danabot | eac16332d89309cec9208ac51a628f02f4abb70ed20243172ec492e1e1a317ca

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

563c7b884fca8f07414502e4b31b9a4a_JaffaCakes118.exe
Size

2.3MB
MD5

563c7b884fca8f07414502e4b31b9a4a
SHA1

a58855aff0066e5291d2c0076cde31a5abcb6acc
SHA256

eac16332d89309cec9208ac51a628f02f4abb70ed20243172ec492e1e1a317ca
SHA512

8a91bb3f7a11b41e03f7e70e136d23bf52476c00215b9e765e04d1d6b6025967410709defa1704536e5feb6eb25f8495564b0a72fba90b88cb34633a28f6029a
SSDEEP

49152:XIa+TGt8n9dp3vBs7qzU9CNOF9oCR8IsI:XIh6t85Iq3I3R87

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

71.170.44.127

149.154.159.213

169.184.210.27

244.116.82.20

58.173.201.4

138.237.81.5

210.103.205.121

24.160.68.106

151.236.14.84

109.230.5.162

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 1 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
behavioral2/files/0x000800000002325d-2.dat	family_danabot

Blocklisted process makes network request 7 IoCs

Processes:

rundll32.exe

flow	pid	Process
4	2784	rundll32.exe
34	2784	rundll32.exe
44	2784	rundll32.exe
47	2784	rundll32.exe
53	2784	rundll32.exe
55	2784	rundll32.exe
57	2784	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

regsvr32.exerundll32.exe

pid	Process
1892	regsvr32.exe
1892	regsvr32.exe
2784	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

563c7b884fca8f07414502e4b31b9a4a_JaffaCakes118.exeregsvr32.exe

description	pid	Process	procid_target
PID 2456 wrote to memory of 1892	2456	563c7b884fca8f07414502e4b31b9a4a_JaffaCakes118.exe	91
PID 2456 wrote to memory of 1892	2456	563c7b884fca8f07414502e4b31b9a4a_JaffaCakes118.exe	91
PID 2456 wrote to memory of 1892	2456	563c7b884fca8f07414502e4b31b9a4a_JaffaCakes118.exe	91
PID 1892 wrote to memory of 2784	1892	regsvr32.exe	92
PID 1892 wrote to memory of 2784	1892	regsvr32.exe	92
PID 1892 wrote to memory of 2784	1892	regsvr32.exe	92

C:\Users\Admin\AppData\Local\Temp\563c7b884fca8f07414502e4b31b9a4a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\563c7b884fca8f07414502e4b31b9a4a_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\563C7B~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\563C7B~1.EXE@2456
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\563C7B~1.DLL,f0
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:2784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3044 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\563C7B~1.DLL

Filesize
1.4MB

MD5
f0d64def1a7e262ccf95ec24e9b9f7cb

SHA1
3cf3660cc86d9ebededc8dce2f96548fb60a1e9d

SHA256
712c8a8693ba819e8c3faff2ba5b458d2d9361d35fc0aa13155f726c0bef77bb

SHA512
36abb1a48c6ebc356323f8253d307483b7361132a7a7b2db86c6427d2a271e11e2762cd078f56cd747ac8507255519de6822d697841d5707c3a6ef26a793cc04

Download Submit
memory/1892-5-0x0000000000D20000-0x0000000000E8B000-memory.dmp

Filesize
1.4MB

Download
memory/2456-1-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2784-7-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/2784-9-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/2784-11-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download