icedid | 9d075b18bd7c1a71d298cbbac829ff9753f43caaf9e06681206adc78f45b68fa

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 11:48

Target

4aeb39eb230acd4a186a28d12a9d4354_JaffaCakes118.dll
Size

120KB
MD5

4aeb39eb230acd4a186a28d12a9d4354
SHA1

d36068381db2169c5d24e725968d5de3684f6bc3
SHA256

9d075b18bd7c1a71d298cbbac829ff9753f43caaf9e06681206adc78f45b68fa
SHA512

7e1b01e32c9a5ed787303df72d65e17b297b3b713dbe21c551460d5a8f8457a147eb0f67087f7f41fc24aacf856f2fcf029b9701885c04a01d5ebf5cd5bd7aae
SSDEEP

3072:za+dUDMZJjkzSzh25YohAUwr3XnsOOujmZOtg:wMZSzSzhA1rwDXnhZCSg

Score

10^/10

Family

icedid

loadwe4.casa

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 4 IoCs

loader

Processes:

resource	yara_rule
behavioral2/memory/4904-4-0x00000000029C0000-0x00000000029C8000-memory.dmp	IcedidFirstLoader
behavioral2/memory/4904-1-0x0000000001100000-0x000000000110A000-memory.dmp	IcedidFirstLoader
behavioral2/memory/4904-7-0x0000000001060000-0x0000000001068000-memory.dmp	IcedidFirstLoader
behavioral2/memory/4904-8-0x0000000002A30000-0x0000000002A36000-memory.dmp	IcedidFirstLoader

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2160 wrote to memory of 4904	2160	regsvr32.exe	regsvr32.exe
PID 2160 wrote to memory of 4904	2160	regsvr32.exe	regsvr32.exe
PID 2160 wrote to memory of 4904	2160	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4aeb39eb230acd4a186a28d12a9d4354_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\4aeb39eb230acd4a186a28d12a9d4354_JaffaCakes118.dll
  2⤵
  PID:4904

memory/4904-4-0x00000000029C0000-0x00000000029C8000-memory.dmp

Filesize
32KB

Download
memory/4904-1-0x0000000001100000-0x000000000110A000-memory.dmp

Filesize
40KB

Download
memory/4904-7-0x0000000001060000-0x0000000001068000-memory.dmp

Filesize
32KB

Download
memory/4904-8-0x0000000002A30000-0x0000000002A36000-memory.dmp

Filesize
24KB

Download