Analysis
Max time kernel: 143s
Max time network: 127s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 29-05-2024 00:53
Static task: static1
Behavioral task: behavioral1
Sample: 7efdce6925f9d0a47262bf6909dee878_JaffaCakes118.exe
Resource: win7-20240508-en
General
Target: 7efdce6925f9d0a47262bf6909dee878_JaffaCakes118.exe
Size: 847KB
MD5: 7efdce6925f9d0a47262bf6909dee878
SHA1: c2675a34536fbb0e637b3b63ca5671f93a7f9484
SHA256: 0a38204354bdd03ca06520f5482cc057a926eef96944a2a179c370b9f64f4842
SHA512: 7f5ac9a34891642b056cd37c0f54c3cc86caab581df6a4d62d1279efe38449b0bc63bbd305eecaf382fadba7022c6791293711ec9855920dbf82a0a07347a80d
SSDEEP: 24576:WbTUojyk1O/sDcxLx+gGBWDvKe0VR7Ev3b7YpQKZ445fm:gy7Gs78V9Ev3fYpvf
Malware Config
Extracted family: danabot (the extracted configuration includes the sample's C2 address list)
Signatures

Danabot x86 payload (1 IoC)
Detection of the Danabot x86 payload, mapped in memory during the execution of its loader.
- Resource: C:\Users\Admin\AppData\Local\Temp\7EFDCE~1.DLL, YARA rule: family_danabot

Blocklisted process makes network request (2 IoCs)
Processes: rundll32.exe
- Flow 20, PID 4888, rundll32.exe
- Flow 26, PID 4888, rundll32.exe

Deletes itself (1 IoC)
Processes: regsvr32.exe
- PID 3212, regsvr32.exe

Loads dropped DLL (2 IoCs)
Processes: regsvr32.exe, rundll32.exe
- PID 3212, regsvr32.exe
- PID 4888, rundll32.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 7efdce6925f9d0a47262bf6909dee878_JaffaCakes118.exe, regsvr32.exe
- PID 4828 wrote to memory of 3212: PID 4828, 7efdce6925f9d0a47262bf6909dee878_JaffaCakes118.exe, target process regsvr32.exe
- PID 4828 wrote to memory of 3212: PID 4828, 7efdce6925f9d0a47262bf6909dee878_JaffaCakes118.exe, target process regsvr32.exe
- PID 4828 wrote to memory of 3212: PID 4828, 7efdce6925f9d0a47262bf6909dee878_JaffaCakes118.exe, target process regsvr32.exe
- PID 3212 wrote to memory of 4888: PID 3212, regsvr32.exe, target process rundll32.exe
- PID 3212 wrote to memory of 4888: PID 3212, regsvr32.exe, target process rundll32.exe
- PID 3212 wrote to memory of 4888: PID 3212, regsvr32.exe, target process rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7efdce6925f9d0a47262bf6909dee878_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7efdce6925f9d0a47262bf6909dee878_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\7EFDCE~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\7EFDCE~1.EXE@4828
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\7EFDCE~1.DLL,f0
      - Blocklisted process makes network request
      - Loads dropped DLL
Downloads
- C:\Users\Admin\AppData\Local\Temp\7EFDCE~1.DLL
  Filesize: 630KB
  MD5: ce0b269731d60133a55af84b5bd7c363
  SHA1: 50070c522234226e4092d44a3c28f6eab3385172
  SHA256: c32050bf67ef51c18ce3cbd6c0b4db2e1d9fbbc58185282fae6017ee6fc22dd6
  SHA512: a4fee6dd30c37589b4a60982d299ffdd855b978d2c0bed225e363580cc341614fc62e9f2e02bbd2f4bd90560af666ad90092127df88cfabf39eddfd1e99f9006
- memory/4828-1-0x0000000000400000-0x00000000004E0000-memory.dmp
  Filesize: 896KB
- memory/4888-5-0x0000000000400000-0x00000000004AA000-memory.dmp
  Filesize: 680KB