danabot | 7e93386b0f4aee6ba5dba9b29ebbf2926c99a83ff57e4f7719d652e2b0ba301f

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 08:08

Target

f9e0642b0e36d83c2c58953619e6f4c5_JaffaCakes118.dll
Size

1.3MB
MD5

f9e0642b0e36d83c2c58953619e6f4c5
SHA1

b00c21cc5e56f77472313ea1017d0db97f1e5c86
SHA256

7e93386b0f4aee6ba5dba9b29ebbf2926c99a83ff57e4f7719d652e2b0ba301f
SHA512

25675403947478631855fb9008f1f9234843f3bdfaab816570dfe10549d22651a2b0a1c408ff6094db062cf3272bdf0cd6d14ff91099fc36bf9bab708001c104
SSDEEP

24576:1ncFd4/jGahKXNsix1g9zbu8e/3FiE+TCzgcAw:SEs+buX7+TNZ

Score

10^/10

Family

danabot

Botnet

142.11.192.232:443

192.119.110.73:443

142.11.242.31:443

192.210.222.88:443

Attributes

rsa_pubkey.plain

rsa_privkey.plain

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow	pid	Process
2	2176	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	Process	procid_target
PID 3060 wrote to memory of 2176	3060	rundll32.exe	28
PID 3060 wrote to memory of 2176	3060	rundll32.exe	28
PID 3060 wrote to memory of 2176	3060	rundll32.exe	28
PID 3060 wrote to memory of 2176	3060	rundll32.exe	28
PID 3060 wrote to memory of 2176	3060	rundll32.exe	28
PID 3060 wrote to memory of 2176	3060	rundll32.exe	28
PID 3060 wrote to memory of 2176	3060	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f9e0642b0e36d83c2c58953619e6f4c5_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f9e0642b0e36d83c2c58953619e6f4c5_JaffaCakes118.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:2176

memory/2176-0-0x0000000001E90000-0x0000000001FF3000-memory.dmp

Filesize
1.4MB

Download
memory/2176-1-0x0000000001E90000-0x0000000001FF3000-memory.dmp

Filesize
1.4MB

Download
memory/2176-2-0x0000000001E90000-0x0000000001FF3000-memory.dmp

Filesize
1.4MB

Download
memory/2176-3-0x0000000001E90000-0x0000000001FF3000-memory.dmp

Filesize
1.4MB

Download
memory/2176-4-0x0000000001E90000-0x0000000001FF3000-memory.dmp

Filesize
1.4MB

Download
memory/2176-5-0x0000000001E90000-0x0000000001FF3000-memory.dmp

Filesize
1.4MB

Download
memory/2176-6-0x0000000001E90000-0x0000000001FF3000-memory.dmp

Filesize
1.4MB

Download
memory/2176-7-0x0000000001E90000-0x0000000001FF3000-memory.dmp

Filesize
1.4MB

Download
memory/2176-8-0x0000000001E90000-0x0000000001FF3000-memory.dmp

Filesize
1.4MB

Download
memory/2176-9-0x0000000001E90000-0x0000000001FF3000-memory.dmp

Filesize
1.4MB

Download
memory/2176-10-0x0000000001E90000-0x0000000001FF3000-memory.dmp

Filesize
1.4MB

Download
memory/2176-11-0x0000000001E90000-0x0000000001FF3000-memory.dmp

Filesize
1.4MB

Download
memory/2176-12-0x0000000001E90000-0x0000000001FF3000-memory.dmp

Filesize
1.4MB

Download
memory/2176-13-0x0000000001E90000-0x0000000001FF3000-memory.dmp

Filesize
1.4MB

Download
memory/2176-14-0x0000000001E90000-0x0000000001FF3000-memory.dmp

Filesize
1.4MB

Download