# Wireshark Tutorial: Examining Qakbot Infections

**unit42.paloaltonetworks.com/tutorial-qakbot-infection/**

Brad Duncan February 13, 2020

By [Brad Duncan](https://unit42.paloaltonetworks.com/author/bduncan/)

February 13, 2020 at 6:00 AM

[Category: Tutorial,](https://unit42.paloaltonetworks.com/category/tutorial/) [Unit 42](https://unit42.paloaltonetworks.com/category/unit-42/)

Tags: [Cybercrime,](https://unit42.paloaltonetworks.com/tag/cybercrime/) [pcap,](https://unit42.paloaltonetworks.com/tag/pcap/) [Qakbot,](https://unit42.paloaltonetworks.com/tag/qakbot/) [Wireshark,](https://unit42.paloaltonetworks.com/tag/wireshark/) [Wireshark Tutorial](https://unit42.paloaltonetworks.com/tag/wireshark-tutorial/)


-----

This post is also available in: 日本語 [(Japanese)](https://unit42.paloaltonetworks.jp/tutorial-qakbot-infection/)

## Overview

[Qakbot is an information stealer also known as Qbot. This family of malware has been active](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32%2FQakbot)
for years, and Qakbot generates distinct traffic patterns. This [Wireshark tutorial reviews a](https://www.wireshark.org/)
recent packet capture (pcap) from a Qakbot infection. Understanding these traffic patterns
can be critical for security professionals when detecting and investigating Qakbot infections.

Note: This tutorial assumes you have a basic knowledge of network traffic and Wireshark.
[We use a customized column display shown in this tutorial. You should also have experience](https://unit42.paloaltonetworks.com/unit42-customizing-wireshark-changing-column-display/)
[with Wireshark display filters as described in this additional tutorial.](https://unit42.paloaltonetworks.com/using-wireshark-display-filter-expressions/)

Please also note that the pcap used for this tutorial contains malware. You should review this
pcap in a non-Windows environment. If you are limited to a Windows computer, we suggest
reviewing the pcap within a virtual machine (VM) running any of the popular recent Linux
distros.

This tutorial will cover the following:

Qakbot distribution methods
Initial zip archive from link in an malspam
Windows executable for Qakbot
Post-infection HTTPS activity
Other post-infection traffic


-----

[The pcap used for this tutorial is located here. Download the zip archive named 2020-01-29-](https://www.malware-traffic-analysis.net/2020/01/29/index.html)
**_Qbot-infection-traffic.pcap.zip and extract the pcap. Figure 1 shows our pcap open in_**
Wireshark, ready to review.

Figure 1. The pcap for this tutorial.

## Qakbot Distribution Methods

Qakbot is most often distributed through malicious spam (malspam), but it also has been
[distributed through exploit kits as recently as November 2019. In some cases, Qakbot is a](https://www.malware-traffic-analysis.net/2019/11/25/index3.html)
[follow-up infection caused by different malware like Emotet as reported in](https://www.us-cert.gov/ncas/alerts/TA18-201A) this example from
March 2019.

Recent malspam-based distribution campaigns for Qakbot follow a chain of events shown in
Figure 2.


-----

Figure 2. Flow chart from recent Qakbot distribution campaigns.

### Initial Zip Archive from Link in Malspam

Recent malspam distributing Qakbot uses fake email chains that spoof legitimate email
addresses. One such example is shown in Figure 3.


-----

Figure 3. Recent malspam example pushing Qakbot.
URLs from these emails end with a short series of numbers followed by .zip. See Table 1 for
[a few examples of URLs from Qakbot malspam recently reported on URLhaus and](https://urlhaus.abuse.ch/browse/) [Twitter.](https://twitter.com/search?q=Qakbot%20zip&f=live)


**First**
**reported**


**URL for initial zip archive**


2019-12-27 hxxps://prajoon.000webhostapp[.]com/wpcontent/uploads/2019/12/last/033/033.zip

2019-12-27 hxxps://psi-uae[.]com/wp-content/uploads/2019/12/last/870853.zip

2019-12-27 hxxps://re365[.]com/wpcontent/uploads/2019/12/last/85944289/85944289.zip

