Analysis
max time kernel: 150s
max time network: 138s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 16-05-2024 21:37
Static task: static1
Behavioral task: behavioral1
Sample: 4d20e507408edb688431c43d4afb655c_JaffaCakes118.exe
Resource: win7-20240220-en
General
Target: 4d20e507408edb688431c43d4afb655c_JaffaCakes118.exe
Size: 706KB
MD5: 4d20e507408edb688431c43d4afb655c
SHA1: ab9b18b4745f61413b01b462871c31de9d392520
SHA256: 1290eff5b9ce2405746a7b5b11e486829d3d3b8004f1b22b1a241496e60c4225
SHA512: 38aeb11f7a6ed54d580196b5b4ff299f065ef47c3f9d0fe05823d8cd9b93469ad95d038e1c8a2a53b10a13530eeee9d28e019dc35fbb310349f4436492ea9ad5
SSDEEP: 12288:SVZZzLcl02FoNOm1byXC1v4NFeuLX0XjOsP++q3gDRvl4q13:eclc3AFR0X6sm+qeRvl4q
Malware Config
Extracted
Family: danabot
C2:
236.128.21.180
89.144.25.104
148.165.195.24
149.28.180.182
6.200.141.194
96.202.32.98
199.92.207.6
213.82.134.216
118.134.228.191
48.8.103.94
Note: 236.128.21.180 falls inside the IPv4 multicast range (224.0.0.0/4) and cannot be a unicast C2 endpoint, so the extracted list should be treated as candidate indicators and each address validated before it is blocked or pivoted on.
Signatures
Danabot x86 payload (1 IoC)
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\4D20E5~1.DLL | family_danabot

Blocklisted process makes network request (8 IoCs)
flow | pid | process
2 | 2468 | rundll32.exe
5 | 2468 | rundll32.exe
6 | 2468 | rundll32.exe
9 | 2468 | rundll32.exe
14 | 2468 | rundll32.exe
17 | 2468 | rundll32.exe
20 | 2468 | rundll32.exe
21 | 2468 | rundll32.exe

Deletes itself (1 IoC)
pid | process
2892 | regsvr32.exe

Loads dropped DLL (5 IoCs)
pid | process
2892 | regsvr32.exe
2468 | rundll32.exe
2468 | rundll32.exe
2468 | rundll32.exe
2468 | rundll32.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | process | target process
PID 3032 wrote to memory of 2892 (7 events) | 3032 | 4d20e507408edb688431c43d4afb655c_JaffaCakes118.exe | regsvr32.exe
PID 2892 wrote to memory of 2468 (7 events) | 2892 | regsvr32.exe | rundll32.exe
Processes
C:\Users\Admin\AppData\Local\Temp\4d20e507408edb688431c43d4afb655c_JaffaCakes118.exe (PID 3032)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4d20e507408edb688431c43d4afb655c_JaffaCakes118.exe"
  Signatures: Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\regsvr32.exe (PID 2892)
      Command line: C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\4D20E5~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\4D20E5~1.EXE@3032
      Signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
      └ C:\Windows\SysWOW64\rundll32.exe (PID 2468)
          Command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\4D20E5~1.DLL,f0
          Signatures: Blocklisted process makes network request; Loads dropped DLL

Chain summary: the 706KB loader drops a DLL alongside itself under %TEMP% (shown here by its 8.3 short name 4D20E5~1.DLL) and runs it through two signed Windows binaries rather than loading it itself. regsvr32.exe -s loads the DLL silently and is handed an argument naming the original executable with the parent PID appended (4D20E5~1.EXE@3032); that process carries the "Deletes itself" signature. regsvr32 then spawns rundll32.exe to call the DLL's f0 export, and it is this third process that makes the network requests associated with the extracted Danabot C2 list. For detection, the durable signal is a regsvr32 or rundll32 instance whose DLL argument resolves under a user-writable directory, parented by an executable from the same directory; the file hashes above identify only this build.
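The two checks a responder would want from this report, the regsvr32 -> rundll32 hand-off of a %TEMP% DLL in the process tree and the sanity of the extracted C2 list, as an added example. This is not code from the sandbox or from the Danabot loader; the event dictionaries are constructed from the command lines shown above (plus one benign control row), their field names are an assumption, and the rule names are illustrative.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed process-creation records modelled on the process tree in this
# report (PID 3032 -> 2892 -> 2468), plus one benign control row.  The field
# names are an assumption for this example, not a sandbox or Sysmon schema.
SAMPLE_EVENTS = [
    {"pid": 3032, "ppid": 1000,
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\4d20e507408edb688431c43d4afb655c_JaffaCakes118.exe"'},
    {"pid": 2892, "ppid": 3032,
     "cmdline": r"C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\4D20E5~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\4D20E5~1.EXE@3032"},
    {"pid": 2468, "ppid": 2892,
     "cmdline": r"C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\4D20E5~1.DLL,f0"},
    # Constructed benign control: rundll32 loading a DLL from System32.
    {"pid": 3100, "ppid": 1000,
     "cmdline": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# C2 list exactly as extracted by the sandbox (Malware Config section above).
DANABOT_C2 = [
    "236.128.21.180", "89.144.25.104", "148.165.195.24", "149.28.180.182",
    "6.200.141.194", "96.202.32.98", "199.92.207.6", "213.82.134.216",
    "118.134.228.191", "48.8.103.94",
]

# Directories an unprivileged user can write to; a signed Windows binary
# loading a DLL from one of these is the signal, not the file hash.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData)\\", re.I)

# Windows-style tokenizer: double-quoted runs stay together and backslashes
# are not escape characters (shlex in POSIX mode would mangle the paths).
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> List[str]:
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def dll_from_cmdline(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, entry_point) for a regsvr32 or rundll32 command line.

    regsvr32.exe [/s] <dll> [args...]   -> entry point DllRegisterServer
    rundll32.exe <dll>,<export> [args]  -> entry point <export>
    Any other image returns None.
    """
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    image = tokens[0].rsplit("\\", 1)[-1].lower()
    args = [t for t in tokens[1:] if not t.startswith(("-", "/"))]
    if image == "regsvr32.exe" and args:
        return args[0], "DllRegisterServer"
    if image == "rundll32.exe" and args:
        dll, _, export = args[0].partition(",")
        return dll, export or "<unknown>"
    return None


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def detect(events: List[Dict]) -> List[Finding]:
    """Flag LOLBin DLL loads from user-writable paths and the parent->child
    re-load of the same DLL (regsvr32 -> rundll32) seen in this report."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Finding] = []
    for e in events:
        hit = dll_from_cmdline(e["cmdline"])
        if hit is None:
            continue
        dll, entry = hit
        if USER_WRITABLE.search(dll):
            findings.append(Finding(e["pid"], "lolbin_dll_from_user_writable_dir",
                                    f"{dll} via {entry}"))
        parent = by_pid.get(e["ppid"])
        parent_hit = dll_from_cmdline(parent["cmdline"]) if parent else None
        if parent_hit and parent_hit[0].lower() == dll.lower():
            findings.append(Finding(e["pid"], "parent_child_reload_same_dll",
                                    f"parent {e['ppid']} -> child {e['pid']}: {dll}"))
    return findings


def implausible_c2(addresses: List[str]) -> Dict[str, str]:
    """Return extracted C2 entries that cannot be Internet-reachable unicast
    endpoints (multicast, reserved, private, loopback, link-local), so they
    are not blocked or pivoted on as if they were real infrastructure."""
    bad: Dict[str, str] = {}
    for a in addresses:
        ip = ipaddress.ip_address(a)
        for reason in ("multicast", "reserved", "private", "loopback",
                       "link_local", "unspecified"):
            if getattr(ip, "is_" + reason):
                bad[a] = reason
                break
    return bad


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.pid} {f.rule}: {f.detail}")
    print("implausible C2 entries:", implausible_c2(DANABOT_C2))
```

On the constructed events this yields three findings (regsvr32 PID 2892 and rundll32 PID 2468 each loading the %TEMP% DLL, and 2468 re-loading the DLL its parent already loaded) and flags 236.128.21.180 as multicast; the System32 control row is silent. The regex over user-writable directories is deliberately broader than the single %TEMP% path in this report.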
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 506KB
MD5: 3f1a39e1f0d2004fd050f6e629f5e771
SHA1: f90a9d25012fc58a8fe2158f3ef4ec7adb6891a1
SHA256: 7bd3bab60ed53f7fa5c8ef8cb9af8e500aed93e70fc74a4f19b3976a457eb1f2
SHA512: 1fde33fd33eacad6271bba0949d95d4a7a6fb2adc6ef208cf15d4e2d1960022f48a9ecd91904bd58be661a4af116c32282149552cf64f3c0b5690294dd20fca7