Hello everyone! Today we are going to do a quick analysis on Qakbot via a PCAP (Packet Capture) from Wireshark.
You can find the sample that i used and more via the the link here: https://www.malware-traffic-analysis.net/index.html
Qakbot — What is it?
Qakbot is a family of malware that allows unauthorized access to infected computers. It can steal sensitive information and can be downloaded/installed by other malware’s such as Emotet. Features of this malware include keystroke logging, getting IP addresses and host name, stealing cookies and certificates, stealing passwords from web browsers like Internet Explorer and much more.
Many Qakbot infections also usually start with cleverly disguised phishing/spam campaigns via email. Mail content usually includes a zip file as an attachment or via a link in which a victim will unexpectedly click on. Once the zip file/archive has been downloaded, a VBS file will drop the Qakbot payload and retrieve the malware. It will then copy itself to the infected computer and execute the malware binary to maintain persistence. After it will be able to usually steal sensitive information, allow an attacker to have remote access to the machine, download more malware and much more.
Analysis of PCAP
Let’s dive into the PCAP!
Reviewing the PCAP, we can first identify the domains that were used to download the initial Qakbot DLL near 2021–02–24 19:09 UTC time via the filter: (http.request or tls.handshake.type == 1). The filter tries to identify HTTP requests and domain names for HTTPS or SSL/TLS traffic.
These domains are:
- sumonpro.xyz: 22.214.171.124 port 80
- vngkinderopvang.nl: 126.96.36.199 port 80
- stadt-fuchs.net: 188.8.131.52 port 80
- hdmedia.pro: 184.108.40.206 port 80
- www[dot]fernway[dot]com: 220.127.116.11 port 80
We can also see that all traffic is coming from an infected computer with Source IP 10.2.24.101. All 5 hosts try to download a file: 44251798532407400000.dat
Following the TCP stream of one of the packets, we can see that this file is indeed an EXE/DLL file via ‘MZ’ as it is usually the first 2 bytes to commonly identify an EXE/DLL with ASCII characters. ‘This program cannot be run in DOS mode” also is usually an indication that this is an EXE or DLL file.
We can then extract this file via File → Extract Objects → HTTP… and save it. In this case i saved it in my Downloads folder.
On Windows (Since im using a windows VM) i can extract the SHA256 hash of the file via CertUtil.
Putting this hash into virustotal.com we can identify if this file is malware, which indeed it is.
We can also find the malicious emails that were used to infect the machine by filtering with the command ‘smtp.data.fragment’. Encrypted SMTP is on TCP port 465/587 and if encrypted we cannot see the contents. Fortunately, sometimes messages are sent via unencrypted SMTP via TCP port 25 and we can see the messages from the PCAP!
We can export these .EML files via File → Export Objects → IMF
IMF stands for Internet Message Format. We can see one of the email messages used here below via Notepad++ in which the message tries to phish a victim to download a file. You can use an email client like Thunderbird as well to view the emails.
Using an email client like Thunderbird, we can extract the zip attachments from the .EML files. We get numerous malicious .xls files.
2 Examples are: Cancellation_Letter_541411513–02242021.xls, Cancellation_Letter_2011050248–02242021.xls
These attachments are excel spreadsheets with most likely macros. The macros would then download the DLL/EXE file 44251798532407400000.dat and use it to infect the machine/system for persistence and other nefarious activities. We can check if these files are malicious by checking the SHA256 hash with CertUtil.
Other suspicious activities in the PCAP
We can also see several HTTPS traffic without any domains generated by the malware to suspicious IP’s. I did this via the filter: (http.request or tls.handshake.type == 1) && !(ssdp). Two examples are 18.104.22.168 and 22.214.171.124
Further analysis in the PCAP, we can also see that some of the certificates have been changed by Qakbot. Using the example of 126.96.36.199 above, we can find the certificate information obviously being tampered and not legitimate via the filter: (ip.addr == 188.8.131.52 && tls.handshake.type == 11).
Note: tls.handshake.type == 11 allows us to find certificate issuer data
That’s it! Hope you enjoyed my quick analysis on Qakbot via Wireshark. More blog posts will be hopefully coming soon!