Overview

overview

10

Static

static

3

f0345563ec...18.exe

windows7-x64

10

f0345563ec...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-09-2024 16:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f0345563ece05e441e96aa1cbfeb4edd_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    f0345563ece05e441e96aa1cbfeb4edd

  • SHA1

    ab4aa38faaae74314ae8b54ab28b77d7d75c1522

  • SHA256

    b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0

  • SHA512

    5ef94563596e49d74b8e6c908971296b8b871ac576274d98e7af80b8c0d440e9de218c258330dadb9a6a7c0cd889c9c01479d4dea1dd410911e4eeedc6cc684e

  • SSDEEP

    24576:8mbCS2RwYk7DfBFjcG7hZiSR7kb0n+iIUWu+NCyMwnEq89t2Rca:8mbC5wpcG7h500VWu+NHVnr89J

Score
10/10
danabotbankerbotnetdiscoverytrojan

Malware Config

Extracted

Family

danabot

C2

45.74.187.0

146.1.214.150

158.228.122.53

202.136.199.125

149.28.180.182

4.79.227.177

44.151.109.26

178.209.51.211

167.196.69.157

149.143.183.11
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Danabot x86 payload 1 IoCs

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    botnet
  • Blocklisted process makes network request 8 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f0345563ece05e441e96aa1cbfeb4edd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f0345563ece05e441e96aa1cbfeb4edd_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3528
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\F03455~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\F03455~1.EXE@3528
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\F03455~1.DLL,f0
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:3504

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\F03455~1.DLL
    Filesize

    1.1MB

    MD5

    912ae7819075827b6301cc93c9bc9c70

    SHA1

    baa650f63b51213dc9facebc8b0bccb87ba2df90

    SHA256

    be9ed9c0db43a369c641d80b674009c9c42c8b8bb3700be51f5a531d64454826

    SHA512

    3ad9287f6543afb0c033984037f11482f48ab93725413796a1a67738503a80864bb0ed73865f90901538d8e0f7733f1201c68d3e4a9468bebd9abb064cbff599

    Download Submit

  • memory/3504-6-0x0000000002940000-0x0000000002A5E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3504-7-0x0000000002940000-0x0000000002A5E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3504-9-0x0000000002940000-0x0000000002A5E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3528-1-0x0000000000400000-0x0000000000547000-memory.dmp

    Filesize

    1.3MB

    Download