icedid | 9c2b9591aa625e3dd4d8eae345b24e331bf731c9d5fa6455ac8e79bd6ec5d0d0

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
15-06-2024 08:27

Target

ad88c54c37ce7d75790df768ef14e2f5_JaffaCakes118.dll
Size

211KB
MD5

ad88c54c37ce7d75790df768ef14e2f5
SHA1

298d7ba10332a0b9d220533ba337c2455d2f70e2
SHA256

9c2b9591aa625e3dd4d8eae345b24e331bf731c9d5fa6455ac8e79bd6ec5d0d0
SHA512

51c9b720c0a3e04d32e222b63a68e47accd3732992391897ed4db80b7160dab4cb72c150de185bc0b005878107fa556ba4a0154ff18c83e212b12aef9d847325
SSDEEP

6144:6ZLwyyyWMa3NIBkL6LDW8dTZdw702edvxiuYOO6umz4N:6ZLwyyyHadIBkLIi8dTL2SvguYOO1mkN

Score

10^/10

Family

icedid

ldrstar.casa

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 2 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/2372-0-0x0000000074A20000-0x0000000074AAC000-memory.dmp	IcedidFirstLoader
behavioral1/memory/2372-2-0x0000000074A20000-0x0000000074AAC000-memory.dmp	IcedidFirstLoader

Blocklisted process makes network request 34 IoCs

Processes:

rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2204 wrote to memory of 2372	2204	rundll32.exe	rundll32.exe
PID 2204 wrote to memory of 2372	2204	rundll32.exe	rundll32.exe
PID 2204 wrote to memory of 2372	2204	rundll32.exe	rundll32.exe
PID 2204 wrote to memory of 2372	2204	rundll32.exe	rundll32.exe
PID 2204 wrote to memory of 2372	2204	rundll32.exe	rundll32.exe
PID 2204 wrote to memory of 2372	2204	rundll32.exe	rundll32.exe
PID 2204 wrote to memory of 2372	2204	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad88c54c37ce7d75790df768ef14e2f5_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad88c54c37ce7d75790df768ef14e2f5_JaffaCakes118.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:2372

memory/2372-0-0x0000000074A20000-0x0000000074AAC000-memory.dmp

Filesize
560KB

Download
memory/2372-1-0x0000000074A53000-0x0000000074A57000-memory.dmp

Filesize
16KB

Download
memory/2372-2-0x0000000074A20000-0x0000000074AAC000-memory.dmp

Filesize
560KB

Download