Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    02-08-2020 15:29

General

  • Target

    Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe

  • Size

    4.5MB

  • MD5

    57afe7c6eae81f93e3e6a085b6bd7961

  • SHA1

    6af9bb4cb10f0d765cf87b71f5dcfa3c5d7d61f6

  • SHA256

    b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3

  • SHA512

    ebd7a6029b72385d1667fa1013241dfeac19fedf2ccf1303b22105126e5de490f39af4e5a2f3dbaba462b919560fb8a421f3228c49bfb8bc569d9f8c16c40665

Malware Config

Extracted

Family

danabot

C2

192.236.161.25

93.115.21.108

173.234.155.181

2.56.212.137

45.153.240.84

rsa_pubkey.plain

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Danabot x86 payload 5 IoCs

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Blocklisted process makes network request 13 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe
    "C:\Users\Admin\AppData\Local\Temp\Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe"
    1⤵
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3612
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\opwgvwbuwyal.vbs"
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3284
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\opwgvwbuwyal.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:1832
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\pwxgdnyciegq.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3144
      • C:\Users\Admin\AppData\Local\Temp\pwxgdnyciegq.exe
        "C:\Users\Admin\AppData\Local\Temp\pwxgdnyciegq.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks processor information in registry
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2976
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\J07mtSQegJyL & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\pwxgdnyciegq.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:864
          • C:\Windows\system32\timeout.exe
            timeout 2
            5⤵
            • Delays execution with timeout.exe
            PID:1268
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\mifcripvc.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Users\Admin\AppData\Local\Temp\mifcripvc.exe
        "C:\Users\Admin\AppData\Local\Temp\mifcripvc.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1824
        • C:\Windows\SysWOW64\regsvr32.exe
          C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\MIFCRI~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\MIFCRI~1.EXE@1824
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2968
          • C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\MIFCRI~1.DLL,f0
            5⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            PID:3384
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\xruvjfdkx.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Users\Admin\AppData\Local\Temp\xruvjfdkx.exe
        "C:\Users\Admin\AppData\Local\Temp\xruvjfdkx.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2784
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\nbqtslico & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\xruvjfdkx.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:492
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            5⤵
            • Delays execution with timeout.exe
            PID:2172
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\nbqtslico & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\xruvjfdkx.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2100
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            5⤵
            • Delays execution with timeout.exe
            PID:3764

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\nbqtslico\46173476.txt
  • C:\ProgramData\nbqtslico\8372422.txt
  • C:\ProgramData\nbqtslico\Files\_INFOR~1.TXT
  • C:\ProgramData\nbqtslico\NL_202~1.ZIP
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C954CE05407CAD0B91F1461CBC854DCE
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C954CE05407CAD0B91F1461CBC854DCE
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
  • C:\Users\Admin\AppData\Local\Temp\J07mtSQegJyL\4ljk.tmp
  • C:\Users\Admin\AppData\Local\Temp\J07mtSQegJyL\CVAFMR~1.ZIP
    MD5

    aa72e39056988aec3b29a8083d6c918a

    SHA1

    0ff4aaf9a8f327022fd2c92988a8011a3279abdf

    SHA256

    0d765c48674354494c78690a6abb12cedde64fa58404b9d29c53116e1403be5e

    SHA512

    5cefb5da9a9c12dd298f3835bd0d1fbad401a714172778f59bd9f08c4431584792e9a831815f2df24416dac9145c63c5511b9384eab94b115bf16928fafa006b

  • C:\Users\Admin\AppData\Local\Temp\J07mtSQegJyL\EDTIt.tmp
  • C:\Users\Admin\AppData\Local\Temp\J07mtSQegJyL\SI3RTP~1.ZIP
  • C:\Users\Admin\AppData\Local\Temp\J07mtSQegJyL\WUtf.tmp
  • C:\Users\Admin\AppData\Local\Temp\J07mtSQegJyL\_Files\_INFOR~1.TXT
  • C:\Users\Admin\AppData\Local\Temp\J07mtSQegJyL\_Files\_SCREE~1.JPE
  • C:\Users\Admin\AppData\Local\Temp\J07mtSQegJyL\files_\SCREEN~1.JPG
  • C:\Users\Admin\AppData\Local\Temp\J07mtSQegJyL\files_\SYSTEM~1.TXT
  • C:\Users\Admin\AppData\Local\Temp\J07mtSQegJyL\jwS0.tmp
  • C:\Users\Admin\AppData\Local\Temp\J07mtSQegJyL\qhC2c.tmp
  • C:\Users\Admin\AppData\Local\Temp\J07mtSQegJyL\ucQZ.tmp
  • C:\Users\Admin\AppData\Local\Temp\MIFCRI~1.DLL
    MD5

    179a440bc1d21ec457943af4aea08472

    SHA1

    497b2672b1ba31be72395ac7eb96d0c8fd3381e4

    SHA256

    597294bbd3de0c920a54c1ce70f854d52536718c2f1173a62a75b271739c78a9

    SHA512

    89ccd609ed684a0f1d67119db55f908cb41c2dd430911377af1398763278569759bfd6d3c23aef59cbef14cf3a589e5cb58d977a5141be9d537ddfc705160fd8

  • C:\Users\Admin\AppData\Local\Temp\mifcripvc.exe
  • C:\Users\Admin\AppData\Local\Temp\mifcripvc.exe
  • C:\Users\Admin\AppData\Local\Temp\opwgvwbuwyal.vbs
    MD5

    acd6ab8c45911dcb632eef36a70b5d0c

    SHA1

    717809496e2229a11ad3cbc4c5fb8cd2f22b2692

    SHA256

    1bd77358b8973852e07982f02b86db9100713d7871941b182f56c655bfd95ec2

    SHA512

    c8ce51d09262cda17ca5acd309c4a58b2634c7fc58ad19d0885738c831713030550fe3d0c7f594cf69f00c21679c5d04c55a0cd576c1ac9c575f520cbf925816

  • C:\Users\Admin\AppData\Local\Temp\pwxgdnyciegq.exe
    MD5

    64d3edf1a6cd37e9e2193c0e1fc50220

    SHA1

    9e5863b0e717030db247fa3ff6dead07710d5ab5

    SHA256

    b56d450c7ccbccb915ca8006bfc0fc41037cd850dd799c77275eab397ef61772

    SHA512

    0ff5c9fef715ba203de9c239d53e99baff932e35a03b94f21369410d425f4deed0c4a7f17f6d483ffaee2acf706c031cca62b0f86f31d94c6bf704d996f68abb

  • C:\Users\Admin\AppData\Local\Temp\pwxgdnyciegq.exe
    MD5

    64d3edf1a6cd37e9e2193c0e1fc50220

    SHA1

    9e5863b0e717030db247fa3ff6dead07710d5ab5

    SHA256

    b56d450c7ccbccb915ca8006bfc0fc41037cd850dd799c77275eab397ef61772

    SHA512

    0ff5c9fef715ba203de9c239d53e99baff932e35a03b94f21369410d425f4deed0c4a7f17f6d483ffaee2acf706c031cca62b0f86f31d94c6bf704d996f68abb

  • C:\Users\Admin\AppData\Local\Temp\xruvjfdkx.exe
  • C:\Users\Admin\AppData\Local\Temp\xruvjfdkx.exe
  • \Users\Admin\AppData\Local\Temp\MIFCRI~1.DLL
    MD5

    179a440bc1d21ec457943af4aea08472

    SHA1

    497b2672b1ba31be72395ac7eb96d0c8fd3381e4

    SHA256

    597294bbd3de0c920a54c1ce70f854d52536718c2f1173a62a75b271739c78a9

    SHA512

    89ccd609ed684a0f1d67119db55f908cb41c2dd430911377af1398763278569759bfd6d3c23aef59cbef14cf3a589e5cb58d977a5141be9d537ddfc705160fd8

  • \Users\Admin\AppData\Local\Temp\MIFCRI~1.DLL
    MD5

    179a440bc1d21ec457943af4aea08472

    SHA1

    497b2672b1ba31be72395ac7eb96d0c8fd3381e4

    SHA256

    597294bbd3de0c920a54c1ce70f854d52536718c2f1173a62a75b271739c78a9

    SHA512

    89ccd609ed684a0f1d67119db55f908cb41c2dd430911377af1398763278569759bfd6d3c23aef59cbef14cf3a589e5cb58d977a5141be9d537ddfc705160fd8

  • \Users\Admin\AppData\Local\Temp\MIFCRI~1.DLL
    MD5

    179a440bc1d21ec457943af4aea08472

    SHA1

    497b2672b1ba31be72395ac7eb96d0c8fd3381e4

    SHA256

    597294bbd3de0c920a54c1ce70f854d52536718c2f1173a62a75b271739c78a9

    SHA512

    89ccd609ed684a0f1d67119db55f908cb41c2dd430911377af1398763278569759bfd6d3c23aef59cbef14cf3a589e5cb58d977a5141be9d537ddfc705160fd8

  • \Users\Admin\AppData\Local\Temp\MIFCRI~1.DLL
    MD5

    179a440bc1d21ec457943af4aea08472

    SHA1

    497b2672b1ba31be72395ac7eb96d0c8fd3381e4

    SHA256

    597294bbd3de0c920a54c1ce70f854d52536718c2f1173a62a75b271739c78a9

    SHA512

    89ccd609ed684a0f1d67119db55f908cb41c2dd430911377af1398763278569759bfd6d3c23aef59cbef14cf3a589e5cb58d977a5141be9d537ddfc705160fd8

  • memory/492-50-0x0000000000000000-mapping.dmp
  • memory/864-11-0x0000000000000000-mapping.dmp
  • memory/1268-24-0x0000000000000000-mapping.dmp
  • memory/1640-29-0x0000000000000000-mapping.dmp
  • memory/1824-31-0x0000000000000000-mapping.dmp
  • memory/1824-30-0x0000000000000000-mapping.dmp
  • memory/1824-42-0x0000000002B30000-0x0000000002B31000-memory.dmp
    Filesize

    4KB

  • memory/1832-4-0x0000000000000000-mapping.dmp
  • memory/2100-56-0x0000000000000000-mapping.dmp
  • memory/2172-55-0x0000000000000000-mapping.dmp
  • memory/2428-35-0x0000000000000000-mapping.dmp
  • memory/2784-36-0x0000000000000000-mapping.dmp
  • memory/2784-40-0x00000000049C0000-0x00000000049C1000-memory.dmp
    Filesize

    4KB

  • memory/2784-41-0x00000000051C0000-0x00000000051C1000-memory.dmp
    Filesize

    4KB

  • memory/2784-37-0x0000000000000000-mapping.dmp
  • memory/2968-43-0x0000000000000000-mapping.dmp
  • memory/2976-6-0x0000000000000000-mapping.dmp
  • memory/2976-7-0x0000000000000000-mapping.dmp
  • memory/2976-10-0x0000018DF8C80000-0x0000018DF8C81000-memory.dmp
    Filesize

    4KB

  • memory/3144-5-0x0000000000000000-mapping.dmp
  • memory/3284-2-0x0000000000000000-mapping.dmp
  • memory/3384-47-0x0000000000000000-mapping.dmp
  • memory/3612-1-0x0000000005680000-0x0000000005681000-memory.dmp
    Filesize

    4KB

  • memory/3612-0-0x0000000004E80000-0x0000000004E81000-memory.dmp
    Filesize

    4KB

  • memory/3764-57-0x0000000000000000-mapping.dmp