danabot | a0c89e916208296d51e6dfb7f956ea1749b555e2adb6d1593f141a4debfbc68b

General

Target

d54a6522937b56fa77add452dbd27dea_JaffaCakes118.dll
Size

2.5MB
MD5

d54a6522937b56fa77add452dbd27dea
SHA1

e9d9278460e89193ba64ea27acd07d19a90161e0
SHA256

a0c89e916208296d51e6dfb7f956ea1749b555e2adb6d1593f141a4debfbc68b
SHA512

aa2303becf1e666d25cac7ef853b6de0f20ca8d390d2006e64a127430640f2803571201b755d476432a4bbe6a61f99e65c7c9bf77f6cab0edb094f85afd67cfc
SSDEEP

24576:Op79nhhd+3NDOtbWuXGHL3CWJ9NSFNX7oskG3aJZ20dIvy0tJT6k:ON9Xd+FoI3lLyNsskJJZK11

Score

10^/10

danabot banker discovery spyware stealer trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 9 IoCs

flow	pid	Process
16	4984	rundll32.exe
34	4984	rundll32.exe
37	4984	rundll32.exe
40	4984	rundll32.exe
53	4984	rundll32.exe
63	4984	rundll32.exe
64	4984	rundll32.exe
67	4984	rundll32.exe
71	4984	rundll32.exe

Executes dropped EXE 2 IoCs

pid	Process
3100	1417831.t.exe
4252	1417831.t.tmp

Loads dropped DLL 1 IoCs

pid	Process
4936	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DISK\ENUM	regsvr32.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1417831.t.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1417831.t.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4984	rundll32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 4984	3016	rundll32.exe	85
PID 3016 wrote to memory of 4984	3016	rundll32.exe	85
PID 3016 wrote to memory of 4984	3016	rundll32.exe	85
PID 4984 wrote to memory of 4936	4984	rundll32.exe	97
PID 4984 wrote to memory of 4936	4984	rundll32.exe	97
PID 4984 wrote to memory of 4936	4984	rundll32.exe	97
PID 4984 wrote to memory of 3100	4984	rundll32.exe	98
PID 4984 wrote to memory of 3100	4984	rundll32.exe	98
PID 4984 wrote to memory of 3100	4984	rundll32.exe	98
PID 3100 wrote to memory of 4252	3100	1417831.t.exe	99
PID 3100 wrote to memory of 4252	3100	1417831.t.exe	99
PID 3100 wrote to memory of 4252	3100	1417831.t.exe	99

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d54a6522937b56fa77add452dbd27dea_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d54a6522937b56fa77add452dbd27dea_JaffaCakes118.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\SysWOW64\regsvr32.exe" /s /n /i:"/in" "C:\ProgramData\2a2e9aa0\5c1364ce.dll" /S:NOTTZ1_lgA5rkd1zAbd0Ch_SgPdwrNphlxfXmfj2DSF7nhD58VzO_6kYSOVAkkaE1DLMkb6KDsZ0EMqTfxOFrROzSa1Z0lg29Cztq4x72ftli97LripUVLU38iSs0w8T4IaIf1dsqxaPFWu4XeCXWK_AcEKrmQC9gcs1b5L9MoeK8LNP_z_ScBAnDYHUyMJx_SALghmDdHyJcr4oX-8dws1obGwjBmFYiUTN7kzT2LG_4CvG2ZrR6jXWNCvx73GZOrdzB4ok_amOsNGysuf1bWD3sS7JEYJQ0TVlznjVvwGiabuARaPc8Xy2rE5v67zbulO1ctrgERVhBu4kMPChAVUl8rsNmqaEzFrCvpT-TDN_GEB3VwA-RyZ6hIQ_hfIatcPXpvL-wK60XkWvFv_os7WXrLfbfLagvPpxAaC4soT5QYgSLftyyF8t3zYRHFFZ5Vxn4Dh-wd4e60cOWwCwWkFrpI3Duwlr-GokJsL_u-EOH6bzVNCA_VAFdNgLlaqSdRXgJPLb4Y6HdGGbCDTvZCjKM8jBdi6L_G1hrMF4-Sv2_qJcMKmeMTaBWtqrjw23Le2n6d3TPliEn1aGo0UZWxTaA0UImiuaDWdJfll2hAn1CmxscXKV9wyOurfUhjIeTOmL
    3⤵
    - Loads dropped DLL
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    PID:4936
- - C:\Users\Admin\AppData\Local\Temp\1417831.t.exe
    "C:\Users\Admin\AppData\Local\Temp\1417831.t.exe" /VERYSILENT /SUPPRESSMSGBOXES /SP- 婍
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3100
  - - C:\Users\Admin\AppData\Local\Temp\is-U6LIC.tmp\1417831.t.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-U6LIC.tmp\1417831.t.tmp" /SL5="$F0034,638163,56832,C:\Users\Admin\AppData\Local\Temp\1417831.t.exe" /VERYSILENT /SUPPRESSMSGBOXES /SP- ?
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\2a2e9aa0\5c1364ce.dll

Filesize
643KB

MD5
f259784f275821d0c0f375cfd74af4c3

SHA1
8bcdf3d37da1852edffc3640620cc34ed2f155e8

SHA256
351fe3b5b19bff27037a1c3ad29386774b6b1ddd8fff7eda4babbe22fe06b9e3

SHA512
6452f994d37bf0d9755dbe872923e5d61def84f9200e0b52a18299b4d088d35d6ca9709ee244f22777425b3f5269300f59d990605c38a8f93f3d9039a5d8b324

Download Submit
C:\Users\Admin\AppData\Local\Temp\1417831.t.exe

Filesize
874KB

MD5
5c9deb1ee4eb2b9c1cd7cd3305822e68

SHA1
aa6413589de49fc45e751be70e325e2962fd9ccf

SHA256
41a4da106ac45473e81197cd46af7dce2545b82d01b40dabf4b013e076914ed1

SHA512
c5d5fabe7ffec59a896e7af54bd5801650008b9d0e93cdd2bec59ba54e5bf494ce19071d4e2e9e42bf7a6fccb6d54ea6301aab81e5b146ac951883ea9db2fdf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U6LIC.tmp\1417831.t.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
memory/3100-11-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3100-9-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3100-25-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4252-24-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4936-4-0x0000000073EB0000-0x0000000073F56000-memory.dmp

Filesize
664KB

Download
memory/4984-0-0x0000000074860000-0x0000000074AEA000-memory.dmp

Filesize
2.5MB

Download
memory/4984-26-0x0000000074860000-0x0000000074AEA000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing