SpiderLabs Blog

Decrypting Qakbot’s Encrypted Registry Keys

Since the return of the Qakbot Trojan in early September 2021, especially through SquirrelWaffle malicious spam campaigns, we’ve received a few Qakbot samples to analyze from our Trustwave DFIR and Global Threats Operations teams.

Qakbot is a banking Trojan that has been around since 2007. It has been continually developed, with new capabilities added over time such as lateral movement, exfiltration of email and browser data, and installation of additional malware. One of its newer tricks is to store encrypted data in the registry. One request we received from Trustwave's DFIR and Global Threats Operations teams was to decrypt the registry data that Qakbot creates. We duly jumped into the task and, since it turned out to be a bit of fun, decided to blog about it.

Figure 1. A sample of an encrypted registry key that Qakbot creates

There are only a few good detailed analyses of Qakbot out there (see here, here, and here) but in them we didn’t really find any technical details on how to decrypt these registry keys. In this blog, we will do our best to explain that trick and we hope this will help fellow malware reversers.

The Flow

For those who don't have time to read the whole blog, we’ve prepared a graph below to show the decryption flow:

Figure 2. Qakbot's registry data decryption flow.

Key generation

First, Qakbot gathers system information from the infected host:

  1. Computer name (using GetComputerNameW)
  2. Volume serial number (using GetVolumeInformationW)
  3. User account name (using LookupAccountSidW)

Let's take, for example, our infected machine's information:

Computer name:     DESKTOP-4NQG47A (converted to UPPERCASE)
Volume Serial:     2797280851 (the hexadecimal serial number A6BB1E53 converted to decimal)
User Account Name: SECRET ACCOUNT (converted to UPPERCASE)

This information is then concatenated to form a password:

DESKTOP-4NQG47A2797280851SECRET ACCOUNT

The password is then hashed using a modified CRC32_shift4 algorithm.

Figure 3. Modified CRC32 shift4 function.

The resulting hash in this example is AC E9 B5 8D; we will call this PASSWORDHASH.

PASSWORD = "DESKTOP-4NQG47A2797280851SECRET ACCOUNT"

mit_crc32_shift4(PASSWORD) // returned value "\xac\xe9\xb5\x8d"

PASSWORDHASH = "\xac\xe9\xb5\x8d"

Configuration ID

Each registry value name that Qakbot creates corresponds to a configuration field identified by a one-byte ID. This ID is also used to salt PASSWORDHASH.

The ID, written as a little-endian DWORD (the ID byte followed by three \x00 bytes), is prepended to PASSWORDHASH, and the resulting 8-byte buffer is hashed with SHA1 to produce a derived key, which we will call DERIVED_KEY:

SHA1(<1-byte ID> + <3 bytes of \x00 padding> + <4-byte PASSWORDHASH>) = DERIVED_KEY

Let's take for example: ID = 0Eh and PASSWORDHASH = \xac\xe9\xb5\x8d

SHA1("\x0e" + "\x00\x00\x00" + "\xac\xe9\xb5\x8d") = \x7a\x2b\x30\xb1\xaf\x46\xeb\xc0\xe3\xc7\xf6\x9b\xf1\x97\x2b\x05\xd5\xca\x06\x8f

The SHA1 hash result will be used as a derived key to decrypt the registry key value data respective to the ID using the RC4 algorithm.

Decrypting the Registry:

To determine which registry value holds the data for a given ID, the same 8-byte buffer (the ID as a little-endian DWORD followed by PASSWORDHASH) is hashed with the CRC32_shift4 algorithm; the hex representation of the result is the registry value name.

mit_crc32_shift4("\x0e\x00\x00\x00" + "\xac\xe9\xb5\x8d") -> "\x6a\xae\x40\xdd"

So the value named 6aae40dd holds the data for ID 0x0e, and it can be decrypted with the RC4 algorithm using the DERIVED_KEY computed above:

\x7a\x2b\x30\xb1\xaf\x46\xeb\xc0\xe3\xc7\xf6\x9b\xf1\x97\x2b\x05\xd5\xca\x06\x8f

Note that the value name and the RC4 key both come from the same salted buffer (CRC32_shift4 and SHA1 of it, respectively), and the ID is a single byte. A decryptor that knows only the host information can therefore compute the value name for every ID from 0 to 255 and match those against the value names present under the key, without knowing in advance which IDs the sample wrote.

Applying the RC4 algorithm to decrypt the registry key-value data from the value name "6aae40dd" reveals the configuration containing the malware installation timestamp.

6aae40dd id=14 (0x0e)

03 01 16 00 00 00 35 3b 31 3b 30 7c 33 3b 32 31  | ......5;1;0|3;21
3b 31 36 33 38 37 35 32 30 35 35 00 8e 53 03 0b  | ;1638752055..S..
df e5 f0 2d bf 42 cb 70 bf 1d 62 d1 d8 ec 1a c5  | ...-.B.p..b.....
a8 f4 cf d8 e1 c4 bd 52 18 d6 68 a6 e2 95 03 f8  | .......R..h.....
c8 c9 a3 41 7a ff 6b 69 11 2b 1b 9b 60 d4 19 49  | ...Az.ki.+..`..I
00 eb f5 7f 08 24 86 c0 10 6d 55 d7 bd ce 2c 23  | .....$...mU...,#
e9 d7 91 b1                                      | ....
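The following Python is an added example, not the SpiderLabs tool and not Qakbot's own code. It runs the whole flow described above end to end: password construction, PASSWORDHASH, the salted 8-byte buffer that yields both the value name and the SHA1-derived RC4 key, RC4 decryption, and the "walk all 256 IDs" matching a decryptor does against an unknown key. Two things are assumptions: the crc32_shift4() here is a standard nibble-wise CRC32, because Qakbot's modified variant (Figure 3) is only a screenshot and is not reproduced on this page, so this stand-in will not produce the sample's AC E9 B5 8D (drop the modified routine in to decrypt a real hive); and the 32-bit hash is serialized little-endian with the value name being the hex of those four bytes. The encrypted registry value is constructed by RC4-encrypting the decrypted bytes from the dump above, so nothing touches a live registry.

```python
"""Added example (not the SpiderLabs tool, not Qakbot code): the registry
decryption flow from this post, end to end.

ASSUMPTIONS (also marked in the code):
 - crc32_shift4() is a standard nibble-wise CRC32. Qakbot's modified
   variant (Figure 3) is not on this page, so this stand-in does NOT
   produce the sample's AC E9 B5 8D; swap in the modified routine for a
   real hive.
 - the 32-bit hash is serialised little-endian and the value name is the
   hex of those four bytes; the password is hashed as ASCII bytes.
"""
import hashlib
import struct
from datetime import datetime, timezone

CRC32_POLY = 0xEDB88320  # reflected CRC-32 polynomial (ASSUMPTION: standard table)

# 16-entry table: each nibble value run through four reflected CRC bit-steps.
_NIBBLE_TABLE = []
for _n in range(16):
    _c = _n
    for _ in range(4):
        _c = (_c >> 1) ^ CRC32_POLY if _c & 1 else _c >> 1
    _NIBBLE_TABLE.append(_c)


def crc32_shift4(data: bytes, crc: int = 0xFFFFFFFF) -> bytes:
    """Nibble-at-a-time ("shift 4") CRC32; consumes the low nibble first."""
    for b in data:
        crc = _NIBBLE_TABLE[(crc ^ b) & 0xF] ^ (crc >> 4)
        crc = _NIBBLE_TABLE[(crc ^ (b >> 4)) & 0xF] ^ (crc >> 4)
    return struct.pack("<I", crc ^ 0xFFFFFFFF)  # ASSUMPTION: little-endian bytes


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same function encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_password(computer_name: str, volume_serial_hex: str, account_name: str) -> str:
    """Step 1: uppercase names, volume serial as decimal, concatenated."""
    return f"{computer_name.upper()}{int(volume_serial_hex, 16)}{account_name.upper()}"


def password_hash(password: str) -> bytes:
    """Step 2: PASSWORDHASH = crc32_shift4(password), four bytes."""
    return crc32_shift4(password.encode("ascii"))


def derive(config_id: int, pw_hash: bytes):
    """Step 3: the 1-byte ID (as a little-endian DWORD) salts PASSWORDHASH.
    One 8-byte buffer gives both the value name (CRC) and the RC4 key (SHA1)."""
    salted = struct.pack("<I", config_id) + pw_hash
    return crc32_shift4(salted).hex(), hashlib.sha1(salted).digest()


def map_value_names(pw_hash: bytes, value_names) -> dict:
    """Recover the ID behind each value name by trying all 256 IDs, which is
    what a decryptor does when walking a Qakbot key it has never seen."""
    wanted = set(value_names)
    found = {}
    for i in range(256):
        name, _ = derive(i, pw_hash)
        if name in wanted:
            found[name] = i
    return found


def decrypt_value(config_id: int, pw_hash: bytes, value_data: bytes) -> bytes:
    """Step 4: RC4-decrypt one registry value with its DERIVED_KEY."""
    return rc4(derive(config_id, pw_hash)[1], value_data)


def demo() -> dict:
    """Constructs an encrypted value for ID 0x0e from the dump in the post,
    then recovers it the way the decryptor would."""
    pw = build_password("DESKTOP-4NQG47A", "A6BB1E53", "SECRET ACCOUNT")
    h = password_hash(pw)
    name, key = derive(0x0E, h)
    plaintext = b"\x03\x01\x16\x00\x00\x00" + b"5;1;0|3;21;1638752055\x00"  # constructed from the dump
    fake_hive = {name: rc4(key, plaintext)}  # constructed stand-in for the real registry key
    ids = map_value_names(h, fake_hive)
    recovered = decrypt_value(ids[name], h, fake_hive[name])
    # ASSUMPTION: the last ';'-separated field in the string is the Unix install time.
    epoch = int(recovered.rstrip(b"\x00").split(b";")[-1])
    installed = datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return {"password": pw, "value_name": name, "id": ids[name],
            "recovered": recovered, "installed_utc": installed}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

On a real host the three inputs come from the APIs listed under Key generation (the account name via LookupAccountSidW on the current user's SID), and crc32_shift4() must be replaced by the modified routine from Figure 3; everything downstream of the hash, including the ID walk in map_value_names(), stays the same.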

Decryption Tool:

We wrote a decryption tool to aid this process; it is available in our GitHub repository. The tool should help malware reversers and security researchers decrypt Qakbot's registry keys.

Usage: qakbot-registry-decrypt.py [options]
Options:
  -h, --help            show this help message and exit
  -r REGISTRY_PATH, --regpath=REGISTRY_PATH
                        registry path where Qakbot's encrypted data is stored.
                        (e.g. 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Efwramsn')
  -p PASSWORD, --password=PASSWORD
                        password (optional)

Example Usage:

Figure 4. Qakbot registry decryptor tool

IOCs:

Qakbot DLL

MD5: 90aac91ba4336bdb252dee699d32d78d
MD5: a53c130fe120348b9bfa188ab93b6ad4
