Analyzing Qakbot — w/ Wireshark

Hello everyone! Today we are going to do a quick analysis of Qakbot via a PCAP (packet capture) in Wireshark.

You can find the sample I used, and more, via the link here: https://www.malware-traffic-analysis.net/index.html

Qakbot — What is it?

Many Qakbot infections start with a cleverly disguised phishing or spam email. The mail usually carries a zip file, either as an attachment or behind a link that the victim is tricked into clicking. Once the zip archive has been downloaded, a VBS file inside it retrieves and drops the Qakbot payload. Qakbot then copies itself onto the infected computer and executes the malware binary to maintain persistence. After that it is usually able to steal sensitive information, give an attacker remote access to the machine, download more malware and much more.

Analysis of PCAP

Reviewing the PCAP, we can first identify the domains that were used to download the initial Qakbot DLL around 2021-02-24 19:09 UTC using the filter: (http.request or tls.handshake.type == 1). This filter shows plaintext HTTP requests and, for HTTPS/SSL/TLS traffic, the domain names carried in the TLS Client Hello.

These domains are:

  1. sumonpro.xyz: 207.244.235.57 port 80
  2. vngkinderopvang.nl: 185.182.57.107 port 80
  3. stadt-fuchs.net: 136.243.123.152 port 80
  4. hdmedia.pro: 128.199.91.194 port 80
  5. www[dot]fernway[dot]com: 162.241.252.38 port 80

We can also see that all of this traffic comes from an infected computer with source IP 10.2.24.101. The infected host tries to download the same file from all five of these hosts: 44251798532407400000.dat
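The filter above works because both protocols expose the destination hostname in the first packet of the client's request: the Host header of a plaintext HTTP request and the server_name (SNI) extension of a TLS Client Hello. The following Python is an added example, not code from the post, showing how those two hostnames are located in raw TCP payloads; the payloads, the IP 198.51.100.x addresses, the URL path and the name tls-host.example are constructed for the example, only sumonpro.xyz / 207.244.235.57 and the file name come from the capture described above.

```python
"""Pull hostnames out of raw TCP payloads the way the Wireshark filter
(http.request or tls.handshake.type == 1) surfaces them: the Host header of a
plaintext HTTP request, or the server_name (SNI) extension of a TLS ClientHello.
All sample payloads below are constructed for this example."""
import struct


def http_host(payload: bytes):
    """Return the Host header value if the payload is an HTTP/1.x request, else None."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if not lines[0].endswith((b" HTTP/1.0", b" HTTP/1.1")):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def tls_sni(payload: bytes):
    """Return the SNI hostname from a TLS ClientHello (record type 22, handshake type 1), else None."""
    if len(payload) < 9 or payload[0] != 22 or payload[5] != 1:
        return None
    try:
        pos = 9                                   # past record header (5) + handshake header (4)
        pos += 2 + 32                             # client_version + random
        pos += 1 + payload[pos]                   # session_id
        pos += 2 + struct.unpack_from(">H", payload, pos)[0]   # cipher_suites
        pos += 1 + payload[pos]                   # compression_methods
        if pos + 2 > len(payload):
            return None                           # ClientHello without extensions
        end = pos + 2 + struct.unpack_from(">H", payload, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from(">HH", payload, pos)
            pos += 4
            if ext_type == 0:                     # server_name extension
                # server_name list: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack_from(">H", payload, pos + 3)[0]
                return payload[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
    except (struct.error, IndexError):
        return None                               # truncated or malformed hello
    return None


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal ClientHello carrying an SNI extension (constructed sample data)."""
    name = hostname.encode("ascii")
    sni_data = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name
    extensions = struct.pack(">HH", 0, len(sni_data)) + sni_data
    body = (b"\x03\x03" + bytes(32)               # client_version + zeroed random
            + b"\x00"                             # empty session_id
            + b"\x00\x02\x13\x01"                 # one cipher suite
            + b"\x01\x00"                         # one compression method (null)
            + struct.pack(">H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


# (src, dst, dst_port, payload) -- constructed flows; the request mirrors the capture's download
SAMPLE_FLOWS = [
    ("10.2.24.101", "207.244.235.57", 80,
     b"GET /44251798532407400000.dat HTTP/1.1\r\nHost: sumonpro.xyz\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    ("10.2.24.101", "198.51.100.23", 443, build_client_hello("tls-host.example")),
    ("10.2.24.101", "198.51.100.24", 443, b"\x17\x03\x03\x00\x05hello"),   # application data, no hostname
]


def collect_hosts(flows):
    """Mimic the filter: one (hostname, dst, port, proto) row per HTTP request or ClientHello."""
    rows = []
    for _src, dst, port, payload in flows:
        host = http_host(payload)
        if host:
            rows.append((host, dst, port, "http"))
            continue
        host = tls_sni(payload)
        if host:
            rows.append((host, dst, port, "tls"))
    return rows


if __name__ == "__main__":
    for row in collect_hosts(SAMPLE_FLOWS):
        print(row)
```

The same two functions can be pointed at payloads exported from the PCAP (for example with tshark's `-T fields -e tcp.payload` output decoded from hex) to rebuild the domain list without the GUI.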

Following the TCP stream of one of these requests, we can see that the file is indeed an EXE/DLL: its first two bytes are ‘MZ’, the ASCII marker that commonly identifies an EXE/DLL. The string ‘This program cannot be run in DOS mode’ is also a usual indication that this is an EXE or DLL file.

Indicates the file is an executable or DLL file.

We can then extract this file via File → Export Objects → HTTP… and save it. In this case I saved it in my Downloads folder.

On Windows (since I'm using a Windows VM) I can compute the SHA256 hash of the file via CertUtil.

Extracting Hash of 44251798532407400000.dat via CertUtil

Putting this hash into virustotal.com, we can identify whether this file is malware, which indeed it is.

Checking Hash via VirusTotal
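The ‘MZ’ and DOS-stub checks are quick heuristics; a PE file also carries a pointer (e_lfanew at offset 0x3C) to a ‘PE\0\0’ signature, followed by a COFF header whose Characteristics flags tell a DLL from an EXE. The Python below is an added example, not part of the original post: it validates an exported object that way and computes the same SHA256 that CertUtil produces, so the result can be looked up on VirusTotal. The sample bytes are constructed stand-ins, not the real 44251798532407400000.dat.

```python
"""Inspect an object exported from Wireshark: is it a PE (EXE/DLL), and what is its SHA256?
Goes one step past the 'MZ' / DOS-stub check: follows e_lfanew to the 'PE\\0\\0'
signature and reads the Characteristics flags. Sample files below are constructed."""
import hashlib
import struct
import sys

IMAGE_FILE_DLL = 0x2000            # Characteristics bit set on DLLs (PE/COFF spec)
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def sha256_hex(data: bytes) -> str:
    """Same digest CertUtil -hashfile <file> SHA256 prints."""
    return hashlib.sha256(data).hexdigest()


def inspect_pe(data: bytes) -> dict:
    """Return the MZ / DOS-stub / PE-signature findings plus DLL flag and SHA256."""
    result = {
        "mz": data[:2] == b"MZ",
        "dos_stub": DOS_STUB_TEXT in data[:512],
        "pe_signature": False,
        "is_dll": None,
        "sha256": sha256_hex(data),
    }
    if not result["mz"] or len(data) < 0x40:
        return result
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # signature(4) + COFF header(20): Characteristics is the last 2 bytes
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return result
    result["pe_signature"] = True
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    result["is_dll"] = bool(characteristics & IMAGE_FILE_DLL)
    return result


def build_fake_pe(dll: bool) -> bytes:
    """Constructed minimal PE-shaped blob: DOS header + stub text + PE signature + COFF header."""
    header = bytearray(0x80)
    header[0:2] = b"MZ"
    header[0x4E:0x4E + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    struct.pack_into("<I", header, 0x3C, 0x80)          # e_lfanew -> PE header at 0x80
    characteristics = 0x0102 | (IMAGE_FILE_DLL if dll else 0)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, characteristics)
    return bytes(header) + b"PE\0\0" + coff


if __name__ == "__main__":
    # Usage: python inspect_pe.py <exported object>; without an argument, inspect the sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_pe(dll=True)
    for key, value in inspect_pe(data).items():
        print(f"{key}: {value}")
```

A zip or Office document exported by mistake fails the ‘MZ’ check immediately, while a file that merely contains the DOS-stub string somewhere in its body still fails the signature check, which is why the signature is worth following before calling something a DLL.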

We can also find the malicious emails that were used to infect the machine by filtering with ‘smtp.data.fragment’. Encrypted SMTP runs on TCP ports 465/587, and if the session is encrypted we cannot see its contents. Fortunately, sometimes messages are sent over unencrypted SMTP on TCP port 25, and then we can read the messages straight from the PCAP!

SMTP Traffic Captured

We can export these .EML files via File → Export Objects → IMF.

IMF stands for Internet Message Format. Below, viewed in Notepad++, is one of the email messages used here; it tries to phish the victim into downloading a file. You can also use an email client like Thunderbird to view the emails.

Email that is trying to make a victim download a malicious file.

Using an email client like Thunderbird, we can extract the zip attachments from the .EML files. Inside them we get numerous malicious .xls files.

Two examples are: Cancellation_Letter_541411513-02242021.xls, Cancellation_Letter_2011050248-02242021.xls

These attachments are Excel spreadsheets, most likely containing macros. The macros would then download the DLL/EXE file 44251798532407400000.dat and use it to infect the machine for persistence and other nefarious activities. We can check whether these files are malicious by computing their SHA256 hash with CertUtil and looking it up.
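Opening each exported .EML in a mail client scales poorly when a capture holds many messages. The Python below is an added example, not code from the post, that does the same triage in bulk with the standard library: it parses an IMF message, decodes its attachments, opens zip attachments in memory, flags members that start with the OLE2 compound-file magic that a legacy .xls carries, and hashes each file for a VirusTotal lookup. The message, sender/recipient addresses and attachment bytes are constructed for the example; the filename mirrors one of the attachments seen in the capture.

```python
"""Bulk triage of IMF (.eml) messages exported from a PCAP: list attachments,
unpack zips in memory, flag OLE2 (legacy Office) files and hash everything.
The sample message below is constructed, not one of the captured emails."""
import email
import email.policy
import hashlib
import io
import zipfile
from email.message import EmailMessage

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file header of .xls/.doc


def extract_attachments(eml_bytes: bytes):
    """Return [(filename, raw bytes)] for every attachment part in the message."""
    msg = email.message_from_bytes(eml_bytes, policy=email.policy.default)
    return [(part.get_filename(), part.get_payload(decode=True))
            for part in msg.iter_attachments()]


def unpack_zip(blob: bytes):
    """Return [(member name, bytes)] for a zip blob, or [] if it is not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [(name, zf.read(name)) for name in zf.namelist()]
    except zipfile.BadZipFile:
        return []


def triage_eml(eml_bytes: bytes):
    """One finding per delivered file: container, name, OLE2 flag and SHA256."""
    findings = []
    for fname, blob in extract_attachments(eml_bytes):
        members = unpack_zip(blob) if blob[:2] == b"PK" else [(fname, blob)]
        for name, data in members:
            findings.append({
                "container": fname,
                "file": name,
                "ole2": data[:8] == OLE2_MAGIC,
                "sha256": hashlib.sha256(data).hexdigest(),
            })
    return findings


def build_sample_eml() -> bytes:
    """Constructed phishing-style message with a zip holding an OLE2-shaped .xls stand-in."""
    inner = OLE2_MAGIC + b"\x00" * 504          # not a real workbook, just the magic + padding
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Cancellation_Letter_541411513-02242021.xls", inner)
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed addresses
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Cancellation Letter"
    msg.set_content("Please review the attached cancellation letter.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Cancellation_Letter_541411513-02242021.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_eml(build_sample_eml()):
        print(finding)
```

Pointing `triage_eml` at each file in the folder Wireshark wrote during Export Objects → IMF gives one hash per delivered document, which is what you would feed to VirusTotal or match against the hashes computed with CertUtil.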

Extracting Hash of Cancellation_Letter_541411513-02242021.xls via CertUtil
Indeed malicious, as seen above.

Other suspicious activities in the PCAP

71.117.132.169 traffic
76.25.142.196 traffic

Looking further into the PCAP, we can also see that some of the certificates have been tampered with by Qakbot. Using the example of 76.25.142.196 above, we can find certificate information that is obviously tampered with and not legitimate via the filter: (ip.addr == 76.25.142.196 && tls.handshake.type == 11).

Note: tls.handshake.type == 11 matches the TLS Certificate handshake message, which lets us see the certificate issuer data.

Certificate Data Modified

That’s it! Hope you enjoyed my quick analysis of Qakbot via Wireshark. More blog posts will hopefully be coming soon!


I focus on Malware, RE, DFIR. This blog is used to improve my understanding of these concepts and show my progress.

Ben Lee