danabot | 76d9f06d6861a5fa03c02ca11c643684f51ba3372666b2f1541578f09c1d6d85

General

Target

5c7d93ea976f1f84ac8bef6e6065deca_JaffaCakes118.exe
Size

2.3MB
MD5

5c7d93ea976f1f84ac8bef6e6065deca
SHA1

22f9a5f7e38ac207f21287fa63f371a255a68c83
SHA256

76d9f06d6861a5fa03c02ca11c643684f51ba3372666b2f1541578f09c1d6d85
SHA512

0a64b6d8a6c87e0ea11c56b3542b229e97a4ffa6450a26456faa1b025a7ef5164f1b21bfceab04e5e480f893657c2bd65d6e1b6180f12b123783e1b19e0727b7
SSDEEP

49152:SgJyYd1z3uq8TsAO0Q3Lkxp8yzR0WdsIQP8hK6jEjZIBbKO:SgJyo3uq8Q0Q3LKp8CHdsIQ0o62Uv

Score

10^/10

danabot banker botnet discovery trojan

Malware Config

Extracted

Family

danabot

C2

89.44.9.132

64.188.23.70

179.43.133.35

45.147.231.218

89.45.4.126

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 1 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

resource	yara_rule
behavioral1/files/0x00090000000120f1-8.dat	family_danabot

Blocklisted process makes network request 8 IoCs

flow	pid	Process
2	2900	rundll32.exe
3	2900	rundll32.exe
4	2900	rundll32.exe
5	2900	rundll32.exe
6	2900	rundll32.exe
7	2900	rundll32.exe
8	2900	rundll32.exe
9	2900	rundll32.exe

Loads dropped DLL 5 IoCs

pid	Process
2756	regsvr32.exe
2900	rundll32.exe
2900	rundll32.exe
2900	rundll32.exe
2900	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5c7d93ea976f1f84ac8bef6e6065deca_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2756	2812	5c7d93ea976f1f84ac8bef6e6065deca_JaffaCakes118.exe	31
PID 2812 wrote to memory of 2756	2812	5c7d93ea976f1f84ac8bef6e6065deca_JaffaCakes118.exe	31
PID 2812 wrote to memory of 2756	2812	5c7d93ea976f1f84ac8bef6e6065deca_JaffaCakes118.exe	31
PID 2812 wrote to memory of 2756	2812	5c7d93ea976f1f84ac8bef6e6065deca_JaffaCakes118.exe	31
PID 2812 wrote to memory of 2756	2812	5c7d93ea976f1f84ac8bef6e6065deca_JaffaCakes118.exe	31
PID 2812 wrote to memory of 2756	2812	5c7d93ea976f1f84ac8bef6e6065deca_JaffaCakes118.exe	31
PID 2812 wrote to memory of 2756	2812	5c7d93ea976f1f84ac8bef6e6065deca_JaffaCakes118.exe	31
PID 2756 wrote to memory of 2900	2756	regsvr32.exe	32
PID 2756 wrote to memory of 2900	2756	regsvr32.exe	32
PID 2756 wrote to memory of 2900	2756	regsvr32.exe	32
PID 2756 wrote to memory of 2900	2756	regsvr32.exe	32
PID 2756 wrote to memory of 2900	2756	regsvr32.exe	32
PID 2756 wrote to memory of 2900	2756	regsvr32.exe	32
PID 2756 wrote to memory of 2900	2756	regsvr32.exe	32

C:\Users\Admin\AppData\Local\Temp\5c7d93ea976f1f84ac8bef6e6065deca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5c7d93ea976f1f84ac8bef6e6065deca_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\5C7D93~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\5C7D93~1.EXE@2812
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\5C7D93~1.DLL,f0
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5C7D93~1.DLL

Filesize
2.0MB

MD5
07119b1790f56250fff9f87e81b96fc2

SHA1
400e345b7566f4d7b8c5bd460b271864a934172d

SHA256
fd9fd627f781017c2e5b375a3ac6b7f3f6e2c081d0ea093f281043d83ef04f09

SHA512
26f852057938563c10c2289706b582c86622055041b47aae29a395947a1a457649b719630ec3c995d5edf4fd9a2c581ce4a52698fa3f7e1b9ce27b8728c87dfd

Download Submit
memory/2756-11-0x0000000002630000-0x0000000002846000-memory.dmp

Filesize
2.1MB

Download
memory/2812-9-0x00000000021A0000-0x00000000023C1000-memory.dmp

Filesize
2.1MB

Download
memory/2812-3-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2812-6-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2812-7-0x0000000000400000-0x0000000000641000-memory.dmp

Filesize
2.3MB

Download
memory/2812-0-0x00000000021A0000-0x00000000023C1000-memory.dmp

Filesize
2.1MB

Download
memory/2812-2-0x0000000000400000-0x0000000000641000-memory.dmp

Filesize
2.3MB

Download
memory/2812-1-0x00000000021A0000-0x00000000023C1000-memory.dmp

Filesize
2.1MB

Download
memory/2900-16-0x0000000002280000-0x0000000002496000-memory.dmp

Filesize
2.1MB

Download
memory/2900-17-0x0000000002280000-0x0000000002496000-memory.dmp

Filesize
2.1MB

Download
memory/2900-19-0x0000000002280000-0x0000000002496000-memory.dmp

Filesize
2.1MB

Download
memory/2900-29-0x0000000002280000-0x0000000002496000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing