Recently, we had a host machine that was infected with QBot/QakBot. Upon investigation, we found that it had added a registry key with a random name.

Based on some Googling, I found this article, Decrypting Qakbot’s Encrypted Registry Keys, which explains in detail the encryption routine and how to decode the encrypted registry values.

But I wondered: how do we decode the registry when we only have collected artifacts, e.g. the NTUSER.dat or SOFTWARE registry hive, and no live access to the infected host?

Key Generation

Initially, system information is gathered by Qakbot from the infected host, including:
1. Computer Name (using GetComputerNameW)
2. Volume Serial Number (using GetVolumeInformationW)
3. User Account Name (using LookupAccountSidW)

Let’s take, for example, our infected machine’s information:
Computer name: DESKTOP-4NQG47A (converted to UPPERCASE)
Volume Serial: 2797280851 (converted from the hexadecimal serial number A6BB1E53)
User Account Name: SECRET ACCOUNT (converted to UPPERCASE)

This information is then concatenated to form a password:
DESKTOP-4NQG47A2797280851SECRET ACCOUNT

The password is then hashed using a modified CRC32_shift4 algorithm.

Getting Ready

Typically, during a case investigation, we already have the Computer Name and User Account Name, but we are missing the Volume Serial Number. It is not stored in the user hive, so it has to be collected from the infected host itself (or from a forensic image of the volume). To get it, run the PowerShell command below on the infected host:

PS C:\> Get-WmiObject Win32_volume | Format-table Name, @{Label = "SerialNumber"; Expression = {"{0:X}" -f $_.SerialNumber}}  -auto
Name                                        SerialNumber
----                                        ------------
C:\                                          CE6EB0A8

Next, convert the serial number from hex to decimal, for example at https://www.rapidtables.com/convert/number/hex-to-decimal.html:

CE6EB0A8 –> 3463360680

Now we have the details of the infected host:

Computer name: W7VM39DKGH
Volume Serial: 3463360680 (from hex CE6EB0A8)
User Account Name: MAX_MAXIMUS

Next, we are going to use the script below to decrypt the registry:
https://github.com/drole/qakbot-registry-decrypt

* Please note that this script needs to be run with Python 3 on Windows, as it uses the winreg library.
* Set this up in an analysis VM, since we will need to import the exported registry key into the local registry of that machine.


Download the script and make sure the required libraries and modules are installed in your VM.

Next, export the encrypted registry key. In this example, I’m extracting it from NTUSER.dat:

To export it, open the NTUSER.dat file in Registry Explorer. Then go to the path of the encrypted key; in this case it is SOFTWARE\Microsoft\Cjxgyfyefv. Right-click the key Cjxgyfyefv and select Export –> Key –> To .reg format. Choose a file name and location to save it.
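The password assembly described under Key Generation and the .reg export produced in the step above can both be handled offline. The following Python is an added example, not code from this post or from the drole qakbot-registry-decrypt script: build_password() concatenates the three host values exactly as described (UPPERCASE computer name, decimal volume serial, UPPERCASE user account name), and parse_reg_export() reads the standard regedit-syntax .reg file so the encrypted value blobs can be lifted straight out of the NTUSER.dat export without importing the key into the VM's live registry. The sample export, its value names and bytes are constructed; only the key path comes from the post. The modified CRC32_shift4 hashing and the decryption itself are deliberately not reimplemented here (that is what the linked article and script are for), so the remaining steps still apply if you want to run the script unmodified.

```python
"""
Offline helpers for the Qakbot registry workflow in this post.
Added example; not code from the post or from the drole decrypt script.
The hashing/decryption step is NOT reimplemented here.
"""
import re
from typing import Dict, Iterator, NamedTuple, Union

REG_SZ, REG_BINARY, REG_DWORD = 1, 3, 4  # Windows REG_* type codes


class RegValue(NamedTuple):
    reg_type: int                    # REG_* type code (the N in hex(N) in a .reg file)
    data: Union[bytes, int, str]


def build_password(computer_name: str, volume_serial_hex: str, user_account_name: str) -> str:
    """Concatenate the three host facts in the order the post describes.

    The serial may be given as 'CE6EB0A8' or as 'CE6E-B0A8' (the form `vol` prints);
    it is converted from hex to its decimal representation before concatenation.
    """
    serial_dec = int(volume_serial_hex.replace("-", ""), 16)
    return f"{computer_name.upper()}{serial_dec}{user_account_name.upper()}"


# --- .reg export parsing (regedit "Version 5.00" syntax) ---------------------
_KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<rest>.*)$')
_HEX_RE = re.compile(r"^hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<data>.*)$")


def _unescape(s: str) -> str:
    # .reg escapes backslash and double quote with a leading backslash; drop it.
    return re.sub(r"\\(.)", r"\1", s)


def _logical_lines(text: str) -> Iterator[str]:
    """Yield lines with hex continuations (trailing backslash) joined."""
    buf = ""
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def _parse_value(rest: str) -> RegValue:
    if len(rest) >= 2 and rest[0] == '"' and rest[-1] == '"':
        return RegValue(REG_SZ, _unescape(rest[1:-1]))
    if rest.startswith("dword:"):
        return RegValue(REG_DWORD, int(rest[len("dword:"):], 16))
    m = _HEX_RE.match(rest)
    if m:
        reg_type = int(m.group("type"), 16) if m.group("type") else REG_BINARY
        return RegValue(reg_type, bytes.fromhex(m.group("data").replace(",", "")))
    raise ValueError(f"unsupported .reg value syntax: {rest!r}")


def parse_reg_export(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Return {key_path: {value_name: RegValue}} for every key in the export."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for line in _logical_lines(text):
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        key = _KEY_RE.match(line)
        if key:
            current = keys.setdefault(key.group("path"), {})
            continue
        val = _VALUE_RE.match(line)
        if val is None or current is None:
            raise ValueError(f"unexpected line in .reg export: {line!r}")
        name = "(Default)" if val.group("name") == "@" else _unescape(val.group("name")[1:-1])
        current[name] = _parse_value(val.group("rest"))
    return keys


def encrypted_blobs(keys: Dict[str, Dict[str, RegValue]], key_path: str) -> Dict[str, bytes]:
    """REG_BINARY values under the Qakbot key: these are the ciphertexts to decrypt."""
    return {n: v.data for n, v in keys[key_path].items() if v.reg_type == REG_BINARY}


def load_reg_file(path: str) -> str:
    """Read a .reg file; regedit Version 5.00 exports are UTF-16LE with a BOM, UTF-8 is accepted too."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return raw.decode("utf-16") if raw.startswith((b"\xff\xfe", b"\xfe\xff")) else raw.decode("utf-8-sig")


# Constructed sample export: value names and bytes are made up for illustration;
# only the key path follows the post.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Cjxgyfyefv]
"2c1ab9e7"=hex:4f,1d,9a,00,c3,e2,\
  7b,88
"a5f0d3c1"=hex:10,20,30
"Note"="constructed \"sample\" value"
"Count"=dword:0000002a
"""
QAKBOT_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Cjxgyfyefv"

if __name__ == "__main__":
    print("password:", build_password("W7VM39DKGH", "CE6EB0A8", "MAX_MAXIMUS"))
    for name, blob in encrypted_blobs(parse_reg_export(SAMPLE_REG_EXPORT), QAKBOT_KEY).items():
        print(f"{name}: {len(blob)} bytes {blob.hex()}")
```

For a real case, replace SAMPLE_REG_EXPORT with load_reg_file("Cjxgyfyefv.reg") and check that the key path in the export matches what you pass to encrypted_blobs(); the parser raises on any line it does not understand rather than silently skipping values.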

Copy the exported .reg file to your VM. Then double-click the exported .reg file to import it into the VM's registry:

Click Yes to confirm the import.

Check in regedit whether the key was imported, and note the full path it landed under, since that is the path you will pass to the script:

Next, we are going to decrypt the registry key.

Before running the script, we need to make a small modification so that it does not use the analysis VM's own host information. Comment out lines 52 to 63 of the script:

Then add the following, hard-coded with the infected machine's values: computer_name, volume_serial_number (the decimal number converted from the hex serial) and user_account_name. Refer to the screenshot above.

After that, run the Python script to decrypt the registry:

python qakbot-registry-decrypt.py -r HKEY_CURRENT_USER\SOFTWARE\Microsoft\Cjxgyfyefv

Remember to pass the path of the imported encrypted registry key with -r; in this case it is HKEY_CURRENT_USER\SOFTWARE\Microsoft\Cjxgyfyefv.

As you can see, we were able to decode the registry data and read its content. We can see the possible C2 IP, 85.86.242.245, the .dll name and location, and the time of execution.

Check the C2 IP in VirusTotal – https://www.virustotal.com/gui/ip-address/85.86.242.245/detection

It seems the IP is also flagged as QBot/QakBot related by various sources.

That’s all from me. Hope you enjoy reading the article. 🙂

By zam
