Overview

Initially, Danabot was operated as a malware-as-a-service platform that specialized in information theft (banking credentials and other data). Currently (end of 2023), the operators appear to have pivoted to providing initial access for the purpose of deploying ransomware.

References

According to a post on X, Microsoft has detected Danabot (Storm-1044) infections leading to hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of Cactus ransomware. In this campaign, Danabot is distributed via malvertising.

Sample

7417ee2722871b2c667174acc43dd3e79fcdd41bef9a48209eeae0ed43179e1f

Analysis

For reference, we have also downloaded a known Danabot loader and core component.

  • Loader: 2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd
  • Core: 77ff83cc49d6c1b71c474a17eeaefad0f0a71df0a938190bf9a9a7e22531c292

We have the following C2s from the eSentire report; we can use them to confirm our work.

DanaBot C2  34.106.84.60:443
DanaBot C2  35.241.250.23:443
DanaBot C2  35.198.55.140:443
DanaBot C2  34.79.119.253:443

Notes

  • Based on the file size, it is likely we are triaging the loader.
  • Many of the APIs are resolved dynamically using hashing (hashdb).
  • Using the API resolution, we can locate the main network component.
  • The following struct can be used with our sample:
/*
 * net_ctxt: context structure recovered from the Danabot loader sample
 * (decompiler output, hence the __fastcall / __int8 / DWORD / WORD / BYTE
 * spellings, which are MSVC/IDA extensions rather than portable C).
 *
 * Layout, in order: a table of Win32 API function pointers (per the notes
 * above these are resolved dynamically via hashing, so the table is filled
 * at run time rather than through the import directory), pointers to four
 * IP/port pairs, a handful of DWORD fields, and a trailing 4056-byte buffer.
 * Field order and the 4-byte alignment are part of the recovered layout and
 * must not be changed; this block documents it, it does not redesign it.
 *
 * Only the field names and types are established by this listing. Comments
 * below that go beyond a field's name are marked as assumptions to confirm
 * against the sample.
 */
struct __attribute__((aligned(4))) net_ctxt
{
  /* ---- dynamically resolved API table ---- */

  /* user32: message box and string formatting */
  int (__fastcall *MessageBoxW)(void *, const wchar_t *, const wchar_t *, unsigned int);
  int (__fastcall *wvsprintfW)(wchar_t *, const wchar_t *, va_list);

  /* advapi32 CryptoAPI: provider context, hashing, key derivation, decryption */
  int (__fastcall *CryptAcquireContextA)(void **, const char *, const char *, unsigned int, unsigned int);
  int (__fastcall *CryptReleaseContext)(void *, unsigned int);
  int (__fastcall *CryptCreateHash)(void *, unsigned int, void *, unsigned int, void **);
  int (__fastcall *CryptDeriveKey)(void *, unsigned int, void *, unsigned int, void **);
  int (__fastcall *CryptHashData)(void *, unsigned __int8 *, unsigned int, unsigned int);
  int (__fastcall *CryptDestroyHash)(void *);
  int (__fastcall *CryptDecrypt)(void *, void *, int, unsigned int, unsigned __int8 *, unsigned int *);
  int (__fastcall *CryptDestroyKey)(void *);

  /* wininet: session/connection setup, HTTP request, option get/set, read, close */
  void *(__fastcall *InternetOpenW)(const wchar_t *, unsigned int, const wchar_t *, const wchar_t *, unsigned int);
  void *(__fastcall *InternetConnectW)(void *, const wchar_t *, unsigned __int16, const wchar_t *, const wchar_t *, unsigned int, unsigned int, unsigned int);
  void *(__fastcall *HttpOpenRequestW)(void *, const wchar_t *, const wchar_t *, const wchar_t *, const wchar_t *, const wchar_t **, unsigned int, unsigned int);
  int (__fastcall *InternetQueryOptionW)(void *, unsigned int, void *, unsigned int *);
  int (__fastcall *InternetSetOptionW)(void *, unsigned int, void *, unsigned int);
  int (__fastcall *HttpSendRequestW)(void *, const wchar_t *, unsigned int, void *, unsigned int);
  int (__fastcall *InternetReadFile)(void *, void *, unsigned int, unsigned int *);
  int (__fastcall *InternetCloseHandle)(void *);

  /* kernel32: string concat, further API resolution, process memory, threads, exit */
  wchar_t *(__fastcall *lstrcatW)(wchar_t *, const wchar_t *);
  void *(__fastcall *LoadLibraryA)(const char *);
  void *(__fastcall *GetProcAddress)(void *, const char *);
  int (__fastcall *WriteProcessMemory)(void *, void *, const void *, size_t, size_t *);
  void *(__fastcall *CreateThread)(void *, size_t, void *, void *, unsigned int, unsigned int *);
  void (__fastcall *ExitProcess)(unsigned int);
  unsigned int (__fastcall *WaitForSingleObject)(void *, unsigned int);
  int (__fastcall *TerminateThread)(void *, unsigned int);
  void (__fastcall *ExitThread)(unsigned int);

  /* CRT floating-point remainder; the only non-Win32 entry in the table */
  double (__fastcall *fmod)(double, double);

  /* kernel32: virtual memory and file output */
  void *(__fastcall *VirtualAllocEx)(void *, void *, size_t, unsigned int, unsigned int);
  int (__fastcall *VirtualFree)(void *, size_t, unsigned int);
  void *(__fastcall *CreateFileW)(const wchar_t *, unsigned int, unsigned int, void *, unsigned int, unsigned int, void *);
  int (__fastcall *WriteFile)(void *, const void *, unsigned int, unsigned int *, void *);
  int (__fastcall *CloseHandle)(void *);
  int (__fastcall *SetEndOfFile)(void *);

  /* advapi32: security descriptor / DACL construction */
  int (__fastcall *InitializeSecurityDescriptor)(void *, unsigned int);
  int (__fastcall *InitializeAcl)(void *, unsigned int, unsigned int);
  int (__fastcall *CreateWellKnownSid)(unsigned int, void *, void *, unsigned int *);
  int (__fastcall *AddAccessAllowedAce)(void *, unsigned int, unsigned int, void *);
  int (__fastcall *SetSecurityDescriptorDacl)(void *, int, void *, int);

  /* ntdll; note the decompiler did not tag this one __fastcall, unlike the rest */
  unsigned int (*RtlGetLastWin32Error)(void);

  /* ---- C2 configuration ---- */

  /* Four IP/port pointer pairs. The report quoted above lists four C2
   * endpoints, which matches this count; TODO confirm by resolving these
   * pointers in the sample rather than by the count alone. */
  DWORD *g_ptr_ip_1;
  WORD *g_ptr_port_1;
  DWORD *g_ptr_ip_2;
  WORD *g_ptr_port_2;
  DWORD *g_ptr_ip_3;
  WORD *g_ptr_port_3;
  DWORD *g_ptr_ip_4;
  WORD *g_ptr_port_4;

  /* Generic-named DWORDs; purpose not established in this triage. */
  DWORD dw0;
  DWORD dw1;
  DWORD dw2;
  DWORD dw3;
  DWORD dw4;

  /* NOTE(review): the names suggest a flag/seed for randomised C2 selection
   * and a pointer to the C2 currently in use; that behaviour is not verified
   * by this listing and should be confirmed in the network component. */
  DWORD random_ip_flag;
  DWORD c2_ptr;
  DWORD dw7;  /* unnamed, like dw0..dw4 */
  DWORD random_ip_seed;

  /* Trailing 4056-byte buffer; its contents and use are not established here. */
  BYTE buff[4056];
};