Analysis
- max time kernel: 140s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07-04-2024 18:43
Behavioral task: behavioral1
- Sample: e59b006e2fffda4d0cc7d8c185cd2c19_JaffaCakes118.dll
- Resource: win7-20240221-en (windows7-x64)
- Signatures: 3
- Duration: 150 seconds
General
- Target: e59b006e2fffda4d0cc7d8c185cd2c19_JaffaCakes118.dll
- Size: 1.3MB
- MD5: e59b006e2fffda4d0cc7d8c185cd2c19
- SHA1: 259e929ac08f2aea90ef45b5a28b3cf57a7ddc97
- SHA256: c6b70d184339d61b7a42f0c189cadb0b22b3ebec18b194b7e5a334a9006d3aed
- SHA512: 1f9165146f80d3b01271708f5850528496c3b8ae8556d6eeb2dc8c04b4e969773bb16334f4087a8955913c2cbacf98c5c70010fd2e31ca7e7d56ba6ee5471d3d
- SSDEEP: 24576:L8pWEmDXswcrLEEcQ1fObM5HqTgNmsBdyTWnrO:QtSzeTBdyTq
Malware Config (extracted)
- Family: danabot
- Botnet: 4
- C2:
  - 23.229.29.48:443
  - 5.9.224.204:443
  - 192.210.222.81:443
- Attributes:
  - embedded_hash: 0E1A7A1479C37094441FA911262B322A
  - type: loader
  - rsa_pubkey.plain
  - rsa_privkey.plain
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes:
  flow  pid   Process
  2     2832  rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  description               pid   Process       procid_target
  PID 1800 wrote to memory of 2832  1800  rundll32.exe  28
  PID 1800 wrote to memory of 2832  1800  rundll32.exe  28
  PID 1800 wrote to memory of 2832  1800  rundll32.exe  28
  PID 1800 wrote to memory of 2832  1800  rundll32.exe  28
  PID 1800 wrote to memory of 2832  1800  rundll32.exe  28
  PID 1800 wrote to memory of 2832  1800  rundll32.exe  28
  PID 1800 wrote to memory of 2832  1800  rundll32.exe  28
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e59b006e2fffda4d0cc7d8c185cd2c19_JaffaCakes118.dll,#1
  PID: 1800
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child of PID 1800)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e59b006e2fffda4d0cc7d8c185cd2c19_JaffaCakes118.dll,#1
    PID: 2832
    - Blocklisted process makes network request