{
	"id": "185b44b6-fdd2-4a44-9942-68e963e3d176",
	"created_at": "2026-04-06T00:13:25.165365Z",
	"updated_at": "2026-04-10T13:12:34.385634Z",
	"deleted_at": null,
	"sha1_hash": "2ae09c320cba9d467bc7076b3423294a5b0264e7",
	"title": "QakBot CCs prioritization and new record types",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 98871,
	"plain_text": "QakBot CCs prioritization and new record types\r\nArchived: 2026-04-05 14:14:04 UTC\r\nOctober 30, 2022\r\nThis short article is about the QakBot new ability to prioritize its Command and Control servers and the new, for the\r\nmoment unused, Command and Control server record types.\r\nSummary\r\nQakBot CC record structures\r\nLegacy and modern CC record structures\r\nNew QakBot CC record structure\r\nLooking under the hood\r\nQakBot « explode_cc_list » function\r\nQakBot « build_cc_list » function\r\nQakBot CC prioritization\r\nNew QakBot CC record types\r\nThe three QakBot cc record types\r\nIs QakBot on the way to IPv6 ?\r\nSome QakBot old and new configurations\r\nQakBot CC record structures\r\nLegacy and modern CC record structures\r\nThere was a « legacy » QakBot text CC (Command and Control server) record structure, but for a while now QakBot CC\r\nrecord structure stored in the ciphered embedded configuration used to be the following :\r\ntypedef struct\r\n {\r\n BYTE record_type; // Always binary '01'\r\n BYTE ip_v4_address[4]; // IP v4 address\r\n WORD port_in_big_endian; // Port in big endian\r\n } QAKBOT_CC_ENTRY;\r\n// Note : structure and members names are mines.\r\nHere is for example the beginning of a deciphered QakBot Obama217 campaign cc list (built on the October 26, 2022) :\r\nOffset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F\r\n00000000 01 C5 CC 35 F2 01 BB 01 69 6A 3C 95 01 BB 01 66 .ÅÌ5ò.».ij\u003c•.».f\r\n00000010 9F 6E 4F 03 E3 01 40 CF ED 76 01 BB 01 9C D8 86 ŸnO.ã.@Ïív.».œØ†\r\n00000020 46 03 E3 01 B4 97 74 43 01 BB 01 BE C7 61 6C 03 F.ã.´—tC.».¾Çal.\r\n00000030 E1 01 CE 01 CB 00 01 BB 01 BA BC 60 C5 01 BB 01 á.Î.Ë..».º¼`Å.».\r\n00000040 CE 01 80 CB 01 BB 01 C9 F9 64 D0 03 E3 01 BE 4B Î.€Ë.».ÉùdÐ.ã.¾K\r\n00000050 97 42 08 AE 01 C6 02 33 F2 03 E1 01 5A A5 6D 04 —B.®.Æ.3ò.á.Z¥m.\r\n00000060 08 AE 01 47 C7 A8 B9 01 BB 01 B5 38 AB 03 03 E3 .®.GǨ¹.».µ8«..ã\r\n00000070 01 2B F1 9F 94 01 BB 01 29 67 01 10 01 BB 01 18 .+ñŸ”.».)g...»..\r\n00000080 CF 61 75 01 BB 01 69 9D 56 76 01 BB 01 C9 DF A9 Ïau.».i.Vv.».Éß©\r\n00000090 EE 7D 64 01 2F 0E E5 04 01 BB 01 46 3C 8E D6 08 î}d./.å..».F\u003cŽÖ.\r\n000000A0 AE 01 29 2F F9 B9 01 BB 01 8E B5 B7 2A 08 AE 01 ®.)/ù¹.».Žµ·*.®.\r\nhttps://www.securityhomework.net/articles/qakbot_ccs_prioritization_and_new_record_types/qakbot_ccs_prioritization_and_new_record_types.php\r\nPage 1 of 6\n\n000000B0 29 3E A5 98 01 BB 01 29 61 CD 60 01 BB 01 29 61 )\u003e¥˜.».)aÍ`.».)a\r\n000000C0 0E 3C 01 BB 01 97 D5 B7 8D 03 E3 01 4B 54 EA 44 .\u003c.».—Õ·..ã.KTêD\r\n000000D0 01 BB 01 BA 12 D2 10 01 BB 01 29 60 CC C4 01 BB .».º.Ò..».)`ÌÄ.»\r\nThis is from sample 81d5fd23e26eca131eaf4748c44a6485f84827f7448e9833b3c8b8fd975fe5db which can be downloaded on\r\ntria.ge.\r\nThe first cc structure 01 C5 CC 35 F2 01 BB can be decoded to :\r\n01 always 1;\r\nC5 CC 35 F2 ip = 197.204.53.242 ;\r\n01 BB port = 443\r\nNew QakBot CC record structure\r\nStarting with Obama218 campaign, the CC list seems to have evolved to a different structure.\r\nLooking to a deciphered Obama218 cc list (built on the October 27, 2022), we can see that the cc struct is now 8 bytes long\r\n(instead of 7). The extra byte seems to be some sort of boolean which values can be 0 or 1 :\r\n Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F\r\n 00000000 01 1B 6E 86 CA 03 E3 01 01 9C DC 2F 43 03 E1 00 ..n†Ê.ã..œÜ/C.á.\r\n 00000010 01 8E 73 54 58 08 AE 00 01 9C D8 86 46 03 E3 01 .ŽsTX.®..œØ†F.ã.\r\n 00000020 01 3A F7 73 7E 03 E3 01 01 18 09 DC A7 01 BB 01 .:÷s~.ã....ܧ.».\r\n 00000030 01 18 74 2D 79 01 BB 01 01 BA BC 50 86 01 BB 01 ..t-y.»..º¼P†.».\r\n 00000040 01 BE C7 65 25 08 AE 00 01 18 CE 1B 27 01 BB 01 .¾Çe%.®...Î.'.».\r\n 00000050 01 B5 A4 C2 E4 01 BB 01 01 69 60 C6 58 01 BB 00 .µ¤Âä.»..i`ÆX.».\r\n 00000060 01 70 8D B8 F6 03 E3 00 01 40 CF ED 76 01 BB 01 .p.¸ö.ã..@Ïív.».\r\n 00000070 01 76 C8 53 E2 01 BB 00 01 95 7E 9F E0 01 BB 01 .vÈSâ.»..•~Ÿà.».\r\n 00000080 01 B5 76 B7 7C 01 BB 00 01 90 CA 0F 3A 01 BB 01 .µv·|.»...Ê.:.».\r\n 00000090 01 AC 75 8B 8E 03 E3 01 01 C8 E9 6C 99 03 E3 01 .¬u‹Ž.ã..Èél™.ã.\r\n 000000A0 01 6D 88 AE C8 03 E3 00 01 C1 03 13 89 01 BB 01 .mˆ®È.ã..Á..‰.».\r\n 000000B0 01 C9 44 D1 2F 7D 65 01 01 2D 30 24 E2 08 27 00 .ÉDÑ/}e..-0$â.'.\r\n 000000C0 01 2D 23 61 2D 01 BB 00 01 A7 3A FE 55 01 BB 01 .-#a-.»..§:þU.».\r\n 000000D0 01 29 60 66 72 01 BB 00 01 29 C8 75 52 01 BB 00 .)`fr.»..)ÈuR.».\r\nThis is from sample 0dcd86692d92c058625ab343e472eef571514cc62d676288044ad26caa263fad which packed samples like\r\n9bea9743ed86d925f88d75077ef37b3a4a6a652bbdd2f0e516efdfbb94fb5e06 or\r\ncb5b8365be065ab9870b15a524decf7474575b0b14e796ee77d6f482dfb6d53c can be found on https://tria.ge/221027-\r\nttm52acgb4 or https://tria.ge/221031-jg24baadb3.\r\nBB04 fresh samples show the same new CC record structure. See for example\r\nb6e629128e9316820cfd5bdfe4d621d5a7435717879d554567df31352fb8558e on tria.ge.\r\nBeside the functionnal evolution, another objective pursued by the QakBot authors is achieved : at the time these lines are\r\nwritten, the configurations of these new samples are not or incorrectly extracted.\r\nThe new QakBot CC type 1 record structure looks like this :\r\n typedef struct\r\n {\r\n BYTE record_type; // Always binary '01'\r\n BYTE ip_v4_address[4]; // IP v4 address\r\n WORD port_in_big_endian; // Port in big endian\r\n BYTE field_7; // 0 = priority CC ?\r\n } QAKBOT_NEW_TYPE1_CC_ENTRY;\r\nhttps://www.securityhomework.net/articles/qakbot_ccs_prioritization_and_new_record_types/qakbot_ccs_prioritization_and_new_record_types.php\r\nPage 2 of 6\n\n// Note : structure and members names are mines.\r\nAs we will see below, the new field field_7 seems to be a priority level assigned to each CC. And there are also two new\r\nrecord types, just skipped for now.\r\nLooking under the hood\r\nQakBot « explode_cc_list » function\r\nThe function which « explodes » cc list has evolved in order to interpret the extra byte field_7 for type 1 records and to be\r\nable to manage three different record types. Here is what the function does :\r\n1. it parses all the records in order to count type 1 ones. It counts the type 1 with the new field with a 0 value and the\r\ntype 1 with the new field with a different value. The new types 2 and 3 are just skipped, respectively for 0x18 and\r\n0x14 bytes long ;\r\n2. it allocates two buffers to hold the type 1 with new field=0 and type1 with new field != 0 ;\r\n3. it fills these two tables with memory cc structures of according CC ;\r\n4. it randomizes the two tables to change the order of the CC in each of the two tables ;\r\n5. it returns pointers to the two tables and the number of CC in each table.\r\nThe memory structure of CC records stored in the two CC tables is as follows :\r\ntypedef struct\r\n {\r\n DWORD type; // 1 for IP v4 CC\r\n BYTE ip_v4_address[4]; // ip v4 address\r\n DWORD port; // port in little endian\r\n DWORD unknown1;\r\n DWORD unknown2;\r\n DWORD unknown3;\r\n DWORD unknown4;\r\n DWORD unknown5;\r\n BOOL field_7; // priority ?\r\n } QAKBOT_MEMORY_CC_ENTRY;\r\n// Note : structure and members names are mines.\r\nQakBot « build_cc_list » function\r\nThe function in charge of building CC list has also evolved. Here is what it does now :\r\n1. allocates a structure in order to store the CC lists which are about to be built ;\r\n2. tries to get the registry saved « supernodes » list from configuration variable CONFVAR_SUPERNODES (id=0x39) ;\r\n3. if supernodes have been retrieved, call the explode_cc_list() function to build two lists of CC ;\r\n4. load and decipher the configuration resource from the PE file which contains the embedded static CC list, then call\r\nthe explode_cc_list() function to build two other lists of CC ;\r\n5. removes duplicates CC from static configuration tables ;\r\n6. return a pointer to the structure holding the four CC lists.\r\nThe structure returned is this one :\r\ntypedef struct\r\n {\r\n QAKBOT_MEMORY_CC_ENTRY *lp_cc_table_field7_0_from_registry; // Table of priority CC from supernodes\r\nhttps://www.securityhomework.net/articles/qakbot_ccs_prioritization_and_new_record_types/qakbot_ccs_prioritization_and_new_record_types.php\r\nPage 3 of 6\n\nDWORD nb_cc_field7_0_from_registry; // Number of CC in the table\r\n QAKBOT_MEMORY_CC_ENTRY *lp_cc_table_field7_not_0_from_registry; // Table of non priority CC from supern\r\n DWORD nb_cc_field7_not_0_from_registry; // Number of CC in the table\r\n QAKBOT_MEMORY_CC_ENTRY *lp_cc_table_field7_0_from_configuration; // Table of priority CC from embedded c\r\n DWORD nb_cc_field7_0_from_registry; // Number of CC in the table\r\n QAKBOT_MEMORY_CC_ENTRY *lp_cc_table_field7_not_0_from_registry; // Table of non priority CC from embedd\r\n DWORD nb_cc_field7_not_0_from_registry; // Number of CC in the table\r\n } QAKBOT_CC_LISTS;\r\n// Note : structure and members names are mines.\r\nQakBot CC prioritization\r\nWhen looking for a CC, QakBot will now look in the four tables in this order :\r\n1. table of priority CC from supernodes ;\r\n2. table of priority CC from configuration ;\r\n3. table of non priority CC from supernodes ;\r\n4. table of non priority CC from configuration.\r\nSo, QakBot now manages to prioritize his CC.\r\nNew QakBot CC record types\r\nAside from prioritization, another evolution is the introduction of two new record types in the CC configuration list. The old\r\ntype still has id=1 and there are now types 2 and 3.\r\nThe three QakBot cc record types\r\nQakBot CC record types are now :\r\nID Length Content\r\n1 8 IP v4, port and priority cc informations\r\n2 24 ?\r\n3 20 IP v6 record ?\r\nAnd the new QakBot CC record structures are :\r\n typedef struct\r\n {\r\n BYTE ip_v4_address[4]; // IP v4 address\r\n WORD port_in_big_endian; // Port in big endian\r\n BYTE priority; // 0 = priority CC\r\n } QAKBOT_NEW_TYPE1_CC_RECORD;\r\n \r\n typedef struct\r\n {\r\n BYTE unknown[0x18];\r\n } QAKBOT_TYPE2_CC_RECORD;\r\n typedef struct\r\n {\r\n BYTE unknown[0x14];\r\n } QAKBOT_TYPE3_CC_RECORD;\r\nhttps://www.securityhomework.net/articles/qakbot_ccs_prioritization_and_new_record_types/qakbot_ccs_prioritization_and_new_record_types.php\r\nPage 4 of 6\n\ntypedef union\r\n {\r\n QAKBOT_NEW_TYPE1_CC_RECORD ipv4_record;\r\n QAKBOT_TYPE2_CC_RECORD type2_record;\r\n QAKBOT_TYPE3_CC_RECORD type3_record;\r\n } QAKBOT_CC_RECORDS;\r\n typedef struct\r\n {\r\n BYTE record_type; // 1 = IPv4 CC, 2 = ?, 3 = IPv6 CC ?\r\n QAKBOT_CC_RECORDS record;\r\n } QAKBOT_NEW_CC_ENTRY;\r\n// Note : structure and members names are mines.\r\nIs QakBot on the way to IPv6 ?\r\nWhen the configuration CC records are parsed in the explode_cc_list function, the records of types 2 and 3 are skipped. So,\r\nwhat can be the purpose of these new record types ?\r\nThe introduction of a prioritization capability for CC and these (for now) skipped new CC record types raises questions\r\nabout wether QakBot author is preparing IPv6 support ?\r\nThe type 3 has a length of 20 bytes. It could be a future IPv6 record like the one below (warning, this is a conjecture) :\r\ntypedef struct\r\n {\r\n BYTE record_type; // 1 byte (value = 3)\r\n WORD ip_v6_address[8]; // 16 bytes for IP v6 address\r\n WORD port_in_big_endian; // 2 bytes\r\n BYTE priority; // 1 byte\r\n } QAKBOT_CC_IPV6_ENTRY; // 20 bytes total !\r\n// Note : structure and members names are mines.\r\nWe have to wait for future QakBot samples to know what those new types really are.\r\nIn the past, when the CC record type was not the expected 01 value, the CC configuration parser skipped 17 bytes. So\r\nmaybe we will never know what these new record types were for !\r\nSome QakBot old and new configurations\r\nUnpacked sample\r\nQakBot\r\nversion\r\nCampaign\r\nID\r\nTimestamp Details F\r\n1ee5c674b64eee2406d7dc3620874459eaae6403cb05960bc6c7f05d7a33a067 404.30 obama223\r\n2022-11-18\r\n07:42:25\r\njson n\r\n322bf52085516358bd06bf6dcefef7cf93b281ac69b6c6c703477082c563f7f7 404.30 BB06\r\n2022-11-18\r\n06:25:05\r\njson n\r\n83f217438eb62ae5617a51bfc73f7e078ae30c9d500950fd6ae544605597ebeb 404.30 BB06\r\n2022-11-17\r\n07:35:10\r\njson n\r\n978d6ef0a1e6ec741405207fb53acf184490d26d7fd44b7f18473dbfaf8c0a3e 404.30 BB06\r\n2022-11-16\r\n14:57:52\r\njson n\r\nhttps://www.securityhomework.net/articles/qakbot_ccs_prioritization_and_new_record_types/qakbot_ccs_prioritization_and_new_record_types.php\r\nPage 5 of 6\n\nUnpacked sample\r\nQakBot\r\nversion\r\nCampaign\r\nID\r\nTimestamp Details F\r\ned175ae13525a1c4150ae0be57faebaea5b8d82e047991ec75907b2a278d9513 404.27 BB06\r\n2022-11-15\r\n06:05:08\r\njson n\r\n6440ddf20cd76372a19f2eb71148a0548607ab41677a0a9b3dcee4bc8b7629d3 404.27 BB06\r\n2022-11-14\r\n09:41:56\r\njson n\r\n83f5ae849f900a34a4d9e62c7c570728d934f8ae6f0b7887580359a3950e5caf 404.26 notset\r\n2022-11-08\r\n13:00:28\r\njson n\r\n00ccb81a87edee4c73b6f6984ddc4ae72d3372858bd1ae1cf4f8824746efe888 404.20 BB05\r\n2022-11-04\r\n06:32:02\r\njson n\r\n6b727c747e3b4fd742eeab3bf5b96e66b04168debcb8d01fd004f442b2c214f2 404.14 obama220\r\n2022-11-02\r\n07:21:10\r\njson n\r\n6f155626d54b775502453131796e739a894c3e40d073568f07a78f95b5a39fa0 404.20 gld03\r\n2022-11-01\r\n16:51:54\r\njson n\r\na9e975631d60cbff28ae17b12cce3d02bb39d2133dde693037f45352702b521b 404.14 gld02\r\n2022-10-31\r\n15:10:39\r\njson n\r\nb6343a93d7a5d1b1cf2bcc94bd096c3bc29c3bb9634f220f23f024545a9bd847 404.14 notset\r\n2022-10-31\r\n13:14:08\r\njson n\r\ndaa3557a9a632d9f897a8d7c1ef0e40a5715f0badc424f57f5ea50525fdd7122 404.14 BB05\r\n2022-10-31\r\n09:29:17\r\njson n\r\ne0d35c06970ef8979600e362d6d619b6ef27217a130d4120f38abe1f66f67f12 404.14 obama219\r\n2022-10-31\r\n06:46:32\r\njson n\r\n0dcd86692d92c058625ab343e472eef571514cc62d676288044ad26caa263fad 404.2 obama218\r\n2022-10-27\r\n11:41:26\r\njson n\r\nee1a401be2134b757ffabff69f7951cddc08c9e572d84271a6d8102e69b01b67 404.2 BB04\r\n2022-10-27\r\n09:46:15\r\njson n\r\nfc64f51c1e1ff1c4ccd717ed7eb8298c70640864e3abba9f2ee1836fd8b1aa53 403.1051 BB04\r\n2022-10-26\r\n09:28:17\r\njson o\r\nSource: https://www.securityhomework.net/articles/qakbot_ccs_prioritization_and_new_record_types/qakbot_ccs_prioritization_and_new_record_types.ph\r\np\r\nhttps://www.securityhomework.net/articles/qakbot_ccs_prioritization_and_new_record_types/qakbot_ccs_prioritization_and_new_record_types.php\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.securityhomework.net/articles/qakbot_ccs_prioritization_and_new_record_types/qakbot_ccs_prioritization_and_new_record_types.php"
	],
	"report_names": [
		"qakbot_ccs_prioritization_and_new_record_types.php"
	],
	"threat_actors": [],
	"ts_created_at": 1775434405,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2ae09c320cba9d467bc7076b3423294a5b0264e7.pdf",
		"text": "https://archive.orkl.eu/2ae09c320cba9d467bc7076b3423294a5b0264e7.txt",
		"img": "https://archive.orkl.eu/2ae09c320cba9d467bc7076b3423294a5b0264e7.jpg"
	}
}