danabot | 55afea44e72acc36665531748a70a7b18cac5c9dfe49e1dda387cad2117b0486

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2024 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30130621d1a675461436f5dca3e5625f_JaffaCakes118.exe
Size

1.1MB
MD5

30130621d1a675461436f5dca3e5625f
SHA1

95176e0ca9165e981b972bf90a16e6dfa8a5c079
SHA256

55afea44e72acc36665531748a70a7b18cac5c9dfe49e1dda387cad2117b0486
SHA512

247af244724f32c4ddbe7c6a4e61fe0a7b5f30cee1777cae1f6e1ebbb0089b56dcf89366af7401b883857fbdcb4f135b02cdb7aeae6458a2e49c7aee609673c5
SSDEEP

24576:nxNyvJt4aKJXfqAIi7gPKjkhpLzBJA5O+qNBY:XcJt4aevqAINPKjA3CO5vY

Score

10^/10

danabot 4 banker discovery trojan

Malware Config

Extracted

Family

danabot

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 1 IoCs

flow	pid	Process
26	3096	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
3096	rundll32.exe
3096	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1788	2776	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30130621d1a675461436f5dca3e5625f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 3096	2776	30130621d1a675461436f5dca3e5625f_JaffaCakes118.exe	86
PID 2776 wrote to memory of 3096	2776	30130621d1a675461436f5dca3e5625f_JaffaCakes118.exe	86
PID 2776 wrote to memory of 3096	2776	30130621d1a675461436f5dca3e5625f_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\30130621d1a675461436f5dca3e5625f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\30130621d1a675461436f5dca3e5625f_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\301306~1.TMP,S C:\Users\Admin\AppData\Local\Temp\301306~1.EXE
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 528
  2⤵
  - Program crash
  PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2776 -ip 2776
1⤵
PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\301306~1.TMP

Filesize
1.3MB

MD5
c34e64d64f186fcf1b8700558ea00f83

SHA1
4ad50888687801f4c8e88d876c0fb055b2db6f84

SHA256
75a5ee6f16cb6870422c641a9b3be48d62391d493e3ca90f2670d26f645599e7

SHA512
57e3e8ad93f1fc3c582b67c3c057c006bf5ecb2a5e2a9cb66d1934249d755aedcec53130f3011fdeb3d3a6390bb46bb0adbbab07bc7947c834ec658a99663216

Download Submit
memory/2776-10-0x0000000000400000-0x0000000002D49000-memory.dmp

Filesize
41.3MB

Download
memory/2776-2-0x0000000004B80000-0x0000000004C80000-memory.dmp

Filesize
1024KB

Download
memory/2776-3-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2776-1-0x0000000004A30000-0x0000000004B25000-memory.dmp

Filesize
980KB

Download
memory/2776-12-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2776-11-0x0000000004B80000-0x0000000004C80000-memory.dmp

Filesize
1024KB

Download
memory/3096-13-0x0000000002380000-0x00000000024DF000-memory.dmp

Filesize
1.4MB

Download
memory/3096-9-0x0000000002380000-0x00000000024DF000-memory.dmp

Filesize
1.4MB

Download
memory/3096-21-0x0000000002380000-0x00000000024DF000-memory.dmp

Filesize
1.4MB

Download
memory/3096-22-0x0000000002380000-0x00000000024DF000-memory.dmp

Filesize
1.4MB

Download
memory/3096-23-0x0000000002380000-0x00000000024DF000-memory.dmp

Filesize
1.4MB

Download
memory/3096-24-0x0000000002380000-0x00000000024DF000-memory.dmp

Filesize
1.4MB

Download
memory/3096-25-0x0000000002380000-0x00000000024DF000-memory.dmp

Filesize
1.4MB

Download
memory/3096-26-0x0000000002380000-0x00000000024DF000-memory.dmp

Filesize
1.4MB

Download
memory/3096-27-0x0000000002380000-0x00000000024DF000-memory.dmp

Filesize
1.4MB

Download
memory/3096-28-0x0000000002380000-0x00000000024DF000-memory.dmp

Filesize
1.4MB

Download