danabot | 40edb22b5967cfeb7b56ff2bd41a97fdeabbfd2a2cb7c7b2020c402f2274e325

General

Target

fb24cb12e0315ba0c5c8a0add05baa88_JaffaCakes118.exe
Size

1.2MB
MD5

fb24cb12e0315ba0c5c8a0add05baa88
SHA1

e46da0e271242aaf70143892136e7280d19da266
SHA256

40edb22b5967cfeb7b56ff2bd41a97fdeabbfd2a2cb7c7b2020c402f2274e325
SHA512

0a3394320165b8ed3486e9c74fcd923a9658315dd48c72585cb12b5a1df7e79d2292c8017a97065b009520a52202c4f730366faaaaf465f7d039602deb4a0459
SSDEEP

24576:nztkoD42cMZ4rTy5rhwuR5M71Il9+zudfik4LjE5cukYIMSilA:pTR5rhwuR5SXuUFjgjIMJ

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1116-8-0x0000000001F90000-0x00000000020EF000-memory.dmp	DanabotLoader2021
behavioral1/files/0x000b00000001224c-7.dat	DanabotLoader2021
behavioral1/memory/1116-11-0x0000000001F90000-0x00000000020EF000-memory.dmp	DanabotLoader2021
behavioral1/memory/1116-19-0x0000000001F90000-0x00000000020EF000-memory.dmp	DanabotLoader2021
behavioral1/memory/1116-20-0x0000000001F90000-0x00000000020EF000-memory.dmp	DanabotLoader2021
behavioral1/memory/1116-21-0x0000000001F90000-0x00000000020EF000-memory.dmp	DanabotLoader2021
behavioral1/memory/1116-22-0x0000000001F90000-0x00000000020EF000-memory.dmp	DanabotLoader2021
behavioral1/memory/1116-23-0x0000000001F90000-0x00000000020EF000-memory.dmp	DanabotLoader2021
behavioral1/memory/1116-24-0x0000000001F90000-0x00000000020EF000-memory.dmp	DanabotLoader2021
behavioral1/memory/1116-25-0x0000000001F90000-0x00000000020EF000-memory.dmp	DanabotLoader2021
behavioral1/memory/1116-26-0x0000000001F90000-0x00000000020EF000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow	pid	Process
2	1116	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid	Process
1116	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

fb24cb12e0315ba0c5c8a0add05baa88_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2020 wrote to memory of 1116	2020	fb24cb12e0315ba0c5c8a0add05baa88_JaffaCakes118.exe	28
PID 2020 wrote to memory of 1116	2020	fb24cb12e0315ba0c5c8a0add05baa88_JaffaCakes118.exe	28
PID 2020 wrote to memory of 1116	2020	fb24cb12e0315ba0c5c8a0add05baa88_JaffaCakes118.exe	28
PID 2020 wrote to memory of 1116	2020	fb24cb12e0315ba0c5c8a0add05baa88_JaffaCakes118.exe	28
PID 2020 wrote to memory of 1116	2020	fb24cb12e0315ba0c5c8a0add05baa88_JaffaCakes118.exe	28
PID 2020 wrote to memory of 1116	2020	fb24cb12e0315ba0c5c8a0add05baa88_JaffaCakes118.exe	28
PID 2020 wrote to memory of 1116	2020	fb24cb12e0315ba0c5c8a0add05baa88_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\fb24cb12e0315ba0c5c8a0add05baa88_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb24cb12e0315ba0c5c8a0add05baa88_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\FB24CB~1.TMP,S C:\Users\Admin\AppData\Local\Temp\FB24CB~1.EXE
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:1116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\FB24CB~1.TMP

Filesize
1.3MB

MD5
0c13e3cdc49f0ff630b1b88cd02c3fe1

SHA1
9fc58ec62a89813ea0bf9eee4d507895c63be46a

SHA256
785514ebf057bf14ef8a67d20fcf3665d1b5940749eb35ea80ca0b1e2d5dbad4

SHA512
2f58f036b9bb38dde803b13dcde2371517f625108dcd08488ce909fa4e893d3750e1b8b7e39087dc99b0260e6f5ff9433f48c939bbc9373f3e4e93a20790e8d0

Download Submit
memory/1116-11-0x0000000001F90000-0x00000000020EF000-memory.dmp

Filesize
1.4MB

Download
memory/1116-21-0x0000000001F90000-0x00000000020EF000-memory.dmp

Filesize
1.4MB

Download
memory/1116-8-0x0000000001F90000-0x00000000020EF000-memory.dmp

Filesize
1.4MB

Download
memory/1116-26-0x0000000001F90000-0x00000000020EF000-memory.dmp

Filesize
1.4MB

Download
memory/1116-19-0x0000000001F90000-0x00000000020EF000-memory.dmp

Filesize
1.4MB

Download
memory/1116-25-0x0000000001F90000-0x00000000020EF000-memory.dmp

Filesize
1.4MB

Download
memory/1116-24-0x0000000001F90000-0x00000000020EF000-memory.dmp

Filesize
1.4MB

Download
memory/1116-23-0x0000000001F90000-0x00000000020EF000-memory.dmp

Filesize
1.4MB

Download
memory/1116-22-0x0000000001F90000-0x00000000020EF000-memory.dmp

Filesize
1.4MB

Download
memory/1116-20-0x0000000001F90000-0x00000000020EF000-memory.dmp

Filesize
1.4MB

Download
memory/2020-0-0x0000000004C40000-0x0000000004D2B000-memory.dmp

Filesize
940KB

Download
memory/2020-9-0x0000000000400000-0x000000000332A000-memory.dmp

Filesize
47.2MB

Download
memory/2020-5-0x0000000000400000-0x000000000332A000-memory.dmp

Filesize
47.2MB

Download
memory/2020-2-0x0000000004D30000-0x0000000004E31000-memory.dmp

Filesize
1.0MB

Download
memory/2020-10-0x0000000004D30000-0x0000000004E31000-memory.dmp

Filesize
1.0MB

Download
memory/2020-1-0x0000000004C40000-0x0000000004D2B000-memory.dmp

Filesize
940KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads