
LetsDefend - QakBot Malware

Created: 22/03/2024 10:37 Last Updated: 22/03/2024 11:53


**QakBot Malware** ![900c0f9a334d6b97000aeb32d0a69fc4.png](/resources/900c0f9a334d6b97000aeb32d0a69fc4.png)

During an incident, you find a Phishing Email with an email attachment that targets your organization. Your goal is analyzing this malicious attack and identifying Indicators of Compromise (IOCs).

File Link: Download (Password: infected)

Or you can directly connect to the machine.

File location: C:\Users\LetsDefend\Downloads\ Password: infected


Start Investigation

What is the file type inside the phishing email attachment?

We have two files to work with: the first is a .one file, which is the extension of a OneNote file, and the second is a .msg file, which is the email itself.

![80dcac6ff86a9419bdcbb8dd1206ea6b.png](/resources/80dcac6ff86a9419bdcbb8dd1206ea6b.png)

There are a lot of NULL bytes in the .msg file.

![e1c75908391fdbcc03c62c6c267dfea9.png](/resources/e1c75908391fdbcc03c62c6c267dfea9.png)

You can use CyberChef to filter them out.

![a5976c05e800198a86685583c3da99b4.png](/resources/a5976c05e800198a86685583c3da99b4.png)

But I didn't want to search for the treasure in the sea, so I went to encryptomatic, an online email reader, to find the attachment for me.

![f1c3c54f5c016a60a106f94f50dc4c89.png](/resources/f1c3c54f5c016a60a106f94f50dc4c89.png)

So this phishing mail came with a OneNote file, as expected.

onenote

ApplicationReject_70161(Jan31).one designed to trick victim user click on which file type?

As soon as I opened the OneNote file with the OneNote application, I saw a little icon that the victim is expected to click, and it has an HTA file embedded behind it.

![8467ac300626d18a5830ddc71dbeaa2b.png](/resources/8467ac300626d18a5830ddc71dbeaa2b.png)

hta

What is the embedded URL?

I opened the OneNote file with Notepad++ to find the embedded HTML script, and there it is.

![a163f49f5daff4e6135052a64780a422.png](/resources/a163f49f5daff4e6135052a64780a422.png)

http://103.214.71.45/86204.dat

What is the full path of the created registry key after the victim clicks on the attachment inside ApplicationReject_70161(Jan31).one?

![f91206019ac32fe3c70699a7f254ba95.png](/resources/f91206019ac32fe3c70699a7f254ba95.png)

HKCU\SOFTWARE\Firm\Soft\Name

Identify the full file path metadata inside ApplicationReject_70161(Jan31).one attachment

Back in the OneNote application, when you hover the cursor over the attachment, its metadata is shown: filename, inserted from, and size. "Inserted from" is what we need.

![a8ab9533b88ecbc1f3b518578175d98f.png](/resources/a8ab9533b88ecbc1f3b518578175d98f.png)

Z:\build\one\attachment.hta

What is the content of h1 tag inside ApplicationReject_70161(Jan31).one attachment?

Back in Notepad++, inside the first script tag there is a variable named h1.

![0f64cbe0f90b577bfaa234f3aee81818.png](/resources/0f64cbe0f90b577bfaa234f3aee81818.png)

5cd5058bca53951ffa7801bcdf421651
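Opening the .one file in Notepad++ and eyeballing the script works for one sample, but the same three artefacts (the embedded HTA, the download URL, the registry key and the h1 variable) can be carved automatically. The script below is an added example, not part of the challenge or of LetsDefend's material: it locates the FileDataStoreObject records that a OneNote file uses to store embedded attachments (identified by the header GUID from the MS-ONESTORE specification), slices out each payload by its cbLength field, and runs simple IoC regexes over the result. The sample .one buffer is constructed inline with the IoCs from this write-up so it runs offline; the footer GUID and header layout are taken from the spec, and the regexes are my own assumptions about what the HTA looks like.

```python
import re
import struct

# MS-ONESTORE FileDataStoreObject: guidHeader {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
# stored little-endian, then cbLength (8 bytes), unused (4), reserved (8), FileData.
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")
HEADER_LEN = 16 + 8 + 4 + 8

URL_RE = re.compile(rb"https?://[^\s'\"<>]+")
REG_RE = re.compile(rb"HK(?:CU|LM|CR|U|CC)\\[^\s'\"<>]+")
H1_RE = re.compile(rb"var\s+h1\s*=\s*[\"']([^\"']*)[\"']")


def carve_embedded_files(one_bytes: bytes) -> list:
    """Return the raw payload of every FileDataStoreObject in a .one file."""
    payloads = []
    pos = one_bytes.find(FDSO_HEADER)
    while pos != -1:
        (cb_length,) = struct.unpack_from("<Q", one_bytes, pos + 16)
        start = pos + HEADER_LEN
        payloads.append(one_bytes[start:start + cb_length])
        pos = one_bytes.find(FDSO_HEADER, start + cb_length)
    return payloads


def extract_iocs(payload: bytes) -> dict:
    """Pull URLs, registry paths and the h1 variable out of a carved HTA/script."""
    h1 = H1_RE.search(payload)
    return {
        "urls": sorted({m.decode() for m in URL_RE.findall(payload)}),
        "registry_keys": sorted({m.decode() for m in REG_RE.findall(payload)}),
        "h1": h1.group(1).decode() if h1 else None,
    }


def build_sample_one() -> bytes:
    """Constructed stand-in for the challenge's .one file (not the real sample)."""
    hta = (b'<html><script>var h1 = "5cd5058bca53951ffa7801bcdf421651";</script>'
           b'<script language="vbscript">'
           b'u = "http://103.214.71.45/86204.dat": '
           b'k = "HKCU\\SOFTWARE\\Firm\\Soft\\Name"'
           b'</script></html>')
    record = (FDSO_HEADER + struct.pack("<Q", len(hta)) + b"\0" * 4 + b"\0" * 8
              + hta + FDSO_FOOTER)
    return b"\xe4\x52\x5c\x7b" + b"\0" * 64 + record + b"\0" * 32


if __name__ == "__main__":
    for blob in carve_embedded_files(build_sample_one()):
        print(extract_iocs(blob))
```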

Summary

This challenge familiarizes the user with the OneNote file format, which was used as the initial-access medium of the popular QakBot malware. We also learned that a OneNote file can embed HTML, JavaScript and VBScript to download the second-stage payload of the malware and do anything within the power of those scripting languages.

![5e832dbbb338bd8107b4ab072c655817.png](/resources/5e832dbbb338bd8107b4ab072c655817.png)