danabot | 55f0976368822adb482407f46a40dcb9e0f2cc7e874d8b67c2bc82d82f7131e0

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-04-2024 19:40

Target

e84028b94d3abf5f753fe4ef54b4427e_JaffaCakes118.exe
Size

1.1MB
MD5

e84028b94d3abf5f753fe4ef54b4427e
SHA1

6b49249dd5b5cddd81a40e043efba289972ad8b2
SHA256

55f0976368822adb482407f46a40dcb9e0f2cc7e874d8b67c2bc82d82f7131e0
SHA512

e3eb19f516696d187a72006a1eb52375ef5b508605592f2ecc8e830a6352f3b2cd2687607fb00ee340af1664b84eb2e2b5a957a44cb787a18b386e6aabc10668
SSDEEP

24576:B67kak6S99HaKXLT75+6LdwjeiCjHoC36i/38mhKMbbojl:B9Xj5+6hiy36i/3jhKMbkj

Score

10^/10

Family

danabot

Botnet

23.229.29.48:443

5.9.224.204:443

192.210.222.81:443

Attributes

rsa_pubkey.plain

rsa_privkey.plain

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 5 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000d000000012267-17.dat	DanabotLoader2021
behavioral1/memory/2940-18-0x0000000000410000-0x0000000000570000-memory.dmp	DanabotLoader2021
behavioral1/memory/2940-20-0x0000000000410000-0x0000000000570000-memory.dmp	DanabotLoader2021
behavioral1/memory/2940-35-0x0000000000410000-0x0000000000570000-memory.dmp	DanabotLoader2021
behavioral1/memory/2940-36-0x0000000000410000-0x0000000000570000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow	pid	Process
2	2940	rundll32.exe

Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

e84028b94d3abf5f753fe4ef54b4427e_JaffaCakes118.exe

description	pid	Process	procid_target
PID 1924 wrote to memory of 2940	1924	e84028b94d3abf5f753fe4ef54b4427e_JaffaCakes118.exe	30
PID 1924 wrote to memory of 2940	1924	e84028b94d3abf5f753fe4ef54b4427e_JaffaCakes118.exe	30
PID 1924 wrote to memory of 2940	1924	e84028b94d3abf5f753fe4ef54b4427e_JaffaCakes118.exe	30
PID 1924 wrote to memory of 2940	1924	e84028b94d3abf5f753fe4ef54b4427e_JaffaCakes118.exe	30
PID 1924 wrote to memory of 2940	1924	e84028b94d3abf5f753fe4ef54b4427e_JaffaCakes118.exe	30
PID 1924 wrote to memory of 2940	1924	e84028b94d3abf5f753fe4ef54b4427e_JaffaCakes118.exe	30
PID 1924 wrote to memory of 2940	1924	e84028b94d3abf5f753fe4ef54b4427e_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\e84028b94d3abf5f753fe4ef54b4427e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e84028b94d3abf5f753fe4ef54b4427e_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\E84028~1.DLL,s C:\Users\Admin\AppData\Local\Temp\E84028~1.EXE
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:2940

\Users\Admin\AppData\Local\Temp\E84028~1.DLL

Filesize
1.3MB

MD5
cb43018765ab34eea509f10a829d8bd3

SHA1
b8b6291602ee78b8694b23f7157251f73405d10f

SHA256
256b21d881823a210ca3fcc6f4c2517c54e0891b63ea431026ab555059231d01

SHA512
6126173366bc0c12aff95e9ca499a6f44c00761f1c6c70e09090eb90218e6e6e21abbf40b0e8ed1c582b62352ca80294877f0b96a3781f75286c221410bbe7ba

Download Submit
memory/1924-3-0x0000000000400000-0x000000000248A000-memory.dmp

Filesize
32.5MB

Download
memory/1924-2-0x0000000002490000-0x0000000002595000-memory.dmp

Filesize
1.0MB

Download
memory/1924-0-0x0000000000270000-0x000000000035D000-memory.dmp

Filesize
948KB

Download
memory/1924-6-0x0000000000400000-0x000000000248A000-memory.dmp

Filesize
32.5MB

Download
memory/1924-8-0x0000000002490000-0x0000000002595000-memory.dmp

Filesize
1.0MB

Download
memory/1924-1-0x0000000000270000-0x000000000035D000-memory.dmp

Filesize
948KB

Download
memory/1924-19-0x0000000000400000-0x000000000248A000-memory.dmp

Filesize
32.5MB

Download
memory/1924-32-0x0000000000400000-0x000000000248A000-memory.dmp

Filesize
32.5MB

Download
memory/2940-18-0x0000000000410000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/2940-20-0x0000000000410000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/2940-35-0x0000000000410000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/2940-36-0x0000000000410000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download