Qakbot is a banking trojan that has wreaked havoc for years across the world. Most recently it has been mostly delivered to vulnerable targets by TA542, also known as MUMMY SPIDER, as a third-party add-on to their own malicious campaigns.
If you're interested in the "how-to" of this process, check out my previous blog post - "Malware Headliners: Dridex"
INITIAL ANALYSIS
For analysis purposes, I have renamed the original file to phish1
TrID gives us the following percentage breakdown for what kind of file this is:
Exiftool shows us some additional metadata. Some of the values are written using Cyrillic characters, possibly indicating the geographical region of origin.
LOOKING UNDER THE HOOD
Moving on to leveraging zipdump, we get the following initial output:
I normally select the workbook stream first when conducting this type of analysis. In spreadsheets, the workbook is the "root element for the main document part," according to Microsoft. Below is the output when I select index 3:
While we can derive a few items that provide context, the overall output is not very human readable. The question mark icons indicate that this may be in Unicode format. If we pass the right parameter to zipdump, it does the heavy lifting for us and clears things up:
Here we see "Tiposa," rIds, and "Auto_Open." The latter means that the code will execute upon the document being opened.
We continue down the list of streams, and in index 4 we have the relationships table. This shows the relationship IDs for the workbook. Piping it to xmldump with the "pretty" parameter gives us the following output; this is information we could likely reference later in our analysis.
Looking at index 8, we get an output that seems to be in Unicode; piping it to strings with the encoding parameter gives us some useful information:
We now have a list of potential C2 IPs, along with evidence of the spreadsheet downloading and writing files (UrlDownloadToFileA).
Index 15 shows us that .ocx files are also involved. These files are ActiveX control files, and can be leveraged for nefarious purposes such as observing a user's browsing habits, keylogging, or downloading additional malware. We don't know what their exact purpose is in this circumstance, but we know that they play a part in this malware's greater picture. We also see "regsvr32" in fragments, which is used to register the ActiveX controls.
In Index 17, we see the following:
.dat, or data files, are part of this ne'er-do-well mixture.
WHAT A PERFECT SIGHT
The following output may make you wonder why we even did all of the above. It's worth mentioning that it won't always pan out this way. In my previous analysis with Dridex, I didn't get this "whole picture" of an output, but I did get some data. XLMDeobfuscator knocked it out of the park here.
Note: If you are trying to replicate this process and run into issues, make sure to update your instance of XLMDeobfuscator to the latest version. I received an error prior to update and got zero data, but post data I got the following:
WHAT'S HAPPENING HERE?
In the XLMDeobfuscator screenshots, we see the code is reaching out to the IPs and pulling down a .dat file. Upon download, it's naming it as a "Dotr*.ocx" where the wildcard can be replaced with a number 1-6. From there, it uses regsvr32 to register the ActiveX controls for follow-on activity.
IOCs FOR THIS ITERATION OF QAKBOT
File Hash:
SHA-256: 62bb4d89d905a988f154fcb9bd60a376cca42c1343e03b03a897d039eb8d4036
IPs:
46.105.81[.]76
185.82.127[.]219
101.99.90[.]108
Filenames:
Pattern: 44575.516********.dat
44575.51608796296.dat
44575.51611111111.dat
44575.51613425926.dat
44575.51615740741.dat2
44575.516180555554.dat2
44575.5162037037.dat2
File Paths:
C:\ProgramData\Dotr1.ocx
C:\ProgramData\Dotr2.ocx
C:\ProgramData\Dotr3.ocx
C:\ProgramData\Dotr4.ocx
C:\ProgramData\Dotr5.ocx
C:\ProgramData\Dotr6.ocx
Comments