qakbot | ce2b4e250ac3c32f7a265f1a444386a07ec96cbcbb43510734c37b0b9da011e9

Analysis

max time kernel
136s
max time network
129s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11/01/2025, 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_f4de3d851eb7dd7c361282901a5fa088.dll
Size

358KB
MD5

f4de3d851eb7dd7c361282901a5fa088
SHA1

9d8905df11662f6c1b4f39af47c1c8bb391f81c7
SHA256

ce2b4e250ac3c32f7a265f1a444386a07ec96cbcbb43510734c37b0b9da011e9
SHA512

7c55f49c9a5f2cc0b7dfcf56cb7af1d4a9ba9186cbe34e3a2d43cd2013247500e043e8f13e28a0a42b40fa89c8f81c52546db9b6ef5b164e0f24b89c6996b2dd
SSDEEP

6144:mm8HFmf2Ee5apzeJ4DSY7Dh6LUr+nxQNBO0fS:GjEuuDC1o

Score

10^/10

qakbot tr 1632730751 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

Campaign

1632730751

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot family
qakbot
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Ymcpd = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Ihriiknez = "0"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
2820	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uizrrvguucki\4a156683 = daf76550375ec7276a7b86ce6783aacaf40598221ec526a5e214dd	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uizrrvguucki\8fa14e6c = af74beb4707fe81a9bfcb51ac51c78e50f0a3d8cceb653e1e581dd2c9538fad311c65369d6c6c3b1fa9724c38d9bbcb492fd32879731e4dc5df0244f99db5760dd3222b3ab6c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uizrrvguucki\f0e8219a = e9a9f4db06acec4235c3123f9aad545bb876261eb43fb7a39514beea27743d4806e47d8275f83f39dcbf05	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uizrrvguucki\7dcb96b1 = 335e5c4badb171806f20acaa996497ca2abc364115063ac45df836b5c4a698baea199392f436cc01faaf	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uizrrvguucki\485446ff = 6b6c3c4bf6232a516a30a80800e4433b527eddc04a3f3a99cf1ae9c948c2746cc427b232fcf7dc95ddba9fa5c5671301709d4ab4dc08663c96afa8338108faebdf7826c4448b316bf644f1fb3736c6c5443b01faaca63e3137c73c0614350a28f5ad27509a361f1e1d27cb68ea9a51d34435e9bd	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uizrrvguucki\371d2909 = f93c6a9fc0211c0e4b6d6c22478d81579db45ebf23b287f1981591ceda895d9f61b4c02bdee7db644c3bc01e7cebd4f92043e53334fb443d4bb79e49c418690c776559bc29e4cff5c2a8db4e28861188636f8ecfcdccf5c5bc8370ab2f556760cd61a648c9d9f7f59a779c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uizrrvguucki\282f947 = af3b03bf2d9a5b20b8f230427e7dcffcf6	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uizrrvguucki\7dcb96b1 = 335e4b4badb14480478c31cea03c065fde209f03ea5c58733b8f9a6fc05b3c8c9d417fe74e3081b4c6323f1180d8f5515bc6fe197748374f12cb160b31811c	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uizrrvguucki	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uizrrvguucki\f2a901e6 = dccc74586c1868467ef541872c9abc50b5c5b7c14482fc98ba0376b3974c1095255563f1eece147ee1f81868bfbb320bbac6c28ccba05682aeb42a93dad3d7144b620834bccba6f80f00e806e63074ec4e437c87ef7198b5bcb005a466b0b4b2c4c035eab0a38ef1af23	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1268	rundll32.exe
2820	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1268	rundll32.exe
2820	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 1268	1300	rundll32.exe	30
PID 1300 wrote to memory of 1268	1300	rundll32.exe	30
PID 1300 wrote to memory of 1268	1300	rundll32.exe	30
PID 1300 wrote to memory of 1268	1300	rundll32.exe	30
PID 1300 wrote to memory of 1268	1300	rundll32.exe	30
PID 1300 wrote to memory of 1268	1300	rundll32.exe	30
PID 1300 wrote to memory of 1268	1300	rundll32.exe	30
PID 1268 wrote to memory of 1796	1268	rundll32.exe	31
PID 1268 wrote to memory of 1796	1268	rundll32.exe	31
PID 1268 wrote to memory of 1796	1268	rundll32.exe	31
PID 1268 wrote to memory of 1796	1268	rundll32.exe	31
PID 1268 wrote to memory of 1796	1268	rundll32.exe	31
PID 1268 wrote to memory of 1796	1268	rundll32.exe	31
PID 1796 wrote to memory of 1980	1796	explorer.exe	32
PID 1796 wrote to memory of 1980	1796	explorer.exe	32
PID 1796 wrote to memory of 1980	1796	explorer.exe	32
PID 1796 wrote to memory of 1980	1796	explorer.exe	32
PID 2648 wrote to memory of 2728	2648	taskeng.exe	36
PID 2648 wrote to memory of 2728	2648	taskeng.exe	36
PID 2648 wrote to memory of 2728	2648	taskeng.exe	36
PID 2648 wrote to memory of 2728	2648	taskeng.exe	36
PID 2648 wrote to memory of 2728	2648	taskeng.exe	36
PID 2728 wrote to memory of 2820	2728	regsvr32.exe	37
PID 2728 wrote to memory of 2820	2728	regsvr32.exe	37
PID 2728 wrote to memory of 2820	2728	regsvr32.exe	37
PID 2728 wrote to memory of 2820	2728	regsvr32.exe	37
PID 2728 wrote to memory of 2820	2728	regsvr32.exe	37
PID 2728 wrote to memory of 2820	2728	regsvr32.exe	37
PID 2728 wrote to memory of 2820	2728	regsvr32.exe	37
PID 2820 wrote to memory of 1388	2820	regsvr32.exe	38
PID 2820 wrote to memory of 1388	2820	regsvr32.exe	38
PID 2820 wrote to memory of 1388	2820	regsvr32.exe	38
PID 2820 wrote to memory of 1388	2820	regsvr32.exe	38
PID 2820 wrote to memory of 1388	2820	regsvr32.exe	38
PID 2820 wrote to memory of 1388	2820	regsvr32.exe	38
PID 1388 wrote to memory of 1352	1388	explorer.exe	39
PID 1388 wrote to memory of 1352	1388	explorer.exe	39
PID 1388 wrote to memory of 1352	1388	explorer.exe	39
PID 1388 wrote to memory of 1352	1388	explorer.exe	39
PID 1388 wrote to memory of 1648	1388	explorer.exe	41
PID 1388 wrote to memory of 1648	1388	explorer.exe	41
PID 1388 wrote to memory of 1648	1388	explorer.exe	41
PID 1388 wrote to memory of 1648	1388	explorer.exe	41

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f4de3d851eb7dd7c361282901a5fa088.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f4de3d851eb7dd7c361282901a5fa088.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn oxdtxvlq /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f4de3d851eb7dd7c361282901a5fa088.dll\"" /SC ONCE /Z /ST 02:45 /ET 02:57
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1980

C:\Windows\system32\taskeng.exe
taskeng.exe {BFD0FAF1-31B5-448B-B5C8-2FF418B1AFEE} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f4de3d851eb7dd7c361282901a5fa088.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f4de3d851eb7dd7c361282901a5fa088.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:1388
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Ymcpd" /d "0"
        5⤵
        Windows security bypass
        
        PID:1352
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ihriiknez" /d "0"
        5⤵
        Windows security bypass
        
        PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f4de3d851eb7dd7c361282901a5fa088.dll

Filesize
358KB

MD5
f4de3d851eb7dd7c361282901a5fa088

SHA1
9d8905df11662f6c1b4f39af47c1c8bb391f81c7

SHA256
ce2b4e250ac3c32f7a265f1a444386a07ec96cbcbb43510734c37b0b9da011e9

SHA512
7c55f49c9a5f2cc0b7dfcf56cb7af1d4a9ba9186cbe34e3a2d43cd2013247500e043e8f13e28a0a42b40fa89c8f81c52546db9b6ef5b164e0f24b89c6996b2dd

Download Submit
memory/1268-4-0x0000000010000000-0x0000000010055000-memory.dmp

Filesize
340KB

Download
memory/1268-1-0x0000000010000000-0x0000000010043000-memory.dmp

Filesize
268KB

Download
memory/1268-0-0x00000000007E0000-0x0000000000823000-memory.dmp

Filesize
268KB

Download
memory/1268-5-0x00000000007E0000-0x0000000000823000-memory.dmp

Filesize
268KB

Download
memory/1268-6-0x0000000010000000-0x0000000010043000-memory.dmp

Filesize
268KB

Download
memory/1388-22-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1388-24-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1388-23-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1796-9-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/1796-11-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/1796-10-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/1796-13-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/1796-2-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/1796-3-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2820-20-0x0000000010000000-0x0000000010055000-memory.dmp

Filesize
340KB

Download