danabot | 1290eff5b9ce2405746a7b5b11e486829d3d3b8004f1b22b1a241496e60c4225

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 21:37

Target

4d20e507408edb688431c43d4afb655c_JaffaCakes118.exe
Size

706KB
MD5

4d20e507408edb688431c43d4afb655c
SHA1

ab9b18b4745f61413b01b462871c31de9d392520
SHA256

1290eff5b9ce2405746a7b5b11e486829d3d3b8004f1b22b1a241496e60c4225
SHA512

38aeb11f7a6ed54d580196b5b4ff299f065ef47c3f9d0fe05823d8cd9b93469ad95d038e1c8a2a53b10a13530eeee9d28e019dc35fbb310349f4436492ea9ad5
SSDEEP

12288:SVZZzLcl02FoNOm1byXC1v4NFeuLX0XjOsP++q3gDRvl4q13:eclc3AFR0X6sm+qeRvl4q

Score

10^/10

Family

danabot

236.128.21.180

89.144.25.104

148.165.195.24

149.28.180.182

6.200.141.194

96.202.32.98

199.92.207.6

213.82.134.216

118.134.228.191

48.8.103.94

rsa_pubkey.plain

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Danabot x86 payload 1 IoCs
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
botnet

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\4d20e507408edb688431c43d4afb655c_JaffaCakes118.dll family_danabot
Blocklisted process makes network request 7 IoCs

Processes:

rundll32.exe

flow pid process

24 1244 rundll32.exe
34 1244 rundll32.exe
48 1244 rundll32.exe
56 1244 rundll32.exe
58 1244 rundll32.exe
74 1244 rundll32.exe
75 1244 rundll32.exe
Deletes itself 1 IoCs

Processes:

regsvr32.exe

pid process

2612 regsvr32.exe
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

2612 regsvr32.exe
1244 rundll32.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\4d20e507408edb688431c43d4afb655c_JaffaCakes118.dll	family_danabot

pid	process
2612	regsvr32.exe

pid	process
2612	regsvr32.exe
1244	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4d20e507408edb688431c43d4afb655c_JaffaCakes118.exeregsvr32.exe

description	pid	process	target process
PID 460 wrote to memory of 2612	460	4d20e507408edb688431c43d4afb655c_JaffaCakes118.exe	regsvr32.exe
PID 460 wrote to memory of 2612	460	4d20e507408edb688431c43d4afb655c_JaffaCakes118.exe	regsvr32.exe
PID 460 wrote to memory of 2612	460	4d20e507408edb688431c43d4afb655c_JaffaCakes118.exe	regsvr32.exe
PID 2612 wrote to memory of 1244	2612	regsvr32.exe	rundll32.exe
PID 2612 wrote to memory of 1244	2612	regsvr32.exe	rundll32.exe
PID 2612 wrote to memory of 1244	2612	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\4d20e507408edb688431c43d4afb655c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4d20e507408edb688431c43d4afb655c_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:460

C:\Users\Admin\AppData\Local\Temp\4d20e507408edb688431c43d4afb655c_JaffaCakes118.dll
Filesize
506KB

MD5
d4f003aefacd6590ef1b5d02bed50cbb

SHA1
9b6acf8ee4ebe30d41dcaef9ba9bcd27c3b8e068

SHA256
8a29457ca1f6fcf00433ebe25e17cb89348b075b0da63488e8bc92b250738083

SHA512
76f984da451aa702d244fc3d83bec3e602d3eb9b5498438c6193a07bea6a79dc9a930d7f44c5af327ae9928dcd8b04de8d6ca6d13dcc1d7c9b68d206805df86a

Download Submit
memory/460-1-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1244-7-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2612-4-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download