SweetOrange ExploitKit and Qakbot

July 12, 2014

The Dell SonicWALL Threats Research Team has recently encountered an example of the Qakbot malware family. This long lived malware family was seen being dropped by a SweetOrange Exploit Kit. This bot has many features and capabilities and is a danger to sensitive networks and data.

Infection Cycle

This sample of Qakbot is self contained and, besides log and config files, only drops identical copies of itself to disk. Multiple stages of unpacking are required to reveal the full capabilities of the sample. After the initial execution, the original file is deleted with a typical invocation of cmd.exe: [cmd /c ping -n 10 localhost && del "C:windowstempfile.exe"]

Once the original file is melted via cmd.exe and the malware is unpacked in memory, it injects into numerous processes, particularly applications that stay resident in the system tray.

Qakbot Process Injection

In this case, the main injection target was Skype process that was then used to beacon out to a command and control server.

The injected Skype process is connected to a C&C server

This C&C traffic is very simple and serves as a beacon to let the attackers know that a new machine has been infected. The IP address of the infected machine and the malware-generated host identifier are the primary contents.

The beacon traffic contains only basic information

In addition to the beacon traffic, this malware also sends a record of the user's browsing behavior in real time.

Browsing behavior is sent out to a C&C server in encoded HTTP requests

The data is only URL-escaped and can be easily decoded to show the true nature of the HTTP traffic:

The decoded C&C traffic clearly shows the user's browsing behavior

Indicators of Compromise

In order to persist upon reboot, the malware creates multiple run keys. Our analysis included one that uses the malware's "/c" flag to execute and inject a target application.

The malware auto-runs itself and piggy-backs on a normal start-up application

The following randomized mutexes were seen during analysis and are used to prevent unnecessary reinfection and to manage the different infection threads.

  • Sessions1BaseNamedObjectsfilea
  • Sessions1BaseNamedObjectsizbtitjv
  • Sessions1BaseNamedObjectskyeuyya
  • BaseNamedObjectskyeuyy
  • BaseNamedObjectstlkpito
  • BaseNamedObjectsdiges
  • BaseNamedObjectsfrxikyn


Overall, the purpose of this malware is to gain control of and gather information from the target machine. Qakbot has a variety of functionality and will steal banking information and other personal data and credentials. Dell SonicWall Gateway Anti-Virus provides protection against this threat with the following signature:

  • GAV: Qbot.BH