danabot | d2a6216f8222981c57145891441d757286e945977e20df57fa6f83bbbe4f799c

Analysis

max time kernel
143s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-04-2024 08:09

Target

e476a9b5d996a26fea7435e9a84d2177_JaffaCakes118.dll
Size

1.3MB
MD5

e476a9b5d996a26fea7435e9a84d2177
SHA1

e29ff0b1dcce3ee52d66b951c6e5512b2b95141c
SHA256

d2a6216f8222981c57145891441d757286e945977e20df57fa6f83bbbe4f799c
SHA512

158c08381f7ecb5363c02a2e665386c5bd9b765af9a0d82f2babfe04e86e64fad7b8a8e60c95c8080edaf4014214a81f05b96977e927d8b57ae73aef206c9dd0
SSDEEP

24576:h8pWEmpmXXwr8gxKmuasnXbWeLy4j61ehNTmnxfC:ChHaoWeN6iTmxf

Score

10^/10

Family

danabot

Botnet

23.229.29.48:443

192.210.222.81:443

Attributes

rsa_pubkey.plain

rsa_privkey.plain

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 15 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2768-0-0x0000000000A80000-0x0000000000BE2000-memory.dmp	DanabotLoader2021
behavioral1/memory/2768-1-0x0000000000A80000-0x0000000000BE2000-memory.dmp	DanabotLoader2021
behavioral1/memory/2768-2-0x0000000000A80000-0x0000000000BE2000-memory.dmp	DanabotLoader2021
behavioral1/memory/2768-3-0x0000000000A80000-0x0000000000BE2000-memory.dmp	DanabotLoader2021
behavioral1/memory/2768-4-0x0000000000A80000-0x0000000000BE2000-memory.dmp	DanabotLoader2021
behavioral1/memory/2768-5-0x0000000000A80000-0x0000000000BE2000-memory.dmp	DanabotLoader2021
behavioral1/memory/2768-6-0x0000000000A80000-0x0000000000BE2000-memory.dmp	DanabotLoader2021
behavioral1/memory/2768-7-0x0000000000A80000-0x0000000000BE2000-memory.dmp	DanabotLoader2021
behavioral1/memory/2768-8-0x0000000000A80000-0x0000000000BE2000-memory.dmp	DanabotLoader2021
behavioral1/memory/2768-9-0x0000000000A80000-0x0000000000BE2000-memory.dmp	DanabotLoader2021
behavioral1/memory/2768-10-0x0000000000A80000-0x0000000000BE2000-memory.dmp	DanabotLoader2021
behavioral1/memory/2768-11-0x0000000000A80000-0x0000000000BE2000-memory.dmp	DanabotLoader2021
behavioral1/memory/2768-12-0x0000000000A80000-0x0000000000BE2000-memory.dmp	DanabotLoader2021
behavioral1/memory/2768-13-0x0000000000A80000-0x0000000000BE2000-memory.dmp	DanabotLoader2021
behavioral1/memory/2768-14-0x0000000000A80000-0x0000000000BE2000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 2768 rundll32.exe

flow	pid	process
2	2768	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2688 wrote to memory of 2768	2688	rundll32.exe	rundll32.exe
PID 2688 wrote to memory of 2768	2688	rundll32.exe	rundll32.exe
PID 2688 wrote to memory of 2768	2688	rundll32.exe	rundll32.exe
PID 2688 wrote to memory of 2768	2688	rundll32.exe	rundll32.exe
PID 2688 wrote to memory of 2768	2688	rundll32.exe	rundll32.exe
PID 2688 wrote to memory of 2768	2688	rundll32.exe	rundll32.exe
PID 2688 wrote to memory of 2768	2688	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e476a9b5d996a26fea7435e9a84d2177_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e476a9b5d996a26fea7435e9a84d2177_JaffaCakes118.dll,#1
2⤵
- Blocklisted process makes network request
PID:2768

memory/2768-0-0x0000000000A80000-0x0000000000BE2000-memory.dmp

Filesize
1.4MB

Download
memory/2768-1-0x0000000000A80000-0x0000000000BE2000-memory.dmp

Filesize
1.4MB

Download
memory/2768-2-0x0000000000A80000-0x0000000000BE2000-memory.dmp

Filesize
1.4MB

Download
memory/2768-3-0x0000000000A80000-0x0000000000BE2000-memory.dmp

Filesize
1.4MB

Download
memory/2768-4-0x0000000000A80000-0x0000000000BE2000-memory.dmp

Filesize
1.4MB

Download
memory/2768-5-0x0000000000A80000-0x0000000000BE2000-memory.dmp

Filesize
1.4MB

Download
memory/2768-6-0x0000000000A80000-0x0000000000BE2000-memory.dmp

Filesize
1.4MB

Download
memory/2768-7-0x0000000000A80000-0x0000000000BE2000-memory.dmp

Filesize
1.4MB

Download
memory/2768-8-0x0000000000A80000-0x0000000000BE2000-memory.dmp

Filesize
1.4MB

Download
memory/2768-9-0x0000000000A80000-0x0000000000BE2000-memory.dmp

Filesize
1.4MB

Download
memory/2768-10-0x0000000000A80000-0x0000000000BE2000-memory.dmp

Filesize
1.4MB

Download
memory/2768-11-0x0000000000A80000-0x0000000000BE2000-memory.dmp

Filesize
1.4MB

Download
memory/2768-12-0x0000000000A80000-0x0000000000BE2000-memory.dmp

Filesize
1.4MB

Download
memory/2768-13-0x0000000000A80000-0x0000000000BE2000-memory.dmp

Filesize
1.4MB

Download
memory/2768-14-0x0000000000A80000-0x0000000000BE2000-memory.dmp

Filesize
1.4MB

Download