ICE-IX 1.2.x.y trojan banker

Hunt Hypothesis

The ICE-IX 1.2.x.y trojan banker is likely being used to establish covert communication and exfiltrate data by leveraging Azure services, indicating potential long-term persistence and data theft. SOC teams should proactively hunt for this behavior to identify and mitigate stealthy adversary activity that may evade traditional detection methods.

YARA Rule

rule ice_ix_12xy : banker
{
	meta:
		author = "Jean-Philippe Teissier / @Jipe_"
		description = "ICE-IX 1.2.x.y trojan banker"
		date = "2013-01-12"
		filetype = "memory"
		version = "1.0" 
	
	strings:
		$regexp1= /bn1=.{32}&sk1=[0-9a-zA-Z]{32}/
		$a = "bn1="
		$b = "&sk1="
		$c = "mario"								//HardDrive GUID artifact
		$d = "FIXME"
		$e = "RFB 003.003"							//VNC artifact
		$ggurl = "http://www.google.com/webhp"

	condition:
		$regexp1 or ($a and $b) or all of ($c,$d,$e,$ggurl) 
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 7 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: Scheduled System Maintenance Task
  Description: A legitimate system maintenance task, such as a Windows Task Scheduler job that runs ice-ix.exe as part of a software update or patching process.
  Filter/Exclusion: Check for Process.parent_process_name == "schtasks.exe" or Process.command_line_contains("schtasks.exe")

• Scenario: Admin Tool for Network Configuration
  Description: A network administrator uses a legitimate tool like netsh or ipconfig to configure network settings, which may result in the execution of ice-ix.exe as part of a script or automation.
  Filter/Exclusion: Filter by Process.parent_process_name == "netsh.exe" or Process.command_line_contains("netsh")

• Scenario: Antivirus or Endpoint Protection Scan
  Description: A security tool such as Windows Defender or CrowdStrike Falcon runs a scan and temporarily executes ice-ix.exe as part of its scanning process.
  Filter/Exclusion: Filter by Process.parent_process_name == "WindowsDefender.exe" or Process.parent_process_name == "CrowdStrikeFalcon.exe"

• Scenario: Software Deployment via SCCM
  Description: A System Center Configuration Manager (SCCM) deployment package includes a legitimate tool named ice-ix.exe that is executed during software installation.
  Filter/Exclusion: Check for Process.parent_process_name == "ccmexec.exe" or Process.command_line_contains("SCCM")

• Scenario: Log File Parsing or Monitoring Tool
  Description: A log analysis tool like Splunk or ELK Stack (Logstash, Filebeat) may execute ice-ix.exe as part of parsing or monitoring system logs.
  Filter/Exclusion: Filter by `Process.parent_process_name == “spl