danabot | 0a38204354bdd03ca06520f5482cc057a926eef96944a2a179c370b9f64f4842

Analysis

max time kernel
143s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 00:53

Target

7efdce6925f9d0a47262bf6909dee878_JaffaCakes118.exe
Size

847KB
MD5

7efdce6925f9d0a47262bf6909dee878
SHA1

c2675a34536fbb0e637b3b63ca5671f93a7f9484
SHA256

0a38204354bdd03ca06520f5482cc057a926eef96944a2a179c370b9f64f4842
SHA512

7f5ac9a34891642b056cd37c0f54c3cc86caab581df6a4d62d1279efe38449b0bc63bbd305eecaf382fadba7022c6791293711ec9855920dbf82a0a07347a80d
SSDEEP

24576:WbTUojyk1O/sDcxLx+gGBWDvKe0VR7Ev3b7YpQKZ445fm:gy7Gs78V9Ev3fYpvf

Score

10^/10

Family

danabot

58.58.210.181

222.175.52.161

149.53.185.172

81.63.70.192

195.123.246.209

149.154.159.213

2.255.189.191

187.198.70.207

139.113.48.33

244.28.200.120

rsa_pubkey.plain

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Danabot x86 payload 1 IoCs
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
botnet

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\7EFDCE~1.DLL family_danabot
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

20 4888 rundll32.exe
26 4888 rundll32.exe
Deletes itself 1 IoCs

Processes:

regsvr32.exe

pid process

3212 regsvr32.exe
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

3212 regsvr32.exe
4888 rundll32.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7EFDCE~1.DLL	family_danabot

flow	pid	process
20	4888	rundll32.exe
26	4888	rundll32.exe

pid	process
3212	regsvr32.exe

pid	process
3212	regsvr32.exe
4888	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

7efdce6925f9d0a47262bf6909dee878_JaffaCakes118.exeregsvr32.exe

description	pid	process	target process
PID 4828 wrote to memory of 3212	4828	7efdce6925f9d0a47262bf6909dee878_JaffaCakes118.exe	regsvr32.exe
PID 4828 wrote to memory of 3212	4828	7efdce6925f9d0a47262bf6909dee878_JaffaCakes118.exe	regsvr32.exe
PID 4828 wrote to memory of 3212	4828	7efdce6925f9d0a47262bf6909dee878_JaffaCakes118.exe	regsvr32.exe
PID 3212 wrote to memory of 4888	3212	regsvr32.exe	rundll32.exe
PID 3212 wrote to memory of 4888	3212	regsvr32.exe	rundll32.exe
PID 3212 wrote to memory of 4888	3212	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\7efdce6925f9d0a47262bf6909dee878_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7efdce6925f9d0a47262bf6909dee878_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4828

C:\Users\Admin\AppData\Local\Temp\7EFDCE~1.DLL
Filesize
630KB

MD5
ce0b269731d60133a55af84b5bd7c363

SHA1
50070c522234226e4092d44a3c28f6eab3385172

SHA256
c32050bf67ef51c18ce3cbd6c0b4db2e1d9fbbc58185282fae6017ee6fc22dd6

SHA512
a4fee6dd30c37589b4a60982d299ffdd855b978d2c0bed225e363580cc341614fc62e9f2e02bbd2f4bd90560af666ad90092127df88cfabf39eddfd1e99f9006

Download Submit
memory/4828-1-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4888-5-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download