danabot | 40edb22b5967cfeb7b56ff2bd41a97fdeabbfd2a2cb7c7b2020c402f2274e325

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb24cb12e0315ba0c5c8a0add05baa88_JaffaCakes118.exe
Size

1.2MB
MD5

fb24cb12e0315ba0c5c8a0add05baa88
SHA1

e46da0e271242aaf70143892136e7280d19da266
SHA256

40edb22b5967cfeb7b56ff2bd41a97fdeabbfd2a2cb7c7b2020c402f2274e325
SHA512

0a3394320165b8ed3486e9c74fcd923a9658315dd48c72585cb12b5a1df7e79d2292c8017a97065b009520a52202c4f730366faaaaf465f7d039602deb4a0459
SSDEEP

24576:nztkoD42cMZ4rTy5rhwuR5M71Il9+zudfik4LjE5cukYIMSilA:pTR5rhwuR5SXuUFjgjIMJ

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 11 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000b0000000233f4-5.dat	DanabotLoader2021
behavioral2/memory/4260-8-0x0000000002270000-0x00000000023CF000-memory.dmp	DanabotLoader2021
behavioral2/memory/4260-12-0x0000000002270000-0x00000000023CF000-memory.dmp	DanabotLoader2021
behavioral2/memory/4260-20-0x0000000002270000-0x00000000023CF000-memory.dmp	DanabotLoader2021
behavioral2/memory/4260-21-0x0000000002270000-0x00000000023CF000-memory.dmp	DanabotLoader2021
behavioral2/memory/4260-22-0x0000000002270000-0x00000000023CF000-memory.dmp	DanabotLoader2021
behavioral2/memory/4260-23-0x0000000002270000-0x00000000023CF000-memory.dmp	DanabotLoader2021
behavioral2/memory/4260-24-0x0000000002270000-0x00000000023CF000-memory.dmp	DanabotLoader2021
behavioral2/memory/4260-25-0x0000000002270000-0x00000000023CF000-memory.dmp	DanabotLoader2021
behavioral2/memory/4260-26-0x0000000002270000-0x00000000023CF000-memory.dmp	DanabotLoader2021
behavioral2/memory/4260-27-0x0000000002270000-0x00000000023CF000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow	pid	Process
67	4260	rundll32.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid	Process
4260	rundll32.exe
4260	rundll32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
4332	4724	WerFault.exe	83

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

fb24cb12e0315ba0c5c8a0add05baa88_JaffaCakes118.exe

description	pid	Process	procid_target
PID 4724 wrote to memory of 4260	4724	fb24cb12e0315ba0c5c8a0add05baa88_JaffaCakes118.exe	87
PID 4724 wrote to memory of 4260	4724	fb24cb12e0315ba0c5c8a0add05baa88_JaffaCakes118.exe	87
PID 4724 wrote to memory of 4260	4724	fb24cb12e0315ba0c5c8a0add05baa88_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\fb24cb12e0315ba0c5c8a0add05baa88_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb24cb12e0315ba0c5c8a0add05baa88_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\FB24CB~1.TMP,S C:\Users\Admin\AppData\Local\Temp\FB24CB~1.EXE
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:4260
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 448
  2⤵
  - Program crash
  PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4724 -ip 4724
1⤵
PID:2872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FB24CB~1.TMP

Filesize
1.3MB

MD5
0c13e3cdc49f0ff630b1b88cd02c3fe1

SHA1
9fc58ec62a89813ea0bf9eee4d507895c63be46a

SHA256
785514ebf057bf14ef8a67d20fcf3665d1b5940749eb35ea80ca0b1e2d5dbad4

SHA512
2f58f036b9bb38dde803b13dcde2371517f625108dcd08488ce909fa4e893d3750e1b8b7e39087dc99b0260e6f5ff9433f48c939bbc9373f3e4e93a20790e8d0

Download Submit
memory/4260-24-0x0000000002270000-0x00000000023CF000-memory.dmp

Filesize
1.4MB

Download
memory/4260-23-0x0000000002270000-0x00000000023CF000-memory.dmp

Filesize
1.4MB

Download
memory/4260-8-0x0000000002270000-0x00000000023CF000-memory.dmp

Filesize
1.4MB

Download
memory/4260-27-0x0000000002270000-0x00000000023CF000-memory.dmp

Filesize
1.4MB

Download
memory/4260-26-0x0000000002270000-0x00000000023CF000-memory.dmp

Filesize
1.4MB

Download
memory/4260-25-0x0000000002270000-0x00000000023CF000-memory.dmp

Filesize
1.4MB

Download
memory/4260-20-0x0000000002270000-0x00000000023CF000-memory.dmp

Filesize
1.4MB

Download
memory/4260-21-0x0000000002270000-0x00000000023CF000-memory.dmp

Filesize
1.4MB

Download
memory/4260-12-0x0000000002270000-0x00000000023CF000-memory.dmp

Filesize
1.4MB

Download
memory/4260-22-0x0000000002270000-0x00000000023CF000-memory.dmp

Filesize
1.4MB

Download
memory/4724-2-0x0000000005190000-0x0000000005291000-memory.dmp

Filesize
1.0MB

Download
memory/4724-1-0x00000000050A0000-0x0000000005190000-memory.dmp

Filesize
960KB

Download
memory/4724-11-0x0000000005190000-0x0000000005291000-memory.dmp

Filesize
1.0MB

Download
memory/4724-10-0x0000000000400000-0x000000000332A000-memory.dmp

Filesize
47.2MB

Download
memory/4724-9-0x0000000000400000-0x000000000332A000-memory.dmp

Filesize
47.2MB

Download