malware_traffic

2020-12-09 (Wednesday) - TA551 (Shathak) Word docs with English template push IcedID

Dec 9th, 2020 (edited)
1,522
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. 2020-12-09 (WEDNESDAY) - TA551 (SHATHAK) WORD DOCS WITH ENGLISH TEMPLATES PUSH ICEDID:
  2.  
  3. CHAIN OF EVENTS:
  4.  
  5. - malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID DLL
  6.  
  7. 14 EXAMPLES OF TA551 WORD DOCS WITH MACROS:
  8.  
  9. - 55d904b83f04acb4118df9b2bd3ebbd44b9553b0aabcfff7b68d674ddb6052cc charge-12.20.doc
  10. - 40a2ad9eb3f20c7d4378fe86fca0a18f89230aa06d73a99ae2f08a32eccebede charge.12.20.doc
  11. - 79d039cacf9d5c4011b56709c53de1a8be20010484a69d118ac91fcce6f2c253 commerce ,12.09.2020.doc
  12. - c2862d0a5b6df4769c3d1e99f32e785a6744d824ec59324c8927ee3b8f1bddfb file.12.09.2020.doc
  13. - e27ec64bfb5e248f294855366e6cfe5884874a77a9ec5429843c3da37bd0428e input-12.20.doc
  14. - c8a23fdac88331fe7aaf6c8bf7002a20dd37371c3a1662fc7c8c30a265b33cde legal paper_12.09.2020.doc
  15. - 549cb76628b35238ae936cf8802162b8b6514b633be15fce41c086410f5292fe material 12.20.doc
  16. - 34ff76103583c35bebe706f721e1e692a7c34b226eb32fa96de9dcd4c8db7ddc official paper.12.20.doc
  17. - fb78f78b3a35febc164afbacc6eb2c1a9579555940a8427ffc44706aee4bfd5e ordain,12.20.doc
  18. - c4275b08193c896015c7bcda2a4e0d940331b0806c6b32a68e32acbf78988075 particulars 12.20.doc
  19. - 70366cc7897ffce122d00bfc52803e9baf22f06e728c9839c0a3d187e77d1229 require_12.20.doc
  20. - 827fb38b70c105c9b5c7855942a787e057a26b51ba63b20410eba23f3ed59545 rule_12.09.2020.doc
  21. - e841bfa72acf31d51d4bd4fbc5397851d36b5e5f778ed3d1c335cfe7d69c8645 specifics 12.20.doc
  22. - a262ce0eeea4532b07b75a0755d0717cdbfb034753a991695368fde3eaf671a3 tell.12.20.doc
  23.  
  24. AT LEAST 6 DOMAINS HOSTING THE INSTALLER DLL:
  25.  
  26. - kmp481car[.]com - 45.144.29[.]128
  27. - kwi296dream[.]com - 45.142.215[.]153
  28. - rdi162skull[.]com - 178.250.157[.]157
  29. - tmzr158drip[.]com - 212.109.199[.]151
  30. - vqvm656stem[.]com - 45.140.146[.]31
  31. - xiptk734that[.]com - 45.140.146[.]37
  32.  
  33. EXAMPLES OF URLS FOR INSTALLER DLL:
  34.  
  35. - GET /analytics/sKPz8YnKlz/DHBHTYfvwwxMTRbdLKlvAFlXSDcUiIrf5kmWjGNMKM/kazu1?GXw=UvUuVyGyborCdAkT&Cj=BKpLQE&CBD=QXIXppXbbugR&MRS_=MSKUYgnNSn
  36. - GET /analytics/mGNSLVqe3H4GI7BPlSEmZMHjrm5ZREJAtjAej80JA93tC40gK/kazu2?tyDYE=TExZlR&xT=nFnfOSKSN&dcAi=DRYlOiMUmPJj&dnx=LXWjXZRWwvXp
  37. - GET /analytics/FN5EtodrghfabTmTkPXZDLDQxo73t629TuxgHS_b7HRig_/kazu4?QvQ=lKAZjnjMd&jc=OglqZRj&ChRjL=WvOmUAUzbegcbdST&MFBt=TZwXwDUPfx
  38. - GET /analyticsB2u7Klst5luqlKrqdt8qS9cHl7XnsZiPxvITWGMGw0d8C/kazu4?DaT=hflDKnIGnZ&g_=qwAWYdvZIGnZ_W&Oj=xuRABoNifgpeHhgc&qKB=nwrqEdkvOfXkhUWv&Utg=RGIRkwGOnCxA
  39. - GET /analytics/6dKU1M5rx_zpz2g6gSRoAt0Kklp34gmjp4dRz8ZDtcLPraW8bxENZipCk8mICyzys/kazu11?vF=SpCHqscAaXqY&EQwJv=lYfZwaAr&hI=kCVyZkJhkIIbA&QiEv=_RFCNaHXIq&VBTRI=NeWMnlT_bVRVWHhh&Mi=TXPqKPESAMLoTv&hdP=AlNyghfUGX
  40. - GET /6fYAnkKOpKV6C10bEZY8mHpd6D7IP39CDhgc7kf6Pqb8SivcvCleEQvhgkKJmrqdX/kazu12?EPP=fYTvkxpYZlU&ANvwB=hOUbUvtakESGOYvun&rL=OHvSZf&PpTGQ=YtBefhZufWNI_YU&Ci=wGtLRJY
  41. - GET /analytics/5gjVMMDlTZF8xvg8VU61DO1zMGM5580yHiwoca/GjQsjJswKWlZUlO6cW48t/kazu13?n_GR=hktPStlOf&OUOa=IfHtqSIbqjU&U_=ZJnkUy&XFZJl=ECfFkjHft&cEB=gaZoYFKAgyjoL
  42. - GET /analytics/vsE7DlYFhZT2T/cbEZ52NvE2Uuhi916vM03kEBrc5Kf/kazu14?XogU=RDDH_VGE&dvAk=suQEMBIATBtdhlU&mFctP=YVELv_&wHn=LYOUkXwrLlD&ZR=qCMYuC&phj=QumHCDvlGQ
  43. - GET /analytics/1MdBZLml/dbSCC5jT_/KKeXJPJk9Xez7tKNOkXx21BU4ctt7vCV/kazu14?QOK=_fqQbEv&TuN=rPg_ZZEK_&lPNf=QRwNQFEdv_kr&UeNBD=WNUHcg
  44. - GET /analytics/Utlg8DY4rEfNV8BJqpgS1VQzbZbwxNxmAR85LmO/kazu15?xkMCU=BBOlUx&SFV=jkvIjdDgzeXeIUAHR&nAS=fTQUwDggdF&dnO=HpcFBoO&AeJsn=jQNprDYPEaFS
  45.  
  46. 10 EXAMPLES OF INSTALLER DLLS:
  47.  
  48. - 00d40edb59b25bddab24435a5ad31a6c4323af9fa1a9ce0a0c7ebcc12865290d
  49. - 2b6958bf09ad3778fa0dc0d0fb591fa7b5636a72114f370ff043e62be93c0cef
  50. - 50227ae8a524f84e7055fe571ea71f1ce4bef458a95b2c8272078e2faebcd267
  51. - 75e884c728be8a3f8ce9bc1f6fe387cf424196597924b6d631a14774d412066f
  52. - 7dbb3a885e52aba26d917cfc552922fca06ea925e3828bba2e2a986406609d30
  53. - 804835cfe890684802f9d68dde657eead77195c329568a4d1cfa68cc29ce3f2b
  54. - 87b199644ea7ccd1a520ea7c3116f1248002bf2b2e936558382c515595048fae
  55. - 9899bb0aa5a962286889e03066e7697858c2d27b00adb8cc0ac72c73b7d51ae5
  56. - 9a41a675d1cc7821626ae8f217521e2a16d6cd4b4e0ec0f00d383935f61c786c
  57. - bf9f5d5448f9d4a22790916f93ba84b426af864e9f05de9361cdedc566148d03
  58.  
  59. EXAMPLES OF LOCATION FOR THE INSTALLER DLL FILES:+
  60.  
  61. - C:\ProgramData\a68ZHI.pdf
  62. - C:\ProgramData\aBTxr.pdf
  63. - C:\ProgramData\aeigp.pdf
  64. - C:\ProgramData\aFAXy.pdf
  65. - C:\ProgramData\aLtuD.pdf
  66. - C:\ProgramData\amE7F.pdf
  67. - C:\ProgramData\aMIlcj.pdf
  68. - C:\ProgramData\aOhCq.pdf
  69.  
  70. DLL RUN METHOD:
  71.  
  72. - rundll32.exe [filename],ShowDialogA -r
  73.  
  74. HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL:
  75.  
  76. - port 443 - facebook.com
  77. - port 443 - www.facebook.com
  78. - port 443 - instagram.com
  79. - port 443 - www.instagram.com
  80. - port 443 - twitter.com
  81. - port 443 - www.tumblr.com
  82.  
  83. AT LEAST 1 DOMAIN FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:
  84.  
  85. - 188.166.88[.]45 port 443 - berringheavy[.]best
  86.  
  87. 2 EXAMPLES OF SHA256 HASHES FOR ICEDID DLL CREATED BY INSTALLER:
  88.  
  89. - cff21f166032bfc7895266f21d7e4b46d8e299a9012c85db6922f36e1965dc32 (initial)
  90. - 31d8a3551ab27eb493d57b851f406952d7287dee0b2072270427dc5f797dac51 (persistent)
  91.  
  92. HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ICEDID DLL FILES:
  93.  
  94. - 139.59.101[.]19 port 443 - phillifighters[.]cyou
  95. - 139.59.101[.]19 port 443 - aviaaero[.]pw
  96. - 139.59.101[.]19 port 443 - orsibataan[.]pw
  97.  
  98. MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:
  99.  
  100. - SHA256 hash: a021af0a9cf1cb86b0b6c17a72821fd523d78c2a0583e523b534f5adcbbc4db2
  101. - File size: 446,847 bytes
  102. - File location: C:\Users\[username]\AppData\Local\Temp\000610bc.png
  103. - File type: PNG image data, 334 x 310, 8-bit/color RGB, non-interlaced
  104. - File description: PNG file with encoded data used to create initial IcedID DLL
  105.  
  106. - SHA256 hash: cff21f166032bfc7895266f21d7e4b46d8e299a9012c85db6922f36e1965dc32
  107. - File size: 442,368 bytes
  108. - File location: C:\Users\[username]\AppData\Local\Documentaddress.dat
  109. - File description: Initial IcedID DLL created by Installer DLL using encoded data from above PNG file
  110. - Run method: regsvr32.exe /s [filename]
  111.  
  112. - SHA256 hash: f6ea81aaf9a07e24a82b07254a8ed4fcf63d5a8e6ea7b57062f4c5baf9ef8bf2
  113. - File size: 678,288 bytes
  114. - File location: C:\Users\[username]\AppData\[username]\Extaofac1.png
  115. - File type: PNG image data, 605 x 399, 8-bit/color RGB, non-interlaced
  116. - File description: PNG file with encoded data created after initial IcedID DLL appears
  117.  
  118. - SHA256 hash: 31d8a3551ab27eb493d57b851f406952d7287dee0b2072270427dc5f797dac51
  119. - File size: 442,368 bytes
  120. - File location: C:\Users\[username]\AppData\[username]\[username]\Arutxesb3.dll
  121. - File description: IcedID DLL persistent on the infected Windows host
  122. - Run method: regsvr32.exe /s [filename]
RAW Paste Data