icedid | 86747b573f7f2f20d75754e073411b56e93515eba22cf5c4307a24059e662b16

Analysis

max time kernel
145s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd11fb3c9d76df104dd54cab9eabc403_JaffaCakes118.exe
Size

228KB
MD5

dd11fb3c9d76df104dd54cab9eabc403
SHA1

63f7f1b2281f82bec711ab3dc490abde5a24f288
SHA256

86747b573f7f2f20d75754e073411b56e93515eba22cf5c4307a24059e662b16
SHA512

1532121e4d03955f5a4c33bd622a5da09357b37448ea923dacf12ca98e77af822de1dc3af3cd773f23d175c9b1cf5c42e914b01dbd150528d62e46b738f01949
SSDEEP

3072:DvbniW198DEYusGG2dIcnnhIm3fbk/1WJC6qidEIiCu8o3Bo84/X3wrbiW14:DJX8DAsGGDchISj95+CuOX/

Score

10^/10

icedid 3940132575 banker discovery loader trojan

Malware Config

Extracted

Family

icedid

Botnet

3940132575

besitxavier.best

nazifestivo.best

Attributes

auth_var
2
url_path
/audio/

Extracted

Family

icedid

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID Second Stage Loader 3 IoCs

loader

resource	yara_rule
behavioral1/memory/2532-4-0x0000000000320000-0x0000000000326000-memory.dmp	IcedidSecondLoader
behavioral1/memory/2532-0-0x0000000000310000-0x0000000000318000-memory.dmp	IcedidSecondLoader
behavioral1/memory/2532-9-0x0000000000300000-0x0000000000305000-memory.dmp	IcedidSecondLoader

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd11fb3c9d76df104dd54cab9eabc403_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2532	dd11fb3c9d76df104dd54cab9eabc403_JaffaCakes118.exe
2532	dd11fb3c9d76df104dd54cab9eabc403_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\dd11fb3c9d76df104dd54cab9eabc403_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dd11fb3c9d76df104dd54cab9eabc403_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2532-4-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2532-8-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2532-0-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/2532-9-0x0000000000300000-0x0000000000305000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads