danabot | d39e3c62fb0b70846240f3d73a3885d5024eebcc9e61fa77f5ebbb450fbf7620

General

Target

350e751bb68ade139e174d65008eebe0_JaffaCakes118.vbs
Size

24.3MB
MD5

350e751bb68ade139e174d65008eebe0
SHA1

f235f388686573edd1475f337c9b5b34afd4b9e1
SHA256

d39e3c62fb0b70846240f3d73a3885d5024eebcc9e61fa77f5ebbb450fbf7620
SHA512

3b34c36fd8e2e9b83150cfe652bc34c615b0017174f35d4ba2513d63b73aa51ae75c928f7e6307bd29d9adeb3222cb6ba8f19c0feeab53d2cf2f66ca43394f47
SSDEEP

6144:tJGfk3YNoB2OmKvIbvSGF2qU4DZA3fX680UPUXzmcTc8cxhTWMRA4PZUhQKsTRIq:WnhrO

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

C2

181.63.44.194

207.148.83.108

45.77.40.71

87.115.138.169

24.229.48.7

116.111.206.27

45.196.143.203

218.65.3.199

131.59.110.186

113.81.97.96

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2636	regsvr32.exe	28

Blocklisted process makes network request 5 IoCs

flow	pid	Process
2	2560	rundll32.exe
5	2560	rundll32.exe
8	2560	rundll32.exe
11	2560	rundll32.exe
12	2560	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
2680	regsvr32.exe
2560	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2064	WScript.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 2680	876	regsvr32.exe	30
PID 876 wrote to memory of 2680	876	regsvr32.exe	30
PID 876 wrote to memory of 2680	876	regsvr32.exe	30
PID 876 wrote to memory of 2680	876	regsvr32.exe	30
PID 876 wrote to memory of 2680	876	regsvr32.exe	30
PID 876 wrote to memory of 2680	876	regsvr32.exe	30
PID 876 wrote to memory of 2680	876	regsvr32.exe	30
PID 2680 wrote to memory of 2560	2680	regsvr32.exe	31
PID 2680 wrote to memory of 2560	2680	regsvr32.exe	31
PID 2680 wrote to memory of 2560	2680	regsvr32.exe	31
PID 2680 wrote to memory of 2560	2680	regsvr32.exe	31
PID 2680 wrote to memory of 2560	2680	regsvr32.exe	31
PID 2680 wrote to memory of 2560	2680	regsvr32.exe	31
PID 2680 wrote to memory of 2560	2680	regsvr32.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\350e751bb68ade139e174d65008eebe0_JaffaCakes118.vbs"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2064

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\qCnossAab.txt
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:876
- C:\Windows\SysWOW64\regsvr32.exe
  -s C:\Users\Admin\AppData\Local\Temp\qCnossAab.txt
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\qCnossAab.txt,f0
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UJJSUG~1.ZIP

Filesize
933KB

MD5
cdddd64bee8f82fb2a6b7407945d11a8

SHA1
fb2c47216027f66452b0d4184c81c8857a39f394

SHA256
2faa64d3c244e7a8599d6ab9db2c662229d3b98eefe4fac8765f23dd422f89ba

SHA512
1e3c2cd2944d9acc334bf2d2cf3747466023cf3b261cd28d4125f06f0e45983dd3734c912ebe2f6db7ec66567c22caf910746dcfbaad1878afc8acc06adca604

Download Submit
C:\Users\Admin\AppData\Local\Temp\qCnossAab.txt

Filesize
1.1MB

MD5
f8cf63fb5f35fb0a72aeffcf1dc27aef

SHA1
bcf27f65d35c4ce37f0f6af6ca3f2215fbef34eb

SHA256
dca1194d8f8691d90bb209e4b9baae53da4d107169bda9b1d8c4a99a6316b5b9

SHA512
f30acf1e157b70df459ef4d133bc680c9a7f48ddd532c29fa9d27c8eb16e976f6baf4d2f701d40a8875929267f8147dc25ee960b8b7eccc20da59eeca814dc4f

Download Submit
memory/2064-9-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/2560-39-0x0000000001FE0000-0x0000000002A0A000-memory.dmp

Filesize
10.2MB

Download
memory/2560-46-0x0000000001FE0000-0x0000000002A0A000-memory.dmp

Filesize
10.2MB

Download
memory/2560-44-0x0000000001FE0000-0x0000000002A0A000-memory.dmp

Filesize
10.2MB

Download
memory/2560-41-0x0000000001FE0000-0x0000000002A0A000-memory.dmp

Filesize
10.2MB

Download
memory/2560-34-0x0000000001FE0000-0x0000000002A0A000-memory.dmp

Filesize
10.2MB

Download
memory/2560-35-0x0000000001FE0000-0x0000000002A0A000-memory.dmp

Filesize
10.2MB

Download
memory/2560-36-0x0000000001FE0000-0x0000000002A0A000-memory.dmp

Filesize
10.2MB

Download
memory/2680-25-0x0000000002450000-0x0000000002E7A000-memory.dmp

Filesize
10.2MB

Download
memory/2680-29-0x0000000002450000-0x0000000002E7A000-memory.dmp

Filesize
10.2MB

Download
memory/2680-27-0x0000000002450000-0x0000000002E7A000-memory.dmp

Filesize
10.2MB

Download
memory/2680-28-0x0000000002565000-0x000000000256A000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing