malware_traffic

2020-09-17 (Thursday) TA551 (Shathak) Word docs pushing IcedID

Sep 17th, 2020 (edited)
2020-09-17 (THURSDAY) - TA551 (SHATHAK) WORD DOCS WITH MACROS FOR ICEDID:

CHAIN OF EVENTS:

- malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE

20 EXAMPLES OF TA551 WORD DOCS WITH MACROS FOR ICEDID:

- 2c9638c033bce20c40f600de6d7c2462dd1cde8964416609bcb5b737846f9e27 adjure.09.17.2020.doc
- 454b4158285e38304a09aa563ae64d63a555fa288bcca9abbb33a8da4b62e67a adjure_09.20.doc
- b338bf704cbdcf2cd949974e5c1b76e16df69c975c9736571a6f30753a6f02d2 bid 09.17.2020.doc
- 51798d1dc563782372d76ea34750802554f0eb3f519f321926ee73566e39dca1 command 09.20.doc
- 503bd08da5457f6b520479ec0611b93ae9064ef69a9b160ae94f9c46fd42dbb1 details 09.17.2020.doc
- 8dd8c88ad6966fa3a72904c7df0ff42867c06fd07670947b92a9908b6c53219b docs.09.20.doc
- c46868add39e4ebca74f73c8d3d54abe4cdb11cacac92065227bf82fdaff190e enjoin 09.17.2020.doc
- 044b69875fa520c2c005c4a80131116cc0eb46395717d4b997a363a5809d41fe figures 09.17.2020.doc
- 3a09f9c3af7ead734054a93ee27139efa6fa6bb2e92ad9e08e08266024159cec files 09.17.2020.doc
- 3f3ee7b06c0e20bda4e2654ccdd3288e7f2669d675eb7d316c0880704986c28b files 09.20.doc
- 6d66748213eccb7dad819da9dd2e88ceb2c426ed668805bde513f5e1a9d5f71e instrument indenture,09.20.doc
- 77b1a1bde83e2f3a6b282529074e22669c967b34a08ac09d43d78ed70234ef5c intelligence-09.17.20.doc
- 46edf64e6a58d67ecdc25e2084e0aa320583367f543439f2f3620c0e5566c536 legal agreement_09.17.2020.doc
- 467b9d3e4c3e1b25cd6e6de004331511197cfecd16aad46f3252b10f554571dc legal agreement_09.20.doc
- b8b928c892d2023679fae63870ff4a18e9158ab1c7def1a4070c833b0edc9aa5 legislate,09.17.2020.doc
- ff40d50e1e5ede99e3193d26253816be4d4e3931f8ae429a0628265c7d5233ec ordain.09.20.doc
- c2b2c36520c9516d6a780deeee5e4559e698dff96674b8c240f22024d7a5872c report 09.20.doc
- 22aa60b43cf539d0bbd584d2db4fca99ed9f87b76dd9704085557b0cfea16a47 report.09.17.2020.doc
- 0d952dd0a8c3cf20d96269842e82fe263f40074c936df5b8380ef94d2904aa86 report.09.20.doc
- b174ad2027ba5b61237d4e1b7bc2f7320b610fe0835be34f4a961016a687a831 specifics_09.20.doc

AT LEAST 8 DOMAINS HOSTING THE ICEDID DLL:

- c6ut9we[.]com - 87.251.64[.]4
- g94ju4[.]com - 89.235.184[.]190
- gjb3sd1[.]com - 185.118.165[.]230
- m6vtrk[.]com - 77.222.52[.]177
- p3gcak[.]com - 185.117.73[.]59
- pvi24bu[.]com - 185.219.41[.]156
- ue4j6g[.]com - 194.40.243[.]128
- xgsxdae[.]com - 62.109.2[.]150

URLS FOR ICEDID DLL:

- GET /myzyn/mevap.php?l=fuzo1.cab
- GET /myzyn/mevap.php?l=fuzo2.cab
- GET /myzyn/mevap.php?l=fuzo3.cab
- GET /myzyn/mevap.php?l=fuzo4.cab
- GET /myzyn/mevap.php?l=fuzo5.cab
- GET /myzyn/mevap.php?l=fuzo6.cab
- GET /myzyn/mevap.php?l=fuzo7.cab
- GET /myzyn/mevap.php?l=fuzo8.cab
- GET /myzyn/mevap.php?l=fuzo9.cab
- GET /myzyn/mevap.php?l=fuzo10.cab
- GET /myzyn/mevap.php?l=fuzo11.cab
- GET /myzyn/mevap.php?l=fuzo12.cab

14 EXAMPLES OF ICEDID INSTALLER DLLS:

- 23be804db20cb450cf53fc82143ac34b9e741035c511af3e5c9880e7b3a70b3a
- 3626c5c04745f7318a313d26345c7c16450ff57b1a22fba0e57f8e03de0b8946
- 4df39fd80257e14192e2d2edc4500883edd7921e0be92d664ec4b995d8f82f24
- 530001e38045813d7276694c428b64b4dc5a15b77f2b3cc757f64b8d34bcf815
- 55bc7ae7ab1017eb75387291424a67b9655d52e9357005caacbbb997dada592c
- 6571b88739b154807adbbe7b8d3ff75543887405f066489fb773a2186b862132
- 74c2d430eb964fbf5b3a1e37bb6f8770e571ef8998f71d945a479bba4a42d2cc
- 9c2b9591aa625e3dd4d8eae345b24e331bf731c9d5fa6455ac8e79bd6ec5d0d0
- 9f8ff8da154960d17a3225675a85372e7a70aca93df8bdfb887eb22c16b4dfe3
- a95efda438fdee4b4866287c2cfe9d89772a46c5d9d22377c8c63e43b2c93295
- ab08d113bb0f4fb6aa96997d03853aac162f93d8e6926de224186ab35255f310
- b5399025d73dfb850df68017dfa81ce5f83bd9eeb7db056fffeca55ad3bcea65
- c91847b9b00dddebd4f694412f2cc4c7346c15aa3cda2da856d9b0860a17ec50
- d67e1fd5d40e841c1aedbbf65d5f72a69da5ac54e48ae92da1f428c9f18d8363

EXAMPLES OF LOCATION FOR THE INSTALLER DLL FILES:

- C:\Users\[username]\Documents\b163d.pdf
- C:\Users\[username]\Documents\ea799.pdf
- C:\Users\[username]\Documents\f34b1.pdf
- C:\[same directory as the Word doc]\a8635.pdf
- C:\[same directory as the Word doc]\b163d.pdf
- C:\[same directory as the Word doc]\d9a97.pdf
- C:\[same directory as the Word doc]\dd009.pdf
- C:\[same directory as the Word doc]\e6503.pdf
- C:\[same directory as the Word doc]\ea799.pdf
- C:\[same directory as the Word doc]\edcf3.pdf

DLL RUN METHOD:

- regsvr32.exe [filename]
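The run method above (regsvr32.exe handed an installer DLL that carries a .pdf name) is the best host-side detection point in this chain: regsvr32 loads whatever module path it is given, so the extension is only a disguise. The following Python is an added example and not code from the original post; it scores process-creation events for that behaviour. The event field names (parent, image, cmdline) are this example's own Sysmon-like shape rather than a real schema, the sample events are constructed, and the five-hex-character ".pdf" naming rule generalizes from the file locations listed above.

```python
import re

# Constructed process-creation events in a hypothetical Sysmon-like shape
# (field names are this example's choice, not a real Sysmon schema).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe C:\Users\alice\Documents\b163d.pdf"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe C:\Users\alice\Downloads\report 09.20\e6503.pdf"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i setup.msi"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
MODULE_EXTENSIONS = (".dll", ".ocx", ".ax")         # what regsvr32 normally registers
SWITCH = re.compile(r"\s/[a-z](?::\S*)?", re.I)      # /s, /u, /n, /i:[cmdline]
# Naming seen in this campaign: five hex characters plus .pdf (a8635.pdf, b163d.pdf, ...).
# Treating that as a rule is this example's generalization from the listed paths.
LOADER_NAME = re.compile(r"\\[0-9a-f]{5}\.pdf$", re.I)


def basename(path):
    """Last path component, lower-cased; handles Windows paths on any host OS."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def module_path(cmdline):
    """Strip the executable and any switches from a regsvr32 command line; the rest is the module."""
    rest = re.sub(r'^"?[^"]*?regsvr32(?:\.exe)?"?', "", cmdline, count=1, flags=re.I)
    rest = SWITCH.sub("", rest)
    return rest.strip().strip('"')


def assess(event):
    """Return the reasons a regsvr32 execution looks like the TA551 installer run; [] if benign."""
    if basename(event["image"]) != "regsvr32.exe":
        return []
    path = module_path(event["cmdline"])
    reasons = []
    if not path.lower().endswith(MODULE_EXTENSIONS):
        # regsvr32 calls LoadLibrary on the given path regardless of extension.
        reasons.append("regsvr32 loading a module without a DLL/OCX extension: " + path)
    if LOADER_NAME.search(path):
        reasons.append("module name matches the campaign's installer naming (5 hex chars + .pdf)")
    if basename(event["parent"]) in OFFICE_PARENTS:
        reasons.append("regsvr32 spawned by an Office application (macro execution)")
    return reasons


def scan(events):
    """Return (cmdline, reasons) for every event that trips at least one rule."""
    hits = []
    for event in events:
        reasons = assess(event)
        if reasons:
            hits.append((event["cmdline"], reasons))
    return hits


if __name__ == "__main__":
    for cmdline, reasons in scan(SAMPLE_EVENTS):
        print(cmdline)
        for reason in reasons:
            print("   -", reason)
```

The three rules are independent on purpose: the non-DLL extension alone is rare enough in most environments to alert on, while an Office parent or the naming pattern raises confidence when present. The benign second event (a real .dll registered silently from explorer.exe) produces no reasons.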

AT LEAST 2 DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:

- 142.93.218[.]110 port 443 - ldrmercury[.]casa - GET /background.png
- 134.122.55[.]164 port 443 - ldrstar[.]casa - GET /background.png

1 EXAMPLE OF A SHA256 HASH FOR THE ICEDID EXE CREATED BY THE ICEDID INSTALLER:

- eb413325acbb2ea289969e834c5237fc6376073f24674b7760d45b94dfaf8755

HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ICEDID EXE FILE:

- 79.141.171[.]183 port 443 - gaagachelo[.]cyou
- 79.141.171[.]183 port 443 - odnovoennbundes[.]cyou

HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY THE INSTALLER DLL (CONNECTIVITY CHECKS - CONTEXT ONLY, NOT INDICATORS TO BLOCK OR ALERT ON BY THEMSELVES):

- port 443 - www.intel.com
- port 443 - support.oracle.com
- port 443 - www.oracle.com
- port 443 - support.apple.com
- port 443 - support.microsoft.com
- port 443 - help.twitter.com
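The network stages listed above (DLL download URL, installer DLL callback, IcedID EXE C2, and the legitimate connectivity checks) fold into one triage pass over proxy logs, with the legitimate hosts kept as context rather than indicators. The following Python is an added example, not code from the original post or from any tool it mentions. The log line layout (timestamp, source, destination:port, host, method, path) and the sample lines are constructed for this example with TEST-NET placeholder addresses for the unrelated and legitimate hosts; the indicator hosts and IPs come from the lists above; and matching the /myzyn/mevap.php?l=fuzoN.cab path on any host, not only the eight listed domains, is this example's assumption, justified by the path being identical across all of them.

```python
import re

# Indicators from the post above, undefanged so they can be matched directly.
DLL_DOWNLOAD_HOSTS = {"c6ut9we.com", "g94ju4.com", "gjb3sd1.com", "m6vtrk.com",
                      "p3gcak.com", "pvi24bu.com", "ue4j6g.com", "xgsxdae.com"}
# The download path is identical on every listed domain, so (assumption) match it on any host.
DLL_DOWNLOAD_PATH = re.compile(r"^/myzyn/mevap\.php\?l=fuzo\d{1,2}\.cab$")
INSTALLER_CALLBACK_HOSTS = {"ldrmercury.casa", "ldrstar.casa"}
INSTALLER_CALLBACK_PATH = "/background.png"
ICEDID_C2_HOSTS = {"gaagachelo.cyou", "odnovoennbundes.cyou"}
ICEDID_C2_IPS = {"79.141.171.183"}
# Legitimate sites the installer DLL contacts: context for a timeline, never an indicator alone.
CONNECTIVITY_CHECK_HOSTS = {"www.intel.com", "support.oracle.com", "www.oracle.com",
                            "support.apple.com", "support.microsoft.com", "help.twitter.com"}

# Constructed proxy log lines in a hypothetical format: ts src dst:port host method path.
# Ports and the 203.0.113.x (TEST-NET) addresses are placeholders, not observed values.
SAMPLE_LOG = """\
2020-09-17T14:02:11Z 10.0.0.5 87.251.64.4:80 c6ut9we.com GET /myzyn/mevap.php?l=fuzo3.cab
2020-09-17T14:02:19Z 10.0.0.5 142.93.218.110:443 ldrmercury.casa GET /background.png
2020-09-17T14:02:20Z 10.0.0.5 203.0.113.10:443 www.intel.com CONNECT -
2020-09-17T14:02:40Z 10.0.0.5 203.0.113.20:443 www.example.com GET /index.html
2020-09-17T14:03:02Z 10.0.0.5 79.141.171.183:443 gaagachelo.cyou CONNECT -
2020-09-17T14:05:00Z 10.0.0.9 203.0.113.10:443 www.intel.com CONNECT -
""".splitlines()


def parse(line):
    """Split one log line of the constructed format into its fields."""
    ts, src, dst, host, method, path = line.split()
    ip, port = dst.rsplit(":", 1)
    return {"ts": ts, "src": src, "ip": ip, "port": int(port),
            "host": host.lower(), "method": method, "path": path}


def classify(host, ip, path):
    """Map one request to a stage of the chain: (stage name, is_indicator)."""
    host = host.lower()
    if host in DLL_DOWNLOAD_HOSTS or DLL_DOWNLOAD_PATH.match(path):
        return ("icedid-dll-download", True)
    if host in INSTALLER_CALLBACK_HOSTS and path == INSTALLER_CALLBACK_PATH:
        return ("installer-callback", True)
    if host in ICEDID_C2_HOSTS or ip in ICEDID_C2_IPS:
        return ("icedid-c2", True)
    if host in CONNECTIVITY_CHECK_HOSTS:
        return ("connectivity-check", False)
    return (None, False)


def triage(lines):
    """Group matched requests per source: src -> [(ts, stage, host, is_indicator), ...]."""
    findings = {}
    for line in lines:
        rec = parse(line)
        stage, is_ioc = classify(rec["host"], rec["ip"], rec["path"])
        if stage is None:
            continue
        findings.setdefault(rec["src"], []).append((rec["ts"], stage, rec["host"], is_ioc))
    return findings


def infected_hosts(findings):
    """Sources with at least one true indicator; a connectivity check alone is not evidence."""
    return sorted(src for src, events in findings.items() if any(ev[3] for ev in events))


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for src in infected_hosts(findings):
        print(src)
        for ts, stage, host, is_ioc in findings[src]:
            print("   ", ts, stage, host, "(indicator)" if is_ioc else "(context)")
```

Run against the sample, 10.0.0.5 is reported with the full download, callback, connectivity check and C2 sequence, while 10.0.0.9, which only contacted www.intel.com, is not, which is the point of separating context from indicators. The path-pattern match also fires for a request to an unlisted host, which is how "at least 8 domains" should be read.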