danabot | 0a38204354bdd03ca06520f5482cc057a926eef96944a2a179c370b9f64f4842

Analysis

max time kernel
143s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7efdce6925f9d0a47262bf6909dee878_JaffaCakes118.exe
Size

847KB
MD5

7efdce6925f9d0a47262bf6909dee878
SHA1

c2675a34536fbb0e637b3b63ca5671f93a7f9484
SHA256

0a38204354bdd03ca06520f5482cc057a926eef96944a2a179c370b9f64f4842
SHA512

7f5ac9a34891642b056cd37c0f54c3cc86caab581df6a4d62d1279efe38449b0bc63bbd305eecaf382fadba7022c6791293711ec9855920dbf82a0a07347a80d
SSDEEP

24576:WbTUojyk1O/sDcxLx+gGBWDvKe0VR7Ev3b7YpQKZ445fm:gy7Gs78V9Ev3fYpvf

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

58.58.210.181

222.175.52.161

149.53.185.172

81.63.70.192

195.123.246.209

149.154.159.213

2.255.189.191

187.198.70.207

139.113.48.33

244.28.200.120

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 1 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

resource	yara_rule
behavioral2/files/0x001900000002295c-2.dat	family_danabot

Blocklisted process makes network request 2 IoCs

flow	pid	Process
20	4888	rundll32.exe
26	4888	rundll32.exe

Deletes itself 1 IoCs

pid	Process
3212	regsvr32.exe

Loads dropped DLL 2 IoCs

pid	Process
3212	regsvr32.exe
4888	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 3212	4828	7efdce6925f9d0a47262bf6909dee878_JaffaCakes118.exe	87
PID 4828 wrote to memory of 3212	4828	7efdce6925f9d0a47262bf6909dee878_JaffaCakes118.exe	87
PID 4828 wrote to memory of 3212	4828	7efdce6925f9d0a47262bf6909dee878_JaffaCakes118.exe	87
PID 3212 wrote to memory of 4888	3212	regsvr32.exe	88
PID 3212 wrote to memory of 4888	3212	regsvr32.exe	88
PID 3212 wrote to memory of 4888	3212	regsvr32.exe	88

C:\Users\Admin\AppData\Local\Temp\7efdce6925f9d0a47262bf6909dee878_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7efdce6925f9d0a47262bf6909dee878_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\7EFDCE~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\7EFDCE~1.EXE@4828
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\7EFDCE~1.DLL,f0
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:4888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7EFDCE~1.DLL

Filesize
630KB

MD5
ce0b269731d60133a55af84b5bd7c363

SHA1
50070c522234226e4092d44a3c28f6eab3385172

SHA256
c32050bf67ef51c18ce3cbd6c0b4db2e1d9fbbc58185282fae6017ee6fc22dd6

SHA512
a4fee6dd30c37589b4a60982d299ffdd855b978d2c0bed225e363580cc341614fc62e9f2e02bbd2f4bd90560af666ad90092127df88cfabf39eddfd1e99f9006

Download Submit
memory/4828-1-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4888-5-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download