danabot | e7906395b858d072a6edba11e045a52761cff40aeb97268cddf99ba9d70c66e4

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04-04-2024 10:58

Target

b685d84d71de2f4753106d3b439c4a37_JaffaCakes118.dll
Size

1.3MB
MD5

b685d84d71de2f4753106d3b439c4a37
SHA1

17cbff6d38a4d83018c36c6b96ef77ffb6c639aa
SHA256

e7906395b858d072a6edba11e045a52761cff40aeb97268cddf99ba9d70c66e4
SHA512

d1b1a1f9250623b758285e8b8e7c6ece8e01023979a5b36b746fbe74b8c114c7775029a3eb77718dad34a11d6c0c4759382152e9f777d8556d81a510cc82d3e8
SSDEEP

24576:x8FGMpHdFpe260FF+GlerIW1wK5//KIBtfTOGekn1:yJdNl2IWqKdiufTxeW

Score

10^/10

Family

danabot

Botnet

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

rsa_pubkey.plain

rsa_privkey.plain

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 15 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2348-0-0x0000000000970000-0x0000000000AD0000-memory.dmp	DanabotLoader2021
behavioral1/memory/2348-1-0x0000000000970000-0x0000000000AD0000-memory.dmp	DanabotLoader2021
behavioral1/memory/2348-2-0x0000000000970000-0x0000000000AD0000-memory.dmp	DanabotLoader2021
behavioral1/memory/2348-3-0x0000000000970000-0x0000000000AD0000-memory.dmp	DanabotLoader2021
behavioral1/memory/2348-4-0x0000000000970000-0x0000000000AD0000-memory.dmp	DanabotLoader2021
behavioral1/memory/2348-5-0x0000000000970000-0x0000000000AD0000-memory.dmp	DanabotLoader2021
behavioral1/memory/2348-6-0x0000000000970000-0x0000000000AD0000-memory.dmp	DanabotLoader2021
behavioral1/memory/2348-7-0x0000000000970000-0x0000000000AD0000-memory.dmp	DanabotLoader2021
behavioral1/memory/2348-8-0x0000000000970000-0x0000000000AD0000-memory.dmp	DanabotLoader2021
behavioral1/memory/2348-9-0x0000000000970000-0x0000000000AD0000-memory.dmp	DanabotLoader2021
behavioral1/memory/2348-10-0x0000000000970000-0x0000000000AD0000-memory.dmp	DanabotLoader2021
behavioral1/memory/2348-11-0x0000000000970000-0x0000000000AD0000-memory.dmp	DanabotLoader2021
behavioral1/memory/2348-12-0x0000000000970000-0x0000000000AD0000-memory.dmp	DanabotLoader2021
behavioral1/memory/2348-13-0x0000000000970000-0x0000000000AD0000-memory.dmp	DanabotLoader2021
behavioral1/memory/2348-14-0x0000000000970000-0x0000000000AD0000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 2348 rundll32.exe

flow	pid	process
2	2348	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2344 wrote to memory of 2348	2344	rundll32.exe	rundll32.exe
PID 2344 wrote to memory of 2348	2344	rundll32.exe	rundll32.exe
PID 2344 wrote to memory of 2348	2344	rundll32.exe	rundll32.exe
PID 2344 wrote to memory of 2348	2344	rundll32.exe	rundll32.exe
PID 2344 wrote to memory of 2348	2344	rundll32.exe	rundll32.exe
PID 2344 wrote to memory of 2348	2344	rundll32.exe	rundll32.exe
PID 2344 wrote to memory of 2348	2344	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b685d84d71de2f4753106d3b439c4a37_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b685d84d71de2f4753106d3b439c4a37_JaffaCakes118.dll,#1
2⤵
- Blocklisted process makes network request
PID:2348

memory/2348-0-0x0000000000970000-0x0000000000AD0000-memory.dmp

Filesize
1.4MB

Download
memory/2348-1-0x0000000000970000-0x0000000000AD0000-memory.dmp

Filesize
1.4MB

Download
memory/2348-2-0x0000000000970000-0x0000000000AD0000-memory.dmp

Filesize
1.4MB

Download
memory/2348-3-0x0000000000970000-0x0000000000AD0000-memory.dmp

Filesize
1.4MB

Download
memory/2348-4-0x0000000000970000-0x0000000000AD0000-memory.dmp

Filesize
1.4MB

Download
memory/2348-5-0x0000000000970000-0x0000000000AD0000-memory.dmp

Filesize
1.4MB

Download
memory/2348-6-0x0000000000970000-0x0000000000AD0000-memory.dmp

Filesize
1.4MB

Download
memory/2348-7-0x0000000000970000-0x0000000000AD0000-memory.dmp

Filesize
1.4MB

Download
memory/2348-8-0x0000000000970000-0x0000000000AD0000-memory.dmp

Filesize
1.4MB

Download
memory/2348-9-0x0000000000970000-0x0000000000AD0000-memory.dmp

Filesize
1.4MB

Download
memory/2348-10-0x0000000000970000-0x0000000000AD0000-memory.dmp

Filesize
1.4MB

Download
memory/2348-11-0x0000000000970000-0x0000000000AD0000-memory.dmp

Filesize
1.4MB

Download
memory/2348-12-0x0000000000970000-0x0000000000AD0000-memory.dmp

Filesize
1.4MB

Download
memory/2348-13-0x0000000000970000-0x0000000000AD0000-memory.dmp

Filesize
1.4MB

Download
memory/2348-14-0x0000000000970000-0x0000000000AD0000-memory.dmp

Filesize
1.4MB

Download