danabot | 50b32f4330ee0822a8010830064aaae8d58a32e556cf77e4dcb624e640ec2234

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d970965b78013545a9c0d32eb10ee61_JaffaCakes118.vbs
Size

22.6MB
MD5

5d970965b78013545a9c0d32eb10ee61
SHA1

29c055edc3c0de81add7741034f2aa8f038bc638
SHA256

50b32f4330ee0822a8010830064aaae8d58a32e556cf77e4dcb624e640ec2234
SHA512

a4a344f279c156edc1ed6d5c072962006ab84781f9ed5e3b718d94559c3fb6b6dcdf429020a1458528edd957334c718c7fe641117b5f50fad4a2d18ec5b723a5
SSDEEP

12288:/eEl4AjRZrrZTbM6mUnt9Ho3KzA4Gv19yMUq9Rrb8anAO4mrA6DKMjXcZkPSbP6D:3w

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

181.63.44.194

207.148.83.108

45.77.40.71

87.115.138.169

24.229.48.7

116.111.206.27

45.196.143.203

218.65.3.199

131.59.110.186

113.81.97.96

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	2796	regsvr32.exe	88

Blocklisted process makes network request 7 IoCs

flow	pid	Process
38	1368	rundll32.exe
44	1368	rundll32.exe
45	1368	rundll32.exe
47	1368	rundll32.exe
52	1368	rundll32.exe
62	1368	rundll32.exe
63	1368	rundll32.exe

Loads dropped DLL 4 IoCs

pid	Process
2652	regsvr32.exe
2652	regsvr32.exe
1368	rundll32.exe
1368	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3988	WScript.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 2652	5084	regsvr32.exe	96
PID 5084 wrote to memory of 2652	5084	regsvr32.exe	96
PID 5084 wrote to memory of 2652	5084	regsvr32.exe	96
PID 2652 wrote to memory of 1368	2652	regsvr32.exe	98
PID 2652 wrote to memory of 1368	2652	regsvr32.exe	98
PID 2652 wrote to memory of 1368	2652	regsvr32.exe	98

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d970965b78013545a9c0d32eb10ee61_JaffaCakes118.vbs"
1⤵
- Suspicious use of FindShellTrayWindow
PID:3988

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\sNKBbUr.txt
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Windows\SysWOW64\regsvr32.exe
  -s C:\Users\Admin\AppData\Local\Temp\sNKBbUr.txt
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\sNKBbUr.txt,f0
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nIRKsgH.txt.zip

Filesize
933KB

MD5
876ecd68b1b519c3ba5e3c8edb7fa9e2

SHA1
8ecab84b15e28e251084557365925c386483a1a5

SHA256
86841c434c14d073713ecb569e0e54f599be1752a12f89720ebeab3501899cca

SHA512
22661ded55ca11cee118256a5b08bb17625955b90f166a153f4f239621a88864d8f30bccdf51850322ad515d3cdfbb6c73520db4d550e2f810087334f942e78b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sNKBbUr.txt

Filesize
1.1MB

MD5
f8cf63fb5f35fb0a72aeffcf1dc27aef

SHA1
bcf27f65d35c4ce37f0f6af6ca3f2215fbef34eb

SHA256
dca1194d8f8691d90bb209e4b9baae53da4d107169bda9b1d8c4a99a6316b5b9

SHA512
f30acf1e157b70df459ef4d133bc680c9a7f48ddd532c29fa9d27c8eb16e976f6baf4d2f701d40a8875929267f8147dc25ee960b8b7eccc20da59eeca814dc4f

Download Submit
memory/1368-37-0x00000000020F0000-0x0000000002B1A000-memory.dmp

Filesize
10.2MB

Download
memory/1368-48-0x00000000020F0000-0x0000000002B1A000-memory.dmp

Filesize
10.2MB

Download
memory/1368-44-0x00000000020F0000-0x0000000002B1A000-memory.dmp

Filesize
10.2MB

Download
memory/1368-43-0x00000000020F0000-0x0000000002B1A000-memory.dmp

Filesize
10.2MB

Download
memory/1368-41-0x00000000020F0000-0x0000000002B1A000-memory.dmp

Filesize
10.2MB

Download
memory/1368-36-0x00000000020F0000-0x0000000002B1A000-memory.dmp

Filesize
10.2MB

Download
memory/1368-38-0x00000000020F0000-0x0000000002B1A000-memory.dmp

Filesize
10.2MB

Download
memory/2652-31-0x00000000028D5000-0x00000000028DA000-memory.dmp

Filesize
20KB

Download
memory/2652-32-0x00000000027C0000-0x00000000031EA000-memory.dmp

Filesize
10.2MB

Download
memory/2652-27-0x00000000027C0000-0x00000000031EA000-memory.dmp

Filesize
10.2MB

Download
memory/2652-28-0x00000000027C0000-0x00000000031EA000-memory.dmp

Filesize
10.2MB

Download
memory/2652-26-0x00000000027C0000-0x00000000031EA000-memory.dmp

Filesize
10.2MB

Download