Analysis
  max time kernel: 147s
  max time network: 152s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 27-05-2024 21:24

Static task: static1
  1 signature

Behavioral task: behavioral1
  Sample: 7a946bfc8ca85ad16bf66ecabb4ccdec_JaffaCakes118.dll
  Resource: win7-20240221-en
  4 signatures
  150 seconds
General
  Target: 7a946bfc8ca85ad16bf66ecabb4ccdec_JaffaCakes118.dll
  Size: 214KB
  MD5: 7a946bfc8ca85ad16bf66ecabb4ccdec
  SHA1: 0c5014dcdcf28f11f31c13e3fb3ef6ae5559f628
  SHA256: 8efa3aea51c2da764f118b7808fa096c3e3a841b676b1e046cdd6ad50cf8af3d
  SHA512: f667e6badebdc6a8bc677bb54f073112b70b7896c41b04d40a47880d5ccb47082996fc2e04aeabb55888d92d269a3b1d650bdf190eb25f058560a311cbd326c3
  SSDEEP: 6144:54+U6OuNhTIXJnxeecA9ikbl4yB6ETGzM0yT:a+U6Oseh9cA/lV6ETGw0yT
Malware Config
  Extracted
    Family: icedid
    C2: ldrshekel.casa
Signatures

IcedID First Stage Loader (1 IoC)
  resource: behavioral1/memory/1652-1-0x0000000074E00000-0x0000000074E97000-memory.dmp
  yara_rule: IcedidFirstLoader

Blocklisted process makes network request (32 IoCs)
  Process: rundll32.exe, PID 1652, for all 32 flows
  flow: 3, 4, 6, 7, 11, 12, 14, 15, 17, 18, 20, 21, 23, 24, 25, 26, 28, 29, 31, 32, 34, 35, 37, 38, 39, 40, 42, 43, 45, 46, 48, 49

Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 2112 wrote to memory of 1652
  pid: 2112  Process: rundll32.exe  procid_target: 28
  (the same entry is reported 7 times)
Processes

  C:\Windows\system32\rundll32.exe (PID 2112)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7a946bfc8ca85ad16bf66ecabb4ccdec_JaffaCakes118.dll,#1
    signature: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe (PID 1652, child of 2112)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7a946bfc8ca85ad16bf66ecabb4ccdec_JaffaCakes118.dll,#1
      signature: Blocklisted process makes network request
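Added example, not part of the sandbox output: a Python script that turns the indicators in this report into something a responder can query. It parses the memory-dump resource name from the YARA hit into pid and mapped range, counts network flows per pid from the flattened flow table, splits the rundll32 command lines from the process tree into DLL path and entry point (",#1" is rundll32 syntax for calling export ordinal 1), and runs a detection check over process-creation events constructed to mirror that tree plus one benign control event. The event field names, the control event, the ppid values and every function name are this example's own assumptions, not the sandbox's schema.

```python
"""Extract IOCs from this report and check process events for its rundll32 pattern.

Added example. EVENTS is constructed from the Processes section (plus a benign
control); field names and helper names are assumptions, not the sandbox schema.
"""
import re
from typing import Optional

# Resource name of the "IcedidFirstLoader" YARA hit in the Signatures section.
DUMP_RESOURCE = ("behavioral1/memory/1652-1-0x0000000074E00000-"
                 "0x0000000074E97000-memory.dmp")

# Flattened "flow pid Process" table from "Blocklisted process makes network request".
FLOW_TABLE = (
    "flow pid Process 3 1652 rundll32.exe 4 1652 rundll32.exe 6 1652 rundll32.exe "
    "7 1652 rundll32.exe 11 1652 rundll32.exe 12 1652 rundll32.exe 14 1652 rundll32.exe "
    "15 1652 rundll32.exe 17 1652 rundll32.exe 18 1652 rundll32.exe 20 1652 rundll32.exe "
    "21 1652 rundll32.exe 23 1652 rundll32.exe 24 1652 rundll32.exe 25 1652 rundll32.exe "
    "26 1652 rundll32.exe 28 1652 rundll32.exe 29 1652 rundll32.exe 31 1652 rundll32.exe "
    "32 1652 rundll32.exe 34 1652 rundll32.exe 35 1652 rundll32.exe 37 1652 rundll32.exe "
    "38 1652 rundll32.exe 39 1652 rundll32.exe 40 1652 rundll32.exe 42 1652 rundll32.exe "
    "43 1652 rundll32.exe 45 1652 rundll32.exe 46 1652 rundll32.exe 48 1652 rundll32.exe "
    "49 1652 rundll32.exe")

SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\7a946bfc8ca85ad16bf66ecabb4ccdec_JaffaCakes118.dll"

# Constructed process-creation events mirroring the Processes section; the third
# event is a benign control. ppid=1 stands in for the unknown launcher.
EVENTS = [
    {"pid": 2112, "ppid": 1, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"pid": 1652, "ppid": 2112, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"pid": 3001, "ppid": 1, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"},
]

_DUMP_RE = re.compile(
    r".*/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
_FLOW_RE = re.compile(r"(\d+)\s+(\d+)\s+(\S+)")
_RUNDLL_RE = re.compile(
    r"^\s*rundll32(?:\.exe)?\s+(?P<dll>.+?)(?:,(?P<export>[^\s,]+))?\s*$", re.IGNORECASE)


def parse_dump_resource(name: str) -> dict:
    """Split a Triage memory-dump name into pid and the mapped address range."""
    m = _DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "start": start, "end": end, "size": end - start}


def flows_per_pid(raw: str) -> dict:
    """Count network flows per pid in the flattened 'flow pid Process' table."""
    counts: dict = {}
    for _flow, pid, _proc in _FLOW_RE.findall(raw):
        counts[int(pid)] = counts.get(int(pid), 0) + 1
    return counts


def parse_rundll32_cmdline(cmdline: str) -> Optional[dict]:
    """Extract DLL path and entry point; an export of '#N' means call by ordinal."""
    m = _RUNDLL_RE.match(cmdline)
    if not m:
        return None
    export = m["export"]
    return {"dll": m["dll"], "export": export,
            "ordinal": bool(export and export.startswith("#"))}


def suspicious_rundll32_reasons(ev: dict, by_pid: dict) -> list:
    """Reasons this rundll32 event matches the pattern seen in the report."""
    reasons: list = []
    if not ev["image"].lower().endswith("\\rundll32.exe"):
        return reasons
    parsed = parse_rundll32_cmdline(ev["cmdline"])
    if parsed is None:
        return reasons
    if "\\appdata\\local\\temp\\" in parsed["dll"].lower():
        reasons.append("DLL loaded from the user's Temp directory")
    if parsed["ordinal"]:
        reasons.append(f"entry point called by ordinal {parsed['export']}")
    parent = by_pid.get(ev["ppid"])
    if parent and parent["image"].lower().endswith("\\rundll32.exe"):
        reasons.append("rundll32 spawned by rundll32")
        if ("\\syswow64\\" in ev["image"].lower()
                and "\\system32\\" in parent["image"].lower()):
            reasons.append("64-bit rundll32 re-launched the DLL in a 32-bit rundll32")
    return reasons


def scan(events: list) -> dict:
    """Map pid -> reasons for every event that triggers at least one reason."""
    by_pid = {ev["pid"]: ev for ev in events}
    return {ev["pid"]: r for ev in events if (r := suspicious_rundll32_reasons(ev, by_pid))}


if __name__ == "__main__":
    dump = parse_dump_resource(DUMP_RESOURCE)
    print(f"loader image in pid {dump['pid']}: {dump['start']:#x}-{dump['end']:#x} "
          f"({dump['size']} bytes)")
    print("network flows per pid:", flows_per_pid(FLOW_TABLE))
    for pid, reasons in scan(EVENTS).items():
        print(f"pid {pid}: " + "; ".join(reasons))
```

The check deliberately scores each event on several independent signals (DLL in a user-writable Temp path, entry point by ordinal, rundll32 as its own parent, 64-bit to 32-bit re-launch) rather than on the file name, so it still fires when the sample is renamed; the benign control event with a system DLL and a named export produces no reasons at all.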