{
	"id": "63338270-c4c6-460d-ab17-d9fbbba868ca",
	"created_at": "2026-04-06T00:16:30.887477Z",
	"updated_at": "2026-04-10T03:21:20.646566Z",
	"deleted_at": null,
	"sha1_hash": "5b91dfb465fde6e0cd31ce396c53ff6111bbd834",
	"title": "Qakbot Series: Process Injection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 442263,
	"plain_text": "Qakbot Series: Process Injection\r\nPublished: 2022-04-16 · Archived: 2026-04-05 16:09:27 UTC\r\nIn late March 2022, I was asked to analyze a software artifact. It was an instance of Qakbot, a modular information stealer known since 2007. Unlike other analyses I do as part of my daily job, in this particular case I can share wide parts of it with you readers. I’m addressing them in a post series. Here, I’ll discuss the Qakbot process injection technique based on this specific sample.\r\nFigure 1\r\n-\r\nThe API trace shows that Qakbot scans the process names on the infected system\r\nThe API logs for the sample show an interesting pattern. The malware seems to enumerate all the processes running on the infected system and compare their names with the names of some security processes. Figure 15 reports an excerpt from the API log that I gathered by running the malware in a controlled environment. You can see that the Chrome process name is compared with the names of several security processes.\r\nI investigated the malware to find a motivation for that observed behavior and I realized that it is doing a security assessment of the just-infected system. The aim of such an assessment is to understand whether there are security products running on the system and which products they are. As I will discuss in a while, the malware decides which processes to inject based on the outcome of this security assessment.\r\nFlag Process(es)\r\n0x1 ccSvcHst.exe\r\nhttps://www.malwarology.com/2022/04/qakbot-series-process-injection/\r\nPage 1 of 4\r\n0x2 avgcsrvx.exe, avgsvcx.exe, avgcsrva.exe\r\n0x4 MsMpEng.exe\r\n0x8 mcshield.exe\r\n0x10 avp.exe, kavtray.exe\r\n0x20 egui.exe, ekrn.exe\r\n0x40 bdagent.exe, vsserv.exe, vsservppl.exe\r\n0x80 AvastSvc.exe\r\n0x100 coreServiceShell.exe, PccNTMon.exe, NTRTScan.exe\r\n0x200 SAVAdminService.exe, SavService.exe\r\n0x400 fshoster32.exe\r\n0x800 WRSA.exe\r\n0x1000 vkise.exe, isesrv.exe, cmdagent.exe\r\n0x2000 ByteFence.exe\r\n0x4000 MBAMService.exe, mbamgui.exe\r\n0x8000 fmon.exe\r\n0x10000 dwengine.exe, dwarkdaemon.exe, dwwatcher.exe\r\nTable 1\r\n-\r\nMapping between security processes and boolean flags used during the security assessment of the infected system\r\nThe sample groups security processes mostly by vendor. As an example, I observed that the malware developers defined a group containing some processes related to the Dr.Web vendor: dwengine.exe, dwarkdaemon.exe and dwwatcher.exe. This group has been included recently, since it isn’t documented in a detailed analysis of a similar specimen published in 2021 (Trung Kien - 2021). A flag is assigned to each group. The flag for a given group is true if and only if at least one of the processes belonging to that group has been found on the infected system. The security state of a system is defined by the disjunction of all the flags. What I call the security assessment is implemented in a function located at 0xb2f3a9. This function defines the mapping between groups and flags. As you may notice from Table 1, which reports the mapping between groups and flags, a group is represented as a string composed of comma-separated process names. However, those strings are obfuscated, as discussed in the first post of the Qakbot series.\r\nFigure 2\r\n-\r\nProcess enumeration function to update the security state of the system\r\nThe core of the security assessment algorithm is implemented in a function located at 0xb2dad3. As you may notice from the listing in Figure 2, that function is responsible for the process scan observed in the API call logs. The malware invokes CreateToolhelp32Snapshot, Process32First, and Process32Next to iterate across the processes running on the system. Those API calls are protected by an API hashing technique I’ll discuss in a dedicated post. The function update_security_state is responsible for checking whether the name of a process on the infected system is included in some group. If that is the case, then it activates the flag for that specific group. The security state is updated by OR-ing itself with the flag of the active group.\r\nQakbot scans the processes on the infected system to understand if there are security products among them. This assessment is crucial for the malware because it influences the processes chosen as targets for the injection. The function implementing the target selection logic is located at 0xb2d84b and it always returns three targets according to some rules. As an example, consider the following list of processes: coreServiceShell.exe, PccNTMon.exe, NTRTScan.exe, SAVAdminService.exe, SavService.exe, bdagent.exe, vsserv.exe, vsservppl.exe, avp.exe, kavtray.exe, avgcsrvx.exe, avgsvcx.exe, and avgcsrva.exe. If any of those processes is running on the infected system, then the second decision driver is whether the malware is running on an x64 processor (or under the WOW64 Microsoft subsystem). If that is the case, then the target processes are:\r\n%SystemRoot%\\SysWOW64\\mobsync.exe\r\n%SystemRoot%\\SysWOW64\\explorer.exe\r\n%ProgramFiles(x86)%\\Internet Explorer\\iexplore.exe\r\nOtherwise, if at least one of the processes has been found and the malware is running on an x86 processor, then the targets become:\r\n%SystemRoot%\\System32\\mobsync.exe\r\n%SystemRoot%\\explorer.exe\r\n%ProgramFiles%\\Internet Explorer\\iexplore.exe\r\nThe fact that Qakbot targets mobsync and explorer is well known (Trung Kien - 2021). What I discovered with this sample is that now Qakbot may also target msra and OneDriveSetup. That happens, for example, if none of the processes listed before are running on the system and the malware is running on an x86 processor. Indeed, given those conditions, the targets become:\r\n%SystemRoot%\\explorer.exe\r\n%SystemRoot%\\System32\\msra.exe\r\n%SystemRoot%\\System32\\OneDriveSetup.exe\r\nOnce it has obtained the targets, the sample attempts to inject code into them. The overall injection process is implemented in the function located at 0xb2d6c4. That function iterates over the designated targets and for each of them tries to spawn a new process in a suspended state by using the target path as the application name. If the creation succeeds, then the function located at 0xb2d976 is invoked. That function is responsible for the actual injection. The injection prologue is implemented in function 0xb2d446 and it follows this pattern: NtCreateSection, NtMapViewOfSection on the malware process, NtMapViewOfSection1 on the target process, and NtWriteProcessMemory to copy the Qakbot payload into the newly created memory area. Next, the sample tries to insert a trampoline to the payload at the entry point of the targeted process. To do so, it invokes GetThreadContext, NtProtectVirtualMemory, and NtWriteVirtualMemory. Finally, the malware resumes the suspended process.\r\nAs always, if you want to share comments or feedback (rigorously in broken Italian or broken English), do not hesitate to drop me a message at admin[@]malwarology.com.\r\nSource: https://www.malwarology.com/2022/04/qakbot-series-process-injection/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.malwarology.com/2022/04/qakbot-series-process-injection/"
	],
	"report_names": [
		"qakbot-series-process-injection"
	],
	"threat_actors": [],
	"ts_created_at": 1775434590,
	"ts_updated_at": 1775791280,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b91dfb465fde6e0cd31ce396c53ff6111bbd834.pdf",
		"text": "https://archive.orkl.eu/5b91dfb465fde6e0cd31ce396c53ff6111bbd834.txt",
		"img": "https://archive.orkl.eu/5b91dfb465fde6e0cd31ce396c53ff6111bbd834.jpg"
	}
}