danabot | 5f67a9e1b25d56cf1e7ba857b2cfc4be77db1e92ea8a32ee154e9322d96387f7

General

Target

8e569bc871b8364669e122b63dda8399_JaffaCakes118.exe
Size

1.2MB
MD5

8e569bc871b8364669e122b63dda8399
SHA1

69dfd12c7df066389d1cf48ee17619ce03289263
SHA256

5f67a9e1b25d56cf1e7ba857b2cfc4be77db1e92ea8a32ee154e9322d96387f7
SHA512

21782398dcfdcaa15d1e61874b6811907876066f45d77cb563d86db9c692b1435c4956fc92b89bd47a29b31162ee8f4ee9df7492360b158a7a7ae1ae2fbfbb1e
SSDEEP

24576:Qr0NQtHQ+I8JqdGmbTXgpDDhJ8BD1gNZNZANDuRrPNiKQ//j36L:QYNQtHQ+idGmbTXgpHhJ8BD1UvANDorN

Score

10^/10

danabot 4 banker discovery trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.242.31:443

192.119.110.73:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 10 IoCs

resource	yara_rule
behavioral2/files/0x000400000001da3a-6.dat	DanabotLoader2021
behavioral2/memory/1204-11-0x0000000000400000-0x0000000000565000-memory.dmp	DanabotLoader2021
behavioral2/memory/1204-19-0x0000000000400000-0x0000000000565000-memory.dmp	DanabotLoader2021
behavioral2/memory/1204-20-0x0000000000400000-0x0000000000565000-memory.dmp	DanabotLoader2021
behavioral2/memory/1204-21-0x0000000000400000-0x0000000000565000-memory.dmp	DanabotLoader2021
behavioral2/memory/1204-22-0x0000000000400000-0x0000000000565000-memory.dmp	DanabotLoader2021
behavioral2/memory/1204-23-0x0000000000400000-0x0000000000565000-memory.dmp	DanabotLoader2021
behavioral2/memory/1204-24-0x0000000000400000-0x0000000000565000-memory.dmp	DanabotLoader2021
behavioral2/memory/1204-25-0x0000000000400000-0x0000000000565000-memory.dmp	DanabotLoader2021
behavioral2/memory/1204-26-0x0000000000400000-0x0000000000565000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

flow	pid	Process
50	1204	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
1204	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4384	2848	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e569bc871b8364669e122b63dda8399_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 1204	2848	8e569bc871b8364669e122b63dda8399_JaffaCakes118.exe	87
PID 2848 wrote to memory of 1204	2848	8e569bc871b8364669e122b63dda8399_JaffaCakes118.exe	87
PID 2848 wrote to memory of 1204	2848	8e569bc871b8364669e122b63dda8399_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\8e569bc871b8364669e122b63dda8399_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8e569bc871b8364669e122b63dda8399_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\8E569B~1.DLL,s C:\Users\Admin\AppData\Local\Temp\8E569B~1.EXE
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1204
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 444
  2⤵
  - Program crash
  PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2848 -ip 2848
1⤵
PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8E569B~1.DLL

Filesize
1.4MB

MD5
2cf7987d0665db4b8fb790726c33d7d2

SHA1
43102b064b044ee69116bf5af8cc7fae5e979210

SHA256
9eba4e582570236c5ebcb556fa8d4d6632891099c7cd51a181d2317bf2b31be8

SHA512
881482e4704f6465962b6ec001cceb50365a6294d263841ea5a262069741009e85fbe12bfb2776af872515df73dfb4203edeea07c032b55fc16ec93ed87c6a3b

Download Submit
memory/1204-23-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/1204-22-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/1204-26-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/1204-25-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/1204-24-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/1204-19-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/1204-21-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/1204-20-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/1204-11-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/2848-3-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2848-10-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2848-1-0x0000000000840000-0x000000000093D000-memory.dmp

Filesize
1012KB

Download
memory/2848-9-0x0000000000970000-0x0000000000A77000-memory.dmp

Filesize
1.0MB

Download
memory/2848-8-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2848-2-0x0000000000970000-0x0000000000A77000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing