qakbot | e709bd31b9d0f340605499771a33521a09ba3f9b17d19706ecb7748fea93dae5

General

Target

JaffaCakes118_c12d474142ae599f4b7d3c3decca27c0.dll
Size

512KB
MD5

c12d474142ae599f4b7d3c3decca27c0
SHA1

86326c7cae713774ddf65a90be20a49a86c0a11d
SHA256

e709bd31b9d0f340605499771a33521a09ba3f9b17d19706ecb7748fea93dae5
SHA512

0b4cdf6986fe985d5a9260760e398694315d45b86a33693c851f357a59083c100cc5b88c62e05cf29159b467bef3dc47aa39230cadf79cf62aa7b515b2ec58e3
SSDEEP

6144:bHEeraRbpt5e3JVAfqX+2Rr+nxQDBO03yDLC:rEk6z5mvAfLf0

Score

10^/10

qakbot star01 1634935795 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

star01

Campaign

1634935795

C2

45.9.20.200:443

96.246.158.154:995

67.165.206.193:993

207.246.112.221:443

37.208.181.198:61202

77.255.12.88:443

79.160.207.214:443

216.201.162.158:443

185.53.147.51:443

187.250.109.250:443

173.21.10.71:2222

108.4.67.252:443

93.175.84.127:443

84.117.135.69:443

87.64.241.207:995

207.246.112.221:995

188.50.34.167:995

73.25.109.183:2222

213.177.130.71:443

176.63.117.1:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot family
qakbot
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Atxranrnds = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Nmosmmn = "0"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
1076	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Quougguxb\6fa4510c = 9afd1e9160eedc9e6651402e9417220fbd52d3dcfa9006fb77bd4a6bbb621b86816020a943ce119b25e068157906e5d946255b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Quougguxb\5a3b8142 = 63f57e5f19bd7a455b4747d6ce70e9e99c9690c7d700f66067cdfb8bd4d10df642605fec7c7f64084797714a001c5559732fc992fa42031f05ea05e238d095150bb1953b9c00b9fc2720aedc6b097988016a81d9e6742e9c271aa09ff56a2b207184e913843a71ed5ff2553d148e5546d2545e1205e5252b0d65310ec04e93b397dcb7683b8d4c055252310b18b3ab24ca2fdd234b53aef7c1bfeed532af72a7ec	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Quougguxb\587aa13e = f535b3c94486859a88a2c1f96a819bef1027fe7dfd6f5d6a8f59d240b95c412b20fb045bada9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Quougguxb\e0c6c65b = 7cbe47e4f44c3cb843e5b342473a70665c88555b1922716ab259d4254436a2726725179ecd9b6a6dc1a5399633	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Quougguxb\e287e627 = cc23be47ce9d652f89b8e70e29cded64848034b4597acedce66026a0850547ae0a3b96024d2317b0ace1a90164af647b8ac5dcfa5d22d0d5cc7374254e52090eb17b7fc0cfea13	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Quougguxb	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Quougguxb\9dce89d1 = 62483788f094e52c29c81e1707a6703de55113aeb5443c219d4b414b3ca2ca37af1f676bcc36b7da6d95587baa1fb7285a16643a47a3d617f151a422d3f28f07	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Quougguxb\2572eeb4 = 86a64c05a4ab284375bb501fd81949a5ac9e7b26d0e2d376c71a52b14cd5	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Quougguxb\10ed3efa = 96cc6f25b040cfc559453a90237de571a135cd647f9b9b36746360b297f7569aa4a2f730b2ac65aaf5608fcb0d706b3a23fbda1e2b13772a199ee43b4b441afa95c60f30c6da312a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Quougguxb\6fa4510c = 9afd099160eee95f9d4593fcb1281273c445ec21a8e334f4219668d67f55a69dfb5dd6c9d4706980fecdef130650ce519cfc76ab36707ce51098173eba1c20f9914ed2e2d1515e8a	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3500	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3484	rundll32.exe
3484	rundll32.exe
1076	regsvr32.exe
1076	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3484	rundll32.exe
1076	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 3484	4388	rundll32.exe	82
PID 4388 wrote to memory of 3484	4388	rundll32.exe	82
PID 4388 wrote to memory of 3484	4388	rundll32.exe	82
PID 3484 wrote to memory of 4924	3484	rundll32.exe	83
PID 3484 wrote to memory of 4924	3484	rundll32.exe	83
PID 3484 wrote to memory of 4924	3484	rundll32.exe	83
PID 3484 wrote to memory of 4924	3484	rundll32.exe	83
PID 3484 wrote to memory of 4924	3484	rundll32.exe	83
PID 4924 wrote to memory of 3500	4924	explorer.exe	84
PID 4924 wrote to memory of 3500	4924	explorer.exe	84
PID 4924 wrote to memory of 3500	4924	explorer.exe	84
PID 1772 wrote to memory of 1076	1772	regsvr32.exe	96
PID 1772 wrote to memory of 1076	1772	regsvr32.exe	96
PID 1772 wrote to memory of 1076	1772	regsvr32.exe	96
PID 1076 wrote to memory of 4688	1076	regsvr32.exe	97
PID 1076 wrote to memory of 4688	1076	regsvr32.exe	97
PID 1076 wrote to memory of 4688	1076	regsvr32.exe	97
PID 1076 wrote to memory of 4688	1076	regsvr32.exe	97
PID 1076 wrote to memory of 4688	1076	regsvr32.exe	97
PID 4688 wrote to memory of 1188	4688	explorer.exe	98
PID 4688 wrote to memory of 1188	4688	explorer.exe	98
PID 4688 wrote to memory of 3884	4688	explorer.exe	100
PID 4688 wrote to memory of 3884	4688	explorer.exe	100

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c12d474142ae599f4b7d3c3decca27c0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c12d474142ae599f4b7d3c3decca27c0.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4924
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn buogdwure /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c12d474142ae599f4b7d3c3decca27c0.dll\"" /SC ONCE /Z /ST 06:29 /ET 06:41
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3500

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c12d474142ae599f4b7d3c3decca27c0.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\SysWOW64\regsvr32.exe
  -s "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c12d474142ae599f4b7d3c3decca27c0.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Atxranrnds" /d "0"
      4⤵
      Windows security bypass
      PID:1188
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Nmosmmn" /d "0"
      4⤵
      Windows security bypass
      PID:3884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c12d474142ae599f4b7d3c3decca27c0.dll

Filesize
512KB

MD5
c12d474142ae599f4b7d3c3decca27c0

SHA1
86326c7cae713774ddf65a90be20a49a86c0a11d

SHA256
e709bd31b9d0f340605499771a33521a09ba3f9b17d19706ecb7748fea93dae5

SHA512
0b4cdf6986fe985d5a9260760e398694315d45b86a33693c851f357a59083c100cc5b88c62e05cf29159b467bef3dc47aa39230cadf79cf62aa7b515b2ec58e3

Download Submit
memory/1076-17-0x0000000010000000-0x0000000010084000-memory.dmp

Filesize
528KB

Download
memory/3484-3-0x0000000010000000-0x0000000010084000-memory.dmp

Filesize
528KB

Download
memory/3484-0-0x0000000000CA0000-0x0000000000CD3000-memory.dmp

Filesize
204KB

Download
memory/3484-5-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/3484-4-0x0000000000CA0000-0x0000000000CD3000-memory.dmp

Filesize
204KB

Download
memory/3484-1-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/4688-19-0x0000000001620000-0x0000000001641000-memory.dmp

Filesize
132KB

Download
memory/4688-20-0x0000000001620000-0x0000000001641000-memory.dmp

Filesize
132KB

Download
memory/4688-21-0x0000000001620000-0x0000000001641000-memory.dmp

Filesize
132KB

Download
memory/4924-8-0x0000000000D50000-0x0000000000D71000-memory.dmp

Filesize
132KB

Download
memory/4924-10-0x0000000000D50000-0x0000000000D71000-memory.dmp

Filesize
132KB

Download
memory/4924-9-0x0000000000D50000-0x0000000000D71000-memory.dmp

Filesize
132KB

Download
memory/4924-12-0x0000000000D50000-0x0000000000D71000-memory.dmp

Filesize
132KB

Download
memory/4924-2-0x0000000000D50000-0x0000000000D71000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads