malware_traffic

2020-09-08 (Tuesday) TA551 (Shathak) Word docs pushing IcedID

Sep 8th, 2020 (edited)
11,161
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 5.27 KB | None | 0 0
  1. 2020-09-08 (TUESDAY) - TA551 (SHATHAK) WORD DOCUMENTS WITH MACROS PUSHING ICEDID MALWARE:
  2.  
  3. CHAIN OF EVENTS:
  4.  
  5. - malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE
  6.  
  7. NOTE: All doc and DLL samples have been submitted to https://bazaar.abuse.ch/
  8.  
  9. 16 EXAMPLES OF SHA256 HASHES FOR WORD DOCS WITH MACROS FOR ICEDID:
  10.  
  11. - 51f8f1167b40f867c44898a739ccd0612dfc1709a896ec91470fe94edc7ea7c9 bid-09.20.doc
  12. - 0be6c27416ed3da2dc17ba74d2a60db780e3ef91cd9958421a43aa3af771a18f charge_09.08.2020.doc
  13. - a36cefea02d8250a14a7b5a8525b868f1f6c035c8fafbfddab5f9d39cf8acd8c command-09.20.doc
  14. - 0d85c4734527a209eb5c2478481ea36b9aa2db0606af11f78f9b9708dc56e3c2 details 09.08.2020.doc
  15. - 7ac102d074423438acb79c9e4262c29e00b31109bd8d2b5e3b5f6fd307897d99 direct.09.08.2020.doc
  16. - be237b8e1ac44e456f9a5d0ae53a393fe7836f1f2220b36c2346fcc1160845bc docs 09.20.doc
  17. - 1dc9d1e827c6eba438454a31c497224289ccc6a2ff3158acd36388af65bc8b3d document_09.20.doc
  18. - bf2a4e47439fa2cb8ab4ea9e90226b78bd90e72427d818ac72512bcbbbe87223 figures_09.08.2020.doc
  19. - ae4421dc9e044ebe144f074041c413c0be116606511cbc749ed84f2a971132c7 inquiry.09.08.2020.doc
  20. - bae9f2deb123d81eb97d5ff4f327acde75f780cb4049516c0d685555c692faa7 instruct 09.20.doc
  21. - 7df8fe12814e5916e46478cc2d833262055a29a601fad78528316acbdb8ac1d0 intelligence.09.20.doc
  22. - c12f4522d7d258e1fc98b178bf75ee78265db3cea8b14fe47851610e2f5b6da4 legal agreement.09.20.doc
  23. - a3cb1c98976df6c768638d42f365f89fb1e2eeacb4390e0d1a797d4bb025218d official paper_09.20.doc
  24. - f234a7d86e3c05261c8e15472ff52b7815765ac5b1e6256428c2d0fdfa2e3a18 question-09.20.doc
  25. - d90dae062092bbb4fc9e0c6e9e65cf6d8b286c01a1428c71ea0845d7f20619db require,09.20.doc
  26. - b7c1781076ebfe90e2a7eb60456dcd1f7d8503973866816fc997e7371da8d9e6 statistics-09.20.doc
  27.  
  28. AT LEAST 9 DOMAINS HOSTING THE INSTALLER DLL:
  29.  
  30. - ctq41z[.]com - 45.10.88[.]99
  31. - dr8hiw8[.]com - 194.40.243[.]73
  32. - jrvg0ao[.]com - 185.66.13[.]110
  33. - kr50pf[.]com - 5.253.62[.]109
  34. - lhxlihz[.]com - 185.117.75[.]53
  35. - rflf84[.]com - 77.222.52[.]130
  36. - s0vufk[.]com - 45.89.66[.]72
  37. - spcang[.]com - 185.228.233[.]131
  38. - z30of5[.]com - 193.187.173[.]213
  39.  
  40. GET REQUESTS FOR THE INSTALLER DLL:
  41.  
  42. - GET /fucy/jubiw.php?l=gava1.cab
  43. - GET /fucy/jubiw.php?l=gava2.cab
  44. - GET /fucy/jubiw.php?l=gava3.cab
  45. - GET /fucy/jubiw.php?l=gava4.cab
  46. - GET /fucy/jubiw.php?l=gava5.cab
  47. - GET /fucy/jubiw.php?l=gava6.cab
  48. - GET /fucy/jubiw.php?l=gava7.cab
  49. - GET /fucy/jubiw.php?l=gava8.cab
  50. - GET /fucy/jubiw.php?l=gava9.cab
  51. - GET /fucy/jubiw.php?l=gava10.cab
  52. - GET /fucy/jubiw.php?l=gava11.cab
  53. - GET /fucy/jubiw.php?l=gava12.cab
  54. - GET /fucy/jubiw.php?l=gava13.cab
  55. - GET /fucy/jubiw.php?l=gava14.cab
  56.  
  57. 24 EXAMPLES OF SHA256 HASHES FOR DLL FILES USED TO INSTALL ICEDID:
  58.  
  59. - 03423958a6175e9162bd53c6f6323cc7c701af1be2b24c5ef60c31c8d2be302f
  60. - 0af2fcba1acc5852bbfc9836e3e7b134278a79a836b81b6b283dd7b4c1bbee8b
  61. - 1a5aebf1694792dde2b8c06e38c5258bbc3c9a5c249fda4575c42dc1619d95f5
  62. - 21e62f3e0612ab1a54251d046bba834605f291c20c9fe817a53aa44d08a8e237
  63. - 232f64509cb2aa61070228eee7bf808e64b98cd4dd0ef618bcbfd5a8a600e78b
  64. - 304c2b3e1fd8437dc8cd2c9e36d497410d7162a975a0c1f896c41bd1d5bf5e31
  65. - 36a913e36792320d3bd3aaf93b31d23d81c7e7ee86625bbcebd34f6c66831ee0
  66. - 3cc4d74a3f42cb8bac9a854a3ac8550aacd4a4660a9867da7abcfe1b900cbf82
  67. - 44bcbbfd3a706c0840fabb6a9b3f29b84684ecf71f7cf38fcf8dcbe81d9eacfc
  68. - 46447ef4fb40d94372e65dccd5704144f27046667723f546b947b8e55511f7af
  69. - 4d1e7ce0ed18606c7865aedaaa0a7721b589a49d728ecb1a5fc9748f37741bb7
  70. - 53ce707d338c0e2b41d5206f32333112c7ca512c29dd0a86bf52dfdbd679abb3
  71. - 5f44a62a928691259f4cc6ac14395adfaa70d5ea0b8a6ee3089176abd659e92e
  72. - 7033b1fc79288dbd66a78ef9b5744548c34bddc75c2715dcac74c0f14fbfdaf6
  73. - 7192f04d43d073a4fb9a2299884760850ea40853f52188675ae2e16af58dadde
  74. - 9d8c14be9d95cec94ff98f9c524399ade8524496787dd0f6cfe55044c3dae233
  75. - a316f685773d9729affe12ed5cb26cd7c5e4f0272f211c0befbee7ea8d6fc7ad
  76. - adf4775535b8a79df81a847a8eddcc7569ca973306112a8bc0f46610614650d2
  77. - b85e6caf4a068f3f8a284868cfdc318438770a1997c52f2ce55c4c5220cfcfba
  78. - cb9c404f67d9f2d0047378277658b38289fdc410b9953140b62829070af7053d
  79. - d12ebf9a567a56cdca41a52562502bb4aaa438b076e0820a98e11038f305a8aa
  80. - de9a0d32abf6471d264f745af2ca92e57923b4df238dbe50542e284bc3e221ad
  81. - e30001c350daa6f046df51266ecd951e1e438f0d79b09d045cbe86f9b8506877
  82. - ee1e5a594eabe32c219f38b174c673ead99d4961ce1a09909cdd9afacfbc3c81
  83.  
  84. LOCATION OF THE INSTALLER DLL FILES:
  85.  
  86. - C:\Users\[username]\AppData\Local\Temp\temp.tmp
  87. - C:\ProgramData\a5649.111
  88. - C:\ProgramData\acf75.111
  89. - C:\ProgramData\b0626.111
  90. - C:\ProgramData\beb6d.111
  91. - C:\ProgramData\c28be.111
  92. - C:\ProgramData\caed8.111
  93. - C:\ProgramData\e9aae.111
  94. - C:\ProgramData\ffb49.111
  95.  
  96. RUN METHOD FOR INSTALLER DLL:
  97.  
  98. - regsvr32.exe [filename]
  99.  
  100. AT LEAST 3 DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:
  101.  
  102. - 194.113.34[.]92 port 443 - ldfolkland[.]casa - GET /background.png
  103. - 159.65.137[.]90 port 443 - loudnavycomp[.]casa - GET /background.png
  104. - 159.65.137[.]90 port 443 - landbiofill[.]casa - GET /background.png
  105.  
  106. HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL:
  107.  
  108. - port 443 - www.intel.com
  109. - port 443 - support.oracle.com
  110. - port 443 - www.oracle.com
  111. - port 443 - support.apple.com
  112. - port 443 - support.microsoft.com
  113. - port 443 - help.twitter.com
  114.  
  115. NOTE:
  116.  
  117. - I did not get the IcedID EXE today.
Add Comment
Please, Sign In to add comment