icedid | 24e4d25395afc41a3e9b860ae7fca1485ecbd3e432387a62c893412978f9a525

Analysis

max time kernel
146s
max time network
146s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
05-05-2024 21:10

Target

19478b0c47b758ea811f9a6b9857fcd9_JaffaCakes118.dll
Size

120KB
MD5

19478b0c47b758ea811f9a6b9857fcd9
SHA1

d8f506529cba7b603c598c4b6651f8b9ffe2c535
SHA256

24e4d25395afc41a3e9b860ae7fca1485ecbd3e432387a62c893412978f9a525
SHA512

4aa7a968f20db0eac8b86bf6ff430560b86c3e1ac6e672ccb034ca03530c4055e06fd3a8156bdf9077f141ffaaf81409cdba67bdbfab80c6ff50778ea3cfef7e
SSDEEP

3072:za+dUDMZJjkzSzh25YohAUwr3XnsOOujmZOt0:wMZSzSzhA1rwDXnhZCS0

Score

10^/10

Family

icedid

loadwe4.casa

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 4 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1876-0-0x00000000001A0000-0x00000000001AA000-memory.dmp	IcedidFirstLoader
behavioral1/memory/1876-12-0x0000000000180000-0x0000000000188000-memory.dmp	IcedidFirstLoader
behavioral1/memory/1876-8-0x0000000000210000-0x0000000000216000-memory.dmp	IcedidFirstLoader
behavioral1/memory/1876-4-0x00000000001B0000-0x00000000001B8000-memory.dmp	IcedidFirstLoader

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2416 wrote to memory of 1876	2416	regsvr32.exe	regsvr32.exe
PID 2416 wrote to memory of 1876	2416	regsvr32.exe	regsvr32.exe
PID 2416 wrote to memory of 1876	2416	regsvr32.exe	regsvr32.exe
PID 2416 wrote to memory of 1876	2416	regsvr32.exe	regsvr32.exe
PID 2416 wrote to memory of 1876	2416	regsvr32.exe	regsvr32.exe
PID 2416 wrote to memory of 1876	2416	regsvr32.exe	regsvr32.exe
PID 2416 wrote to memory of 1876	2416	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\19478b0c47b758ea811f9a6b9857fcd9_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\19478b0c47b758ea811f9a6b9857fcd9_JaffaCakes118.dll
  2⤵
  PID:1876

memory/1876-0-0x00000000001A0000-0x00000000001AA000-memory.dmp

Filesize
40KB

Download
memory/1876-12-0x0000000000180000-0x0000000000188000-memory.dmp

Filesize
32KB

Download
memory/1876-8-0x0000000000210000-0x0000000000216000-memory.dmp

Filesize
24KB

Download
memory/1876-4-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download