Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
- submitted: 07-04-2024 08:09
Behavioral task: behavioral1
- Sample: e476a9b5d996a26fea7435e9a84d2177_JaffaCakes118.dll
- Resource: win7-20240221-en
- 4 signatures
- 150 seconds
General
- Target: e476a9b5d996a26fea7435e9a84d2177_JaffaCakes118.dll
- Size: 1.3MB
- MD5: e476a9b5d996a26fea7435e9a84d2177
- SHA1: e29ff0b1dcce3ee52d66b951c6e5512b2b95141c
- SHA256: d2a6216f8222981c57145891441d757286e945977e20df57fa6f83bbbe4f799c
- SHA512: 158c08381f7ecb5363c02a2e665386c5bd9b765af9a0d82f2babfe04e86e64fad7b8a8e60c95c8080edaf4014214a81f05b96977e927d8b57ae73aef206c9dd0
- SSDEEP: 24576:h8pWEmpmXXwr8gxKmuasnXbWeLy4j61ehNTmnxfC:ChHaoWeN6iTmxf
Malware Config
Extracted
- Family: danabot
- Botnet: 4
- C2:
  23.229.29.48:443
  192.210.222.81:443
- Attributes:
  - embedded_hash: 0E1A7A1479C37094441FA911262B322A
  - type: loader
  rsa_pubkey.plain
  rsa_privkey.plain
Signatures
- Danabot Loader Component (14 IoCs)
  Processes:
  resource                                                                    yara_rule
  behavioral2/memory/3600-0-0x0000000000400000-0x0000000000562000-memory.dmp   DanabotLoader2021
  behavioral2/memory/3600-1-0x0000000000400000-0x0000000000562000-memory.dmp   DanabotLoader2021
  behavioral2/memory/3600-2-0x0000000000400000-0x0000000000562000-memory.dmp   DanabotLoader2021
  behavioral2/memory/3600-3-0x0000000000400000-0x0000000000562000-memory.dmp   DanabotLoader2021
  behavioral2/memory/3600-4-0x0000000000400000-0x0000000000562000-memory.dmp   DanabotLoader2021
  behavioral2/memory/3600-5-0x0000000000400000-0x0000000000562000-memory.dmp   DanabotLoader2021
  behavioral2/memory/3600-6-0x0000000000400000-0x0000000000562000-memory.dmp   DanabotLoader2021
  behavioral2/memory/3600-7-0x0000000000400000-0x0000000000562000-memory.dmp   DanabotLoader2021
  behavioral2/memory/3600-8-0x0000000000400000-0x0000000000562000-memory.dmp   DanabotLoader2021
  behavioral2/memory/3600-9-0x0000000000400000-0x0000000000562000-memory.dmp   DanabotLoader2021
  behavioral2/memory/3600-10-0x0000000000400000-0x0000000000562000-memory.dmp  DanabotLoader2021
  behavioral2/memory/3600-11-0x0000000000400000-0x0000000000562000-memory.dmp  DanabotLoader2021
  behavioral2/memory/3600-12-0x0000000000400000-0x0000000000562000-memory.dmp  DanabotLoader2021
  behavioral2/memory/3600-13-0x0000000000400000-0x0000000000562000-memory.dmp  DanabotLoader2021
- Blocklisted process makes network request (1 IoC)
  Processes:
  flow  pid   process
  5     3600  rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                       pid   process       target process
  PID 3140 wrote to memory of 3600  3140  rundll32.exe  rundll32.exe
  PID 3140 wrote to memory of 3600  3140  rundll32.exe  rundll32.exe
  PID 3140 wrote to memory of 3600  3140  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe (pid 3140)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e476a9b5d996a26fea7435e9a84d2177_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (pid 3600)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e476a9b5d996a26fea7435e9a84d2177_JaffaCakes118.dll,#1
    - Blocklisted process makes network request

Reading the tree: the DLL is invoked by export ordinal (",#1") rather than by name, so it need not export anything readable. The 64-bit rundll32.exe in system32 is handed a 32-bit DLL (resource tags: arch:x86) and relaunches the 32-bit SysWOW64 copy with the same command line; that child, pid 3600, is the one whose memory matches DanabotLoader2021 and the one that reaches the network. The three WriteProcessMemory IoCs are from the parent into its own freshly created child, and such writes also happen during normal process creation, so on their own they are weak evidence; the YARA matches in pid 3600 and the C2 traffic are the stronger signals.
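The chain above (ordinal-export rundll32, system32 parent to SysWOW64 child with the same DLL, parent writing into the child, child contacting a configured C2) is what an analyst would turn into a hunt. The following is an added example, not part of this report or of the sandbox that produced it: it runs that detection logic over constructed telemetry modelled on the report (pids 3140 and 3600, the command lines in the tree, the two C2 endpoints from the extracted config). The event field names (ProcEvent, MemWriteEvent, NetEvent and their attributes) are an assumed schema, not any particular EDR's.

```python
"""Detection logic for the rundll32 hand-off and C2 contact recorded in the
report, run over constructed events.  Field names are an assumed schema."""
import re
from dataclasses import dataclass

# C2 endpoints from the "Malware Config" section of the report.
C2_FROM_CONFIG = {("23.229.29.48", 443), ("192.210.222.81", 443)}

# rundll32 syntax is "<dll>,<export>"; an export written as "#<n>" is called
# by ordinal, so the DLL can export nothing by name and still run.
RUNDLL32_RE = re.compile(
    r'(?i)rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>#?\w+)')

@dataclass
class ProcEvent:      # process creation (assumed schema)
    pid: int
    ppid: int
    image: str
    cmdline: str

@dataclass
class MemWriteEvent:  # cross-process WriteProcessMemory (assumed schema)
    source_pid: int
    target_pid: int

@dataclass
class NetEvent:       # outbound connection (assumed schema)
    pid: int
    dst_ip: str
    dst_port: int

def parse_rundll32(cmdline):
    """Return {'dll', 'export', 'by_ordinal'} for a rundll32 command line, else None."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return None
    export = m.group("export")
    return {"dll": m.group("dll"), "export": export, "by_ordinal": export.startswith("#")}

def _is_native_rundll32(image):
    return image.lower() == r"c:\windows\system32\rundll32.exe"

def _is_wow64_rundll32(image):
    return image.lower() == r"c:\windows\syswow64\rundll32.exe"

def detect_rundll32_injection(procs, memwrites):
    """Flag a system32 rundll32 whose child is a SysWOW64 rundll32 loading the
    same DLL, and record whether the parent also wrote into the child's memory."""
    by_pid = {p.pid: p for p in procs}
    writes = {(w.source_pid, w.target_pid) for w in memwrites}
    hits = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        if not (_is_native_rundll32(parent.image) and _is_wow64_rundll32(child.image)):
            continue
        pl, cl = parse_rundll32(parent.cmdline), parse_rundll32(child.cmdline)
        if pl is None or cl is None or pl["dll"].lower() != cl["dll"].lower():
            continue
        hits.append({
            "parent_pid": parent.pid, "child_pid": child.pid,
            "dll": cl["dll"], "export": cl["export"], "by_ordinal": cl["by_ordinal"],
            "wrote_to_child": (parent.pid, child.pid) in writes,
        })
    return hits

def detect_c2_connections(netevents, c2=C2_FROM_CONFIG):
    """Return (pid, ip, port) for every connection to a configured C2 endpoint."""
    return [(n.pid, n.dst_ip, n.dst_port) for n in netevents if (n.dst_ip, n.dst_port) in c2]

# Constructed sample telemetry modelled on the report's process tree and IoC tables.
DLL = r"C:\Users\Admin\AppData\Local\Temp\e476a9b5d996a26fea7435e9a84d2177_JaffaCakes118.dll"
SAMPLE_PROCS = [
    ProcEvent(3140, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(3600, 3140, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    # Benign control: named export, no WOW64 child.
    ProcEvent(4100, 1000, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]
SAMPLE_MEMWRITES = [MemWriteEvent(3140, 3600)] * 3   # the three WriteProcessMemory IoCs
SAMPLE_NET = [NetEvent(3600, "23.229.29.48", 443), NetEvent(3600, "8.8.8.8", 53)]

if __name__ == "__main__":
    for h in detect_rundll32_injection(SAMPLE_PROCS, SAMPLE_MEMWRITES):
        print("rundll32 WOW64 hand-off:", h)
    for c in detect_c2_connections(SAMPLE_NET):
        print("Danabot C2 contact:", c)
```

The parent-to-child pairing with the same DLL is what separates this from an ordinary rundll32 launch; the ordinal flag and the memory write are recorded as supporting fields rather than required conditions, so the rule still fires if a variant exports by name or the EDR does not log WriteProcessMemory.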
Downloads
All 14 dumps cover the same region of pid 3600, 0x0000000000400000-0x0000000000562000 (0x162000 bytes, 1.4MB), captured at successive points in the run; these are the regions the DanabotLoader2021 rule matched above.
- memory/3600-0-0x0000000000400000-0x0000000000562000-memory.dmp   1.4MB
- memory/3600-1-0x0000000000400000-0x0000000000562000-memory.dmp   1.4MB
- memory/3600-2-0x0000000000400000-0x0000000000562000-memory.dmp   1.4MB
- memory/3600-3-0x0000000000400000-0x0000000000562000-memory.dmp   1.4MB
- memory/3600-4-0x0000000000400000-0x0000000000562000-memory.dmp   1.4MB
- memory/3600-5-0x0000000000400000-0x0000000000562000-memory.dmp   1.4MB
- memory/3600-6-0x0000000000400000-0x0000000000562000-memory.dmp   1.4MB
- memory/3600-7-0x0000000000400000-0x0000000000562000-memory.dmp   1.4MB
- memory/3600-8-0x0000000000400000-0x0000000000562000-memory.dmp   1.4MB
- memory/3600-9-0x0000000000400000-0x0000000000562000-memory.dmp   1.4MB
- memory/3600-10-0x0000000000400000-0x0000000000562000-memory.dmp  1.4MB
- memory/3600-11-0x0000000000400000-0x0000000000562000-memory.dmp  1.4MB
- memory/3600-12-0x0000000000400000-0x0000000000562000-memory.dmp  1.4MB
- memory/3600-13-0x0000000000400000-0x0000000000562000-memory.dmp  1.4MB