Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
21/04/2024, 09:24 UTC
Behavioral task
behavioral1
Sample
fef6b272e83c2db9338ad55ffb6e8f6e_JaffaCakes118.dll
Resource
win7-20240221-en
4 signatures
150 seconds
General
-
Target
fef6b272e83c2db9338ad55ffb6e8f6e_JaffaCakes118.dll
-
Size
1.3MB
-
MD5
fef6b272e83c2db9338ad55ffb6e8f6e
-
SHA1
90c912ce3613ebcc0ecad406bf1c86fdc58162a8
-
SHA256
90d3303cc9628d39013556750168afdcb0d3196d95ae004fd5a9642238636875
-
SHA512
4b7d93dd2e9458e277391f3074dc76d4e92442bf1db0d7fb630f4896f27001bf4350062ddeb452887d1d6e69f6cac914bab6bad34e086a2fb8b6b951d23e4f7c
-
SSDEEP
24576:2cFXB3P/KiY386VWysaBaotyaD8u9hZ0Bc0TU522c:tWzXko8awdc0Ty22c
Malware Config
Extracted
Family
danabot
Botnet
15
C2
192.52.167.44:443
192.52.166.92:443
192.52.167.45:443
173.254.204.95:443
Attributes
-
embedded_hash
740FCC7615F224B3D909D4EC25568A2A
-
type
loader
rsa_pubkey.plain
1
-----BEGIN PUBLIC KEY-----
2
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCX+LhsoxcvmIw/a4O0dRy2Y0mp
3
bxQzvGQFTYy5/zrmf+FDKKvvxI2NSyhjP2/CnVYCPDds5/AKiKdy06LAbu5ZsGWB
4
l07IjPoAXz+X/K+D/ROUwjQ0MRj7ligpT2FYBy3jGALm/Nm12P0cbYhuWxFg2otG
5
sF8fpzFA38TKPrbIVQIDAQAB
6
-----END PUBLIC KEY-----
rsa_privkey.plain
1
-----BEGIN PRIVATE KEY-----
2
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAKQGqho6IZgMXeXY
3
EYC4/OJ1JWPa4HisQCEb8nJ50i9McjpFmcYtdpf4mBp28L8xvThQm0c+xFa2502c
4
PGl+Gl7riQrpmzw4qLUaVaUTHmhq9y1LE93N9vhH7yXGUFmhxwtERgxcRuIMLHjs
5
tZXQnX9j8QthO/jm1IFVKHvr5W25AgMBAAECgYEAk+2SwX6Fx5v3nw+DkYTERPQD
6
mY/Pe+VVHMcYm9d0EMYwCo+0xH9CAoLnoo58RuJz1XMU52cbKV1hM6Rg838QBfKp
7
RZHp+Hjl1jC8stka8y/6Xl6rcBY88+dfXlBSHl0nGYcrj3d0vLXnd7ecfUqCDOaW
8
zRYSV1NVczJSnm9b6WUCQQDaSumj1xW28GH6JPfY22td5BvuvLaIe7uhipwB09w3
9
SW6fZJUrsnhDoYFECaTocskPWawo8LEp6YNYs8F4BqhrAkEAwFwJUvhNN0S1qOYO
10
EBAcr+BDyQWJMbwlEJTXhh9qoDAUQWDCTXtAiuLpSHSv+PHZd6DWUmR5OWQeRtwC
11
NX1bawJAZS/yi6MJCsr078oxJVHYvCYgGJNbnXqVqDUjSemWG/6rC7HJP/8zpk34
12
KLy7t5B1yOrNVhD0XrRC0VxJ40RazwJBAIu0DD2LAiFqsHiLJJl76im9ud1MPPi3
13
CUBCqUjKlljiskNNL7CwHA8Cf6TUwl0N4P/l+uH6AKSy1t5luOD6OyMCQDDUpPtf
14
NbIsrENcbujqM7bWC15IuhMjyonl2HbFVCBC8dxyZJwsHRvoypQ7kPH0Yv494ZJa
15
/RMtHuDPu8gTtzI=
16
-----END PRIVATE KEY-----
Signatures
-
Danabot Loader Component 2 IoCs
resource yara_rule behavioral1/memory/2772-0-0x0000000001F90000-0x00000000020ED000-memory.dmp DanabotLoader2021 behavioral1/memory/2772-1-0x0000000001F90000-0x00000000020ED000-memory.dmp DanabotLoader2021 -
Blocklisted process makes network request 1 IoCs
flow pid Process 2 2772 rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2008 wrote to memory of 2772 2008 rundll32.exe 28 PID 2008 wrote to memory of 2772 2008 rundll32.exe 28 PID 2008 wrote to memory of 2772 2008 rundll32.exe 28 PID 2008 wrote to memory of 2772 2008 rundll32.exe 28 PID 2008 wrote to memory of 2772 2008 rundll32.exe 28 PID 2008 wrote to memory of 2772 2008 rundll32.exe 28 PID 2008 wrote to memory of 2772 2008 rundll32.exe 28
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\fef6b272e83c2db9338ad55ffb6e8f6e_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\fef6b272e83c2db9338ad55ffb6e8f6e_JaffaCakes118.dll,#12⤵
- Blocklisted process makes network request
PID:2772
-