Analysis

max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 02-05-2024 10:26

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: 0e3d9982ef71756615d59ccd5d05abbe_JaffaCakes118.dll
  Resource: win7-20240220-en (windows7-x64)
  4 signatures, 150 seconds
General

Target: 0e3d9982ef71756615d59ccd5d05abbe_JaffaCakes118.dll
Size: 406KB
MD5: 0e3d9982ef71756615d59ccd5d05abbe
SHA1: c089fb31acf2284b4c33df45696b3750d98ae19c
SHA256: 89e881e0beb8adc93f3b45e835e68355e855d951a44d18153b7f042989b353e0
SHA512: 241b56a8fe6af00d80d4757522eefbc9e135e878b938b8eca4b8be6aae9411629d7687e1f476e8cd7a0957d6f1fce59fc9726011185e702dc0d5c501c1457a3a
SSDEEP: 6144:MU/OLpMfgR6vtVIgyPFiChgkX7WOMeLpebnZgUe4A29pNwz:MU/OLCfvLqPACIeoFa4A29Dwz
Malware Config

Extracted
Family: icedid
C2: ldrruble.casa
Signatures

IcedID First Stage Loader (1 IoC)
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/2272-1-0x0000000074830000-0x00000000748EF000-memory.dmp  IcedidFirstLoader

Blocklisted process makes network request (28 IoCs)
Processes: rundll32.exe
  flow  pid   process
  All 28 flows were made by pid 2272 (rundll32.exe); flow ids: 3, 4, 6, 7, 9, 10, 14, 15, 17, 18, 20, 21, 22, 23, 25, 26, 28, 29, 31, 32, 34, 35, 37, 38, 40, 41, 43, 44

Suspicious use of WriteProcessMemory (7 IoCs)
Processes: rundll32.exe
  description                        pid   process       target process
  PID 2268 wrote to memory of 2272   2268  rundll32.exe  rundll32.exe   (7 identical entries)
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e3d9982ef71756615d59ccd5d05abbe_JaffaCakes118.dll,#1
  PID: 2268
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e3d9982ef71756615d59ccd5d05abbe_JaffaCakes118.dll,#1
      PID: 2272
      - Blocklisted process makes network request
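The signature tables above are what an analyst would normally pull out of this report by hand: the 64-bit rundll32.exe (PID 2268) writes into a freshly created SysWOW64 rundll32.exe (PID 2272) that runs the same command line, and only the 32-bit child makes network requests and carries the IcedidFirstLoader match in memory. The script below is an added example, not part of the sandbox report or of any sandbox's own tooling. It parses the flattened table rows (constructed here as copies of the rows above), decodes the YARA memory-dump path into a PID and region, and combines the tables into one finding for the rundll32 ordinal-export pattern. The thresholds and the user-writable path list are illustrative assumptions.

```python
"""Parse the flattened signature rows of a sandbox report into structured
events and flag the rundll32 hand-off pattern the report describes.
Added example; the row strings are constructed copies of the report's tables
and the USER_WRITABLE list is an illustrative assumption."""
import re
from collections import Counter, defaultdict

# Constructed input, copied from the report: the 64-bit rundll32 (2268)
# spawned the 32-bit one (2272); both carry the same command line.
IMAGES = {2268: r"C:\Windows\system32\rundll32.exe",
          2272: r"C:\Windows\SysWOW64\rundll32.exe"}
CMDLINE = (r"rundll32.exe C:\Users\Admin\AppData\Local\Temp"
           r"\0e3d9982ef71756615d59ccd5d05abbe_JaffaCakes118.dll,#1")
CMDLINES = {2268: CMDLINE, 2272: CMDLINE}
WPM_ROWS = " ".join(
    ["PID 2268 wrote to memory of 2272 2268 rundll32.exe rundll32.exe"] * 7)
FLOW_IDS = [3, 4, 6, 7, 9, 10, 14, 15, 17, 18, 20, 21, 22, 23,
            25, 26, 28, 29, 31, 32, 34, 35, 37, 38, 40, 41, 43, 44]
FLOW_ROWS = " ".join(f"{f} 2272 rundll32.exe" for f in FLOW_IDS)
YARA_ROW = ("behavioral1/memory/2272-1-0x0000000074830000-"
            "0x00000000748EF000-memory.dmp IcedidFirstLoader")

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
FLOW_RE = re.compile(r"(\d+) (\d+) (\S+\.exe)")
YARA_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)"
                     r"-memory\.dmp (\w+)")
ORDINAL_RE = re.compile(r"rundll32\.exe\s+(?P<dll>.+?\.dll),#(?P<ord>\d+)",
                        re.IGNORECASE)
# Assumed list of directories a standard user can write to.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")


def parse_write_process_memory(rows):
    """Count (writer pid, target pid) pairs from the WriteProcessMemory table."""
    return Counter((int(a), int(b)) for a, b in WPM_RE.findall(rows))


def parse_network_flows(rows):
    """Map pid -> list of flow ids from the 'makes network request' table."""
    flows = defaultdict(list)
    for flow, pid, _image in FLOW_RE.findall(rows):
        flows[int(pid)].append(int(flow))
    return dict(flows)


def parse_yara_hit(row):
    """Decode a memory-dump YARA row into pid, region bounds, size and rule."""
    pid, start, end, rule = YARA_RE.search(row).groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "start": start, "end": end,
            "size": end - start, "rule": rule}


def rundll32_ordinal_call(cmdline):
    """Return (dll_path, ordinal) when rundll32 calls an export by ordinal."""
    m = ORDINAL_RE.search(cmdline)
    return (m["dll"], int(m["ord"])) if m else None


def triage(images, cmdlines, wpm_rows, flow_rows, yara_row):
    """Join the tables: a rundll32 that hands a DLL to a second rundll32,
    which then talks to the network and carries a loader signature."""
    writes = parse_write_process_memory(wpm_rows)
    flows = parse_network_flows(flow_rows)
    hit = parse_yara_hit(yara_row)
    findings = []
    for (parent, child), n in writes.items():
        call = rundll32_ordinal_call(cmdlines.get(child, ""))
        if not call:
            continue
        dll, ordinal = call
        parent_img = images.get(parent, "").lower()
        child_img = images.get(child, "").lower()
        # 64-bit rundll32 relaunching its SysWOW64 twin with the same
        # command line is how a 32-bit DLL gets loaded; on its own it is benign.
        handoff = (parent_img.endswith("\\rundll32.exe")
                   and child_img.endswith("\\rundll32.exe")
                   and cmdlines.get(parent) == cmdlines.get(child))
        finding = {
            "parent": parent, "child": child, "dll": dll, "ordinal": ordinal,
            "writes": n,
            "wow64_handoff": handoff and "\\syswow64\\" in child_img,
            "user_writable_dll": any(t in dll.lower() for t in USER_WRITABLE),
            "flows": len(flows.get(child, [])),
            "yara": hit["rule"] if hit["pid"] == child else None,
        }
        finding["loader_suspected"] = (finding["user_writable_dll"]
                                       and finding["flows"] > 0
                                       and finding["yara"] is not None)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(IMAGES, CMDLINES, WPM_ROWS, FLOW_ROWS, YARA_ROW):
        print(f)
```

The WriteProcessMemory count alone is a weak signal: CreateProcess writes into every child it starts, and the 64-bit rundll32.exe always relaunches the SysWOW64 copy when handed a 32-bit DLL, which is why both processes show the identical command line. What makes this run worth escalating is the combination the script checks for: a DLL loaded by ordinal from a user-writable %TEMP% path, the child alone generating 28 network flows, and the first-stage loader rule matching inside the mapped DLL region (0xBF000 bytes at 0x74830000).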