Overview

overview

10

Static

static

3

04a1c81b1b...18.dll

windows7-x64

10

04a1c81b1b...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-04-2024 07:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    04a1c81b1bb3b37e86d2a43aef5ff880_JaffaCakes118.dll

  • Size

    211KB

  • MD5

    04a1c81b1bb3b37e86d2a43aef5ff880

  • SHA1

    1daf08516a85baa7abf5d2d51b4db965808cf632

  • SHA256

    530001e38045813d7276694c428b64b4dc5a15b77f2b3cc757f64b8d34bcf815

  • SHA512

    881034af36cff20176df88d5c9b91badd4119ec25c24046e46899309d2b260603cf9a00da3e1dc19a9fb5b1f5766da178ed5efa7c9bd3e8daa1a820258e5811f

  • SSDEEP

    6144:6ZLwRyyWMa3NIBkL6LDW8dTZdw702edvxiuYOO6umz4N:6ZLwRyyHadIBkLIi8dTL2SvguYOO1mkN

Score
10/10
icedidbankerloadertrojan

Malware Config

Extracted

Family

icedid

C2

ldrstar.casa

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • IcedID First Stage Loader 1 IoCs
    loader
  • Program crash 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\04a1c81b1bb3b37e86d2a43aef5ff880_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:812
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\04a1c81b1bb3b37e86d2a43aef5ff880_JaffaCakes118.dll,#1
      2⤵
        PID:3704
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 644
          3⤵
          • Program crash
          PID:3000
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 796
          3⤵
          • Program crash
          PID:2856
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 836
          3⤵
          • Program crash
          PID:3764
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 836
          3⤵
          • Program crash
          PID:924
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3704 -ip 3704
      1⤵
        PID:4688
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3704 -ip 3704
        1⤵
          PID:3572
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3704 -ip 3704
          1⤵
            PID:2228
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3704 -ip 3704
            1⤵
              PID:3524

            Network

            MITRE ATT&CK Matrix

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/3704-0-0x00000000749C0000-0x0000000074A4C000-memory.dmp

              Filesize

              560KB

              Download

            • memory/3704-1-0x0000000001050000-0x0000000001051000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3704-2-0x00000000749C0000-0x0000000074A4C000-memory.dmp

              Filesize

              560KB

              Download

            • memory/3704-4-0x0000000001050000-0x0000000001051000-memory.dmp

              Filesize

              4KB

              Download