danabot | 155b69d0734426dc804a8596d9f3e45da629f6e2fd040c177235547dc1b9db62

General

Target

JaffaCakes118_155b69d0734426dc804a8596d9f3e45da629f6e2fd040c177235547dc1b9db62.exe
Size

2.3MB
MD5

dfb0e0592d6c8dc938af4995ccb4a37b
SHA1

76fa2a835feae7216337aafb0424121441bb0fd2
SHA256

155b69d0734426dc804a8596d9f3e45da629f6e2fd040c177235547dc1b9db62
SHA512

d6947255c21347c34933e7b988a214ef00879d642cbea1396e6d0f772d4744e4a45e0f49d515f84c2cccabedf8e5ebe180d44ce3521f474efc0a3c2a409af6b7
SSDEEP

49152:HrPQpGqdb10mMVVrYKIoc6UzA0dchX0f93T0I52e5DI68fjNme4HPqw:UGqd3ic1A0CqQI57I6Oke4v

Score

10^/10

danabot banker discovery trojan

Malware Config

Extracted

Family

danabot

C2

153.92.223.225:443

185.62.56.245:443

198.15.112.179:443

Attributes

embedded_hash
5B850BFD39D47030C0AAC0024D43ABEA
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Danabot family
danabot

Blocklisted process makes network request 9 IoCs

flow	pid	Process
16	4460	rundll32.exe
23	4460	rundll32.exe
37	4460	rundll32.exe
39	4460	rundll32.exe
42	4460	rundll32.exe
44	4460	rundll32.exe
48	4460	rundll32.exe
49	4460	rundll32.exe
50	4460	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
4460	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2180	4172	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_155b69d0734426dc804a8596d9f3e45da629f6e2fd040c177235547dc1b9db62.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 4460	4172	JaffaCakes118_155b69d0734426dc804a8596d9f3e45da629f6e2fd040c177235547dc1b9db62.exe	83
PID 4172 wrote to memory of 4460	4172	JaffaCakes118_155b69d0734426dc804a8596d9f3e45da629f6e2fd040c177235547dc1b9db62.exe	83
PID 4172 wrote to memory of 4460	4172	JaffaCakes118_155b69d0734426dc804a8596d9f3e45da629f6e2fd040c177235547dc1b9db62.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_155b69d0734426dc804a8596d9f3e45da629f6e2fd040c177235547dc1b9db62.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_155b69d0734426dc804a8596d9f3e45da629f6e2fd040c177235547dc1b9db62.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Oaafhiiwwshq.dll,start C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 520
  2⤵
  - Program crash
  PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4172 -ip 4172
1⤵
PID:3956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Oaafhiiwwshq.dll

Filesize
3.5MB

MD5
e6ab4dc8882f243c7580fce808e0ac0a

SHA1
f66bfc4202a8437db37aec4e129e27a057b42bcf

SHA256
767917a8380adcd79c5b4cacef27fabb2f407717dcd34271c635efb9628bdb18

SHA512
3f4c9e7f9401fd1f04c333d115f1973e9771b521c2d1bc294a405ea4a32617d6f0320b913eb4f98b248a09d7367057cc9785b37736ad414d826d1454055f7bdb

Download Submit
memory/4172-10-0x0000000000400000-0x0000000000680000-memory.dmp

Filesize
2.5MB

Download
memory/4172-2-0x00000000027D0000-0x0000000002A45000-memory.dmp

Filesize
2.5MB

Download
memory/4172-3-0x0000000000400000-0x0000000000680000-memory.dmp

Filesize
2.5MB

Download
memory/4172-1-0x0000000002580000-0x00000000027C5000-memory.dmp

Filesize
2.3MB

Download
memory/4172-9-0x00000000027D0000-0x0000000002A45000-memory.dmp

Filesize
2.5MB

Download
memory/4172-8-0x0000000000400000-0x00000000007B2000-memory.dmp

Filesize
3.7MB

Download
memory/4460-13-0x0000000000400000-0x0000000000786000-memory.dmp

Filesize
3.5MB

Download
memory/4460-17-0x0000000000400000-0x0000000000786000-memory.dmp

Filesize
3.5MB

Download
memory/4460-12-0x0000000000400000-0x0000000000786000-memory.dmp

Filesize
3.5MB

Download
memory/4460-7-0x0000000000400000-0x0000000000786000-memory.dmp

Filesize
3.5MB

Download
memory/4460-14-0x0000000000400000-0x0000000000786000-memory.dmp

Filesize
3.5MB

Download
memory/4460-15-0x0000000000400000-0x0000000000786000-memory.dmp

Filesize
3.5MB

Download
memory/4460-16-0x0000000000400000-0x0000000000786000-memory.dmp

Filesize
3.5MB

Download
memory/4460-11-0x0000000000400000-0x0000000000786000-memory.dmp

Filesize
3.5MB

Download
memory/4460-18-0x0000000000400000-0x0000000000786000-memory.dmp

Filesize
3.5MB

Download
memory/4460-20-0x0000000000400000-0x0000000000786000-memory.dmp

Filesize
3.5MB

Download
memory/4460-21-0x0000000000400000-0x0000000000786000-memory.dmp

Filesize
3.5MB

Download
memory/4460-22-0x0000000000400000-0x0000000000786000-memory.dmp

Filesize
3.5MB

Download
memory/4460-23-0x0000000000400000-0x0000000000786000-memory.dmp

Filesize
3.5MB

Download
memory/4460-25-0x0000000000400000-0x0000000000786000-memory.dmp

Filesize
3.5MB

Download

Analysis

Sharing