danabot | dbf7ee1c646a64f9b4aea4b4180b15a91fa4e31b7e35bb2ed2a3e65301db98d6

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 08:23

Target

fc55d7afa5ad97587a0d02965e69501b_JaffaCakes118.dll
Size

1.3MB
MD5

fc55d7afa5ad97587a0d02965e69501b
SHA1

e485195a77d6ac84189da82c088698e3118d01bb
SHA256

dbf7ee1c646a64f9b4aea4b4180b15a91fa4e31b7e35bb2ed2a3e65301db98d6
SHA512

e03bb1a1c018811a5f4f93f5206a25c2de8b9de8763b2847e07770cc7fc763300662e5e642706e90ccae6a8ea4ea17ad9ebd8392ee95b5946397605389d5f303
SSDEEP

24576:0IhaxlfjpVpSyBbYqx+RCwO6p8dDdPC7leTYuT+Pti:ruRDa4wpp8dscPTUti

Score

10^/10

Family

danabot

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

rsa_pubkey.plain

rsa_privkey.plain

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow	pid	Process
2	1952	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	Process	procid_target
PID 2476 wrote to memory of 1952	2476	rundll32.exe	28
PID 2476 wrote to memory of 1952	2476	rundll32.exe	28
PID 2476 wrote to memory of 1952	2476	rundll32.exe	28
PID 2476 wrote to memory of 1952	2476	rundll32.exe	28
PID 2476 wrote to memory of 1952	2476	rundll32.exe	28
PID 2476 wrote to memory of 1952	2476	rundll32.exe	28
PID 2476 wrote to memory of 1952	2476	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc55d7afa5ad97587a0d02965e69501b_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc55d7afa5ad97587a0d02965e69501b_JaffaCakes118.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:1952

memory/1952-0-0x0000000002010000-0x000000000216C000-memory.dmp

Filesize
1.4MB

Download
memory/1952-1-0x0000000002010000-0x000000000216C000-memory.dmp

Filesize
1.4MB

Download
memory/1952-2-0x0000000002010000-0x000000000216C000-memory.dmp

Filesize
1.4MB

Download
memory/1952-3-0x0000000002010000-0x000000000216C000-memory.dmp

Filesize
1.4MB

Download
memory/1952-4-0x0000000002010000-0x000000000216C000-memory.dmp

Filesize
1.4MB

Download
memory/1952-5-0x0000000002010000-0x000000000216C000-memory.dmp

Filesize
1.4MB

Download
memory/1952-6-0x0000000002010000-0x000000000216C000-memory.dmp

Filesize
1.4MB

Download
memory/1952-7-0x0000000002010000-0x000000000216C000-memory.dmp

Filesize
1.4MB

Download
memory/1952-8-0x0000000002010000-0x000000000216C000-memory.dmp

Filesize
1.4MB

Download
memory/1952-9-0x0000000002010000-0x000000000216C000-memory.dmp

Filesize
1.4MB

Download
memory/1952-10-0x0000000002010000-0x000000000216C000-memory.dmp

Filesize
1.4MB

Download
memory/1952-11-0x0000000002010000-0x000000000216C000-memory.dmp

Filesize
1.4MB

Download
memory/1952-12-0x0000000002010000-0x000000000216C000-memory.dmp

Filesize
1.4MB

Download
memory/1952-13-0x0000000002010000-0x000000000216C000-memory.dmp

Filesize
1.4MB

Download
memory/1952-14-0x0000000002010000-0x000000000216C000-memory.dmp

Filesize
1.4MB

Download