qakbot | ce2b4e250ac3c32f7a265f1a444386a07ec96cbcbb43510734c37b0b9da011e9

General

Target

JaffaCakes118_f4de3d851eb7dd7c361282901a5fa088.dll
Size

358KB
MD5

f4de3d851eb7dd7c361282901a5fa088
SHA1

9d8905df11662f6c1b4f39af47c1c8bb391f81c7
SHA256

ce2b4e250ac3c32f7a265f1a444386a07ec96cbcbb43510734c37b0b9da011e9
SHA512

7c55f49c9a5f2cc0b7dfcf56cb7af1d4a9ba9186cbe34e3a2d43cd2013247500e043e8f13e28a0a42b40fa89c8f81c52546db9b6ef5b164e0f24b89c6996b2dd
SSDEEP

6144:mm8HFmf2Ee5apzeJ4DSY7Dh6LUr+nxQNBO0fS:GjEuuDC1o

Score

10^/10

qakbot tr 1632730751 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

tr

Campaign

1632730751

C2

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot family
qakbot
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Djoiiwkinlux = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Gieiuk = "0"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
464	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Hwidemcsgu\9c82a1f5 = 0f8cf63d901f0b6c72467b15	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Hwidemcsgu\5936891a = e7729e4e4a2c36db02cc267b381807682c6a839754185cfde86347de5165ccdabe9b1be0	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Hwidemcsgu\6ca95954 = 1c05a1cde7408dc0755a4ca6d3e9f14c49899de5ec4b7600a9ead9f2111c8668e966eef4f34d324319d914b2ff85db4e6798df0fceaa871881093541c3ec51cea883783824eb1a2b1732fb4fe1c18527704f583602ddf50b39aec18880c15c3c0386ec5b09e552c5fde0	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Hwidemcsgu\13e036a2 = 886ef69d746156d19afa154868be5f833122a185c5410e6606361886b75078b9590707aa3293c4bf3e41e2cf6600cf56ac2385b8c574aa6e735cc27a69ff7868f79526e6ce885a222a38f93df551c5187a105880518669ec419fe4b2ac91af	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Hwidemcsgu\267fe6ec = b147f52c3b1d12d0ac413d9557c1396ca46b3afefbc8cc89056ce550425f4ee5b6418e406a16998764cbb3cf9b293af3b562272146a88a1f080628710ea167407df32ae61422c03e33459c68af85e9fa4246bea5f0161c6b6bf634137126db7e1dc8ecc91a198d28303dda19874a4327ff3e5d80579ce6c319af32ff9b58550adcee0ec480f12ef10714ea30169fdee8a4441113afa89ea8f7	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Hwidemcsgu\e18aee7f = 16a6ccd7613994aa3147d3aeda4e936da2ca3c4e95b7858ae642c597c8e5d2015034b391f300ad450c2637b380cec1332e1375b9eb2e900ecaf02eaa5aaafeb6dc42e1f59cc06c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Hwidemcsgu\9ec38189 = c9200152cf320e0b2edf644d6437f668ceaa48e59931abf5543ce12b11357e37822008d9e2b24c2487dc3493f0660b0dd0e75857c3b3d30d38d8337a6486da4f0aec2673dc9b6a8af55bb713a95ffdc4306738b15f3634ecf0a232c0b1d0d80b781fa1879360ae8c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Hwidemcsgu\13e036a2 = 886ee19d746163935cecc5aebc5be9d4275c82e5e9d9b552133780e0e50ea9b51f83a60819b50fa1c43161cdc9537f41e22da61314d1ea56cc4460f8329bed5b48aabe276e61fd879db38b7a1e2977d31bd64d798e40982402a7007f658240929ae992f03d808c6de5e21ffa5bd45cc636e574b9	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Hwidemcsgu	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Hwidemcsgu\243ec690 = 0c92b76a3d61f458468743744084b783e1d96a3535ce379fcddeda6427ed3b80461df1127dbcaab17e48a253ad7aba15977ccfaf9d27af4083a79b88f6456de98f6588ce7f6c	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3036	rundll32.exe
3036	rundll32.exe
464	regsvr32.exe
464	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3036	rundll32.exe
464	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 3036	1068	rundll32.exe	82
PID 1068 wrote to memory of 3036	1068	rundll32.exe	82
PID 1068 wrote to memory of 3036	1068	rundll32.exe	82
PID 3036 wrote to memory of 4604	3036	rundll32.exe	83
PID 3036 wrote to memory of 4604	3036	rundll32.exe	83
PID 3036 wrote to memory of 4604	3036	rundll32.exe	83
PID 3036 wrote to memory of 4604	3036	rundll32.exe	83
PID 3036 wrote to memory of 4604	3036	rundll32.exe	83
PID 4604 wrote to memory of 4000	4604	explorer.exe	84
PID 4604 wrote to memory of 4000	4604	explorer.exe	84
PID 4604 wrote to memory of 4000	4604	explorer.exe	84
PID 4932 wrote to memory of 464	4932	regsvr32.exe	96
PID 4932 wrote to memory of 464	4932	regsvr32.exe	96
PID 4932 wrote to memory of 464	4932	regsvr32.exe	96
PID 464 wrote to memory of 3880	464	regsvr32.exe	97
PID 464 wrote to memory of 3880	464	regsvr32.exe	97
PID 464 wrote to memory of 3880	464	regsvr32.exe	97
PID 464 wrote to memory of 3880	464	regsvr32.exe	97
PID 464 wrote to memory of 3880	464	regsvr32.exe	97
PID 3880 wrote to memory of 1580	3880	explorer.exe	98
PID 3880 wrote to memory of 1580	3880	explorer.exe	98
PID 3880 wrote to memory of 3008	3880	explorer.exe	100
PID 3880 wrote to memory of 3008	3880	explorer.exe	100

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f4de3d851eb7dd7c361282901a5fa088.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f4de3d851eb7dd7c361282901a5fa088.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn jrvekth /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f4de3d851eb7dd7c361282901a5fa088.dll\"" /SC ONCE /Z /ST 02:45 /ET 02:57
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4000

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f4de3d851eb7dd7c361282901a5fa088.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\SysWOW64\regsvr32.exe
  -s "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f4de3d851eb7dd7c361282901a5fa088.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:3880
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Djoiiwkinlux" /d "0"
      4⤵
      Windows security bypass
      PID:1580
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Gieiuk" /d "0"
      4⤵
      Windows security bypass
      PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f4de3d851eb7dd7c361282901a5fa088.dll

Filesize
358KB

MD5
f4de3d851eb7dd7c361282901a5fa088

SHA1
9d8905df11662f6c1b4f39af47c1c8bb391f81c7

SHA256
ce2b4e250ac3c32f7a265f1a444386a07ec96cbcbb43510734c37b0b9da011e9

SHA512
7c55f49c9a5f2cc0b7dfcf56cb7af1d4a9ba9186cbe34e3a2d43cd2013247500e043e8f13e28a0a42b40fa89c8f81c52546db9b6ef5b164e0f24b89c6996b2dd

Download Submit
memory/464-17-0x0000000010000000-0x0000000010055000-memory.dmp

Filesize
340KB

Download
memory/3036-4-0x0000000001150000-0x0000000001193000-memory.dmp

Filesize
268KB

Download
memory/3036-0-0x0000000001150000-0x0000000001193000-memory.dmp

Filesize
268KB

Download
memory/3036-3-0x0000000010000000-0x0000000010055000-memory.dmp

Filesize
340KB

Download
memory/3036-5-0x0000000010000000-0x0000000010043000-memory.dmp

Filesize
268KB

Download
memory/3036-1-0x0000000010000000-0x0000000010043000-memory.dmp

Filesize
268KB

Download
memory/3880-19-0x0000000000720000-0x0000000000741000-memory.dmp

Filesize
132KB

Download
memory/3880-20-0x0000000000720000-0x0000000000741000-memory.dmp

Filesize
132KB

Download
memory/3880-21-0x0000000000720000-0x0000000000741000-memory.dmp

Filesize
132KB

Download
memory/4604-8-0x0000000001030000-0x0000000001051000-memory.dmp

Filesize
132KB

Download
memory/4604-10-0x0000000001030000-0x0000000001051000-memory.dmp

Filesize
132KB

Download
memory/4604-9-0x0000000001030000-0x0000000001051000-memory.dmp

Filesize
132KB

Download
memory/4604-12-0x0000000001030000-0x0000000001051000-memory.dmp

Filesize
132KB

Download
memory/4604-2-0x0000000001030000-0x0000000001051000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads