gbermudez2

DanaBot Writeup

April 28, 2025

Link: Danabot Lab

Summary

Procedure

  1. This scenario involves a .pcap file containing network traffic from the DanaBot malware. Wireshark is the natural tool for analyzing the traffic here, so let’s see what we can discover!

  2. First, I need to find out the attacker’s IP used for Initial Access.
    • To narrow down the IPs that the host was retrieving content from, I applied the display filter “http.request.method==GET”.

    • This narrows down the possible IPs to merely four.
    • My next idea was to search the traffic of each IP listed above for signs of activity. It’s possible that all of these IPs are malicious, but since I’m looking for the Initial Access IP, the one I want is the earliest one contacted.
    • To start off, I filtered on the first IP with “ip.addr==62.173.142.148”.

    • That’s weird: the reassembled TCP PDU looks oddly suspicious. I decided to follow the TCP stream to get more insight, and lo and behold:

    • This looks like a jumbled mess. I did some research and found an article by CYFIRMA detailing the malware, which mentions the use of a JavaScript file filled with “meaningless variable declarations to avoid static detections”.
    • This is further solidified by the fact that the TCP stream states that the filename is “allegato_708.js”. It seems I didn’t have to look far to find the culprit!
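
The same three triage steps (filter GET requests, inspect what one server sent back, export the HTTP objects) can be scripted with tshark so they are repeatable across captures. This is an added example, not code from the original writeup or the lab; it assumes tshark.exe from the Wireshark install is on PATH, that the capture is at C:\lab\danabot.pcap, and that C:\lab\objects is a writable output folder (all hypothetical paths). The server IP is the one named in the writeup.

```powershell
# Added example (not from the original writeup): the Wireshark GUI steps
# above, scripted with tshark on Windows.
# Assumptions: tshark.exe is on PATH, the capture is C:\lab\danabot.pcap,
# and C:\lab\objects is a writable output folder (hypothetical paths).
$Pcap   = 'C:\lab\danabot.pcap'
$OutDir = 'C:\lab\objects'

# 1. Same filter as the writeup: every HTTP GET with source, destination,
#    requested host and URI, in capture order.
$gets = & tshark -r $Pcap -Y 'http.request.method == "GET"' `
    -T fields -e frame.number -e frame.time_relative -e ip.src -e ip.dst `
    -e http.host -e http.request.uri -E header=y -E separator=/t |
    ConvertFrom-Csv -Delimiter "`t"

# Collapse to unique server IPs with the time each was first contacted;
# the earliest one is the Initial Access candidate.
$gets | Group-Object -Property 'ip.dst' | ForEach-Object {
    [pscustomobject]@{
        ServerIP  = $_.Name
        FirstSeen = ($_.Group | Select-Object -First 1).'frame.time_relative'
        Requests  = $_.Count
        Hosts     = ($_.Group.'http.host' | Sort-Object -Unique) -join ','
    }
} | Sort-Object { [double]$_.FirstSeen } | Format-Table -AutoSize

# 2. Equivalent of "Follow TCP stream" for one server: print the response
#    header lines it returned and pull out any Content-Disposition, which
#    is where the served filename (allegato_708.js) shows up.
$Server = '62.173.142.148'   # value taken from the writeup
& tshark -r $Pcap -Y "ip.src == $Server && http.response" `
    -T fields -e frame.number -e http.response.line |
    Select-String -Pattern 'Content-Disposition' |
    ForEach-Object { $_.Line }

# 3. Equivalent of File > Export Objects > HTTP: write every HTTP object
#    to disk so it can be hashed and analyzed offline.
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
& tshark -r $Pcap -q --export-objects "http,$OutDir"
Get-ChildItem -Path $OutDir | Select-Object Name, Length
```

The exported objects carry the names Wireshark derives from the URI, which is why the writeup sees login.php rather than allegato_708.js; matching the object to the stream by frame number, as the writeup does, is the reliable way to pair them.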

  3. Now that we know the file used for Initial Access, I can get the file hash and do some further analysis.
    • Wireshark has a neat option to export HTTP objects. While the exact filename isn’t shown, this login.php object matches the packet number of the TCP stream I examined.

    • This file is malicious, so a VM is necessary for any analysis. Windows Defender will also quarantine the file automatically, so it must be allowed in a safe, isolated environment.

    • With the file unquarantined, I could get the SHA256 hash of the malware file using PowerShell.

  4. Searching VirusTotal for the retrieved hash gives valuable insight. Immediately I notice that 25 vendors flagged the file as malicious, and the sample carries the tags “obfuscated”, “long-sleeps”, and “spreader”.
    • For infostealing campaigns this makes sense, since long-term persistence and detection evasion across multiple endpoints are necessary for data exfiltration.

    • According to further analysis on any.run, the malware is executed through the wscript.exe process.

  5. Going back to the Wireshark analysis, there seem to be other files within the .pcap worth analyzing. I decided to investigate the resources.dll file that appears later in the capture.
    • .dll files appearing in network traffic definitely raise eyebrows, so this one may give more information.

    • Unlike the login.php file that Windows Defender detected earlier, this one it clearly identifies as DanaBot!

  6. I got the file hash of this second malicious file using PowerShell once again (this time, the MD5 hash):

    • I put the hash into VirusTotal out of curiosity, and it showed every sign of malicious activity.
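
Steps 3 and 6 both hash a recovered file in PowerShell (SHA256 for login.php, MD5 for resources.dll) and then look the hash up on VirusTotal. The following added example, which is not code from the original writeup, does both hashes for both files in one pass, records the Defender verdict that step 5 observed, and builds the VirusTotal lookup URL from the hash so nothing is uploaded. It assumes the exported objects live in C:\lab\objects (a hypothetical path) inside an isolated analysis VM.

```powershell
# Added example (not from the original writeup): hash the two recovered
# samples and prepare the VirusTotal lookup, without uploading anything.
# Assumptions: exported objects are in C:\lab\objects (hypothetical path)
# and this runs inside an isolated analysis VM.
$LabDir = 'C:\lab\objects'
$Files  = @('login.php', 'resources.dll')   # names from the writeup

# Run once as Administrator in the analysis VM so the samples are not
# quarantined on write; this is the "allow these files" step from step 3.
# Add-MpPreference -ExclusionPath $LabDir

function Get-SampleHashes {
    param([string]$Directory, [string[]]$Names)
    foreach ($name in $Names) {
        $path = Join-Path -Path $Directory -ChildPath $name
        if (-not (Test-Path -Path $path)) {
            # A missing file usually means Defender quarantined it before
            # the exclusion was in place.
            Write-Warning "$name not found in $Directory (quarantined or not exported?)"
            continue
        }
        $sha256 = (Get-FileHash -Path $path -Algorithm SHA256).Hash.ToLower()
        $md5    = (Get-FileHash -Path $path -Algorithm MD5).Hash.ToLower()
        [pscustomobject]@{
            File   = $name
            Bytes  = (Get-Item -Path $path).Length
            SHA256 = $sha256
            MD5    = $md5
            # VirusTotal resolves MD5, SHA-1 or SHA-256 in this URL; the
            # sample itself never leaves the VM.
            VTLink = "https://www.virustotal.com/gui/file/$sha256"
        }
    }
}

$results = Get-SampleHashes -Directory $LabDir -Names $Files
$results | Format-List

# What Defender itself concluded about the samples (step 5 saw the DLL
# classified as DanaBot in the GUI); ThreatName is the detection label.
Get-MpThreat | Select-Object ThreatName, SeverityID, Resources

# Keep the hashes next to the capture as a JSON note so the later
# VirusTotal and any.run findings can be tied back to exact bytes.
$results | ConvertTo-Json |
    Set-Content -Path (Join-Path -Path $LabDir -ChildPath 'hashes.json')
```

Recording both digests at once avoids re-hashing later: VirusTotal and any.run results are keyed by SHA256, while many older IoC feeds and the second half of this writeup use MD5.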

Success!