
# DanaBot Lab

Q1) What is the malicious file name used for initial access?

<figure><img src="/files/FXOHYUsY5sc4SqQWtKZM" alt=""><figcaption></figcaption></figure>

Answer:  allegato\_708.js

Q2) What is the sha256 hash of the file used for initial access?

From this AnyRun report: <https://any.run/report/847b4ad90b1daba2d9117a8e05776f3f902dda593fb1252289538acf476c4268/a886894d-8ae4-4d59-a990-b59536885da8>

<figure><img src="/files/ryFDkOSWDsJqtsvfN10i" alt=""><figcaption></figcaption></figure>

Answer:  847b4ad90b1daba2d9117a8e05776f3f902dda593fb1252289538acf476c4268

Q3) What is the process used to execute the malicious file?

<figure><img src="/files/pmcA4JeYLTLU0ETIqJNX" alt=""><figcaption></figcaption></figure>

Answer:  wscript.exe

Q4) What is the extension of the second malicious file used by the attacker?

Wireshark display filter, to show only the HTTP requests and responses (the second stage is fetched over plain HTTP):

```
http
```

<figure><img src="/files/NPAHa36ZTfWjDDdjmYcY" alt=""><figcaption></figcaption></figure>

Answer:  .dll

Q5) What is the MD5 hash of the second malicious file?

From File -> Export Objects -> HTTP, save the downloaded object and hash it:

<figure><img src="/files/UdNy6us0EcxBSZHJwZoF" alt=""><figcaption></figcaption></figure>

```bash
md5sum resources.dll
```

<figure><img src="/files/NPF5A8Q4ondVQpGvNNyS" alt=""><figcaption></figcaption></figure>

Answer:  e758e07113016aca55d9eda2b0ffeebe
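The same extraction done in code, as an added example that is not part of the lab write-up: given the raw bytes of one HTTP response reassembled from the TCP stream, strip the headers, honour the body framing (Content-Length or chunked), and hash the object, which is what Export Objects followed by `md5sum` does by hand. The two sample responses are constructed; their bodies are stand-ins and not the real `resources.dll`.

```python
"""Added example (not code from the CyberDefenders write-up): reassemble an
HTTP response body from captured bytes and hash it, so the Export Objects +
md5sum step can be scripted and sanity-checked. The sample responses below are
constructed; their bodies are NOT the real resources.dll."""
import hashlib


def parse_http_response(raw: bytes) -> tuple[dict, bytes]:
    """Split a raw HTTP/1.x response into (headers, body).

    Supports the two framings a file download in a PCAP realistically uses:
    Content-Length and chunked transfer encoding. With neither, the body is
    taken to run to the end of the stream (HTTP/1.0-style close-delimited).
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: end of headers not found")
    lines = head.split(b"\r\n")
    headers = {"status": lines[0].decode("latin-1")}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")

    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = bytearray()
        pos = 0
        while True:
            line_end = rest.index(b"\r\n", pos)
            # chunk-size is hex and may carry ";ext=..." extensions
            size = int(rest[pos:line_end].split(b";")[0], 16)
            if size == 0:
                break  # last-chunk; trailers (if any) are ignored
            start = line_end + 2
            body += rest[start:start + size]
            pos = start + size + 2  # skip the CRLF that ends the chunk data
        body = bytes(body)
    elif "content-length" in headers:
        n = int(headers["content-length"])
        if len(rest) < n:
            # partial capture: hashing a truncated body gives a wrong, misleading hash
            raise ValueError(f"truncated body: Content-Length {n}, got {len(rest)}")
        body = rest[:n]
    else:
        body = rest
    return headers, body


def hash_object(body: bytes) -> dict:
    """Hashes plus a quick check that the object really is a PE (EXE/DLL)."""
    return {
        "md5": hashlib.md5(body).hexdigest(),
        "sha256": hashlib.sha256(body).hexdigest(),
        "size": len(body),
        "is_pe": body[:2] == b"MZ",  # every PE image starts with the DOS 'MZ' stub
    }


def extract_and_hash(raw: bytes) -> dict:
    headers, body = parse_http_response(raw)
    info = hash_object(body)
    info["content_type"] = headers.get("content-type", "")
    return info


# Constructed samples. Bodies are stand-ins, not real malware bytes.
SAMPLE_CONTENT_LENGTH = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 12\r\n"
    b"\r\n"
    b"MZfakedll!!!"
)
SAMPLE_CHUNKED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"4\r\nMZfa\r\n"
    b"8\r\nkedll!!!\r\n"
    b"0\r\n\r\n"
)

if __name__ == "__main__":
    for name, raw in (("content-length", SAMPLE_CONTENT_LENGTH), ("chunked", SAMPLE_CHUNKED)):
        print(name, extract_and_hash(raw))
```

Both samples carry the same 12-byte body, so both framings hash identically; the `is_pe` check catches the common mistake of hashing an HTML error page or a truncated download instead of the DLL. On the real capture, `tshark -r capture.pcap --export-objects http,objects` (hypothetical file name) writes the same objects Wireshark's dialog does, and the hash can then be compared against the AnyRun report.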

Q6) What is the IP address used by the attacker in initial access?

Wireshark display filter for connection attempts only (SYN set, ACK clear, i.e. the first packet of each TCP handshake; the server's SYN/ACK is excluded):

```
tcp.flags.syn == 1 && tcp.flags.ack == 0
```

<figure><img src="/files/WwAtQIHKOmqImokYOXy9" alt=""><figcaption></figcaption></figure>

Or from AnyRun:

<figure><img src="/files/XsS4QPOQc16gBWR9HqvJ" alt=""><figcaption></figcaption></figure>

Answer:  62.173.146.41

Q7) What is the last malicious IP address in the PCAP that is known to be used as CnC by DanaBot?

```
tcp.srcport != 433
```

<figure><img src="/files/Zc4tim1r2cqQrx5IEPG3" alt=""><figcaption></figcaption></figure>

Answer:  91.201.67.85
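The logic behind Q6 and Q7 as code, added here as an example that is not part of the lab write-up: the SYN-only condition picks out the hosts the victim reached out to, in order, and a timestamp scan finds the last contact with a known-bad address. The packet timeline, the victim address 10.0.0.5 and the IOC set are constructed assumptions for the example; the IOC set only contains the two addresses from the answers above.

```python
"""Added example (not part of the write-up): Q6 and Q7 as code. Packet
summaries are constructed here; on a real capture they would come from
tshark -T fields. The victim address and the IOC set are assumptions; the
IOC set only contains the addresses named in the lab answers."""
from dataclasses import dataclass

SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Pkt:
    ts: float     # seconds since start of capture
    src: str
    dst: str
    sport: int
    dport: int
    flags: int    # TCP flag bits


def outbound_connections(pkts, victim):
    """(dst, dport) pairs the victim initiated, in first-seen order.

    A bare SYN (SYN set, ACK clear) from the victim is a connection attempt;
    the server's SYN/ACK has both bits set and is skipped. This is the same
    condition as the display filter tcp.flags.syn == 1 && tcp.flags.ack == 0,
    narrowed to packets sent by the victim.
    """
    seen = []
    for p in sorted(pkts, key=lambda p: p.ts):
        if p.src != victim or not (p.flags & SYN) or (p.flags & ACK):
            continue
        if (p.dst, p.dport) not in seen:
            seen.append((p.dst, p.dport))
    return seen


def last_contact(pkts, iocs):
    """(ip, ts) of the latest packet to or from any IOC address, or None.

    'Last' is decided by timestamp rather than frame order, which matters if
    the capture was merged from several files.
    """
    best = None
    for p in pkts:
        peer = p.dst if p.dst in iocs else p.src if p.src in iocs else None
        if peer is not None and (best is None or p.ts > best[1]):
            best = (peer, p.ts)
    return best


VICTIM = "10.0.0.5"                       # assumed for the example
IOCS = {"62.173.146.41", "91.201.67.85"}  # the two addresses from the answers above

# Constructed timeline: stage-1 download, an unrelated site, then C2 traffic.
PACKETS = [
    Pkt(1.00, VICTIM, "62.173.146.41", 49152, 80, SYN),
    Pkt(1.05, "62.173.146.41", VICTIM, 80, 49152, SYN | ACK),
    Pkt(1.06, VICTIM, "62.173.146.41", 49152, 80, ACK),
    Pkt(3.00, VICTIM, "203.0.113.10", 49153, 80, SYN),    # placeholder benign host
    Pkt(5.00, VICTIM, "91.201.67.85", 49154, 443, SYN),
    Pkt(5.05, "91.201.67.85", VICTIM, 443, 49154, SYN | ACK),
    Pkt(1.00, VICTIM, "62.173.146.41", 49152, 80, SYN),   # duplicate frame
    Pkt(12.0, VICTIM, "91.201.67.85", 49154, 443, ACK),
]

if __name__ == "__main__":
    print("initial access host:", outbound_connections(PACKETS, VICTIM)[0])
    print("last known C2 contact:", last_contact(PACKETS, IOCS))
```

To feed real data in, `tshark -r capture.pcap -Y "tcp" -T fields -e frame.time_relative -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags` (hypothetical file name) prints one row per packet that maps directly onto `Pkt`; `tcp.flags` is printed as a hex value, so `int(value, 16)` gives the flag bits the functions test.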

