danabot | 155b69d0734426dc804a8596d9f3e45da629f6e2fd040c177235547dc1b9db62

General

Target

JaffaCakes118_155b69d0734426dc804a8596d9f3e45da629f6e2fd040c177235547dc1b9db62.exe
Size

2.3MB
MD5

dfb0e0592d6c8dc938af4995ccb4a37b
SHA1

76fa2a835feae7216337aafb0424121441bb0fd2
SHA256

155b69d0734426dc804a8596d9f3e45da629f6e2fd040c177235547dc1b9db62
SHA512

d6947255c21347c34933e7b988a214ef00879d642cbea1396e6d0f772d4744e4a45e0f49d515f84c2cccabedf8e5ebe180d44ce3521f474efc0a3c2a409af6b7
SSDEEP

49152:HrPQpGqdb10mMVVrYKIoc6UzA0dchX0f93T0I52e5DI68fjNme4HPqw:UGqd3ic1A0CqQI57I6Oke4v

Score

10^/10

danabot banker discovery trojan

Malware Config

Extracted

Family

danabot

Attributes

embedded_hash
5B850BFD39D47030C0AAC0024D43ABEA
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Danabot family
danabot

Loads dropped DLL 4 IoCs

pid	Process
2284	rundll32.exe
2284	rundll32.exe
2284	rundll32.exe
2284	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1128	2284	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_155b69d0734426dc804a8596d9f3e45da629f6e2fd040c177235547dc1b9db62.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2284	2116	JaffaCakes118_155b69d0734426dc804a8596d9f3e45da629f6e2fd040c177235547dc1b9db62.exe	30
PID 2116 wrote to memory of 2284	2116	JaffaCakes118_155b69d0734426dc804a8596d9f3e45da629f6e2fd040c177235547dc1b9db62.exe	30
PID 2116 wrote to memory of 2284	2116	JaffaCakes118_155b69d0734426dc804a8596d9f3e45da629f6e2fd040c177235547dc1b9db62.exe	30
PID 2116 wrote to memory of 2284	2116	JaffaCakes118_155b69d0734426dc804a8596d9f3e45da629f6e2fd040c177235547dc1b9db62.exe	30
PID 2116 wrote to memory of 2284	2116	JaffaCakes118_155b69d0734426dc804a8596d9f3e45da629f6e2fd040c177235547dc1b9db62.exe	30
PID 2116 wrote to memory of 2284	2116	JaffaCakes118_155b69d0734426dc804a8596d9f3e45da629f6e2fd040c177235547dc1b9db62.exe	30
PID 2116 wrote to memory of 2284	2116	JaffaCakes118_155b69d0734426dc804a8596d9f3e45da629f6e2fd040c177235547dc1b9db62.exe	30
PID 2284 wrote to memory of 1128	2284	rundll32.exe	31
PID 2284 wrote to memory of 1128	2284	rundll32.exe	31
PID 2284 wrote to memory of 1128	2284	rundll32.exe	31
PID 2284 wrote to memory of 1128	2284	rundll32.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_155b69d0734426dc804a8596d9f3e45da629f6e2fd040c177235547dc1b9db62.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_155b69d0734426dc804a8596d9f3e45da629f6e2fd040c177235547dc1b9db62.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Oaafhiiwwshq.dll,start C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 272
    3⤵
    - Program crash
    PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Oaafhiiwwshq.dll

Filesize
3.5MB

MD5
e6ab4dc8882f243c7580fce808e0ac0a

SHA1
f66bfc4202a8437db37aec4e129e27a057b42bcf

SHA256
767917a8380adcd79c5b4cacef27fabb2f407717dcd34271c635efb9628bdb18

SHA512
3f4c9e7f9401fd1f04c333d115f1973e9771b521c2d1bc294a405ea4a32617d6f0320b913eb4f98b248a09d7367057cc9785b37736ad414d826d1454055f7bdb

Download Submit
memory/2116-8-0x0000000000400000-0x0000000000680000-memory.dmp

Filesize
2.5MB

Download
memory/2116-2-0x0000000002440000-0x00000000026B5000-memory.dmp

Filesize
2.5MB

Download
memory/2116-3-0x0000000000400000-0x0000000000680000-memory.dmp

Filesize
2.5MB

Download
memory/2116-6-0x0000000002440000-0x00000000026B5000-memory.dmp

Filesize
2.5MB

Download
memory/2116-5-0x0000000000400000-0x00000000007B2000-memory.dmp

Filesize
3.7MB

Download
memory/2116-0-0x00000000021F0000-0x0000000002433000-memory.dmp

Filesize
2.3MB

Download
memory/2116-7-0x00000000021F0000-0x0000000002433000-memory.dmp

Filesize
2.3MB

Download
memory/2116-1-0x00000000021F0000-0x0000000002433000-memory.dmp

Filesize
2.3MB

Download
memory/2284-14-0x0000000001DD0000-0x0000000002156000-memory.dmp

Filesize
3.5MB

Download
memory/2284-15-0x00000000020EB000-0x00000000020F0000-memory.dmp

Filesize
20KB

Download
memory/2284-16-0x0000000001DD0000-0x0000000002156000-memory.dmp

Filesize
3.5MB

Download
memory/2284-18-0x00000000020EB000-0x00000000020F0000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing