Decrypting Qakbot’s Encrypted Registry Keys

Since the return of the Qakbot Trojan in early September 2021, especially through SquirrelWaffle malicious spam campaigns, we’ve received a few Qakbot samples to analyze from our Trustwave DFIR and Global Threats Operations teams.

Qakbot is a banking Trojan that has been around since 2007. It has been continually developed, with new capabilities introduced such as lateral movement, the ability to exfiltrate email and browser data, and to install additional malware. One new skill is to insert encrypted data into the registry. One of the requests we received from Trustwave’s DFIR and Global Threats Operations teams is for us to decrypt the registry data that Qakbot created.  We duly jumped into this task, and, as it was a bit of fun, decided to blog about it.

Figure 1. A sample of an encrypted registry key that Qakbot creates

There are only a few good detailed analyses of Qakbot out there (see here, here, and here) but in them we didn’t really find any technical details on how to decrypt these registry keys. In this blog, we will do our best to explain that trick and we hope this will help fellow malware reversers.

The Flow

For those who don't have time to read the whole blog, we’ve prepared a graph below to show the decryption flow:

Figure 2. Qakbot's registry data decryption flow.

Key generation

Initially, system information is gathered by Qakbot from the infected host, including:

1. Computer Name (using GetComputerNameW)
2. Volume Serial Number (using GetVolumeInformationW)
3. User Account Name (using LookUpAccountSidW)

Let's take, for example, our infected machine's information:

This information is then concatenated to form a password:

The password is then hashed using a modified CRC32_shift4 algorithm.

Figure 3. Modified CRC32 shift4 function.

The resulting hash in this example is AC E9 B5 8D -  we will call this PASSWORDHASH.

Configuration ID

Each registry key value name that the Qakbot malware created is a configuration field defined by a one-byte ID. This ID is also used to salt the PASSWORDHASH.

Joining both the ID and PASSWORDHASH, then hashing them with the SHA1 algorithm, will get a derived key, that we will call  DERIVED_KEY.

Let's take for example: ID = 0Eh and PASSWORDHASH = \xac\xe9\xb5\x8d

The SHA1 hash result will be used as a derived key to decrypt the registry key value data respective to the ID using the RC4 algorithm.

Decrypting the Registry:

To determine which specific registry key value name it will decrypt the ID and DERIVED_KEY are joined together and hashed using the CRC32_shift4 algorithm to obtain the registry value name.

The screenshot below shows the specific registry key value name (6aae40dd) that can be decrypted with RC4 Algorithm using the DERIVED_KEY:

Applying the RC4 algorithm to decrypt the registry key-value data from the value name "6aae40dd" reveals the configuration containing the malware installation timestamp.

Decryption Tool:

We wrote a decryption tool to aid this process and it is available in our Github account repository. This tool may help malware reversers and security researchers decrypt Qakbot’s registry keys.

Usage: qakbot-registry-decrypt.py [options]
Options:
  -h, --help            show this help message and exit
  -r REGISTRY_PATH, --regpath=REGISTRY_PATH
                        registry path where Qakbot's encrypted data is stored.
                        (e.g. 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Efwramsn')
  -p PASSWORD, --password=PASSWORD
                        password (optional)

Example Usage:

Figure 4. Qakbot registry decryptor tool

IOCs:

Qakbot DLL

MD5: 90aac91ba4336bdb252dee699d32d78d
MD5: a53c130fe120348b9bfa188ab93b6ad4