danabot | eac16332d89309cec9208ac51a628f02f4abb70ed20243172ec492e1e1a317ca

Analysis

max time kernel
142s
max time network
141s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
18-05-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

563c7b884fca8f07414502e4b31b9a4a_JaffaCakes118.exe
Size

2.3MB
MD5

563c7b884fca8f07414502e4b31b9a4a
SHA1

a58855aff0066e5291d2c0076cde31a5abcb6acc
SHA256

eac16332d89309cec9208ac51a628f02f4abb70ed20243172ec492e1e1a317ca
SHA512

8a91bb3f7a11b41e03f7e70e136d23bf52476c00215b9e765e04d1d6b6025967410709defa1704536e5feb6eb25f8495564b0a72fba90b88cb34633a28f6029a
SSDEEP

49152:XIa+TGt8n9dp3vBs7qzU9CNOF9oCR8IsI:XIh6t85Iq3I3R87

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

71.170.44.127

149.154.159.213

169.184.210.27

244.116.82.20

58.173.201.4

138.237.81.5

210.103.205.121

24.160.68.106

151.236.14.84

109.230.5.162

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 1 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
behavioral1/files/0x000a000000012286-3.dat	family_danabot

Blocklisted process makes network request 9 IoCs

Processes:

rundll32.exe

flow	pid	Process
2	2152	rundll32.exe
5	2152	rundll32.exe
6	2152	rundll32.exe
9	2152	rundll32.exe
10	2152	rundll32.exe
15	2152	rundll32.exe
18	2152	rundll32.exe
21	2152	rundll32.exe
22	2152	rundll32.exe

Loads dropped DLL 5 IoCs

Processes:

regsvr32.exerundll32.exe

pid	Process
1808	regsvr32.exe
2152	rundll32.exe
2152	rundll32.exe
2152	rundll32.exe
2152	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

563c7b884fca8f07414502e4b31b9a4a_JaffaCakes118.exeregsvr32.exe

description	pid	Process	procid_target
PID 3044 wrote to memory of 1808	3044	563c7b884fca8f07414502e4b31b9a4a_JaffaCakes118.exe	29
PID 3044 wrote to memory of 1808	3044	563c7b884fca8f07414502e4b31b9a4a_JaffaCakes118.exe	29
PID 3044 wrote to memory of 1808	3044	563c7b884fca8f07414502e4b31b9a4a_JaffaCakes118.exe	29
PID 3044 wrote to memory of 1808	3044	563c7b884fca8f07414502e4b31b9a4a_JaffaCakes118.exe	29
PID 3044 wrote to memory of 1808	3044	563c7b884fca8f07414502e4b31b9a4a_JaffaCakes118.exe	29
PID 3044 wrote to memory of 1808	3044	563c7b884fca8f07414502e4b31b9a4a_JaffaCakes118.exe	29
PID 3044 wrote to memory of 1808	3044	563c7b884fca8f07414502e4b31b9a4a_JaffaCakes118.exe	29
PID 1808 wrote to memory of 2152	1808	regsvr32.exe	30
PID 1808 wrote to memory of 2152	1808	regsvr32.exe	30
PID 1808 wrote to memory of 2152	1808	regsvr32.exe	30
PID 1808 wrote to memory of 2152	1808	regsvr32.exe	30
PID 1808 wrote to memory of 2152	1808	regsvr32.exe	30
PID 1808 wrote to memory of 2152	1808	regsvr32.exe	30
PID 1808 wrote to memory of 2152	1808	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\563c7b884fca8f07414502e4b31b9a4a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\563c7b884fca8f07414502e4b31b9a4a_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\563C7B~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\563C7B~1.EXE@3044
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\563C7B~1.DLL,f0
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:2152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\563C7B~1.DLL

Filesize
1.4MB

MD5
f1edfec279fb324e127b71b3c7c109ab

SHA1
f77f4c5a7e8288d0a8f367c007aa697662c30606

SHA256
63ffc8bebee53fe93e941f965ef34bceea9ae95c98ef38a65483feae7fa724f8

SHA512
d12ac98587eb8545036171b6dac5dc074e35f612a4be9c7c59cc25bee38715b55e69e0706ec6d9f3188d72c736c4878236e5b28bae676e13ebea75de3692fbe5

Download Submit
memory/1808-4-0x0000000002270000-0x00000000023DB000-memory.dmp

Filesize
1.4MB

Download
memory/2152-9-0x00000000021C0000-0x000000000232B000-memory.dmp

Filesize
1.4MB

Download
memory/2152-10-0x00000000021C0000-0x000000000232B000-memory.dmp

Filesize
1.4MB

Download
memory/2152-12-0x00000000021C0000-0x000000000232B000-memory.dmp

Filesize
1.4MB

Download
memory/2152-14-0x00000000021C0000-0x000000000232B000-memory.dmp

Filesize
1.4MB

Download
memory/2152-22-0x00000000021C0000-0x000000000232B000-memory.dmp

Filesize
1.4MB

Download
memory/3044-1-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download