Overview

overview

10

Static

static

3

4d1a5f5719...18.exe

windows7-x64

10

4d1a5f5719...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-07-2024 06:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4d1a5f5719f0b62562eb0d99f1a7baff_JaffaCakes118.exe

  • Size

    4.0MB

  • MD5

    4d1a5f5719f0b62562eb0d99f1a7baff

  • SHA1

    7455d73ee12d1ac328f3aedaf2a0f61fd9d69b0d

  • SHA256

    f055aaac2e4445e7dacf3fccbc3950eb6c44464d60625fa9476e9e4e5000d8f0

  • SHA512

    220635c140c062a8265106cb245cfe16316ba592454a66ac8c00a923bd6ea0e0482fdd2b94a9f1f4104c1f318b544f006fc5374f767b2955def208d3e99e7c6e

  • SSDEEP

    98304:MjK/i39kLrkjzYQ3mM1HXZ7sBHLJ868wOq8I9w1yPP7:MjCi39kPLQ3fpu+68JqdP7

Score
10/10
danabot3bankercollectiondiscoveryexecutionspywarestealertrojan

Malware Config

Extracted

Family

danabot

Version

1765

Botnet

3

C2

79.124.78.236:443

134.119.186.199:443

192.236.162.42:443

134.119.186.198:443
Attributes
  • embedded_hash

    82C66843DE542BC5CB88F713DE39B52B

  • type

    main

rsa_pubkey.plain
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Blocklisted process makes network request 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 21 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d1a5f5719f0b62562eb0d99f1a7baff_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4d1a5f5719f0b62562eb0d99f1a7baff_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4208
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\4D1A5F~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\4D1A5F~1.EXE
      2⤵
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4632
      • C:\Windows\SysWOW64\RUNDLL32.EXE
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\4D1A5F~1.DLL,w2FifDa2Aw==
        3⤵
        • Blocklisted process makes network request
        • Checks computer location settings
        • Loads dropped DLL
        • Accesses Microsoft Outlook accounts
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:3324
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpB9EA.tmp.ps1"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1872
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpC5F2.tmp.ps1"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1940
          • C:\Windows\SysWOW64\nslookup.exe
            "C:\Windows\system32\nslookup.exe" -type=any localhost
            5⤵
              PID:1788
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
            4⤵
              PID:2916
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
              4⤵
                PID:2372
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 520
            2⤵
            • Program crash
            PID:4068
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4208 -ip 4208
          1⤵
            PID:3672

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            6ad58b45ba900fe2b784c35fe1ddd496

            SHA1

            7701cf4dfebc92b77e3d16a4094dac0def34f13a

            SHA256

            139a32ad96800367dc709be507e2b78e667610000be7c68f94c174e6fa60f84f

            SHA512

            168f58da543d5c3a645c9a51916528c8e291f0f49069fb8567328e6960874a97026839a31a3505bcd1cc26320a477fbd095406ff3e12c4419c5429b729cd9c1a

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            17KB

            MD5

            ad13b9f847be1c7ecf7a8cb67949240a

            SHA1

            9f32e51d26fadda4194226a7a65e2cecd8d4849a

            SHA256

            bb7ac91f149066eb9a89e728d66db8cecb68ccd6d6c91f335002f5fd36998789

            SHA512

            1577cee006842559443bfc7d0d96ccec8534b134246dbdc018e9a1fad9925f663d5db25e17b87cb9fe69e2fc1335234492bd5d77570a3e3e6e65bf49c6f6b766

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\4D1A5F~1.DLL
            Filesize

            3.8MB

            MD5

            0fa776ebc6c175716ddae5d5ce2a5894

            SHA1

            3dbb9ac31089481cdba10345889f73d9acb59a02

            SHA256

            fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7

            SHA512

            55d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Mlhtfycgjov.tmp
            Filesize

            2KB

            MD5

            9254324e8fff94bc5a0f8470623b0fa5

            SHA1

            ab117fb8e8d709a420101ea053bcb94041326e7c

            SHA256

            3879c66f342eff0293248dae0a9ecac25de1ade6676d9946c6b34c64f6236074

            SHA512

            5e8a2a384ac55558e5ae2715f8e07602eb2d7eeb70239f5d8290dc5a536cfc77e8bfed4a63b094ed18fa2b7d05f56897812fd302d6fddb28bc78fe4825dc3b97

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eppcjlnz.ecf.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\tmpB9EA.tmp.ps1
            Filesize

            261B

            MD5

            52fc91814916acce4731c8245ab6126a

            SHA1

            e9f48303fde19d872972d6d8c1f0d48f60881bae

            SHA256

            8b7f1fd5fb94fe3d6385035c66bbf838fe711868f0f7b939200e6bca906b83c5

            SHA512

            53677aa4a640e47a42d96194c07a4855b1c9d5cdc1720f6d4ee0c6b8d8c24bcea97ad3e60b075c8e6d252857494360f26045d1644fc79210594d2d0282853e30

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\tmpB9EB.tmp
            Filesize

            1KB

            MD5

            c416c12d1b2b1da8c8655e393b544362

            SHA1

            fb1a43cd8e1c556c2d25f361f42a21293c29e447

            SHA256

            0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

            SHA512

            cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\tmpC5F2.tmp.ps1
            Filesize

            80B

            MD5

            02ec65563322fd4e59f286ed8ec9a970

            SHA1

            c6fde2e210273fe8a2890754879b9582d787dc9f

            SHA256

            c0a56f856256360e3283745fd6eac66191d79f60ef53da0dd999baf1ac682edd

            SHA512

            a6db5ef400f315082fdd13d3658bd9b312003a1eaf2e97b3049255c9b75205b2591827bbf99edd441f4f02f251afd45cab56904b6efebdf469da592cd7b6b734

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\tmpC5F3.tmp
            Filesize

            86B

            MD5

            1860260b2697808b80802352fe324782

            SHA1

            f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

            SHA256

            0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

            SHA512

            d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

            Download Submit

          • memory/1872-77-0x0000000005020000-0x0000000005028000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1872-71-0x0000000006280000-0x000000000629E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/1872-76-0x0000000006800000-0x000000000681A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/1872-75-0x0000000007B10000-0x000000000818A000-memory.dmp

            Filesize

            6.5MB

            Download

          • memory/1872-74-0x00000000065C0000-0x00000000065CA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1872-72-0x0000000006310000-0x000000000635C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/1872-70-0x0000000005EC0000-0x0000000006214000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/1872-60-0x0000000005C10000-0x0000000005C76000-memory.dmp

            Filesize

            408KB

            Download

          • memory/1872-56-0x0000000004CA0000-0x0000000004CD6000-memory.dmp

            Filesize

            216KB

            Download

          • memory/1872-57-0x00000000053A0000-0x00000000059C8000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/1872-58-0x0000000005A00000-0x0000000005A22000-memory.dmp

            Filesize

            136KB

            Download

          • memory/1872-59-0x0000000005BA0000-0x0000000005C06000-memory.dmp

            Filesize

            408KB

            Download

          • memory/1940-97-0x00000000056D0000-0x0000000005A24000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/1940-99-0x0000000005D70000-0x0000000005DBC000-memory.dmp

            Filesize

            304KB

            Download

          • memory/3324-20-0x0000000002980000-0x0000000002FE2000-memory.dmp

            Filesize

            6.4MB

            Download

          • memory/3324-18-0x0000000002980000-0x0000000002FE2000-memory.dmp

            Filesize

            6.4MB

            Download

          • memory/3324-50-0x0000000002980000-0x0000000002FE2000-memory.dmp

            Filesize

            6.4MB

            Download

          • memory/3324-106-0x0000000002170000-0x000000000253D000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/3324-19-0x0000000002980000-0x0000000002FE2000-memory.dmp

            Filesize

            6.4MB

            Download

          • memory/3324-17-0x0000000003200000-0x0000000003201000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3324-16-0x0000000002980000-0x0000000002FE2000-memory.dmp

            Filesize

            6.4MB

            Download

          • memory/3324-12-0x0000000002170000-0x000000000253D000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/4208-1-0x0000000002AE0000-0x0000000002EB2000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/4208-14-0x0000000000400000-0x00000000007EA000-memory.dmp

            Filesize

            3.9MB

            Download

          • memory/4208-3-0x0000000000400000-0x00000000007EA000-memory.dmp

            Filesize

            3.9MB

            Download

          • memory/4208-2-0x0000000002EC0000-0x000000000329F000-memory.dmp

            Filesize

            3.9MB

            Download

          • memory/4208-15-0x0000000002EC0000-0x000000000329F000-memory.dmp

            Filesize

            3.9MB

            Download

          • memory/4208-13-0x0000000000400000-0x0000000000C49000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4632-9-0x00000000007D0000-0x00000000007D1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4632-7-0x0000000003310000-0x0000000003972000-memory.dmp

            Filesize

            6.4MB

            Download

          • memory/4632-8-0x0000000000400000-0x00000000007CD000-memory.dmp

            Filesize

            3.8MB

            Download