Analysis
max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-05-2024 21:37
Static task: static1
Behavioral task: behavioral1
Sample: 4d20e507408edb688431c43d4afb655c_JaffaCakes118.exe
Resource: win7-20240220-en
General
Target: 4d20e507408edb688431c43d4afb655c_JaffaCakes118.exe
Size: 706KB
MD5: 4d20e507408edb688431c43d4afb655c
SHA1: ab9b18b4745f61413b01b462871c31de9d392520
SHA256: 1290eff5b9ce2405746a7b5b11e486829d3d3b8004f1b22b1a241496e60c4225
SHA512: 38aeb11f7a6ed54d580196b5b4ff299f065ef47c3f9d0fe05823d8cd9b93469ad95d038e1c8a2a53b10a13530eeee9d28e019dc35fbb310349f4436492ea9ad5
SSDEEP: 12288:SVZZzLcl02FoNOm1byXC1v4NFeuLX0XjOsP++q3gDRvl4q13:eclc3AFR0X6sm+qeRvl4q
Malware Config
Extracted
Family: danabot
C2 addresses (extracted config):
236.128.21.180
89.144.25.104
148.165.195.24
149.28.180.182
6.200.141.194
96.202.32.98
199.92.207.6
213.82.134.216
118.134.228.191
48.8.103.94
Signatures
Danabot x86 payload (1 IoC)
Detection of the Danabot x86 payload, mapped in memory during the execution of its loader.
  resource: C:\Users\Admin\AppData\Local\Temp\4d20e507408edb688431c43d4afb655c_JaffaCakes118.dll
  yara_rule: family_danabot
Blocklisted process makes network request (7 IoCs)
  flow | pid  | process
  24   | 1244 | rundll32.exe
  34   | 1244 | rundll32.exe
  48   | 1244 | rundll32.exe
  56   | 1244 | rundll32.exe
  58   | 1244 | rundll32.exe
  74   | 1244 | rundll32.exe
  75   | 1244 | rundll32.exe
Deletes itself (1 IoC)
  pid 2612 regsvr32.exe
Loads dropped DLL (2 IoCs)
  pid 2612 regsvr32.exe
  pid 1244 rundll32.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 460 (4d20e507408edb688431c43d4afb655c_JaffaCakes118.exe) wrote to memory of PID 2612 (regsvr32.exe), 3 events
  PID 2612 (regsvr32.exe) wrote to memory of PID 1244 (rundll32.exe), 3 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\4d20e507408edb688431c43d4afb655c_JaffaCakes118.exe (PID 460)
   command line: "C:\Users\Admin\AppData\Local\Temp\4d20e507408edb688431c43d4afb655c_JaffaCakes118.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe (PID 2612, child of 460)
      command line: C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\4D20E5~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\4D20E5~1.EXE@460
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe (PID 1244, child of 2612)
         command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\4D20E5~1.DLL,f0
         - Blocklisted process makes network request
         - Loads dropped DLL
Note: 4D20E5~1.DLL and 4D20E5~1.EXE are the 8.3 short names of the dropped DLL listed under Downloads and of the loader executable; the @460 suffix on the regsvr32 command line matches the loader's PID. The chain is loader -> regsvr32 -s <dropped DLL> f1 -> rundll32 <dropped DLL>,f0, with the network activity coming from the rundll32 process.
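The process tree above is the part of this report a detection engineer would want to turn into logic: a signed DLL host (regsvr32.exe, rundll32.exe) loading a DLL from the user's Temp directory with a one-letter entry point, chained from an executable in that same directory, followed by egress to an address from the extracted config. The Python below replays that chain against constructed Sysmon-style events as an added example; it is not output of the sandbox or code from the report. The event IDs (1 process create, 3 network connect, 23 file delete), the benign regsvr32 call, the browser flow and the assumption that "Deletes itself" refers to the loader executable are mine. The 8.3 short-name helper is an approximation of how Windows derives 4D20E5~1.DLL from the dropped file's long name, modelling only the first (~1) alias.

```python
"""Replay of the loader chain in this report as detection logic (added example,
not sandbox output).  Events are constructed from the page's process tree,
network signature and Downloads section; Sysmon-style IDs, the benign regsvr32
call and the deleted-file target are assumptions."""
import ipaddress
import re

# Addresses from the extracted Danabot config, used as a plain IOC set.
C2 = {ipaddress.ip_address(ip) for ip in (
    "236.128.21.180", "89.144.25.104", "148.165.195.24", "149.28.180.182",
    "6.200.141.194", "96.202.32.98", "199.92.207.6", "213.82.134.216",
    "118.134.228.191", "48.8.103.94")}
DROPPED = ["4d20e507408edb688431c43d4afb655c_JaffaCakes118.dll"]  # Downloads section

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
LOADER = TEMP + r"\4d20e507408edb688431c43d4afb655c_JaffaCakes118.exe"
REGSVR = r"C:\Windows\SysWOW64\regsvr32.exe"
RUNDLL = r"C:\Windows\SysWOW64\rundll32.exe"
# Constructed events: the three processes of the tree, one delete (assumed
# target), one C2 flow, one unrelated browser flow, one benign regsvr32 call.
EVENTS = [
    {"id": 1, "pid": 460, "ppid": 1000, "image": LOADER, "cmd": '"' + LOADER + '"'},
    {"id": 1, "pid": 2612, "ppid": 460, "image": REGSVR,
     "cmd": r"C:\Windows\system32\regsvr32.exe -s " + TEMP + r"\4D20E5~1.DLL f1 " + TEMP + r"\4D20E5~1.EXE@460"},
    {"id": 1, "pid": 1244, "ppid": 2612, "image": RUNDLL, "cmd": RUNDLL + " " + TEMP + r"\4D20E5~1.DLL,f0"},
    {"id": 23, "pid": 2612, "image": REGSVR, "target": LOADER},
    {"id": 3, "pid": 1244, "image": RUNDLL, "dst": "89.144.25.104"},
    {"id": 3, "pid": 4321, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dst": "93.184.216.34"},
    {"id": 1, "pid": 777, "ppid": 1000, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"'},
]

DLL_HOSTS = {"regsvr32.exe", "rundll32.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\programdata\\|\\users\\public\\", re.I)
DLL_ARG = re.compile(r'"([a-z]:\\[^"]+\.dll)"|([a-z]:\\[^",\s]+\.dll)', re.I)
ENTRY = {  # rundll32 takes dll,export; the regsvr32 line carries f1 right after the DLL
    "rundll32.exe": re.compile(r'\.dll,([^\s"]+)', re.I),
    "regsvr32.exe": re.compile(r'\.dll"?\s+(?![/-])([^\s"]+)', re.I),
}
OPAQUE = re.compile(r"^[a-z]{1,2}\d{0,2}$", re.I)  # f0, f1 and similar names
SHORT_OK = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$%'-_@~`!(){}^#&")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dos_short_name(name):
    """Approximate the 8.3 alias Windows assigns to a long file name (first
    alias only; NTFS moves to ~2..~4 and then hashed names on collision)."""
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    keep = lambda s: "".join(c for c in s.upper() if c in SHORT_OK)
    s, x = keep(stem), keep(ext)[:3]
    if len(s) <= 8 and s == stem.upper() and x == ext.upper():
        short = s  # already a valid 8.3 name, no alias generated
    else:
        short = s[:6] + "~1"
    return short + ("." + x if x else "")


def analyze(events):
    """Return one finding per suspicious event: DLL hosts loading from a
    user-writable path (with the dropped-file, entry-point and parent
    heuristics), deletes of a live process image, and egress to the C2 set."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    aliases = {dos_short_name(d) for d in DROPPED} | {d.upper() for d in DROPPED}
    findings = []
    for e in events:
        host, reasons = basename(e["image"]), []
        if e["id"] == 1 and host in DLL_HOSTS:
            m = DLL_ARG.search(e["cmd"])
            dll = m and (m.group(1) or m.group(2))
            if not (dll and USER_WRITABLE.search(dll)):
                continue  # signed DLL host, but the DLL lives in a normal location
            reasons.append("dll_from_user_writable_path")
            if basename(dll).upper() in aliases:
                reasons.append("dll_is_dropped_file")
            entry = ENTRY[host].search(e["cmd"])
            if entry and OPAQUE.match(entry.group(1)):
                reasons.append("opaque_entrypoint:" + entry.group(1))
            parent = procs.get(e["ppid"])
            if parent and USER_WRITABLE.search(parent["image"]):
                reasons.append("parent_runs_from_user_writable_path")
            if parent and basename(parent["image"]) in DLL_HOSTS:
                reasons.append("dll_host_spawned_by_dll_host")
        elif e["id"] == 3:
            ip = ipaddress.ip_address(e["dst"])
            if ip in C2:
                reasons.append("dst_in_extracted_c2_list")
            elif host in DLL_HOSTS and ip.is_global:
                reasons.append("dll_host_egress")
        elif e["id"] == 23 and any(p["image"].lower() == e["target"].lower() for p in procs.values()):
            reasons.append("deleted_image_of_a_process:" + basename(e["target"]))
        if reasons:
            findings.append({"pid": e["pid"], "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f["pid"], f["host"], ", ".join(f["reasons"]))
```

Run as a script it reports the regsvr32 and rundll32 creates, the delete and the C2 flow, and stays quiet for the browser and the Program Files regsvr32 call. The path and entry-point heuristics are the generalisable part; the C2 set is only as good as the extracted config, so treat every listed address as a hunting IOC rather than a confirmed live server.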
Network
MITRE ATT&CK Matrix
Downloads
C:\Users\Admin\AppData\Local\Temp\4d20e507408edb688431c43d4afb655c_JaffaCakes118.dll
  Filesize: 506KB
  MD5: d4f003aefacd6590ef1b5d02bed50cbb
  SHA1: 9b6acf8ee4ebe30d41dcaef9ba9bcd27c3b8e068
  SHA256: 8a29457ca1f6fcf00433ebe25e17cb89348b075b0da63488e8bc92b250738083
  SHA512: 76f984da451aa702d244fc3d83bec3e602d3eb9b5498438c6193a07bea6a79dc9a930d7f44c5af327ae9928dcd8b04de8d6ca6d13dcc1d7c9b68d206805df86a
Memory dumps (name encodes PID, dump sequence number and virtual address range):
memory/460-1-0x0000000000400000-0x00000000004BD000-memory.dmp
  Filesize: 756KB
memory/1244-7-0x0000000000400000-0x000000000048C000-memory.dmp
  Filesize: 560KB
memory/2612-4-0x0000000000550000-0x0000000000551000-memory.dmp
  Filesize: 4KB