8:53       172.210.232.199.in-addr.arpa    IN PTR  dns     74 B   128 B      1          1
  8.8.8.8:53       21.49.80.91.in-addr.arpa        IN PTR  dns     70 B   145 B      1          1
  8.8.8.8:53       85.49.80.91.in-addr.arpa        IN PTR  dns     70 B   145 B      1          1

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94128f783ebffa5f5203389d3dc26a0e.dll

    Filesize

    890KB

    MD5

    94128f783ebffa5f5203389d3dc26a0e

    SHA1

    577840a380a9b4f7aeddd00fa21b15a4926755be

    SHA256

    1a8c6286a51023a2c737ea6e18eaeb044d726c4d9f1ed64dd70d9b80d8998cfe

    SHA512

    94afeb12874513354fbf0d23cd7589b962e88efc45a669f01f3f04bde31562b304cd80cdf5d47e75925d4d37292bbe563c0d2f2999e8758520d1858dc4e1765b

  • memory/1708-18-0x00000000750A0000-0x0000000075193000-memory.dmp

    Filesize

    972KB

  • memory/1708-20-0x00000000750A0000-0x0000000075193000-memory.dmp

    Filesize

    972KB

  • memory/1708-17-0x00000000750A0000-0x0000000075193000-memory.dmp

    Filesize

    972KB

  • memory/3628-1-0x000000007520F000-0x0000000075215000-memory.dmp

    Filesize

    24KB

  • memory/3628-2-0x0000000075130000-0x0000000075223000-memory.dmp

    Filesize

    972KB

  • memory/3628-3-0x0000000075130000-0x0000000075223000-memory.dmp

    Filesize

    972KB

  • memory/3628-0-0x0000000075130000-0x0000000075223000-memory.dmp

    Filesize

    972KB

  • memory/3628-6-0x0000000075130000-0x0000000075223000-memory.dmp

    Filesize

    972KB

  • memory/3900-23-0x00000000001C0000-0x00000000001E1000-memory.dmp

    Filesize

    132KB

  • memory/3900-24-0x00000000001C0000-0x00000000001E1000-memory.dmp

    Filesize

    132KB

  • memory/3900-22-0x00000000001C0000-0x00000000001E1000-memory.dmp

    Filesize

    132KB

  • memory/5020-5-0x0000000000370000-0x0000000000391000-memory.dmp

    Filesize

    132KB

  • memory/5020-13-0x0000000000370000-0x0000000000391000-memory.dmp

    Filesize

    132KB

  • memory/5020-11-0x0000000000370000-0x0000000000391000-memory.dmp

    Filesize

    132KB

  • memory/5020-10-0x0000000000370000-0x0000000000391000-memory.dmp

    Filesize

    132KB

  • memory/5020-9-0x0000000000370000-0x0000000000391000-memory.dmp

    Filesize

    132KB