Home / malware Backdoor:Win32/Qakbot.gen!A
First posted on 09 November 2017.
Source: MicrosoftAliases :
There are no other names known for Backdoor:Win32/Qakbot.gen!A.
Explanation :
Backdoor:Win32/Qakbot.gen!A is a generic detection for a trojan backdoor that connects to a remote server, allowing an attacker to access the infected system. By allowing remote access, this backdoor trojan can perform several actions including stealing information and logging user keystrokes. Some variants of this malware may attempt to spread to open shares across a network, including the default shares C$ and Admin$.
Installation
Backdoor:Win32/Qakbot.gen!A may be downloaded and installed by other malware. It may be hosted on a number of malicious domains as the following file:/cgi-bin/jl/jloader.pl?u=u/_qbotinj.exe where is the malicious domain. Upon execution, it creates the mutex '_qbot.*' to ensure that only one instance of itself is currently running. Backdoor:Win32/Qakbot.gen!A creates the following files, which are all detected as Backdoor:Win32/Qakbot.gen!A: The registry is commonly modified to execute one of the backdoor components at each Windows start, for example: Modifies value: "
- %ALLUSERSPROFILE%\qbothome\qbotinj.exe
- %ALLUSERSPROFILE%\qbothome\qbotnti.exe
- %ALLUSERSPROFILE%\qbothome\qbot.dll
- %ALLUSERSPROFILE%\qbothome\q1.
"
With data: ""%ALLUSERSPROFILE%\qbothome\qbotinj.exe" "%ALLUSERSPROFILE%\qbothome\qbot.dll" /c """
To subkey: HKLM\Microsoft\Windows\CurrentVersion\Run whereis the name of a legitimate program and is the legitimate data for that particular program in the registry. The malware creates a batch script pointing to the installed copy of Win32/Qakbot as the following: %USERPROFILE%\Start Menu\Programs\Startup\startup.bat. When Windows starts, the file 'startup.bat' executes Win32/Qakbot.
Payload
Performs backdoor functionality
Backdoor:Win32/Qakbot.gen!A attempts to connect to a remote server to receive command instructions from an attacker. Commands could include any of the following actions:Some of the observed domains this backdoor connects to are 'w1.webinspector.biz' and 'cdcdcdcdc2121cdsfdfd.com'. Downloads Malware
- Log keystrokes
- Get the host's IP address and name
- Steal cookies and certificates
- Monitor Favorites and visited URLs
- Steal passwords from Internet Explorer, MSN Messenger, and Outlook
- Steal Autocomplete information
Win32/Qakbot attempts to download additional files or updates from predefined remote servers. Updates may be requested as password protected ZIP archives. In the wild, this trojan was observed to request an update as "qa.zip" from a malicious site. The malware also downloads configuration files with filenames such as the following: crontab.cbupdates.cbupdates1.cbupdates_new.cb_qbot.cb
Analysis by Huzefa MogriLast update 09 November 2017