danabot | a0c89e916208296d51e6dfb7f956ea1749b555e2adb6d1593f141a4debfbc68b

Analysis

max time kernel
126s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d54a6522937b56fa77add452dbd27dea_JaffaCakes118.dll
Size

2.5MB
MD5

d54a6522937b56fa77add452dbd27dea
SHA1

e9d9278460e89193ba64ea27acd07d19a90161e0
SHA256

a0c89e916208296d51e6dfb7f956ea1749b555e2adb6d1593f141a4debfbc68b
SHA512

aa2303becf1e666d25cac7ef853b6de0f20ca8d390d2006e64a127430640f2803571201b755d476432a4bbe6a61f99e65c7c9bf77f6cab0edb094f85afd67cfc
SSDEEP

24576:Op79nhhd+3NDOtbWuXGHL3CWJ9NSFNX7oskG3aJZ20dIvy0tJT6k:ON9Xd+FoI3lLyNsskJJZK11

Score

10^/10

danabot banker discovery spyware stealer trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 5 IoCs

flow	pid	Process
3	2320	rundll32.exe
14	2320	rundll32.exe
16	2320	rundll32.exe
26	2320	rundll32.exe
28	2320	rundll32.exe

Executes dropped EXE 2 IoCs

pid	Process
2512	100361788.t.exe
1812	100361788.t.tmp

Loads dropped DLL 5 IoCs

pid	Process
2892	regsvr32.exe
2320	rundll32.exe
2512	100361788.t.exe
1812	100361788.t.tmp
1812	100361788.t.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DISK\ENUM	regsvr32.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	100361788.t.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	100361788.t.tmp

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2320	rundll32.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2320	2060	rundll32.exe	31
PID 2060 wrote to memory of 2320	2060	rundll32.exe	31
PID 2060 wrote to memory of 2320	2060	rundll32.exe	31
PID 2060 wrote to memory of 2320	2060	rundll32.exe	31
PID 2060 wrote to memory of 2320	2060	rundll32.exe	31
PID 2060 wrote to memory of 2320	2060	rundll32.exe	31
PID 2060 wrote to memory of 2320	2060	rundll32.exe	31
PID 2320 wrote to memory of 2892	2320	rundll32.exe	32
PID 2320 wrote to memory of 2892	2320	rundll32.exe	32
PID 2320 wrote to memory of 2892	2320	rundll32.exe	32
PID 2320 wrote to memory of 2892	2320	rundll32.exe	32
PID 2320 wrote to memory of 2892	2320	rundll32.exe	32
PID 2320 wrote to memory of 2892	2320	rundll32.exe	32
PID 2320 wrote to memory of 2892	2320	rundll32.exe	32
PID 2320 wrote to memory of 2512	2320	rundll32.exe	33
PID 2320 wrote to memory of 2512	2320	rundll32.exe	33
PID 2320 wrote to memory of 2512	2320	rundll32.exe	33
PID 2320 wrote to memory of 2512	2320	rundll32.exe	33
PID 2320 wrote to memory of 2512	2320	rundll32.exe	33
PID 2320 wrote to memory of 2512	2320	rundll32.exe	33
PID 2320 wrote to memory of 2512	2320	rundll32.exe	33
PID 2512 wrote to memory of 1812	2512	100361788.t.exe	34
PID 2512 wrote to memory of 1812	2512	100361788.t.exe	34
PID 2512 wrote to memory of 1812	2512	100361788.t.exe	34
PID 2512 wrote to memory of 1812	2512	100361788.t.exe	34
PID 2512 wrote to memory of 1812	2512	100361788.t.exe	34
PID 2512 wrote to memory of 1812	2512	100361788.t.exe	34
PID 2512 wrote to memory of 1812	2512	100361788.t.exe	34

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d54a6522937b56fa77add452dbd27dea_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d54a6522937b56fa77add452dbd27dea_JaffaCakes118.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\SysWOW64\regsvr32.exe" /s /n /i:"/in" "C:\ProgramData\59bbad6b\560cbd78.dll" /S:NOTTZ1_lgA5rkd1zAbd0Ch_SgPdwrNphlxfXmfj2DSF7nhD58VzO_6kYSOVAkkaE1DLMkb6KDsZ0EMqTfxOFrROzSa1Z0lg29Cztq4x72ftli97LripUVLU38iSs0w8T4IaIf1dsqxaPFWu4XeCXWK_AcEKrmQC9gcs1b5L9MoeK8LNP_z_ScBAnDYHUyMJx_SALghmDdHyJcr4oX-8dws1obGwjBmFYiUTN7kzT2LG_4CvG2ZrR6jXWNCvx73GZOrdzB4ok_amOsNGysuf1bWD3sS7JEYJQ0TVlznjVvwGiabuARaPc8Xy2rE5v67zbulO1ctrgERVhBu4kMPChAVUl8rsNmqaEzFrCvpT-TDN_GEB3VwA-RyZ6hIQ_hfIatcPXpvL-wK60XkWvFv_os7WXrLfbfLagvPpxAaC4soT5QYgSLftyyF8t3zYRHFFZ5Vxn4Dh-wd4e60cOWwCwWkFrpI3Duwlr-GokJsL_u-EOH6bzVNCA_VAFdNgLlaqSdRXgJPLb4Y6HdGGbCDTvZCjKM8jBdi6L_G1hrMF4-Sv2_qJcMKmeMTaBWtqrjw23Le2n6d3TPliEn1aGo0UZWxTaA0UImiuaDWdJfll2hAn1CmxscXKV9wyOurfUhjIeTOmL
    3⤵
    - Loads dropped DLL
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    PID:2892
- - C:\Users\Admin\AppData\Local\Temp\100361788.t.exe
    "C:\Users\Admin\AppData\Local\Temp\100361788.t.exe" /VERYSILENT /SUPPRESSMSGBOXES /SP- 婍
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Users\Admin\AppData\Local\Temp\is-944U0.tmp\100361788.t.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-944U0.tmp\100361788.t.tmp" /SL5="$50174,638163,56832,C:\Users\Admin\AppData\Local\Temp\100361788.t.exe" /VERYSILENT /SUPPRESSMSGBOXES /SP- ?
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\59bbad6b\560cbd78.dll

Filesize
643KB

MD5
f259784f275821d0c0f375cfd74af4c3

SHA1
8bcdf3d37da1852edffc3640620cc34ed2f155e8

SHA256
351fe3b5b19bff27037a1c3ad29386774b6b1ddd8fff7eda4babbe22fe06b9e3

SHA512
6452f994d37bf0d9755dbe872923e5d61def84f9200e0b52a18299b4d088d35d6ca9709ee244f22777425b3f5269300f59d990605c38a8f93f3d9039a5d8b324

Download Submit
\Users\Admin\AppData\Local\Temp\100361788.t.exe

Filesize
874KB

MD5
5c9deb1ee4eb2b9c1cd7cd3305822e68

SHA1
aa6413589de49fc45e751be70e325e2962fd9ccf

SHA256
41a4da106ac45473e81197cd46af7dce2545b82d01b40dabf4b013e076914ed1

SHA512
c5d5fabe7ffec59a896e7af54bd5801650008b9d0e93cdd2bec59ba54e5bf494ce19071d4e2e9e42bf7a6fccb6d54ea6301aab81e5b146ac951883ea9db2fdf7

Download Submit
\Users\Admin\AppData\Local\Temp\is-5OT56.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-944U0.tmp\100361788.t.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
memory/1812-29-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2320-0-0x0000000074D00000-0x0000000074F8A000-memory.dmp

Filesize
2.5MB

Download
memory/2320-32-0x0000000074D00000-0x0000000074F8A000-memory.dmp

Filesize
2.5MB

Download
memory/2512-13-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2512-10-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2512-31-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2892-4-0x00000000747F0000-0x0000000074896000-memory.dmp

Filesize
664KB

Download