icedid | 3626c5c04745f7318a313d26345c7c16450ff57b1a22fba0e57f8e03de0b8946

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ddd2eb2b4bd1f7c615e92e57d725768_JaffaCakes118.dll
Size

211KB
MD5

7ddd2eb2b4bd1f7c615e92e57d725768
SHA1

99a81f0d385051b41df44a53a753b8c3e1862982
SHA256

3626c5c04745f7318a313d26345c7c16450ff57b1a22fba0e57f8e03de0b8946
SHA512

c95a1a32f8e32c0ef576420a9e80827a70007db83deb0251ba18c63f23e66777615a995156f84cf13ed46acf87c4e73ade3c17ee874c74e8660c266462759f36
SSDEEP

6144:6ZLwUyyWMa3NIBkL6LDW8dTZdw702edvxiuYOO6umz4N:6ZLwUyyHadIBkLIi8dTL2SvguYOO1mkN

Score

10^/10

icedid banker loader trojan

Malware Config

Extracted

Family

icedid

ldrstar.casa

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 2 IoCs

loader

resource	yara_rule
behavioral2/memory/2664-1-0x0000000075500000-0x000000007558C000-memory.dmp	IcedidFirstLoader
behavioral2/memory/2664-2-0x0000000075500000-0x000000007558C000-memory.dmp	IcedidFirstLoader

Blocklisted process makes network request 15 IoCs

flow	pid	Process
43	2664	rundll32.exe
44	2664	rundll32.exe
47	2664	rundll32.exe
50	2664	rundll32.exe
53	2664	rundll32.exe
61	2664	rundll32.exe
65	2664	rundll32.exe
71	2664	rundll32.exe
74	2664	rundll32.exe
82	2664	rundll32.exe
93	2664	rundll32.exe
96	2664	rundll32.exe
99	2664	rundll32.exe
100	2664	rundll32.exe
105	2664	rundll32.exe

Program crash 5 IoCs

pid	pid_target	Process	procid_target
4824	2664	WerFault.exe	83
3800	2664	WerFault.exe	83
4572	2664	WerFault.exe	83
2188	2664	WerFault.exe	83
2936	2664	WerFault.exe	83

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2664	2348	rundll32.exe	83
PID 2348 wrote to memory of 2664	2348	rundll32.exe	83
PID 2348 wrote to memory of 2664	2348	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ddd2eb2b4bd1f7c615e92e57d725768_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ddd2eb2b4bd1f7c615e92e57d725768_JaffaCakes118.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:2664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 636
    3⤵
    - Program crash
    PID:4824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 796
    3⤵
    - Program crash
    PID:3800
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 816
    3⤵
    - Program crash
    PID:4572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 1264
    3⤵
    - Program crash
    PID:2188
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 1272
    3⤵
    - Program crash
    PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2664 -ip 2664
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2664 -ip 2664
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2664 -ip 2664
1⤵
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2664 -ip 2664
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2664 -ip 2664
1⤵
PID:1788

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2664-1-0x0000000075500000-0x000000007558C000-memory.dmp

Filesize
560KB

Download
memory/2664-0-0x0000000075533000-0x0000000075537000-memory.dmp

Filesize
16KB

Download
memory/2664-2-0x0000000075500000-0x000000007558C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads