Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 20-05-2024 12:17

Static task
- static1
- 1 signatures

Behavioral task
- behavioral1
- Sample: 5f06dd5222ad5f38c294c2a605d7a1ac_JaffaCakes118.dll
- Resource: win7-20240508-en
- 4 signatures
- 150 seconds
General
- Target: 5f06dd5222ad5f38c294c2a605d7a1ac_JaffaCakes118.dll
- Size: 406KB
- MD5: 5f06dd5222ad5f38c294c2a605d7a1ac
- SHA1: 3852fff8fb9ac1a0dad431368c568e60aee40589
- SHA256: 1d916a05e07aa61bb84504cd7cf70e920549dde98a3eafebfde3e13d3137df24
- SHA512: 5b664878282689a9f898af90e59c3f3f06ce74503177874da4e58093b30c3a340870a9a94a0027d5f9f1a31b15733a73c5fc20c587a764df20f70ba94d50ec49
- SSDEEP: 6144:MU/OLpMfjR6vtVIgyPFiChgkX7WOMeLpebnZgUe4A29pNwz:MU/OLCfmLqPACIeoFa4A29Dwz
Malware Config
- Extracted
- Family: icedid
- C2: ldrruble.casa
Signatures
- IcedID First Stage Loader (1 IoCs)
  Processes:
    resource                                                                    | yara_rule
    behavioral1/memory/2140-1-0x0000000074810000-0x00000000748CF000-memory.dmp | IcedidFirstLoader
- Blocklisted process makes network request (32 IoCs)
  Processes: rundll32.exe
    flow | pid  | process
    3    | 2140 | rundll32.exe
    4    | 2140 | rundll32.exe
    6    | 2140 | rundll32.exe
    7    | 2140 | rundll32.exe
    9    | 2140 | rundll32.exe
    10   | 2140 | rundll32.exe
    14   | 2140 | rundll32.exe
    15   | 2140 | rundll32.exe
    17   | 2140 | rundll32.exe
    18   | 2140 | rundll32.exe
    20   | 2140 | rundll32.exe
    21   | 2140 | rundll32.exe
    22   | 2140 | rundll32.exe
    23   | 2140 | rundll32.exe
    25   | 2140 | rundll32.exe
    26   | 2140 | rundll32.exe
    28   | 2140 | rundll32.exe
    29   | 2140 | rundll32.exe
    31   | 2140 | rundll32.exe
    32   | 2140 | rundll32.exe
    34   | 2140 | rundll32.exe
    35   | 2140 | rundll32.exe
    37   | 2140 | rundll32.exe
    38   | 2140 | rundll32.exe
    40   | 2140 | rundll32.exe
    41   | 2140 | rundll32.exe
    43   | 2140 | rundll32.exe
    44   | 2140 | rundll32.exe
    46   | 2140 | rundll32.exe
    47   | 2140 | rundll32.exe
    49   | 2140 | rundll32.exe
    50   | 2140 | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: rundll32.exe
    description                       | pid  | process      | target process
    PID 2136 wrote to memory of 2140  | 2136 | rundll32.exe | rundll32.exe
    PID 2136 wrote to memory of 2140  | 2136 | rundll32.exe | rundll32.exe
    PID 2136 wrote to memory of 2140  | 2136 | rundll32.exe | rundll32.exe
    PID 2136 wrote to memory of 2140  | 2136 | rundll32.exe | rundll32.exe
    PID 2136 wrote to memory of 2140  | 2136 | rundll32.exe | rundll32.exe
    PID 2136 wrote to memory of 2140  | 2136 | rundll32.exe | rundll32.exe
    PID 2136 wrote to memory of 2140  | 2136 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f06dd5222ad5f38c294c2a605d7a1ac_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f06dd5222ad5f38c294c2a605d7a1ac_JaffaCakes118.dll,#1
    - Blocklisted process makes network request