danabot | 2e8691f7ff5bad0085f774087ebac60d90d17b2bf50324e9311f1a3d6ed0dcb6

General

Target

JaffaCakes118_2e8691f7ff5bad0085f774087ebac60d90d17b2bf50324e9311f1a3d6ed0dcb6.exe
Size

1.9MB
MD5

62347da244f5978d9583288fc583f70d
SHA1

7b7f348debfd450f2c0f886bd97ade665b932441
SHA256

2e8691f7ff5bad0085f774087ebac60d90d17b2bf50324e9311f1a3d6ed0dcb6
SHA512

db05ac3a3b08ddf25d6d0bc9b28e97d829a6251253c3a430d82d97a12255549bccaf6c1602d4729afc53dbe01cd982ba20216931511740e32d489434adcd0e10
SSDEEP

49152:RUZA7Y3nP7boLvLjHLnUARB+bULaGGqh4BUywgNp8ScpJT:R6tP7wjDLbwB5qh4Fwgb8S0h

Score

10^/10

danabot banker discovery trojan

Malware Config

Extracted

Family

danabot

C2

103.144.139.228:443

213.227.154.98:443

66.85.147.23:443

153.92.223.225:443

Attributes

embedded_hash
A64A3A6ED13022027B84C77D31BE0C74
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Danabot family
danabot

Blocklisted process makes network request 11 IoCs

flow	pid	Process
13	2372	rundll32.exe
14	2372	rundll32.exe
18	2372	rundll32.exe
35	2372	rundll32.exe
37	2372	rundll32.exe
40	2372	rundll32.exe
41	2372	rundll32.exe
48	2372	rundll32.exe
49	2372	rundll32.exe
50	2372	rundll32.exe
51	2372	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
2372	rundll32.exe
2372	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3848	4164	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2e8691f7ff5bad0085f774087ebac60d90d17b2bf50324e9311f1a3d6ed0dcb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 2372	4164	JaffaCakes118_2e8691f7ff5bad0085f774087ebac60d90d17b2bf50324e9311f1a3d6ed0dcb6.exe	82
PID 4164 wrote to memory of 2372	4164	JaffaCakes118_2e8691f7ff5bad0085f774087ebac60d90d17b2bf50324e9311f1a3d6ed0dcb6.exe	82
PID 4164 wrote to memory of 2372	4164	JaffaCakes118_2e8691f7ff5bad0085f774087ebac60d90d17b2bf50324e9311f1a3d6ed0dcb6.exe	82

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2e8691f7ff5bad0085f774087ebac60d90d17b2bf50324e9311f1a3d6ed0dcb6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2e8691f7ff5bad0085f774087ebac60d90d17b2bf50324e9311f1a3d6ed0dcb6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Etfrehti.dll,start C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2372
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 508
  2⤵
  - Program crash
  PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4164 -ip 4164
1⤵
PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Etfrehti.dll

Filesize
2.5MB

MD5
d7a66ca4622307cefbaf2d548edf21c1

SHA1
d6e7396cf81fddc86bd9a6adb17dbec09fbd532d

SHA256
c692330b06a1c232eafe7e68f867c6f339ca9545834010b0997e19f936ad0b5d

SHA512
4d9e5fa064ea98af43d5fef363a69a593fdd0ae5f4b79db0794bd5b12e9ffd0c52bb53b7c7b08141f4a33ea7b786f2164504af3295ee9466477270e69b87f41c

Download Submit
memory/2372-15-0x000000000211B000-0x000000000211F000-memory.dmp

Filesize
16KB

Download
memory/2372-22-0x0000000001ED0000-0x0000000002164000-memory.dmp

Filesize
2.6MB

Download
memory/2372-14-0x0000000001ED0000-0x0000000002164000-memory.dmp

Filesize
2.6MB

Download
memory/2372-17-0x0000000001ED0000-0x0000000002164000-memory.dmp

Filesize
2.6MB

Download
memory/2372-16-0x0000000001ED0000-0x0000000002164000-memory.dmp

Filesize
2.6MB

Download
memory/2372-28-0x0000000001ED0000-0x0000000002164000-memory.dmp

Filesize
2.6MB

Download
memory/2372-27-0x0000000001ED0000-0x0000000002164000-memory.dmp

Filesize
2.6MB

Download
memory/2372-13-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/2372-25-0x0000000001ED0000-0x0000000002164000-memory.dmp

Filesize
2.6MB

Download
memory/2372-24-0x0000000001ED0000-0x0000000002164000-memory.dmp

Filesize
2.6MB

Download
memory/2372-21-0x0000000001ED0000-0x0000000002164000-memory.dmp

Filesize
2.6MB

Download
memory/2372-9-0x000000000211B000-0x000000000211F000-memory.dmp

Filesize
16KB

Download
memory/2372-8-0x0000000001ED0000-0x0000000002164000-memory.dmp

Filesize
2.6MB

Download
memory/2372-19-0x0000000001ED0000-0x0000000002164000-memory.dmp

Filesize
2.6MB

Download
memory/2372-20-0x0000000001ED0000-0x0000000002164000-memory.dmp

Filesize
2.6MB

Download
memory/4164-2-0x0000000002590000-0x000000000276C000-memory.dmp

Filesize
1.9MB

Download
memory/4164-3-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/4164-1-0x0000000002390000-0x000000000253D000-memory.dmp

Filesize
1.7MB

Download
memory/4164-11-0x0000000002590000-0x000000000276C000-memory.dmp

Filesize
1.9MB

Download
memory/4164-12-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/4164-10-0x0000000000400000-0x00000000005E8000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing