danabot | 8ce823c7a2bd5e21c559c4bba91655079595b18ff77d52e105183d827d342637

General

Target

03428e1d5eab2e60eb8465545db5a48e_JaffaCakes118.exe
Size

1.1MB
MD5

03428e1d5eab2e60eb8465545db5a48e
SHA1

6cc1a12e799e4e7251b3fa9e052dfc3ae954be43
SHA256

8ce823c7a2bd5e21c559c4bba91655079595b18ff77d52e105183d827d342637
SHA512

98441072dc02cfa8806d3ed56fb6a44a72fe8f841d4e558cc90a61456dc6a3bcc8151ab6a6a09f71e9ed7c65e0ee841eefc633bec6749e8210dd2b8228cc1b27
SSDEEP

24576:XCZmQFcWF4mumJedQJoih8UX6bYDhs1tHFCvFGZOHT09+gGIOTn3hVnkVa4Hi:fQFcatduiSGhs1tHFCvcZeTcgTRVn6i

Score

10^/10

danabot 4 banker discovery trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.192.232:443

192.119.110.73:443

142.11.242.31:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 11 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001225c-8.dat	DanabotLoader2021
behavioral1/memory/2880-15-0x0000000001FA0000-0x0000000002104000-memory.dmp	DanabotLoader2021
behavioral1/memory/2880-16-0x0000000001FA0000-0x0000000002104000-memory.dmp	DanabotLoader2021
behavioral1/memory/2880-24-0x0000000001FA0000-0x0000000002104000-memory.dmp	DanabotLoader2021
behavioral1/memory/2880-25-0x0000000001FA0000-0x0000000002104000-memory.dmp	DanabotLoader2021
behavioral1/memory/2880-26-0x0000000001FA0000-0x0000000002104000-memory.dmp	DanabotLoader2021
behavioral1/memory/2880-27-0x0000000001FA0000-0x0000000002104000-memory.dmp	DanabotLoader2021
behavioral1/memory/2880-28-0x0000000001FA0000-0x0000000002104000-memory.dmp	DanabotLoader2021
behavioral1/memory/2880-29-0x0000000001FA0000-0x0000000002104000-memory.dmp	DanabotLoader2021
behavioral1/memory/2880-30-0x0000000001FA0000-0x0000000002104000-memory.dmp	DanabotLoader2021
behavioral1/memory/2880-31-0x0000000001FA0000-0x0000000002104000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2880	rundll32.exe

Loads dropped DLL 4 IoCs

pid	Process
2880	rundll32.exe
2880	rundll32.exe
2880	rundll32.exe
2880	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03428e1d5eab2e60eb8465545db5a48e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2880	1860	03428e1d5eab2e60eb8465545db5a48e_JaffaCakes118.exe	28
PID 1860 wrote to memory of 2880	1860	03428e1d5eab2e60eb8465545db5a48e_JaffaCakes118.exe	28
PID 1860 wrote to memory of 2880	1860	03428e1d5eab2e60eb8465545db5a48e_JaffaCakes118.exe	28
PID 1860 wrote to memory of 2880	1860	03428e1d5eab2e60eb8465545db5a48e_JaffaCakes118.exe	28
PID 1860 wrote to memory of 2880	1860	03428e1d5eab2e60eb8465545db5a48e_JaffaCakes118.exe	28
PID 1860 wrote to memory of 2880	1860	03428e1d5eab2e60eb8465545db5a48e_JaffaCakes118.exe	28
PID 1860 wrote to memory of 2880	1860	03428e1d5eab2e60eb8465545db5a48e_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\03428e1d5eab2e60eb8465545db5a48e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03428e1d5eab2e60eb8465545db5a48e_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\03428E~1.DLL,s C:\Users\Admin\AppData\Local\Temp\03428E~1.EXE
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\03428E~1.DLL

Filesize
1.3MB

MD5
0eac2c9a3b5b6b2cba2c5c53d46dac01

SHA1
aeb57cd2b6ca5237c7e997d6381b518959304aaa

SHA256
3ab0d641394f5d91c04d02703d4956ec22ab7d8c423c0c5cc66d917d5eb64d27

SHA512
dca2f0aad58215fc78b6c9c6a8ad1566103b4055e34396699a42f24282a44164a25f9257026408f60453604da8541245e4feae184c689efd7e983b79a44017ca

Download Submit
memory/1860-6-0x0000000000400000-0x000000000094D000-memory.dmp

Filesize
5.3MB

Download
memory/1860-3-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/1860-7-0x0000000000B80000-0x0000000000C87000-memory.dmp

Filesize
1.0MB

Download
memory/1860-2-0x0000000000B80000-0x0000000000C87000-memory.dmp

Filesize
1.0MB

Download
memory/1860-10-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/1860-9-0x0000000000950000-0x0000000000A40000-memory.dmp

Filesize
960KB

Download
memory/1860-1-0x0000000000950000-0x0000000000A40000-memory.dmp

Filesize
960KB

Download
memory/1860-0-0x0000000000950000-0x0000000000A40000-memory.dmp

Filesize
960KB

Download
memory/2880-31-0x0000000001FA0000-0x0000000002104000-memory.dmp

Filesize
1.4MB

Download
memory/2880-24-0x0000000001FA0000-0x0000000002104000-memory.dmp

Filesize
1.4MB

Download
memory/2880-16-0x0000000001FA0000-0x0000000002104000-memory.dmp

Filesize
1.4MB

Download
memory/2880-25-0x0000000001FA0000-0x0000000002104000-memory.dmp

Filesize
1.4MB

Download
memory/2880-26-0x0000000001FA0000-0x0000000002104000-memory.dmp

Filesize
1.4MB

Download
memory/2880-27-0x0000000001FA0000-0x0000000002104000-memory.dmp

Filesize
1.4MB

Download
memory/2880-28-0x0000000001FA0000-0x0000000002104000-memory.dmp

Filesize
1.4MB

Download
memory/2880-29-0x0000000001FA0000-0x0000000002104000-memory.dmp

Filesize
1.4MB

Download
memory/2880-30-0x0000000001FA0000-0x0000000002104000-memory.dmp

Filesize
1.4MB

Download
memory/2880-15-0x0000000001FA0000-0x0000000002104000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing