icedid | a95efda438fdee4b4866287c2cfe9d89772a46c5d9d22377c8c63e43b2c93295

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

198895bd9f49e2dc78c0f82420bb6f87_JaffaCakes118.dll
Size

211KB
MD5

198895bd9f49e2dc78c0f82420bb6f87
SHA1

f6c2077832d52f082631fe8e3efabef6c329a8a0
SHA256

a95efda438fdee4b4866287c2cfe9d89772a46c5d9d22377c8c63e43b2c93295
SHA512

2d365edfc61ed9610ad7caa9a82be757339214e91508e89a156ce118170a552291881c4527a22a397214c35839b2a12c04b20404274cc8624bf54308dc01d574
SSDEEP

6144:6ZLweyyWMa3NIBkL6LDW8dTZdw702edvxiuYOO6umz4:6ZLweyyHadIBkLIi8dTL2SvguYOO1mk

Score

10^/10

icedid banker loader trojan

Malware Config

Extracted

Family

icedid

ldrstar.casa

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 3 IoCs

loader

Processes:

resource	yara_rule
behavioral2/memory/1656-1-0x0000000075070000-0x00000000750FC000-memory.dmp	IcedidFirstLoader
behavioral2/memory/1656-2-0x0000000075070000-0x00000000750FC000-memory.dmp	IcedidFirstLoader
behavioral2/memory/1656-3-0x0000000075070000-0x00000000750FC000-memory.dmp	IcedidFirstLoader

Blocklisted process makes network request 12 IoCs

Processes:

rundll32.exe

flow	pid	process
50	1656	rundll32.exe
52	1656	rundll32.exe
54	1656	rundll32.exe
61	1656	rundll32.exe
64	1656	rundll32.exe
71	1656	rundll32.exe
73	1656	rundll32.exe
77	1656	rundll32.exe
79	1656	rundll32.exe
83	1656	rundll32.exe
84	1656	rundll32.exe
86	1656	rundll32.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1860 1656 WerFault.exe rundll32.exe
1236 1656 WerFault.exe rundll32.exe
4432 1656 WerFault.exe rundll32.exe
2728 1656 WerFault.exe rundll32.exe
4584 1656 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1860	1656	WerFault.exe	rundll32.exe
1236	1656	WerFault.exe	rundll32.exe
4432	1656	WerFault.exe	rundll32.exe
2728	1656	WerFault.exe	rundll32.exe
4584	1656	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4656 wrote to memory of 1656	4656	rundll32.exe	rundll32.exe
PID 4656 wrote to memory of 1656	4656	rundll32.exe	rundll32.exe
PID 4656 wrote to memory of 1656	4656	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\198895bd9f49e2dc78c0f82420bb6f87_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\198895bd9f49e2dc78c0f82420bb6f87_JaffaCakes118.dll,#1
2⤵
- Blocklisted process makes network request
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 636
3⤵
- Program crash
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 796
3⤵
- Program crash
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 816
3⤵
- Program crash
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 1212
3⤵
- Program crash
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 1212
3⤵
- Program crash
PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3720 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1656 -ip 1656
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1656 -ip 1656
1⤵
PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1656 -ip 1656
1⤵
PID:796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1656 -ip 1656
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1656 -ip 1656
1⤵
PID:4392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1656-0-0x00000000750A3000-0x00000000750A7000-memory.dmp

Filesize
16KB

Download
memory/1656-1-0x0000000075070000-0x00000000750FC000-memory.dmp

Filesize
560KB

Download
memory/1656-2-0x0000000075070000-0x00000000750FC000-memory.dmp

Filesize
560KB

Download
memory/1656-3-0x0000000075070000-0x00000000750FC000-memory.dmp

Filesize
560KB

Download