-
Notifications
You must be signed in to change notification settings - Fork 25
/
2022-11-28-IOCs-for-BB08-Qakbot-with-Cobalt-Strike.txt
83 lines (62 loc) · 2.64 KB
/
2022-11-28-IOCs-for-BB08-Qakbot-with-Cobalt-Strike.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
2022-11-28 (MONDAY) - BB08 DISTRIBUTION QAKBOT (QBOT) WITH COBALT STRIKE
REFERENCES FOR INITIAL QAKBOT MALWARE:
- https://twitter.com/pr0xylife/status/1597224425753309186
- https://bazaar.abuse.ch/sample/7d1d7d196b3932e4e3e7cc1159f0e3ebab252f6a5f1ed6000f78d2133052a0de/
INFECTION CHAIN:
- email --> link --> password-protected zip --> extracted iso --> .js --> .ps1 creates/runs Qakbot DLL from Base64 text --> Qakbot C2 --> Cobalt Strike
ZIP ARCHIVE AND EXTRACTED ISO IMAGE:
- SHA256 hash: 7d1d7d196b3932e4e3e7cc1159f0e3ebab252f6a5f1ed6000f78d2133052a0de
- File size: 435,392 bytes
- File name: AFL27.zip
- File description: Password-protected zip archive downloaded from link in email
- Password: P32M
- SHA256 hash: 3da1cb0608f3709bf1331c4088fb258daf0200740b9b67afc6eec68a7f4b111a
- File size: 759,808 bytes
- File name: AFL27.iso
- File description: ISO disk image extracted from the above zip archive
CONTENTS OF ISO IMAGE:
- SHA256 hash: d0f396309db14bbe988e8ae6ba6dfb4451fc9db830484dcb7dec830b74d8467a
- File size: 9,491 byte
- File location\name: AS.js
- File location\name: peseta\flours.js
- File description: Script used to run PowerShell script at peseta\gratiae.ps1
- SHA256 hash: e6f4fe47c6e08c3b995b5e69efee09a853426607d64715bb1cf215640f785d58
- File size: 367 bytes
- File location\name: peseta\gratiae.ps1
- File description: Powershell script used to convert base64 text at peseta\data.txt to a Qakbot DLL and run it
- SHA256 hash: 9a6a43b0cdd989c911896933202401b848d2502db0219632f3aaa04a2e4687a4
- File size: 645,120 bytes
- File location\name: peseta\data.txt
- File description: base64 text representing Qakbot DLL
QAKBOT DLL GENERATED BY CONTENTS OF ISO IMAGE:
- SHA256 hash: 9546ad96dd59612da1ea20637613ad0c1154e599b3c5a37b5404f4301cf78348
- File size: 483,840 bytes
- File location: C:\Users\Public\test1.txt
- File description: 32-bit DLL for BB08 distribution Qakbot
- Run method: rundll32.exe [filename],DrawThemeIcon
QAKBOT C2 ACTIVITY:
- 108.162.6[.]34:443 - HTTPS traffic
- 86.159.48[.]25:2222 - HTTPS traffic
QAKBOT TRAFFIC TO LEGITIMATE DOMAINS:
- cisco.com
- www.cisco.com
- broadcom.com
- www.broadcom.com
- google.com
- www.google.com
- irs.gov
- www.irs.gov
- linkedin.com
- www.linkedin.com
- microsoft.com
- www.microsoft.com
- oracle.com
- www.oracle.com
- xfinity.com
- www.xfinity.com
NOTES:
- The above are legitimate domains used by Qakbot as a connectivity check before each C2 connection.
- Qakbot malware implemented this method as early as 2022-10-31.
- Could be an anti-analysis method for isolated Windows hosts without Internet connectivity
COBALT STRIKE C2 ACTIVITY:
- 108.177.235[.]29:443 - jesofidiwi[.]com - HTTPS traffic