icedid | a95efda438fdee4b4866287c2cfe9d89772a46c5d9d22377c8c63e43b2c93295

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
05-05-2024 22:44

Target

198895bd9f49e2dc78c0f82420bb6f87_JaffaCakes118.dll
Size

211KB
MD5

198895bd9f49e2dc78c0f82420bb6f87
SHA1

f6c2077832d52f082631fe8e3efabef6c329a8a0
SHA256

a95efda438fdee4b4866287c2cfe9d89772a46c5d9d22377c8c63e43b2c93295
SHA512

2d365edfc61ed9610ad7caa9a82be757339214e91508e89a156ce118170a552291881c4527a22a397214c35839b2a12c04b20404274cc8624bf54308dc01d574
SSDEEP

6144:6ZLweyyWMa3NIBkL6LDW8dTZdw702edvxiuYOO6umz4:6ZLweyyHadIBkLIi8dTL2SvguYOO1mk

Score

10^/10

Family

icedid

ldrstar.casa

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
IcedID First Stage Loader 1 IoCs
loader

Processes:

resource yara_rule

behavioral1/memory/3028-1-0x00000000744E0000-0x000000007456C000-memory.dmp IcedidFirstLoader

resource	yara_rule
behavioral1/memory/3028-1-0x00000000744E0000-0x000000007456C000-memory.dmp	IcedidFirstLoader

Blocklisted process makes network request 34 IoCs

Processes:

rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1068 wrote to memory of 3028	1068	rundll32.exe	rundll32.exe
PID 1068 wrote to memory of 3028	1068	rundll32.exe	rundll32.exe
PID 1068 wrote to memory of 3028	1068	rundll32.exe	rundll32.exe
PID 1068 wrote to memory of 3028	1068	rundll32.exe	rundll32.exe
PID 1068 wrote to memory of 3028	1068	rundll32.exe	rundll32.exe
PID 1068 wrote to memory of 3028	1068	rundll32.exe	rundll32.exe
PID 1068 wrote to memory of 3028	1068	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\198895bd9f49e2dc78c0f82420bb6f87_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\198895bd9f49e2dc78c0f82420bb6f87_JaffaCakes118.dll,#1
2⤵
- Blocklisted process makes network request
PID:3028

memory/3028-0-0x0000000074513000-0x0000000074517000-memory.dmp

Filesize
16KB

Download
memory/3028-1-0x00000000744E0000-0x000000007456C000-memory.dmp

Filesize
560KB

Download