Malware Analysis Report

2025-08-05 14:55

Sample ID: 250704-v2cjyacp71
Target: JaffaCakes118_1c6f459d6e5e2f0073bce58664d6c9ed
SHA256: 41c15c115abe0077efa9e009ac4336aa57233134e14c3ad5d30d414c6e058064
Tags: qakbot obama103 1632477754 banker defense_evasion discovery execution persistence stealer trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file JaffaCakes118_1c6f459d6e5e2f0073bce58664d6c9ed was found to be: Known bad.

Malicious Activity Summary

qakbot obama103 1632477754 banker defense_evasion discovery execution persistence stealer trojan

Qakbot family

Windows security bypass

Qakbot/Qbot

Loads dropped DLL

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: MapViewOfSection

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK (Enterprise Matrix V16)

Analysis: static1

Detonation Overview

Reported: 2025-07-04 17:28

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-07-04 17:28
Reported: 2025-07-04 17:31
Platform: win10v2004-20250502-en
Max time kernel: 147s
Max time network: 139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6f459d6e5e2f0073bce58664d6c9ed.dll,#1

Signatures

Qakbot family

qakbot

Qakbot/Qbot

trojan banker stealer qakbot

Windows security bypass

defense_evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Diopuqvi = "0" | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Cmbfjuohgxa = "0" | C:\Windows\system32\reg.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Mncikczukqwq | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Mncikczukqwq\15ba75c2 = 1941eacc1f0356eb5654575abd9755cecd8637a985c016abfda5d028144d2b7ff2708f9cf53329e439a3a6d3cdd97d57b4677cded52e310a79ce71cb8df292e55e45b435a2bdf5f5cb4523d8c14ecfcdf3f7eeb1388d33f3 | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Mncikczukqwq\9899c2e9 = 9cb3303ac1d9e45b623497910f1ef914ebae83534841ec5857722adfd92f0857ee0a12ebabad8ecb817e7691e77cf11d09b664c7ac3892a484347bf8e811d01f4261cae4a5b2ecdd2b4f6379ec8552f3d2191f41ee8ead9ee7ffa474e566c3d8266c7905f3 | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Mncikczukqwq\e7d0ad1f = 6acf82194c6f69f752ccf0f2003dd0ed2d452c09e06cbb397e079f680ccdd11cb4e66f24cf9a65fa6cde5e0b87fbfaeb303a575a6d66581197d3999ddbd202010c66f48aaf4e18fed47a007173542a44758efed557ba112c84031e76262ab2861ede4fd41c753c7022aa47c1bc6f7febcca6e336d40e0e29 | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Mncikczukqwq\e7d0ad1f = 6acf95194c6f5cbc7da34f892a04e956287b901025f7bbc10c21cee6a99bb246398cce1143a0907abd93d2b4cec6664375da66aad3c44bbc1c3173cf66e248ae45a887275b95e7507b9aea86faa57ccf3f722da00cf025f314bec5858387fadb403971 | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Mncikczukqwq\d24f7d51 = 9bdd412edd324b4d0f788f05daf083dc7fc71716e4db4cb4825a1890f25255419f591805a3f1414f20562015193492376501a106b3ab62d26678548c911c3f6410d23335f703831d23f6123fbb82ff8de239193edd5cb71fadd3349eae2f035cccc913111d24f78654f94ab52b409c6f20bd9845f3a3ef7c391ea45fbb08c2346aa2048a9bd60c8913fa82cee2 | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Mncikczukqwq\d00e5d2d = cc4e3998587baac05f681f395baae9c379b2b95d4afb1b | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Mncikczukqwq\68b23a48 = 50f252cd7bbe520ef94fe85e3a8ef999026b77236023e8ee33602ff42729ae09fccde68a49bc38f0e60e769eb30f53b8f06f7be2d514d3fd163d56c4252dd89fe68f7c132fdffdcae250618134ae22260af2f85161a4bb6e4f37a0efc877d871763a3c97 | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Mncikczukqwq\ad0612a7 = 528410d1d2256da8a30f5a36d7c3f0f3599229a91040032ae47cae1353fcf21801c7168ad64af8cf621b6c8e01378f2fb99d00a4e061f96b4dba352d358f5412e57f0440958e908f4846f721ce | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Mncikczukqwq\6af31a34 = ffb73fe1a9da085808486fe2cdc0fc44156da10ea9069d5827c6eec7f88f4d4729970917031e6cbe7c88a3e8a7544fce2139e9add3c571909325a9d8 | C:\Windows\SysWOW64\explorer.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5196 wrote to memory of 5076 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5196 wrote to memory of 5076 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5196 wrote to memory of 5076 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5076 wrote to memory of 4076 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe
PID 5076 wrote to memory of 4076 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe
PID 5076 wrote to memory of 4076 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe
PID 5076 wrote to memory of 4076 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe
PID 5076 wrote to memory of 4076 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe
PID 4076 wrote to memory of 3672 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4076 wrote to memory of 3672 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4076 wrote to memory of 3672 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1016 wrote to memory of 4676 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1016 wrote to memory of 4676 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1016 wrote to memory of 4676 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 4676 wrote to memory of 4760 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 4676 wrote to memory of 4760 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 4676 wrote to memory of 4760 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 4676 wrote to memory of 4760 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 4676 wrote to memory of 4760 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 4760 wrote to memory of 4816 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe
PID 4760 wrote to memory of 4816 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe
PID 4760 wrote to memory of 4800 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe
PID 4760 wrote to memory of 4800 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6f459d6e5e2f0073bce58664d6c9ed.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6f459d6e5e2f0073bce58664d6c9ed.dll,#1

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn vztfvjm /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6f459d6e5e2f0073bce58664d6c9ed.dll\"" /SC ONCE /Z /ST 17:30 /ET 17:42

C:\Windows\system32\regsvr32.exe

regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6f459d6e5e2f0073bce58664d6c9ed.dll"

C:\Windows\SysWOW64\regsvr32.exe

-s "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6f459d6e5e2f0073bce58664d6c9ed.dll"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Cmbfjuohgxa" /d "0"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Diopuqvi" /d "0"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.180.3:80 | c.pki.goog | tcp

Files

memory/5076-0-0x0000000010000000-0x0000000010119000-memory.dmp

memory/5076-1-0x0000000010077000-0x000000001007D000-memory.dmp

memory/5076-2-0x0000000010000000-0x0000000010119000-memory.dmp

memory/5076-3-0x0000000010000000-0x0000000010119000-memory.dmp

memory/4076-5-0x0000000001200000-0x0000000001221000-memory.dmp

memory/5076-6-0x0000000010000000-0x0000000010119000-memory.dmp

memory/4076-9-0x0000000001200000-0x0000000001221000-memory.dmp

memory/4076-11-0x0000000001200000-0x0000000001221000-memory.dmp

memory/4076-10-0x0000000001200000-0x0000000001221000-memory.dmp

memory/4076-13-0x0000000001200000-0x0000000001221000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6f459d6e5e2f0073bce58664d6c9ed.dll

MD5: 1c6f459d6e5e2f0073bce58664d6c9ed
SHA1: b7c23db3ee48d62a5bbb56fa71ded2bd549087aa
SHA256: 41c15c115abe0077efa9e009ac4336aa57233134e14c3ad5d30d414c6e058064
SHA512: d12fce1c711035de6042ba0d5a534d758db8df70883de99a0d7de5df2180602b408475482c126e37b5f20ef2b224cfc36dce3d6f4d09ae9cab9327d1fd860cdf

memory/4676-17-0x0000000010000000-0x0000000010119000-memory.dmp

memory/4676-18-0x0000000010000000-0x0000000010119000-memory.dmp

\??\PIPE\wkssvc

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4676-21-0x0000000010000000-0x0000000010119000-memory.dmp

memory/4760-23-0x0000000000D80000-0x0000000000DA1000-memory.dmp

memory/4760-24-0x0000000000D80000-0x0000000000DA1000-memory.dmp

memory/4760-25-0x0000000000D80000-0x0000000000DA1000-memory.dmp