Overview

overview

10

Static

static

3

817e14be1b...18.exe

windows7-x64

10

817e14be1b...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-08-2024 18:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    817e14be1b3a0979390a8c3cc7c4f9d1_JaffaCakes118.exe

  • Size

    4.0MB

  • MD5

    817e14be1b3a0979390a8c3cc7c4f9d1

  • SHA1

    ce294e099cefdcfb41ef8463a52be5f0dcd0e992

  • SHA256

    697a11fb5efab2c155e459623ea902409395463c379f4549cc471d806e90f783

  • SHA512

    1fc1c1917b583d37ce57903c71a8b987bc3333d0cc309e933dde2f7f816ce5b8e42dd7c883eefd2cbd198952979fb38052cdb1e0756ae023263c4b85db898942

  • SSDEEP

    98304:xiFrwPbHPPquDjTdNwoTPI//JSGZoTw899Y72en:x5bnqunT7woqJpyTw899iH

Score
10/10
danabot3bankercollectioncredential_accessdiscoveryexecutionspywarestealertrojan

Malware Config

Extracted

Family

danabot

Version

1765

Botnet

3

C2

192.236.192.241:443

134.119.186.198:443

104.168.156.222:443

192.236.192.238:443
Attributes
  • embedded_hash

    82C66843DE542BC5CB88F713DE39B52B

  • type

    main

rsa_pubkey.plain
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Blocklisted process makes network request 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 20 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\817e14be1b3a0979390a8c3cc7c4f9d1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\817e14be1b3a0979390a8c3cc7c4f9d1_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\817E14~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\817E14~1.EXE
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3628
      • C:\Windows\SysWOW64\RUNDLL32.EXE
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\817E14~1.DLL,a0oh
        3⤵
        • Blocklisted process makes network request
        • Checks computer location settings
        • Loads dropped DLL
        • Accesses Microsoft Outlook accounts
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:1808
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpCA84.tmp.ps1"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4432
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpD8CE.tmp.ps1"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4600
          • C:\Windows\SysWOW64\nslookup.exe
            "C:\Windows\system32\nslookup.exe" -type=any localhost
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4744
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1484
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4624
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 444
      2⤵
      • Program crash
      PID:4860
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1944 -ip 1944
    1⤵
      PID:1972

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data
      Filesize

      40KB

      MD5

      a182561a527f929489bf4b8f74f65cd7

      SHA1

      8cd6866594759711ea1836e86a5b7ca64ee8911f

      SHA256

      42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

      SHA512

      9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      6ad58b45ba900fe2b784c35fe1ddd496

      SHA1

      7701cf4dfebc92b77e3d16a4094dac0def34f13a

      SHA256

      139a32ad96800367dc709be507e2b78e667610000be7c68f94c174e6fa60f84f

      SHA512

      168f58da543d5c3a645c9a51916528c8e291f0f49069fb8567328e6960874a97026839a31a3505bcd1cc26320a477fbd095406ff3e12c4419c5429b729cd9c1a

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      17KB

      MD5

      bb2e44e2b226b583574b3cc741b1bcd3

      SHA1

      c8514d5df104a07c9917949954c078a8e1e2d190

      SHA256

      e46eb496f0864ace2d742c472b700c257e12af1ef87795e72cfb20189addca03

      SHA512

      192d94d803223e6d886e1fa7399c6d82f483cfe520e8286db97257f3a1f13c90513a7f0d975b75251937ac71ba7b76cec9fed5bea23f4295cea798e9bc393deb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\817E14~1.DLL
      Filesize

      3.8MB

      MD5

      bfd6071199ed716a90c57a78b45274b4

      SHA1

      c2af91e2fee92907868eff13a39c2b3787fca4f1

      SHA256

      b64a043a5a33d465e2e8d69a087bc90be11d39b1495ca355c2e3ce4fd1824ee1

      SHA512

      cab575f60e4156923c8db09de32da40250d01ebdc932bf0333f5075f9fb62123c6d7262af63333dd4901b796a8893f49569f1e5f738cbfff2560c5e39f98d7ce

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Chvbmzi.tmp
      Filesize

      2KB

      MD5

      fe7bafe2850912e07da553561f32a732

      SHA1

      b7350c4df775aaeeea36f4b8e24c545e79029b55

      SHA256

      472da4ddf30a53ca2cfec54411e1dbebd751dc78e18a169d5b0422c3f1bf69b2

      SHA512

      4da88f9ace5b841f4855b07f5b64f00d934146e052cdbcc344581d97706b2c8483973cb6c16892462f6b3a4fa2954451888e1c5aa229413e6c5022830858d911

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4lno1iam.3i3.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpCA84.tmp.ps1
      Filesize