2019-12-27 hxxps://liputanforex.web[.]id/wp-content/uploads/2019/12/last/794/794.zip

2020-01-06 hxxp://eps.icothanglong.edu[.]vn/forward/13078.zip

2020-01-22 hxxp://hitechrobo[.]com/wpcontent/uploads/2020/01/ahead/84296848/84296848.zip


-----

2020-01-22 hxxp://faithoasis.000webhostapp.com/wpcontent/uploads/2020/01/ahead/550889.zip

2020-01-27 hxxps://madisonclubbar[.]com/fast/invoice049740.zip

2020-01-29 hxxp://zhinengbao[.]wang/wp-content/uploads/2020/01/lane/00571.zip

2020-01-29 hxxp://bhatner[.]com/wp-content/uploads/2020/01/ahead/9312.zip

2020-02-03 hxxp://santedeplus[.]info/wpcontent/uploads/2020/02/ending/1582820/1582820.zip

_Table 1. URLs for the initial zip archive to kick off a Qakbot infection chain._

In our pcap, you can find the HTTP request for a zip archive using http.request.uri contains
**_.zip in the Wireshark filter as shown in Figure 4._**

Figure 4. Finding the URL for the initial zip archive.
Follow the TCP stream to confirm this is a zip archive as shown in Figure 5 and Figure 6,
then try to export the zip archive from the pcap as shown in Figure 7.


-----

Figure 5. Following the TCP stream for the HTTP request from our filter results.


-----

Figure 6. Indicators this URL returned a zip archive.

Figure 7. Exporting objects from HTTP traffic in the pcap.
In most cases, the menu for File → Export Objects → HTTP should export a zip archive
sent over HTTP. Unfortunately, as shown in Figure 8, we cannot export this file named
**_9312.zip because it is separated into hundreds of smaller parts within the export HTTP_**
objects list.


-----

Figure 8. 9312.zip is broken up into hundreds of objects within the list, so we cannot export it
this way.
Fortunately, we can export data from a TCP stream window and edit the binary in a hex
editor to remove any hxxP response headers. Use the following steps to extract the zip
archive from this pcap:

1.

1. Follow TCP stream for the HTTP request for 9312.zip.
2. Show only the response traffic in the TCP stream Window.
3. Change “Show and save data as” from ASCII to Raw.
4. Save the data as a binary (I chose to save it as: 9312.zip.bin)
5. Open the binary in a hex editor and remove the HTTP request headers before the

first two bytes of the zip archive (which show as PK in ASCII).
6. Save the file as a zip archive (I chose to save it as 9312.zip)
7. Check the file to make sure it’s a zip archive.

See Figures 9 through 14 for a visual guide of this process.


-----

Figure 9. Step 2 - When viewing the TCP stream, switch from viewing the entire conversation
to viewing only data returned from the server.


-----

Figure 10. Step 3 - Show and save data as Raw instead of ASCII.


-----

Figure 11. Step 4 - Save this raw data from the TCP stream as a binary.

Figure 12. Step 5 - Open your saved binary in a hex editor and remove any HTTP response
data before the first two bytes of the zip archive (that show as PK in ASCII).

Figure 13. Step 6 - Save your edited binary as a zip archive.


-----

Figure 14. Step 7 - Confirm the edited file is a zip archive, then extract the VBS file and
check the file hashes.
Figure 14 shows how to use a terminal window from a Debian-based Linux distro to check
the files. From our pcap, the zip archive should be the same as this file submitted to
VirusTotal. Our extracted VBS file should be the same as this file also submitted to
VirusTotal.

[A public sandbox analysis of our extracted VBS file indicates it generates the next Qakbot-](https://app.any.run/tasks/e2c36659-1070-4665-991c-245e900245b7)
related URL in our infection chain: a URL that returned a Windows executable for Qakbot.

## Windows Executable for Qakbot

These extracted VBS files generate URLs that return Windows executables for Qakbot.
Since December 2019, URLs for Qakbot executables have ended with 44444.png or
444444.png. See Table 2 for some recent examples of these Qakbot URLs we found using
our [AutoFocus Threat Intelligence service.](https://www.paloaltonetworks.com/cortex/autofocus)


**First**
**Seen**

2019-1227

2020-0106

2020-0115

2020-0117


**URL for Qakbot executable**

hxxp://centre-de-conduite-roannais[.]com/wpcontent/uploads/2019/12/last/444444.png

hxxp://newsinside[.]info/wp-content/uploads/2020/01/forward/44444.png

hxxp://iike.xolva[.]com/wp-content/themes/keenshot/fast/444444.png

hxxp://deccolab[.]com/fast/444444.png


-----

2020-0121

2020-0122

2020-0123

2020-0123

2020-0126

2020-0127

2020-0130

2020-0203


hxxp://myrestaurant.coupoly[.]com/wpcontent/uploads/2020/01/along/444444.png

hxxp://alphaenergyeng[.]com/wp-content/uploads/2020/01/ahead/444444.png

hxxp://claramohammedschoolstl[.]org/wpcontent/uploads/2020/01/upwards/444444.png

hxxp://creationzerodechet[.]com/choice/444444.png

hxxp://productsphotostudio[.]com/wpcontent/uploads/2020/01/lane/444444.png

hxxp://sophistproduction[.]com/wpcontent/uploads/2020/01/choice/444444.png

hxxp://uofnpress[.]ch/wp-content/uploads/2020/01/side/444444.png

hxxp://csrkanjiza[.]rs/wp-content/uploads/2020/02/ending/444444.png


_Table 2. URLs for Qakbot executables._

In our pcap, find the HTTP GET request for our Qakbot executable using hxxp.request.uri
**_contains .png in the Wireshark filter as shown in Figure 15._**

Figure 15. Finding the URL for our Qakbot executable.
Export this object from the pcap using the File → Export Objects → HTTP menu path as
shown in Figure 16 and check the results as shown in Figure 17.


-----

Figure 16. Exporting our Qakbot executable from the pcap.

Figure 17. Checking the exported file in a Debian-based Linux terminal window.
[From our pcap, the Qakbot executable should be this file submitted to VirusTotal. A](https://www.virustotal.com/gui/file/56ee803fa903ab477f939b3894af6771aebf0138abe38ae8e3c41cf96bbb0f2a) public
sandbox analysis of this file generated several Qakbot indicators (identified as Qbot).

## Post-infection HTTPS Activity

[Use your basic filter (covered in this previous WIreshark tutorial) for a quick view of web](https://unit42.paloaltonetworks.com/using-wireshark-display-filter-expressions/)
traffic in our pcap. Scroll down to activity after the HTTP GET request to
alphaenergyeng[.]com that returned our Qakbot executable. You should see several
indicators of HTTPS or SSL/TLS traffic to 68.1.115[.]106 with no associated domain as noted
in Figure 18.


-----

Figure 18. HTTPS or SSL/TLS traffic caused by Qakbot.
This traffic has unusual certificate issuer data commonly noted during Qakbot infections. We
[reviewed unusual certificate issuer data in our previous WIreshark tutorial about Ursnif, so](https://unit42.paloaltonetworks.com/using-wireshark-display-filter-expressions/)
this should be easy to find.

Let’s review our Qakbot certificate issuer data using the following Wireshark filter:

**_Ip.addr eq 68.1.115.186 and ssl.handshake.type eq 11_**

For Wireshark 3.0 or newer, use tls.handshake.type instead of ssl.handshake.type. Select
the first frame in your results and expand the frame details window until you find the
certificate issuer data as shown in Figure 19.


-----

Figure 19. Reviewing certificate issuer data from Qakbot traffic.
Patterns for the locality name, organization name, and common name are highly-unusual,
not normally found in certificates from legitimate HTTPS, SSL, or TLS traffic. Our example of
this issuer data is listed below:

id-at-countryName=ES
id-at-stateOrProvinceName=IA
id-at-localityName=Uorh Ofwa
id-at-organizationName=Coejdut Mavmtko Qxyemk Dxsjie LLC.
id-at-commonName=gaevietovp.mobi

### Other Post-infection Traffic

Our pcap contains other activity associated with a Qakbot infection. Each activity is not
inherently malicious on its own, but taken together with our previous findings, we can
assume a full Qakbot infection.

