danabot | 9329c623ff64360ce5e887f27e050ff9c73537aca97761da60fd9ded70e9a8c4

Analysis

max time kernel
141s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fecbacfbd7c6c9637a5c9bdc5101b92c_JaffaCakes118.exe
Size

1.1MB
MD5

fecbacfbd7c6c9637a5c9bdc5101b92c
SHA1

edd422674fb34b625753bf24bebecf052ec175ca
SHA256

9329c623ff64360ce5e887f27e050ff9c73537aca97761da60fd9ded70e9a8c4
SHA512

cb1ca2afc808b6e7ce83eb5017d2ac173334baafabe5e7e27f6cde697b30a50bd5bd88424a05e7a867eb015737b7bd04ef8ab4e0de2134c1cab734cda4ff212f
SSDEEP

24576:RDPvuiFY3TVoqQ1fone333t1sJvOEuTH3uVRnknDr5BPA:BXuiFY3TM80dmbuTH3uOn5BI

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001224c-7.dat	DanabotLoader2021
behavioral1/memory/2980-9-0x0000000000280000-0x00000000003DE000-memory.dmp	DanabotLoader2021
behavioral1/memory/2980-11-0x0000000000280000-0x00000000003DE000-memory.dmp	DanabotLoader2021
behavioral1/memory/2980-19-0x0000000000280000-0x00000000003DE000-memory.dmp	DanabotLoader2021
behavioral1/memory/2980-20-0x0000000000280000-0x00000000003DE000-memory.dmp	DanabotLoader2021
behavioral1/memory/2980-21-0x0000000000280000-0x00000000003DE000-memory.dmp	DanabotLoader2021
behavioral1/memory/2980-22-0x0000000000280000-0x00000000003DE000-memory.dmp	DanabotLoader2021
behavioral1/memory/2980-23-0x0000000000280000-0x00000000003DE000-memory.dmp	DanabotLoader2021
behavioral1/memory/2980-24-0x0000000000280000-0x00000000003DE000-memory.dmp	DanabotLoader2021
behavioral1/memory/2980-25-0x0000000000280000-0x00000000003DE000-memory.dmp	DanabotLoader2021
behavioral1/memory/2980-26-0x0000000000280000-0x00000000003DE000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2980	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2980	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2980	2924	fecbacfbd7c6c9637a5c9bdc5101b92c_JaffaCakes118.exe	28
PID 2924 wrote to memory of 2980	2924	fecbacfbd7c6c9637a5c9bdc5101b92c_JaffaCakes118.exe	28
PID 2924 wrote to memory of 2980	2924	fecbacfbd7c6c9637a5c9bdc5101b92c_JaffaCakes118.exe	28
PID 2924 wrote to memory of 2980	2924	fecbacfbd7c6c9637a5c9bdc5101b92c_JaffaCakes118.exe	28
PID 2924 wrote to memory of 2980	2924	fecbacfbd7c6c9637a5c9bdc5101b92c_JaffaCakes118.exe	28
PID 2924 wrote to memory of 2980	2924	fecbacfbd7c6c9637a5c9bdc5101b92c_JaffaCakes118.exe	28
PID 2924 wrote to memory of 2980	2924	fecbacfbd7c6c9637a5c9bdc5101b92c_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\fecbacfbd7c6c9637a5c9bdc5101b92c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fecbacfbd7c6c9637a5c9bdc5101b92c_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\FECBAC~1.TMP,S C:\Users\Admin\AppData\Local\Temp\FECBAC~1.EXE
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:2980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FECBAC~1.TMP

Filesize
1.3MB

MD5
c92a53cc671aa0e174d0697f7b6e35e9

SHA1
a2dd513e7988b2e2d56b4bede0840093ad2ac4bb

SHA256
aaf22f0fb83992b924ada07e7f7353c8cda6a208330aefc1e5127fcccc9e2aea

SHA512
e158f8318b2715a8176d15b5778632c99fbea5217f5921ce9da2737e3f63049c75a1982577c65f938b4dd62b853adbee80d0af0251dceae3f395a6ec87602e8d

Download Submit
memory/2924-0-0x0000000000980000-0x0000000000A6A000-memory.dmp

Filesize
936KB

Download
memory/2924-1-0x0000000000980000-0x0000000000A6A000-memory.dmp

Filesize
936KB

Download
memory/2924-2-0x00000000022B0000-0x00000000023B0000-memory.dmp

Filesize
1024KB

Download
memory/2924-6-0x0000000000400000-0x000000000097F000-memory.dmp

Filesize
5.5MB

Download
memory/2924-5-0x0000000000400000-0x000000000097F000-memory.dmp

Filesize
5.5MB

Download
memory/2924-10-0x00000000022B0000-0x00000000023B0000-memory.dmp

Filesize
1024KB

Download
memory/2980-11-0x0000000000280000-0x00000000003DE000-memory.dmp

Filesize
1.4MB

Download
memory/2980-9-0x0000000000280000-0x00000000003DE000-memory.dmp

Filesize
1.4MB

Download
memory/2980-19-0x0000000000280000-0x00000000003DE000-memory.dmp

Filesize
1.4MB

Download
memory/2980-20-0x0000000000280000-0x00000000003DE000-memory.dmp

Filesize
1.4MB

Download
memory/2980-21-0x0000000000280000-0x00000000003DE000-memory.dmp

Filesize
1.4MB

Download
memory/2980-22-0x0000000000280000-0x00000000003DE000-memory.dmp

Filesize
1.4MB

Download
memory/2980-23-0x0000000000280000-0x00000000003DE000-memory.dmp

Filesize
1.4MB

Download
memory/2980-24-0x0000000000280000-0x00000000003DE000-memory.dmp

Filesize
1.4MB

Download
memory/2980-25-0x0000000000280000-0x00000000003DE000-memory.dmp

Filesize
1.4MB

Download
memory/2980-26-0x0000000000280000-0x00000000003DE000-memory.dmp

Filesize
1.4MB

Download