      261B

      MD5

      5021e21b3bd8389e1a312621c83c0afe

      SHA1

      9b401e65528ba0b139e8f82c6e71ccc76687ca3f

      SHA256

      2d5cf5f51f086500a1dcb94b788ce204c73161ad9083b2951d4a2e55c400229e

      SHA512

      7a89e78b3eb2b92247b3be3fa182ca4b5cd880d6678e42b9a56df4861f5fe5d5c96f39dd65cab65178c233e36b7b58e1de189a6d7d9ea2754a2b540870c020c2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpCA85.tmp
      Filesize

      1KB

      MD5

      c416c12d1b2b1da8c8655e393b544362

      SHA1

      fb1a43cd8e1c556c2d25f361f42a21293c29e447

      SHA256

      0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

      SHA512

      cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpD8CE.tmp.ps1
      Filesize

      80B

      MD5

      82da154f2034de34bb060361312b58ff

      SHA1

      7a28283b9ffaf179f46c0f54bbee00b8bafd95cd

      SHA256

      fd8afc87871e48ccbdf9993a53b8483cada9451db27f5b27ee2b36916f55f7cd

      SHA512

      9789455a9d817975e29c5cd7e3ecd72f2cb7628348ce3fbb5b55af1da9852b7d4c6c69632ebd5fb5f26f0d2d8ea6f572b9e4feeadb75459e7f997460d729c444

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpD8CF.tmp
      Filesize

      86B

      MD5

      1860260b2697808b80802352fe324782

      SHA1

      f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

      SHA256

      0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

      SHA512

      d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

      Download Submit

    • memory/1808-18-0x0000000002CD0000-0x0000000003332000-memory.dmp

      Filesize

      6.4MB

      Download

    • memory/1808-111-0x0000000002CD0000-0x0000000003332000-memory.dmp

      Filesize

      6.4MB

      Download

    • memory/1808-12-0x00000000007D0000-0x00000000007D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1808-17-0x0000000002CD0000-0x0000000003332000-memory.dmp

      Filesize

      6.4MB

      Download

    • memory/1808-110-0x0000000002CD0000-0x0000000003332000-memory.dmp

      Filesize

      6.4MB

      Download

    • memory/1808-19-0x0000000002CD0000-0x0000000003332000-memory.dmp

      Filesize

      6.4MB

      Download

    • memory/1808-41-0x0000000002CD0000-0x0000000003332000-memory.dmp

      Filesize

      6.4MB

      Download

    • memory/1808-13-0x0000000000400000-0x00000000007CE000-memory.dmp

      Filesize

      3.8MB

      Download

    • memory/1808-11-0x0000000002CD0000-0x0000000003332000-memory.dmp

      Filesize

      6.4MB

      Download

    • memory/1944-14-0x0000000000400000-0x0000000000C93000-memory.dmp

      Filesize

      8.6MB

      Download

    • memory/1944-1-0x00000000010D0000-0x00000000014A6000-memory.dmp

      Filesize

      3.8MB

      Download

    • memory/1944-15-0x00000000014B0000-0x000000000188F000-memory.dmp

      Filesize

      3.9MB

      Download

    • memory/1944-16-0x0000000000400000-0x00000000007EB000-memory.dmp

      Filesize

      3.9MB

      Download

    • memory/1944-3-0x0000000000400000-0x00000000007EB000-memory.dmp

      Filesize

      3.9MB

      Download

    • memory/1944-2-0x00000000014B0000-0x000000000188F000-memory.dmp

      Filesize

      3.9MB

      Download

    • memory/3628-9-0x00000000007D0000-0x00000000007D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3628-7-0x0000000002DB0000-0x0000000003412000-memory.dmp

      Filesize

      6.4MB

      Download

    • memory/3628-8-0x0000000000400000-0x00000000007CE000-memory.dmp

      Filesize

      3.8MB

      Download

    • memory/4432-50-0x0000000005740000-0x00000000057A6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4432-51-0x00000000057B0000-0x0000000005816000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4432-68-0x0000000006FE0000-0x0000000006FE8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4432-66-0x0000000007460000-0x0000000007ADA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4432-65-0x0000000006160000-0x000000000616A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4432-47-0x0000000004890000-0x00000000048C6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4432-63-0x0000000005E60000-0x0000000005EAC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4432-48-0x0000000004F00000-0x0000000005528000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4432-62-0x0000000005E20000-0x0000000005E3E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4432-61-0x0000000005820000-0x0000000005B74000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4432-67-0x0000000006380000-0x000000000639A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4432-49-0x00000000055A0000-0x00000000055C2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4600-90-0x0000000005C70000-0x0000000005CBC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4600-88-0x0000000005570000-0x00000000058C4000-memory.dmp

      Filesize

      3.3MB

      Download