Another indicator of a Qakbot infection is HTTPS traffic to cdn.speedof[.]me. The domain
speedof[.]me is used by a legitimate Internet speed test service. Although this is not
malicious traffic, we frequently see traffic to cdn.speedof[.]me during Qakbot infections.
Figure 20 shows this activity from our pcap.


-----

Figure 20. The domain cdn.speedof[.]me within the Qakbot traffic.Qakbot also opens
windows from all browsers on an infected Windows host. At approximately 13 minutes and 5
[seconds into this sandbox analysis, the video playback shows Qakbot opening Chrome, then](https://app.any.run/tasks/fb9cffb1-7797-4827-8446-05fee3d6a3de)
Firefox, then Internet Explorer on a Windows 7 host. This analysis shows Qakbot generated
traffic to the following URLs:

hxxp://store.nvprivateoffice[.]com/redir_chrome.html
hxxp://store.nvprivateoffice[.]com/redir_ff.html
hxxp://store.nvprivateoffice[.]com/redir_ie.html

The domain nvprivateoffice[.]com has been registered through GoDaddy since 2012, and
store.nvprivateoffice[.]com shows a default web page for nginx on a Fedora server.

Our pcap for this tutorial is from a Qakbot infection on a Windows 10 host without Chrome or
Firefox installed. Our pcap only shows web traffic for Internet Explorer and the new
Chromium-based Microsoft Edge. Both times, the URL generated by Qakbot was
hxxp://store.nvprivateoffice[.]com/redir_ie.html.

To find this traffic, use the following Wireshark filter as shown in Figure 21:

**_http.request.full_uri contains store.nvprivateoffice_**


-----

Figure 21. Finding Qakbot traffic that opens web browsers on an infected Windows host.
Follow the TCP stream for each of the two HTTP GET requests ending in redir_ie.html. The
first request has a User-Agent in the HTTP headers for Internet Explorer as shown in Figure
22. The second request for the same URL has a User-Agent in the HTTP headers for the
new Chromium-based Microsoft Edge as noted in Figure 23.

Figure 22. Qakbot traffic to store.nvprivateoffice[.]com using Internet Explorer 11.


-----

Figure 23. Qakbot traffic to store.nvprivateoffice[.]com using the new Chromium-based
Microsoft Edge.Finally, our pcap from the Qakbot-infected host also has email-related TCP
traffic to various ports for various email protocols like SMTP, IMAP, and POP3. To get an idea
of this non-web-related traffic, use the following Wireshark filter as shown in Figure 25:
**_tcp.flags eq 0x0002 and !(tcp.port eq 80) and !(tcp.port eq 443)_**


-----

Figure 25. Getting an idea of the non-web-related traffic from this Qakbot infection.
Figure 25 shows TCP connections and attempted TCP connections to various ports like 25,
110,143, 465, 587, 993, and 995 commonly used by different email protocols. The first two
lines in the results show traffic to TCP port 65400, but reviewing the associated TCP streams
indicates this also email-related traffic.

Use the following Wireshark filter to get a better idea of email-related traffic from the infected
host as shown in Figure 26:

**_smtp or imap or pop_**


-----

Figure 26. Finding email-related traffic caused by Qakbot in this pcap.
Follow some of the TCP streams to get a better idea for this type of email traffic. We do not
normally see such unencrypted email traffic originating from a Windows client to public IP
addresses. Along with other indicators, this smtp or imap or pop filter may reveal Qakbot
activity.

## Conclusion

This tutorial provided tips for examining Windows infections with Qakbot malware. More
[pcaps with examples of Qakbot activity can be found at malware-traffic-analysis.net.](https://www.malware-traffic-analysis.net/)

For more help with Wireshark, see our previous tutorials:

**Get updates from**

**Palo Alto**

**Networks!**

Sign up to receive the latest news, cyber threat intelligence and research from us

[By submitting this form, you agree to our Terms of Use and acknowledge our Privacy](https://www.paloaltonetworks.com/legal-notices/terms-of-use)
Statement.


-----