Overview

overview

10

Static

static

3

ad88c54c37...18.dll

windows7-x64

10

ad88c54c37...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-06-2024 08:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ad88c54c37ce7d75790df768ef14e2f5_JaffaCakes118.dll

  • Size

    211KB

  • MD5

    ad88c54c37ce7d75790df768ef14e2f5

  • SHA1

    298d7ba10332a0b9d220533ba337c2455d2f70e2

  • SHA256

    9c2b9591aa625e3dd4d8eae345b24e331bf731c9d5fa6455ac8e79bd6ec5d0d0

  • SHA512

    51c9b720c0a3e04d32e222b63a68e47accd3732992391897ed4db80b7160dab4cb72c150de185bc0b005878107fa556ba4a0154ff18c83e212b12aef9d847325

  • SSDEEP

    6144:6ZLwyyyWMa3NIBkL6LDW8dTZdw702edvxiuYOO6umz4N:6ZLwyyyHadIBkLIi8dTL2SvguYOO1mkN

Score
10/10
icedidbankerloadertrojan

Malware Config

Extracted

Family

icedid

C2

ldrstar.casa

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • IcedID First Stage Loader 2 IoCs
    loader
  • Blocklisted process makes network request 15 IoCs
  • Program crash 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad88c54c37ce7d75790df768ef14e2f5_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad88c54c37ce7d75790df768ef14e2f5_JaffaCakes118.dll,#1
      2⤵
      • Blocklisted process makes network request
      PID:3184
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 636
        3⤵
        • Program crash
        PID:2076
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 800
        3⤵
        • Program crash
        PID:1964
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 836
        3⤵
        • Program crash
        PID:4052
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 1108
        3⤵
        • Program crash
        PID:4904
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 1004
        3⤵
        • Program crash
        PID:5008
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3184 -ip 3184
    1⤵
      PID:1408
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3184 -ip 3184
      1⤵
        PID:1692
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3184 -ip 3184
        1⤵
          PID:4100
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3184 -ip 3184
          1⤵
            PID:4048
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3184 -ip 3184
            1⤵
              PID:3516

            Network

            MITRE ATT&CK Matrix

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/3184-0-0x0000000075103000-0x0000000075107000-memory.dmp

              Filesize

              16KB

              Download

            • memory/3184-1-0x00000000750D0000-0x000000007515C000-memory.dmp

              Filesize

              560KB

              Download

            • memory/3184-2-0x00000000750D0000-0x000000007515C000-memory.dmp

              Filesize

              560KB

              Download