Overview

overview

10

Static

static

3

4d1a5f5719...18.exe

windows7-x64

10

4d1a5f5719...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    69s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    16-07-2024 06:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4d1a5f5719f0b62562eb0d99f1a7baff_JaffaCakes118.exe

  • Size

    4.0MB

  • MD5

    4d1a5f5719f0b62562eb0d99f1a7baff

  • SHA1

    7455d73ee12d1ac328f3aedaf2a0f61fd9d69b0d

  • SHA256

    f055aaac2e4445e7dacf3fccbc3950eb6c44464d60625fa9476e9e4e5000d8f0

  • SHA512

    220635c140c062a8265106cb245cfe16316ba592454a66ac8c00a923bd6ea0e0482fdd2b94a9f1f4104c1f318b544f006fc5374f767b2955def208d3e99e7c6e

  • SSDEEP

    98304:MjK/i39kLrkjzYQ3mM1HXZ7sBHLJ868wOq8I9w1yPP7:MjCi39kPLQ3fpu+68JqdP7

Score
10/10
danabot3bankercollectiondiscoveryexecutionspywarestealertrojan

Malware Config

Extracted

Family

danabot

Version

1765

Botnet

3

C2

79.124.78.236:443

134.119.186.199:443

192.236.162.42:443

134.119.186.198:443
Attributes
  • embedded_hash

    82C66843DE542BC5CB88F713DE39B52B

  • type

    main

rsa_pubkey.plain
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Blocklisted process makes network request 4 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 24 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d1a5f5719f0b62562eb0d99f1a7baff_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4d1a5f5719f0b62562eb0d99f1a7baff_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\4D1A5F~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\4D1A5F~1.EXE
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2136
      • C:\Windows\SysWOW64\RUNDLL32.EXE
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\4D1A5F~1.DLL,MhAijBzpAjA=
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Accesses Microsoft Outlook accounts
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:2852
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpD70E.tmp.ps1"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2648
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpE84E.tmp.ps1"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2384
          • C:\Windows\SysWOW64\nslookup.exe
            "C:\Windows\system32\nslookup.exe" -type=any localhost
            5⤵
              PID:840
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
            4⤵
              PID:2696
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
              4⤵
                PID:1608

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\4D1A5F~1.DLL
          Filesize

          3.8MB

          MD5

          0fa776ebc6c175716ddae5d5ce2a5894

          SHA1

          3dbb9ac31089481cdba10345889f73d9acb59a02

          SHA256

          fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7

          SHA512

          55d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\kzhgdlvvsixxd.tmp
          Filesize

          2KB

          MD5

          79349891a29739c4734f862386dad5d2

          SHA1

          a1c19755c17114cf5b6abac8edfc8fc5296e1fed

          SHA256

          e5968677085f5d74b31cefe5189bf1913fcc90a4e624c3a40d847ea4f65176ef

          SHA512

          95c50f3dc754349e1be401c47b4c113a59726e690e3fc0bc460217c5be4fb8584694f24ec12b8bc24b4cc3f62276203b9880c0eaef3b4daf2c9bd4c0363be644

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmpD70E.tmp.ps1
          Filesize

          261B

          MD5

          aba96975b48fa3b2732fe4a00112b04b

          SHA1

          acb837dbfccdbefabf387700d39794da47c3e2aa

          SHA256

          1e1f162dc6297b8441f6e8e6b4ccadd74fd01dd6d46253c85d67a8e98479a1b4

          SHA512

          791bced622030102fc677006be48ff8de5a4f25b333fdf87c5c7279efa1e72538a32c519f80df65e08c60dbafb4315dee4f358463d8375e60b2662dac37f03eb

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmpE84E.tmp.ps1
          Filesize

          80B

          MD5

          b57367674a4faac2ed91be447bf478e5

          SHA1

          2a232d3c57bb31e96638857b42478735abf52b24

          SHA256

          8d94fea149420d501f3282395077467d6383f34b77501a4fd8d7a0b98519ec8e

          SHA512

          b5ec13e9055d38557c99150cbcc4df5ac0212606cf31404a81f650bf1bcecfaf529a31e717d4a3f90593fc634768e73624d4f89fb5320013822cd3093c496419

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmpE84F.tmp
          Filesize

          86B

          MD5

          1860260b2697808b80802352fe324782

          SHA1

          f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

          SHA256

          0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

          SHA512

          d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
          Filesize

          7KB

          MD5

          070de1f70fe3919ba7206bdc2b22bb44

          SHA1

          861f50e9104df0e3107a9b93be13722ee2ae2fe1

          SHA256

          7c1864c8983aa21b7e465e37a00ba2f1bb2af3b501669961449d7d34fb07baea

          SHA512

          632213e8655b9d8d0b5daa9846ff77f31bc69ff185fc33752b8dba7e5b6c0668cdd27852956918e493edf5111d8bb8ad116c5d7ccbcb5af804e8b87d106acc24

          Download Submit

        • memory/1952-3-0x0000000000400000-0x00000000007EA000-memory.dmp

          Filesize

          3.9MB

          Download

        • memory/1952-14-0x0000000000400000-0x00000000007EA000-memory.dmp

          Filesize

          3.9MB

          Download

        • memory/1952-13-0x0000000002490000-0x000000000285C000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/1952-12-0x0000000002860000-0x0000000002C3F000-memory.dmp

          Filesize

          3.9MB

          Download

        • memory/1952-5-0x0000000000400000-0x0000000000C49000-memory.dmp

          Filesize

          8.3MB

          Download

        • memory/1952-2-0x0000000002860000-0x0000000002C3F000-memory.dmp

          Filesize

          3.9MB

          Download

        • memory/1952-0-0x0000000002490000-0x000000000285C000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/1952-1-0x0000000002490000-0x000000000285C000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/2136-17-0x0000000002C90000-0x0000000002C91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2136-23-0x0000000002610000-0x0000000002C72000-memory.dmp

          Filesize

          6.4MB

          Download

        • memory/2136-16-0x0000000002610000-0x0000000002C72000-memory.dmp

          Filesize

          6.4MB

          Download

        • memory/2136-15-0x0000000002610000-0x0000000002C72000-memory.dmp

          Filesize

          6.4MB

          Download

        • memory/2136-11-0x0000000001F70000-0x000000000233D000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/2852-25-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2852-24-0x0000000002530000-0x0000000002B92000-memory.dmp

          Filesize

          6.4MB

          Download

        • memory/2852-28-0x0000000002530000-0x0000000002B92000-memory.dmp

          Filesize

          6.4MB

          Download

        • memory/2852-27-0x0000000002530000-0x0000000002B92000-memory.dmp

          Filesize

          6.4MB

          Download

        • memory/2852-31-0x0000000002530000-0x0000000002B92000-memory.dmp

          Filesize

          6.4MB

          Download

        • memory/2852-26-0x0000000002530000-0x0000000002B92000-memory.dmp

          Filesize

          6.4MB

          Download

        • memory/2852-22-0x0000000001D90000-0x000000000215D000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/2852-47-0x0000000001D90000-0x000000000215D000-memory.dmp

          Filesize

          3.8MB

          Download