danabot | b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0

General

Target

f0345563ece05e441e96aa1cbfeb4edd_JaffaCakes118.exe
Size

1.2MB
MD5

f0345563ece05e441e96aa1cbfeb4edd
SHA1

ab4aa38faaae74314ae8b54ab28b77d7d75c1522
SHA256

b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0
SHA512

5ef94563596e49d74b8e6c908971296b8b871ac576274d98e7af80b8c0d440e9de218c258330dadb9a6a7c0cd889c9c01479d4dea1dd410911e4eeedc6cc684e
SSDEEP

24576:8mbCS2RwYk7DfBFjcG7hZiSR7kb0n+iIUWu+NCyMwnEq89t2Rca:8mbC5wpcG7h500VWu+NHVnr89J

Score

10^/10

danabot banker botnet discovery trojan

Malware Config

Extracted

Family

danabot

C2

45.74.187.0

146.1.214.150

158.228.122.53

202.136.199.125

149.28.180.182

4.79.227.177

44.151.109.26

178.209.51.211

167.196.69.157

149.143.183.11

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 1 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
behavioral1/files/0x000a000000012255-2.dat	family_danabot

Blocklisted process makes network request 8 IoCs

Processes:

rundll32.exe

flow	pid	Process
2	2772	rundll32.exe
5	2772	rundll32.exe
6	2772	rundll32.exe
9	2772	rundll32.exe
12	2772	rundll32.exe
13	2772	rundll32.exe
16	2772	rundll32.exe
17	2772	rundll32.exe

Deletes itself 1 IoCs

Processes:

regsvr32.exe

pid	Process
2612	regsvr32.exe

Loads dropped DLL 5 IoCs

Processes:

regsvr32.exerundll32.exe

pid	Process
2612	regsvr32.exe
2772	rundll32.exe
2772	rundll32.exe
2772	rundll32.exe
2772	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f0345563ece05e441e96aa1cbfeb4edd_JaffaCakes118.exeregsvr32.exerundll32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0345563ece05e441e96aa1cbfeb4edd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

f0345563ece05e441e96aa1cbfeb4edd_JaffaCakes118.exeregsvr32.exe

description	pid	Process	procid_target
PID 2200 wrote to memory of 2612	2200	f0345563ece05e441e96aa1cbfeb4edd_JaffaCakes118.exe	31
PID 2200 wrote to memory of 2612	2200	f0345563ece05e441e96aa1cbfeb4edd_JaffaCakes118.exe	31
PID 2200 wrote to memory of 2612	2200	f0345563ece05e441e96aa1cbfeb4edd_JaffaCakes118.exe	31
PID 2200 wrote to memory of 2612	2200	f0345563ece05e441e96aa1cbfeb4edd_JaffaCakes118.exe	31
PID 2200 wrote to memory of 2612	2200	f0345563ece05e441e96aa1cbfeb4edd_JaffaCakes118.exe	31
PID 2200 wrote to memory of 2612	2200	f0345563ece05e441e96aa1cbfeb4edd_JaffaCakes118.exe	31
PID 2200 wrote to memory of 2612	2200	f0345563ece05e441e96aa1cbfeb4edd_JaffaCakes118.exe	31
PID 2612 wrote to memory of 2772	2612	regsvr32.exe	32
PID 2612 wrote to memory of 2772	2612	regsvr32.exe	32
PID 2612 wrote to memory of 2772	2612	regsvr32.exe	32
PID 2612 wrote to memory of 2772	2612	regsvr32.exe	32
PID 2612 wrote to memory of 2772	2612	regsvr32.exe	32
PID 2612 wrote to memory of 2772	2612	regsvr32.exe	32
PID 2612 wrote to memory of 2772	2612	regsvr32.exe	32

C:\Users\Admin\AppData\Local\Temp\f0345563ece05e441e96aa1cbfeb4edd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f0345563ece05e441e96aa1cbfeb4edd_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\F03455~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\F03455~1.EXE@2200
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\F03455~1.DLL,f0
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F03455~1.DLL

Filesize
1.1MB

MD5
9fd43173283b7fb278eb565915ddcfe8

SHA1
6aa1881715b883d4c5e60d9d4e29791d5f40805a

SHA256
cad457a0297f6895527dc7a60273005f06b9d10f0a35c807c5d33b5f0cc8d746

SHA512
469466bba29496f84be2cb1e96bd25313077649ca9872cfde629d4e2c81f35433d25e78637d05e30a35cf40e826c1ea37d958bd9c2781cb2dc8842716d09d96a

Download Submit
memory/2200-1-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2612-4-0x00000000021A0000-0x00000000022BE000-memory.dmp

Filesize
1.1MB

Download
memory/2772-9-0x0000000001E60000-0x0000000001F7E000-memory.dmp

Filesize
1.1MB

Download
memory/2772-10-0x0000000001E60000-0x0000000001F7E000-memory.dmp

Filesize
1.1MB

Download
memory/2772-12-0x0000000001E60000-0x0000000001F7E000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads