Analyzing Qakbot — w/ Wireshark

Ben Lee
Apr 16, 2021

Hello everyone! Today we are going to do a quick analysis of Qakbot using a PCAP (packet capture) opened in Wireshark.

You can find the sample I used, and more, via the link here: https://www.malware-traffic-analysis.net/index.html

Qakbot — What is it?

Qakbot is a family of malware that gives attackers unauthorized access to infected computers. It steals sensitive information and is often downloaded and installed by other malware such as Emotet. Its features include keystroke logging, collecting IP addresses and hostnames, stealing cookies and certificates, stealing passwords from web browsers like Internet Explorer, and much more.

Many Qakbot infections start with cleverly disguised phishing/spam email campaigns. The mail usually carries a zip file, either as an attachment or behind a link that the victim is lured into clicking. Once the zip archive has been downloaded, a VBS file inside it retrieves and drops the Qakbot payload. The malware then copies itself onto the infected computer and executes the binary in a way that maintains persistence. From there it can steal sensitive information, give an attacker remote access to the machine, download additional malware, and much more.

Analysis of PCAP

Let’s dive into the PCAP!

Reviewing the PCAP, we can first identify the domains used to download the initial Qakbot DLL at around 2021-02-24 19:09 UTC with the display filter: (http.request or tls.handshake.type == 1). This filter shows HTTP requests and TLS Client Hello messages, so it surfaces the domain names for both plain HTTP and HTTPS (SSL/TLS) traffic.
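To make concrete what the tls.handshake.type == 1 half of that filter is matching, here is an added example (not from the original post) that parses a raw TLS record, reports the handshake type and, for a Client Hello, pulls out the server_name (SNI) extension that Wireshark displays as the domain. The Client Hello it parses is constructed inline with the builder below; it carries no real key material and the host names are only sample values.

```python
import struct

CONTENT_HANDSHAKE = 22   # TLS record type carrying handshake messages
HS_CLIENT_HELLO = 1      # what "tls.handshake.type == 1" matches
EXT_SERVER_NAME = 0      # server_name (SNI) extension, RFC 6066

def parse_handshake(record: bytes):
    """Return (handshake_type, sni); sni is set only for a ClientHello with SNI."""
    if len(record) < 5:
        return None, None
    ctype, _ver, rlen = struct.unpack("!BHH", record[:5])
    if ctype != CONTENT_HANDSHAKE or rlen == 0 or len(record) < 5 + rlen:
        return None, None
    body = record[5:5 + rlen]
    hs_type = body[0]
    if hs_type != HS_CLIENT_HELLO:
        return hs_type, None
    try:
        pos = 4 + 2 + 32                                   # hs header, version, random
        pos += 1 + body[pos]                               # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
        pos += 1 + body[pos]                               # compression methods
        if pos + 2 > len(body):
            return hs_type, None                           # no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == EXT_SERVER_NAME:
                # server_name list: u16 list len, u8 name type (0 = host_name), u16 len
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                return hs_type, body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                               # truncated or malformed hello
    return hs_type, None

def build_client_hello(host: str) -> bytes:
    """Constructed sample ClientHello (no real crypto) for offline testing."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    hello = (b"\x03\x03" + b"\x00" * 32 + b"\x00"          # version, random, empty session id
             + struct.pack("!H", 2) + b"\x13\x01"          # one cipher suite
             + b"\x01\x00"                                 # compression: null only
             + struct.pack("!H", len(ext)) + ext)
    hs = bytes([HS_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", CONTENT_HANDSHAKE, 0x0301, len(hs)) + hs
```

A Client Hello sent straight to an IP address with no server_name extension comes back as (1, None), which is exactly the "HTTPS without any domain" pattern discussed later in the post.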

These domains are:

  1. sumonpro.xyz: 207.244.235.57 port 80
  2. vngkinderopvang.nl: 185.182.57.107 port 80
  3. stadt-fuchs.net: 136.243.123.152 port 80
  4. hdmedia.pro: 128.199.91.194 port 80
  5. www[dot]fernway[dot]com: 162.241.252.38 port 80

We can also see that all of this traffic comes from the infected computer with source IP 10.2.24.101, which requests the same file from all five hosts: 44251798532407400000.dat

Following the TCP stream of one of these requests, we can see that the file is indeed an EXE/DLL: the response body starts with the ASCII characters ‘MZ’, the two-byte magic that commonly identifies an EXE or DLL. The string ‘This program cannot be run in DOS mode’ is another usual indicator that this is an EXE or DLL file.

Indicates file is an Executable or DLL file.

We can then extract this file via File → Export Objects → HTTP… and save it. In this case I saved it to my Downloads folder.

On Windows (since I am using a Windows VM) I can compute the SHA256 hash of the file with CertUtil.

Extracting Hash of 44251798532407400000.dat via CertUtil

Putting this hash into virustotal.com, we can check whether the file is known malware, which it indeed is.
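The three by-eye checks above (the ‘MZ’ magic, the DOS-stub string, and the SHA256 for the VirusTotal lookup) can be scripted for every object exported from the PCAP. This is an added example, not the author's workflow or tooling; it also follows e_lfanew to the ‘PE’ signature and reads the DLL flag from the file header, which the post does not do. The MZ/PE skeleton it tests against is constructed inline and is not a real binary.

```python
import hashlib
import struct

DOS_STUB_MSG = b"This program cannot be run in DOS mode"
IMAGE_FILE_DLL = 0x2000          # Characteristics flag that marks a DLL

def triage_extracted_object(data: bytes) -> dict:
    """Apply the article's by-eye checks to a blob carved from an HTTP stream
    ('MZ' magic, DOS-stub string, 'PE' signature at e_lfanew) and return the
    SHA-256 that would be submitted to VirusTotal."""
    result = {
        "is_mz": data[:2] == b"MZ",
        "has_dos_stub_msg": DOS_STUB_MSG in data[:0x400],
        "has_pe_signature": False,
        "is_dll": None,
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    if result["is_mz"] and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of PE header
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00" and len(data) >= e_lfanew + 24:
            result["has_pe_signature"] = True
            # IMAGE_FILE_HEADER.Characteristics is 18 bytes into the header,
            # i.e. 22 bytes past the 4-byte signature
            characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
            result["is_dll"] = bool(characteristics & IMAGE_FILE_DLL)
    return result

def build_fake_pe(is_dll: bool) -> bytes:
    """Constructed MZ/PE skeleton (headers only, not runnable) for testing."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    dos[0x40:0x40 + len(DOS_STUB_MSG)] = DOS_STUB_MSG
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0,
                              0x2102 if is_dll else 0x0102)
    return bytes(dos) + b"PE\x00\x00" + file_header
```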

Checking Hash via VirusTotal

We can also find the malicious emails used to infect the machine with the display filter ‘smtp.data.fragment’. Encrypted SMTP runs on TCP ports 465/587, and when it is encrypted we cannot see the contents. Fortunately, messages are sometimes sent over unencrypted SMTP on TCP port 25, and then we can read them straight from the PCAP!

SMTP Traffic Captured

We can export these .EML files via File → Export Objects → IMF.

IMF stands for Internet Message Format. Below, viewed in Notepad++, is one of the email messages used here; it tries to phish the victim into downloading a file. You can also use an email client like Thunderbird to view the emails.

Email that is trying to make a victim download a malicious file.

Using an email client like Thunderbird, we can extract the zip attachments from the .EML files. They contain numerous malicious .xls files.

Two examples are: Cancellation_Letter_541411513-02242021.xls and Cancellation_Letter_2011050248-02242021.xls

These attachments are Excel spreadsheets that most likely contain macros. The macros would download the DLL/EXE file 44251798532407400000.dat and use it to infect the system, establish persistence and carry out other nefarious activities. We can check whether these files are malicious by computing their SHA256 hash with CertUtil and looking it up on VirusTotal.
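The manual steps from the IMF export onward (open the .EML, pull out the zip, unpack the .xls, hash it) can be done in one pass without ever writing the attachment to disk. This is an added example, not the author's procedure; the message it parses is a constructed sample built inline, with invalid sender/recipient addresses and a dummy spreadsheet body, so the hash it produces is not one of the hashes from the PCAP.

```python
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

def extract_archive_members(eml_bytes: bytes, max_member_size: int = 50_000_000) -> list:
    """Parse one IMF/.EML message, open every zip attachment in memory and
    return name, size and SHA-256 of each member, with the sender and subject
    of the message it came from. Members above max_member_size are skipped."""
    msg = BytesParser(policy=policy.default).parsebytes(eml_bytes)
    members = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if not payload or not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > max_member_size:
                    continue                     # guard against decompression bombs
                data = zf.read(info)             # stays in memory, never touches disk
                members.append({
                    "attachment": part.get_filename(),
                    "member": info.filename,
                    "size": len(data),
                    "sha256": hashlib.sha256(data).hexdigest(),
                    "sender": str(msg["From"]),
                    "subject": str(msg["Subject"]),
                })
    return members

def build_sample_eml() -> bytes:
    """Constructed phishing-style message carrying a zip with a fake .xls."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Cancellation_Letter_541411513-02242021.xls", b"fake xls body")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Cancellation Letter"
    msg.set_content("Please see the attached cancellation letter.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Cancellation_Letter.zip")
    return msg.as_bytes()
```

Running extract_archive_members over every .EML exported from the PCAP gives a table of sender, subject, inner file name and SHA256 that can be bulk-checked against VirusTotal instead of hashing each spreadsheet by hand.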

Extracting Hash of Cancellation_Letter_541411513-02242021.xls via CertUtil
Indeed malicious, as seen above.

Other suspicious activities in the PCAP

We can also see several HTTPS connections generated by the malware to suspicious IPs without any domain name. I found these with the filter: (http.request or tls.handshake.type == 1) && !(ssdp). Two examples are 71.117.132.169 and 76.25.142.196.

71.117.132.169 traffic
76.25.142.196 traffic

Looking further into the PCAP, we can also see that some of the certificates have been tampered with by Qakbot. Taking 76.25.142.196 from above as the example, the filter (ip.addr == 76.25.142.196 && tls.handshake.type == 11) shows certificate information that is obviously tampered and not legitimate.

Note: tls.handshake.type == 11 matches the TLS Certificate handshake message, which lets us see the certificate issuer data.

Certificate Data Modified

That’s it! Hope you enjoyed my quick analysis of Qakbot via Wireshark. More blog posts will hopefully be coming soon!


Ben Lee

I focus on Malware, RE, DFIR. This blog is used to improve my understanding of these concepts and show my progress.