icedid | c91847b9b00dddebd4f694412f2cc4c7346c15aa3cda2da856d9b0860a17ec50

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
18/05/2024, 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55a8da7ffdb5beeb293e27851793bb52_JaffaCakes118.dll
Size

211KB
MD5

55a8da7ffdb5beeb293e27851793bb52
SHA1

35fa0d2ce0d459524b79e3b3b839b50639a8052e
SHA256

c91847b9b00dddebd4f694412f2cc4c7346c15aa3cda2da856d9b0860a17ec50
SHA512

28ddd40b08bf83e89b0c92d89159e79f0103d7add097ab099a26103eb31f52a4ec9669290ccfa588d7075e71d712b34c10b625d644a425107535208307dbdb53
SSDEEP

6144:6ZLwRyyWMa3NIBkL6LDW8dTZdw702edvxiuYOO6umz4N:6ZLwRyyHadIBkLIi8dTL2SvguYOO1mkN

Score

10^/10

icedid banker loader trojan

Malware Config

Extracted

Family

icedid

ldrstar.casa

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 2 IoCs

loader

resource	yara_rule
behavioral2/memory/3380-1-0x0000000075170000-0x00000000751FC000-memory.dmp	IcedidFirstLoader
behavioral2/memory/3380-2-0x0000000075170000-0x00000000751FC000-memory.dmp	IcedidFirstLoader

Blocklisted process makes network request 16 IoCs

flow	pid	Process
45	3380	rundll32.exe
47	3380	rundll32.exe
48	3380	rundll32.exe
52	3380	rundll32.exe
55	3380	rundll32.exe
58	3380	rundll32.exe
67	3380	rundll32.exe
69	3380	rundll32.exe
76	3380	rundll32.exe
78	3380	rundll32.exe
84	3380	rundll32.exe
91	3380	rundll32.exe
94	3380	rundll32.exe
97	3380	rundll32.exe
98	3380	rundll32.exe
100	3380	rundll32.exe

Program crash 6 IoCs

pid	pid_target	Process	procid_target
3640	3380	WerFault.exe	82
456	3380	WerFault.exe	82
4868	3380	WerFault.exe	82
2416	3380	WerFault.exe	82
4356	3380	WerFault.exe	82
2768	3380	WerFault.exe	82

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 3380	3512	rundll32.exe	82
PID 3512 wrote to memory of 3380	3512	rundll32.exe	82
PID 3512 wrote to memory of 3380	3512	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\55a8da7ffdb5beeb293e27851793bb52_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\55a8da7ffdb5beeb293e27851793bb52_JaffaCakes118.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:3380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 640
    3⤵
    - Program crash
    PID:3640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 796
    3⤵
    - Program crash
    PID:456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 832
    3⤵
    - Program crash
    PID:4868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 1172
    3⤵
    - Program crash
    PID:2416
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 1288
    3⤵
    - Program crash
    PID:4356
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 1324
    3⤵
    - Program crash
    PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3380 -ip 3380
1⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3380 -ip 3380
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3380 -ip 3380
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3380 -ip 3380
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3380 -ip 3380
1⤵
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3380 -ip 3380
1⤵
PID:2424

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3380-0-0x00000000751A3000-0x00000000751A7000-memory.dmp

Filesize
16KB

Download
memory/3380-1-0x0000000075170000-0x00000000751FC000-memory.dmp

Filesize
560KB

Download
memory/3380-2-0x0000000075170000-0x00000000751FC000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads