icedid | b85a0e5ff75ad8ccb59ea7214e9d76f2f70b17d4ba09eb210ce9e1f0d0f66677

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29-07-2024 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33305bd983f4293fa9d7b898c21f6bbc_JaffaCakes118.dll
Size

267KB
MD5

33305bd983f4293fa9d7b898c21f6bbc
SHA1

0341c6c63197e9c5134958fe5d88afbc00c8f798
SHA256

b85a0e5ff75ad8ccb59ea7214e9d76f2f70b17d4ba09eb210ce9e1f0d0f66677
SHA512

b14d3ff79a3c82449a81af418f04eb752f207e5ea8418056bfa1fced7368810a8f607c5e061fb98caf425d3232ab446a5fdcffe26ba41d73e4c1f4cc08e1bd56
SSDEEP

3072:WKCvsQ1ZkyvvaVH5wW760YyUu5VELUUtg7+HqOtTsTERJLGvumPOUIrLeAg0FujH:LQrkoCmvytr7UtkiBvPLiAOg3kaeXV6y

Score

10^/10

icedid banker discovery loader trojan

Malware Config

Extracted

Family

icedid

wertigohol.click

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/2708-1-0x0000000073A50000-0x0000000073FA5000-memory.dmp	IcedidFirstLoader

Blocklisted process makes network request 36 IoCs

Processes:

rundll32.exe

flow	pid	process
3	2708	rundll32.exe
4	2708	rundll32.exe
6	2708	rundll32.exe
7	2708	rundll32.exe
10	2708	rundll32.exe
11	2708	rundll32.exe
13	2708	rundll32.exe
14	2708	rundll32.exe
16	2708	rundll32.exe
17	2708	rundll32.exe
18	2708	rundll32.exe
19	2708	rundll32.exe
21	2708	rundll32.exe
22	2708	rundll32.exe
24	2708	rundll32.exe
25	2708	rundll32.exe
27	2708	rundll32.exe
28	2708	rundll32.exe
30	2708	rundll32.exe
31	2708	rundll32.exe
32	2708	rundll32.exe
33	2708	rundll32.exe
35	2708	rundll32.exe
36	2708	rundll32.exe
38	2708	rundll32.exe
39	2708	rundll32.exe
41	2708	rundll32.exe
42	2708	rundll32.exe
44	2708	rundll32.exe
45	2708	rundll32.exe
47	2708	rundll32.exe
48	2708	rundll32.exe
50	2708	rundll32.exe
51	2708	rundll32.exe
53	2708	rundll32.exe
54	2708	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2092 wrote to memory of 2708	2092	rundll32.exe	rundll32.exe
PID 2092 wrote to memory of 2708	2092	rundll32.exe	rundll32.exe
PID 2092 wrote to memory of 2708	2092	rundll32.exe	rundll32.exe
PID 2092 wrote to memory of 2708	2092	rundll32.exe	rundll32.exe
PID 2092 wrote to memory of 2708	2092	rundll32.exe	rundll32.exe
PID 2092 wrote to memory of 2708	2092	rundll32.exe	rundll32.exe
PID 2092 wrote to memory of 2708	2092	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\33305bd983f4293fa9d7b898c21f6bbc_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\33305bd983f4293fa9d7b898c21f6bbc_JaffaCakes118.dll,#1
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2708-0-0x0000000073A93000-0x0000000073A97000-memory.dmp

Filesize
16KB

Download
memory/2708-1-0x0000000073A50000-0x0000000073FA5000-memory.dmp

Filesize
5.3MB

Download
memory/2708-4-0x0000000073A93000-0x0000000073A97000-memory.dmp

Filesize
16KB

Download