Analysis

  • max time kernel
    141s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-12-2024 02:32

General

  • Target

    JaffaCakes118_ed3986685132335d9f563db0349f743808626331bdcbd64d915214612840bfcc.exe

  • Size

    1.4MB

  • MD5

    8a0e6424bd0cb2b611055dbcd4dc4d6d

  • SHA1

    61e0f648dec0053d023dbfeaf45cb99086809124

  • SHA256

    ed3986685132335d9f563db0349f743808626331bdcbd64d915214612840bfcc

  • SHA512

    618594997b2e7268a03847a265de44c1246fdc7ab1a7c9a227cf736fcd135ec1949f1f2d53fec6ff04a14bbc9181445e20491dbd9e5f67dae695d2f1bb0e3a68

  • SSDEEP

    24576:Vn1alEjk+odRHc6UDuGZzjtE68lmiGtpfWHg2mWJztt+R+LteieKDRqHquI3uy4:VnY6NUMXZzR7L+AlWJpt+Y/ewyn

Malware Config

Extracted

Family

danabot

C2

198.15.112.179:443

185.62.56.245:443

153.92.223.225:443

192.119.70.159:443

Attributes
  • embedded_hash

    6618C163D57D6441FCCA65D86C4D380D

  • type

    loader

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Danabot family
  • Blocklisted process makes network request (6 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (40 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ed3986685132335d9f563db0349f743808626331bdcbd64d915214612840bfcc.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ed3986685132335d9f563db0349f743808626331bdcbd64d915214612840bfcc.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\SysWOW64\AdapterTroubleshooter.exe
      C:\Windows\system32\AdapterTroubleshooter.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2760
    • C:\Windows\syswow64\rundll32.exe
      "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      PID:2520

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2520-59-0x00000000000F0000-0x00000000000F3000-memory.dmp (Filesize: 12KB)
  • memory/2520-60-0x00000000000F0000-0x00000000000F3000-memory.dmp (Filesize: 12KB)
  • memory/2520-53-0x0000000000080000-0x0000000000083000-memory.dmp (Filesize: 12KB)
  • memory/2520-54-0x0000000076F70000-0x0000000076F71000-memory.dmp (Filesize: 4KB)
  • memory/2520-70-0x00000000000F0000-0x00000000000F3000-memory.dmp (Filesize: 12KB)
  • memory/2520-68-0x00000000000F0000-0x00000000000F3000-memory.dmp (Filesize: 12KB)
  • memory/2520-64-0x0000000075840000-0x0000000075940000-memory.dmp (Filesize: 1024KB)
  • memory/2520-63-0x0000000075840000-0x0000000075940000-memory.dmp (Filesize: 1024KB)
  • memory/2520-55-0x0000000075860000-0x0000000075861000-memory.dmp (Filesize: 4KB)
  • memory/2520-57-0x0000000075840000-0x0000000075940000-memory.dmp (Filesize: 1024KB)
  • memory/2520-15-0x0000000000290000-0x0000000000293000-memory.dmp (Filesize: 12KB)
  • memory/2520-16-0x0000000000290000-0x0000000000293000-memory.dmp (Filesize: 12KB)
  • memory/2520-58-0x0000000075840000-0x0000000075940000-memory.dmp (Filesize: 1024KB)
  • memory/2520-72-0x00000000000F0000-0x00000000000F3000-memory.dmp (Filesize: 12KB)
  • memory/2520-62-0x0000000075860000-0x0000000075861000-memory.dmp (Filesize: 4KB)
  • memory/2520-56-0x00000000000F0000-0x00000000000F3000-memory.dmp (Filesize: 12KB)
  • memory/3012-2-0x00000000020C0000-0x000000000239B000-memory.dmp (Filesize: 2.9MB)
  • memory/3012-14-0x0000000000400000-0x00000000006E8000-memory.dmp (Filesize: 2.9MB)
  • memory/3012-0-0x0000000001F90000-0x00000000020B6000-memory.dmp (Filesize: 1.1MB)
  • memory/3012-1-0x0000000001F90000-0x00000000020B6000-memory.dmp (Filesize: 1.1MB)
  • memory/3012-61-0x0000000000400000-0x00000000006E8000-memory.dmp (Filesize: 2.9MB)
  • memory/3012-13-0x0000000000400000-0x00000000006E8000-memory.dmp (Filesize: 2.9MB)
  • memory/3012-12-0x0000000000400000-0x00000000006E8000-memory.dmp (Filesize: 2.9MB)
  • memory/3012-6-0x00000000020C0000-0x000000000239B000-memory.dmp (Filesize: 2.9MB)
  • memory/3012-5-0x0000000001F90000-0x00000000020B6000-memory.dmp (Filesize: 1.1MB)
  • memory/3012-4-0x0000000000400000-0x00000000006E8000-memory.dmp (Filesize: 2.9MB)
  • memory/3012-3-0x0000000000400000-0x00000000006E8000-memory.dmp (Filesize: 2.9MB)