danabot | 89f87a9e574260c5e2d89dd0d880fb873317d71c62c97b91b3f9c6797ecd49ae

General

Target

c1c88ea92eb85aebebaecc4400b17298_JaffaCakes118.dll
Size

1.6MB
MD5

c1c88ea92eb85aebebaecc4400b17298
SHA1

0abc7b546451c8d1616fb5656d7375dc8660a296
SHA256

89f87a9e574260c5e2d89dd0d880fb873317d71c62c97b91b3f9c6797ecd49ae
SHA512

87a6e7f7a761a09947e4b9cbafb08196c264e8e01b1e13050405d56678c9fac84f51f09141a10e0ddec430d8891579e56c3fd93bc40969209ab399cd115f6bdb
SSDEEP

24576:kpEQy1JpHqBJOuGHtDqlL7FgbpBGMb51A3Cf9X/QvrFgtQ:km7YB8uGNul9gbDGMbASf5YetQ

Score

10^/10

danabot 11 banker discovery trojan

Malware Config

Extracted

Family

danabot

Botnet

11

C2

34.125.56.40:443

35.237.192.132:443

138.68.78.110:443

Attributes

embedded_hash
37E0DF5EB8277A5EEFCF002901483F81
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 17 IoCs

resource	yara_rule
behavioral2/memory/4924-2-0x0000000010000000-0x0000000010206000-memory.dmp	DanabotLoader2021
behavioral2/memory/4924-3-0x0000000010000000-0x0000000010206000-memory.dmp	DanabotLoader2021
behavioral2/memory/4924-5-0x0000000010000000-0x0000000010206000-memory.dmp	DanabotLoader2021
behavioral2/memory/4924-6-0x0000000010000000-0x0000000010206000-memory.dmp	DanabotLoader2021
behavioral2/memory/4924-7-0x0000000010000000-0x0000000010206000-memory.dmp	DanabotLoader2021
behavioral2/memory/4924-8-0x0000000010000000-0x0000000010206000-memory.dmp	DanabotLoader2021
behavioral2/memory/4924-9-0x0000000010000000-0x0000000010206000-memory.dmp	DanabotLoader2021
behavioral2/memory/4924-10-0x0000000010000000-0x0000000010206000-memory.dmp	DanabotLoader2021
behavioral2/memory/4924-11-0x0000000010000000-0x0000000010206000-memory.dmp	DanabotLoader2021
behavioral2/memory/4924-12-0x0000000010000000-0x0000000010206000-memory.dmp	DanabotLoader2021
behavioral2/memory/4924-13-0x0000000010000000-0x0000000010206000-memory.dmp	DanabotLoader2021
behavioral2/memory/4924-14-0x0000000010000000-0x0000000010206000-memory.dmp	DanabotLoader2021
behavioral2/memory/4924-15-0x0000000010000000-0x0000000010206000-memory.dmp	DanabotLoader2021
behavioral2/memory/4924-16-0x0000000010000000-0x0000000010206000-memory.dmp	DanabotLoader2021
behavioral2/memory/4924-17-0x0000000010000000-0x0000000010206000-memory.dmp	DanabotLoader2021
behavioral2/memory/4924-18-0x0000000010000000-0x0000000010206000-memory.dmp	DanabotLoader2021
behavioral2/memory/4924-19-0x0000000010000000-0x0000000010206000-memory.dmp	DanabotLoader2021

Danabot family
danabot

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 4924	5044	regsvr32.exe	82
PID 5044 wrote to memory of 4924	5044	regsvr32.exe	82
PID 5044 wrote to memory of 4924	5044	regsvr32.exe	82

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c1c88ea92eb85aebebaecc4400b17298_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\c1c88ea92eb85aebebaecc4400b17298_JaffaCakes118.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4924-0-0x000000001008D000-0x000000001008F000-memory.dmp

Filesize
8KB

Download
memory/4924-1-0x0000000010000000-0x0000000010206000-memory.dmp

Filesize
2.0MB

Download
memory/4924-2-0x0000000010000000-0x0000000010206000-memory.dmp

Filesize
2.0MB

Download
memory/4924-3-0x0000000010000000-0x0000000010206000-memory.dmp

Filesize
2.0MB

Download
memory/4924-4-0x000000001008D000-0x000000001008F000-memory.dmp

Filesize
8KB

Download
memory/4924-5-0x0000000010000000-0x0000000010206000-memory.dmp

Filesize
2.0MB

Download
memory/4924-6-0x0000000010000000-0x0000000010206000-memory.dmp

Filesize
2.0MB

Download
memory/4924-7-0x0000000010000000-0x0000000010206000-memory.dmp

Filesize
2.0MB

Download
memory/4924-8-0x0000000010000000-0x0000000010206000-memory.dmp

Filesize
2.0MB

Download
memory/4924-9-0x0000000010000000-0x0000000010206000-memory.dmp

Filesize
2.0MB

Download
memory/4924-10-0x0000000010000000-0x0000000010206000-memory.dmp

Filesize
2.0MB

Download
memory/4924-11-0x0000000010000000-0x0000000010206000-memory.dmp

Filesize
2.0MB

Download
memory/4924-12-0x0000000010000000-0x0000000010206000-memory.dmp

Filesize
2.0MB

Download
memory/4924-13-0x0000000010000000-0x0000000010206000-memory.dmp

Filesize
2.0MB

Download
memory/4924-14-0x0000000010000000-0x0000000010206000-memory.dmp

Filesize
2.0MB

Download
memory/4924-15-0x0000000010000000-0x0000000010206000-memory.dmp

Filesize
2.0MB

Download
memory/4924-16-0x0000000010000000-0x0000000010206000-memory.dmp

Filesize
2.0MB

Download
memory/4924-17-0x0000000010000000-0x0000000010206000-memory.dmp

Filesize
2.0MB

Download
memory/4924-18-0x0000000010000000-0x0000000010206000-memory.dmp

Filesize
2.0MB

Download
memory/4924-19-0x0000000010000000-0x0000000010206000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing