danabot | 4fbb399e44f5e84cbc719d8e99028029adf60f524ebebab04d22513daf3bce9c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2024 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a77a0a1e3e245240b2f827d031ba4510_JaffaCakes118.exe
Size

1.2MB
MD5

a77a0a1e3e245240b2f827d031ba4510
SHA1

6bfaeef8171e2f3b3d6d5abd9a7b02450ab22d42
SHA256

4fbb399e44f5e84cbc719d8e99028029adf60f524ebebab04d22513daf3bce9c
SHA512

332d42de83f2b6d7bb0410951ce7aff372b4133974a4909e6231d2fb8fb585987974b4491a393f54a6c87a63743e042e2321379d996b482f65eed7cec17c195a
SSDEEP

24576:J1VqL5OBAbNy307nscZDFigU1XJUJgfUR05G3E0tqN+TUx7cB44bYrhs3c:D4fs4sZgv325G3E0QNcK4bYrh

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 10 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\A77A0A~1.EXE.dll	DanabotLoader2021
behavioral2/memory/3212-10-0x0000000000400000-0x0000000000562000-memory.dmp	DanabotLoader2021
behavioral2/memory/3212-18-0x0000000000400000-0x0000000000562000-memory.dmp	DanabotLoader2021
behavioral2/memory/3212-19-0x0000000000400000-0x0000000000562000-memory.dmp	DanabotLoader2021
behavioral2/memory/3212-20-0x0000000000400000-0x0000000000562000-memory.dmp	DanabotLoader2021
behavioral2/memory/3212-21-0x0000000000400000-0x0000000000562000-memory.dmp	DanabotLoader2021
behavioral2/memory/3212-22-0x0000000000400000-0x0000000000562000-memory.dmp	DanabotLoader2021
behavioral2/memory/3212-23-0x0000000000400000-0x0000000000562000-memory.dmp	DanabotLoader2021
behavioral2/memory/3212-24-0x0000000000400000-0x0000000000562000-memory.dmp	DanabotLoader2021
behavioral2/memory/3212-25-0x0000000000400000-0x0000000000562000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

36 3212 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3212 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4872 3056 WerFault.exe a77a0a1e3e245240b2f827d031ba4510_JaffaCakes118.exe

flow	pid	process
36	3212	rundll32.exe

pid	process
3212	rundll32.exe

pid	pid_target	process	target process
4872	3056	WerFault.exe	a77a0a1e3e245240b2f827d031ba4510_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a77a0a1e3e245240b2f827d031ba4510_JaffaCakes118.exe

description	pid	process	target process
PID 3056 wrote to memory of 3212	3056	a77a0a1e3e245240b2f827d031ba4510_JaffaCakes118.exe	rundll32.exe
PID 3056 wrote to memory of 3212	3056	a77a0a1e3e245240b2f827d031ba4510_JaffaCakes118.exe	rundll32.exe
PID 3056 wrote to memory of 3212	3056	a77a0a1e3e245240b2f827d031ba4510_JaffaCakes118.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a77a0a1e3e245240b2f827d031ba4510_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a77a0a1e3e245240b2f827d031ba4510_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\A77A0A~1.DLL,s C:\Users\Admin\AppData\Local\Temp\A77A0A~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 500
2⤵
- Program crash
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3056 -ip 3056
1⤵
PID:3028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A77A0A~1.EXE.dll
Filesize
1.3MB

MD5
edecbc2e00573f19302006332d20500e

SHA1
18dc265d56d7a0ede9d5e0889d1fad643b57346d

SHA256
1de35fdc06ba39a59988f8221e314062f9026406beb8988221a06ff3be735685

SHA512
d588daa67af59f68175f8258ef054a6bac4239091dd5da1fd0bd477a8a061c758be65cd38685e8bbb46dde12ab2814cb4d2b21e474908103fa463bbe97bf4937

Download Submit
memory/3056-1-0x00000000034D0000-0x00000000035CE000-memory.dmp

Filesize
1016KB

Download
memory/3056-2-0x0000000003690000-0x0000000003796000-memory.dmp

Filesize
1.0MB

Download
memory/3056-7-0x0000000000400000-0x00000000017A0000-memory.dmp

Filesize
19.6MB

Download
memory/3056-8-0x0000000000400000-0x00000000017A0000-memory.dmp

Filesize
19.6MB

Download
memory/3056-9-0x0000000003690000-0x0000000003796000-memory.dmp

Filesize
1.0MB

Download
memory/3212-10-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/3212-18-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/3212-19-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/3212-20-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/3212-21-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/3212-22-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/3212-23-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/3212-24-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/3212-25-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download