Here’s what CapLoader’s Alerts tab looks like after loading 2023-10-16-IcedID-infection.pcap from @malware_traffic. The malicious protocol alerts for GzipLoader, #BackConnect and #IcedID over TLS are obvious indicators of IcedID. But what about the periodic connections made every 5 minutes?
https://netresec.com/?b=23B6bcd
CapLoader 1.9.6 Released

CapLoader now detects even more malicious protocols and includes several new features such as JA4 fingerprints, API support for sharing IOCs to ThreatFox and OSINT lookups of malware families on Malpedia. The new CapLoader 1.9.6 release also comes with several improvements of the user interface, for[...]

Netresec
IcedID’s 5-minute sleep timer becomes quite apparent if you look at a Gantt chart for the traffic with JA4 fingerprint t12d190800_d83cc789557e_7af1ed941c26.
Kai Lu shared the following reverse engineered code of #IcedID's C2 communication loop on Fortinet’s blog back in 2019. The WaitForSingleObject(handle, 0x493E0u) call in the while(true) loop waits for 0x493e0 milliseconds (5 minutes) every time before it connects to the C2 server.
A Deep Dive Into IcedID Malware: Part II - Analysis of the Core IcedID Payload (Parent Process)

Learn more about the core IcedID payload, a banking trojan which performs web injection on browsers and acts as proxy to inspect and manipulate traffic. This is part two of a three part series.…

Fortinet Blog
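The periodicity the Gantt chart makes visible can also be found programmatically. The script below is an added example, not CapLoader's code or anything from the Fortinet write-up: it groups flow records by client, server, port and JA4 fingerprint, measures the gaps between successive connections, and flags groups whose gaps are nearly constant, then checks whether the period matches the 0x493E0 ms (300 s) sleep from the reverse-engineered loop. The flow records are constructed for the example; the first JA4 value is the one quoted in the thread, the second is a made-up placeholder for unrelated browsing traffic.

```python
"""Flag fixed-interval (beaconing) connections in flow records grouped by JA4.

Added example for illustration; not CapLoader's implementation.
All flow records below are constructed, not taken from the pcap in the post.
"""
from collections import defaultdict
from statistics import median

# 0x493E0 ms is the timeout IcedID passes to WaitForSingleObject; in seconds:
ICEDID_SLEEP_SECONDS = 0x493E0 / 1000  # 300.0

ICEDID_JA4 = "t12d190800_d83cc789557e_7af1ed941c26"   # JA4 quoted in the thread
NOISE_JA4 = "t13d0000h2_000000000000_000000000000"     # placeholder, constructed

# Constructed flow log: (start time in seconds, client, server, port, JA4).
FLOWS = [
    # beacon-like traffic roughly every 300 s with a little jitter
    (0.0,    "10.0.0.5", "203.0.113.7", 443, ICEDID_JA4),
    (300.4,  "10.0.0.5", "203.0.113.7", 443, ICEDID_JA4),
    (600.1,  "10.0.0.5", "203.0.113.7", 443, ICEDID_JA4),
    (901.0,  "10.0.0.5", "203.0.113.7", 443, ICEDID_JA4),
    (1200.6, "10.0.0.5", "203.0.113.7", 443, ICEDID_JA4),
    (1500.3, "10.0.0.5", "203.0.113.7", 443, ICEDID_JA4),
    # unrelated browsing from the same client: irregular timing, different JA4
    (12.0,   "10.0.0.5", "198.51.100.20", 443, NOISE_JA4),
    (47.5,   "10.0.0.5", "198.51.100.20", 443, NOISE_JA4),
    (310.0,  "10.0.0.5", "198.51.100.20", 443, NOISE_JA4),
    (1190.0, "10.0.0.5", "198.51.100.20", 443, NOISE_JA4),
]


def group_by_client_server_ja4(flows):
    """Collect connection start times per (client, server, port, JA4) tuple."""
    groups = defaultdict(list)
    for ts, client, server, port, ja4 in flows:
        groups[(client, server, port, ja4)].append(ts)
    return groups


def intervals(timestamps):
    """Gaps between consecutive connections, in seconds."""
    ts = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def find_beacons(flows, min_connections=4, max_jitter=0.05):
    """Return groups whose inter-connection gaps are nearly constant.

    max_jitter is the largest allowed deviation of any single gap from the
    median gap, expressed as a fraction of the median (0.05 = 5 %).
    """
    hits = []
    for key, stamps in group_by_client_server_ja4(flows).items():
        if len(stamps) < min_connections:
            continue  # too few connections to call it periodic
        gaps = intervals(stamps)
        med = median(gaps)
        if med <= 0:
            continue
        jitter = max(abs(g - med) for g in gaps) / med
        if jitter <= max_jitter:
            hits.append({"key": key, "period_s": med,
                         "jitter": jitter, "count": len(stamps)})
    return hits


def matches_icedid_sleep(period_s, tolerance_s=5.0):
    """True if the observed period is within tolerance of the 0x493E0 ms sleep."""
    return abs(period_s - ICEDID_SLEEP_SECONDS) <= tolerance_s


if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        client, server, port, ja4 = hit["key"]
        tag = " (matches IcedID 5-minute sleep)" if matches_icedid_sleep(hit["period_s"]) else ""
        print(f"{client} -> {server}:{port} JA4={ja4} "
              f"period={hit['period_s']:.1f}s jitter={hit['jitter']:.3f} "
              f"n={hit['count']}{tag}")
```

The jitter threshold is what separates a sleep loop from ordinary browsing: the browsing group above has enough connections to be considered but its gaps vary by hundreds of seconds, so it is skipped, while the 300 s group deviates by about 0.4 % and is reported. On real flow exports the same grouping key (client, server, port, JA4) is what CapLoader's Gantt view effectively lets you eyeball.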