Analysis

  • max time kernel
    140s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/04/2024, 09:24 UTC

General

  • Target

    fef6b272e83c2db9338ad55ffb6e8f6e_JaffaCakes118.dll

  • Size

    1.3MB

  • MD5

    fef6b272e83c2db9338ad55ffb6e8f6e

  • SHA1

    90c912ce3613ebcc0ecad406bf1c86fdc58162a8

  • SHA256

    90d3303cc9628d39013556750168afdcb0d3196d95ae004fd5a9642238636875

  • SHA512

    4b7d93dd2e9458e277391f3074dc76d4e92442bf1db0d7fb630f4896f27001bf4350062ddeb452887d1d6e69f6cac914bab6bad34e086a2fb8b6b951d23e4f7c

  • SSDEEP

    24576:2cFXB3P/KiY386VWysaBaotyaD8u9hZ0Bc0TU522c:tWzXko8awdc0Ty22c

Score
10/10

Malware Config

Extracted

Family

danabot

Botnet

15

C2

192.52.167.44:443

192.52.166.92:443

192.52.167.45:443

173.254.204.95:443

Attributes
  • embedded_hash

    740FCC7615F224B3D909D4EC25568A2A

  • type

    loader

rsa_pubkey.plain
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCX+LhsoxcvmIw/a4O0dRy2Y0mp
bxQzvGQFTYy5/zrmf+FDKKvvxI2NSyhjP2/CnVYCPDds5/AKiKdy06LAbu5ZsGWB
l07IjPoAXz+X/K+D/ROUwjQ0MRj7ligpT2FYBy3jGALm/Nm12P0cbYhuWxFg2otG
sF8fpzFA38TKPrbIVQIDAQAB
-----END PUBLIC KEY-----

rsa_privkey.plain
-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAKQGqho6IZgMXeXY
EYC4/OJ1JWPa4HisQCEb8nJ50i9McjpFmcYtdpf4mBp28L8xvThQm0c+xFa2502c
PGl+Gl7riQrpmzw4qLUaVaUTHmhq9y1LE93N9vhH7yXGUFmhxwtERgxcRuIMLHjs
tZXQnX9j8QthO/jm1IFVKHvr5W25AgMBAAECgYEAk+2SwX6Fx5v3nw+DkYTERPQD
mY/Pe+VVHMcYm9d0EMYwCo+0xH9CAoLnoo58RuJz1XMU52cbKV1hM6Rg838QBfKp
RZHp+Hjl1jC8stka8y/6Xl6rcBY88+dfXlBSHl0nGYcrj3d0vLXnd7ecfUqCDOaW
zRYSV1NVczJSnm9b6WUCQQDaSumj1xW28GH6JPfY22td5BvuvLaIe7uhipwB09w3
SW6fZJUrsnhDoYFECaTocskPWawo8LEp6YNYs8F4BqhrAkEAwFwJUvhNN0S1qOYO
EBAcr+BDyQWJMbwlEJTXhh9qoDAUQWDCTXtAiuLpSHSv+PHZd6DWUmR5OWQeRtwC

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Danabot Loader Component 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\fef6b272e83c2db9338ad55ffb6e8f6e_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\fef6b272e83c2db9338ad55ffb6e8f6e_JaffaCakes118.dll,#1
      2⤵
      • Blocklisted process makes network request
      PID:2772

Network

  • 192.52.167.44:443
    rundll32.exe
    152 B
    3

Downloads

  • memory/2772-0-0x0000000001F90000-0x00000000020ED000-memory.dmp

    Filesize

    1.4MB

  • memory/2772-1-0x0000000001F90000-0x00000000020ED000-memory.dmp

    Filesize

    1.4MB
