Analysis

max time kernel: 145s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-05-2024 10:26
Static task
  static1
  1 signatures

Behavioral task
  behavioral1
  Sample: 0e3d9982ef71756615d59ccd5d05abbe_JaffaCakes118.dll
  Resource: win7-20240220-en (windows7-x64)
  4 signatures
  150 seconds
General

Target: 0e3d9982ef71756615d59ccd5d05abbe_JaffaCakes118.dll
Size: 406KB
MD5: 0e3d9982ef71756615d59ccd5d05abbe
SHA1: c089fb31acf2284b4c33df45696b3750d98ae19c
SHA256: 89e881e0beb8adc93f3b45e835e68355e855d951a44d18153b7f042989b353e0
SHA512: 241b56a8fe6af00d80d4757522eefbc9e135e878b938b8eca4b8be6aae9411629d7687e1f476e8cd7a0957d6f1fce59fc9726011185e702dc0d5c501c1457a3a
SSDEEP: 6144:MU/OLpMfgR6vtVIgyPFiChgkX7WOMeLpebnZgUe4A29pNwz:MU/OLCfvLqPACIeoFa4A29Dwz
Malware Config

Extracted
  Family: icedid
  C2: ldrruble.casa
Signatures

IcedID First Stage Loader (1 IoCs)
Processes:
  resource                                                                    yara_rule
  behavioral2/memory/3164-1-0x0000000075680000-0x000000007573F000-memory.dmp  IcedidFirstLoader

Blocklisted process makes network request (13 IoCs)
Processes: rundll32.exe
  flow  pid   process
  36    3164  rundll32.exe
  39    3164  rundll32.exe
  40    3164  rundll32.exe
  43    3164  rundll32.exe
  51    3164  rundll32.exe
  54    3164  rundll32.exe
  57    3164  rundll32.exe
  60    3164  rundll32.exe
  61    3164  rundll32.exe
  69    3164  rundll32.exe
  71    3164  rundll32.exe
  73    3164  rundll32.exe
  77    3164  rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
  description                       pid   process       target process
  PID 3828 wrote to memory of 3164  3828  rundll32.exe  rundll32.exe
  PID 3828 wrote to memory of 3164  3828  rundll32.exe  rundll32.exe
  PID 3828 wrote to memory of 3164  3828  rundll32.exe  rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e3d9982ef71756615d59ccd5d05abbe_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3828

  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e3d9982ef71756615d59ccd5d05abbe_JaffaCakes118.dll,#1
    - Blocklisted process makes network request
    PID: 3164