Overview

overview

10

Static

static

3

df537c8d5d...18.exe

windows7-x64

10

df537c8d5d...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-09-2024 02:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    df537c8d5df1dc0946f58aec2a3cad5e_JaffaCakes118.exe

  • Size

    2.3MB

  • MD5

    df537c8d5df1dc0946f58aec2a3cad5e

  • SHA1

    fe1eb05c36a79bb69ba2426601fab0551b55cbaf

  • SHA256

    4577691a01dbfeeec04082337a20f19b9a330f03bb1332c1f2340dbaf3734c0d

  • SHA512

    3fd1159860aa3ab8a60a7cb5433b0b9ef97f9f13828630994023138829e044bb8f9771ee2f11a4dc02bf981a38b2570402b52cb832d408f407b68cc222ce0654

  • SSDEEP

    49152:lLLLibBVPtqB2hidjT7jBsry/m8kev18rriaLC6YkqzIyiAbSLRU2bh4xm:lLfiP4BnvBsry/D39ci8QzIyiACzGxm

Score
10/10
danabotbankerbotnetdiscoverytrojan

Malware Config

Extracted

Family

danabot

C2

89.44.9.132

64.188.23.70

179.43.133.35

45.147.231.218

89.45.4.126
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Danabot x86 payload 1 IoCs

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    botnet
  • Blocklisted process makes network request 8 IoCs
  • Loads dropped DLL 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\df537c8d5df1dc0946f58aec2a3cad5e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\df537c8d5df1dc0946f58aec2a3cad5e_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\DF537C~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\DF537C~1.EXE@2684
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\DF537C~1.DLL,f0
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2784

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DF537C~1.DLL
    Filesize

    2.0MB

    MD5

    07119b1790f56250fff9f87e81b96fc2

    SHA1

    400e345b7566f4d7b8c5bd460b271864a934172d

    SHA256

    fd9fd627f781017c2e5b375a3ac6b7f3f6e2c081d0ea093f281043d83ef04f09

    SHA512

    26f852057938563c10c2289706b582c86622055041b47aae29a395947a1a457649b719630ec3c995d5edf4fd9a2c581ce4a52698fa3f7e1b9ce27b8728c87dfd

    Download Submit

  • memory/2480-8-0x0000000002590000-0x00000000027A6000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2684-11-0x0000000006CE0000-0x0000000006F16000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/2684-3-0x0000000000400000-0x0000000000641000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2684-2-0x0000000006CE0000-0x0000000006F16000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/2684-1-0x0000000006AB0000-0x0000000006CD1000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2684-0-0x0000000006AB0000-0x0000000006CD1000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2684-10-0x0000000006AB0000-0x0000000006CD1000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2684-9-0x0000000000400000-0x0000000000641000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2684-5-0x0000000000400000-0x0000000004FC4000-memory.dmp

    Filesize

    75.8MB

    Download

  • memory/2784-16-0x00000000020C0000-0x00000000022D6000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2784-17-0x00000000020C0000-0x00000000022D6000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2784-19-0x00000000020C0000-0x00000000022D6000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2784-21-0x00000000020C0000-0x00000000022D6000-memory.dmp

    Filesize

    2.1MB

    Download