malware_traffic

2020-09-16 (Wednesday) TA551 (Shathak) Word docs pushing IcedID

Sep 16th, 2020
2020-09-16 (WEDNESDAY) - TA551 (SHATHAK) WORD DOCS WITH MACROS FOR ICEDID:

CHAIN OF EVENTS:

- malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE

20 EXAMPLES OF TA551 WORD DOCS WITH MACROS FOR ICEDID:

- 9af952156e641712cc7072ff0bf85f4d2b5fad5c322c590e8b951974ce946d42 adjure,09.16.2020.doc
- 93c7c35535a1cd749025f7760096e5fce3e0b1502b06c636b055479f3f531ce2 adjure_09.16.2020.doc
- e61c99806aaa9d32d527cb346ee4ea8175e51cb07a2f8e53aee905d05e1f6190 deed contract-09.20.doc
- e24db3e7f085b87a1ef337da7501af54af171c7005f0c7da13af8a08ff4bafbf details-09.20.doc
- 57d08413af6d9fc3664764e014167fd106ced8015c669fe27a1eadd6077529b4 documents-09.20.doc
- 1b7fc60bf597b5384b24dd340a1cee14082a1ce62a1a3e583affd343b55e7214 file 09.16.20.doc
- 3b460c06f60ddd9abd026267b6f4279ead330d3902ce13cb13b9b44e109156ad file_09.16.2020.doc
- 1140ced6f1344c92140f61c482f1af02cb615837389e1ef7bcdd86db3c050365 inquiry,09.20.doc
- f594fad1f819e0d9547fa5a391a6b79f9237b1748a06138c3ac205f5cfc05d4f intelligence,09.16.2020.doc
- 8d3795163d8c5ea1d6578410692831e833dbfcd3fb9791fef4069c8fbe33de4d legal agreement-09.16.2020.doc
- 4bf24278b4b75d6c7e9d1f143735ac3518ed659c9dcc3f7aa89d15304af7072e legislate 09.16.20.doc
- 98f503a60b3b2638b4cb36ab7f320a311d990fe962c94b17ed2a094ee47b3845 ordain,09.20.doc
- f095c392c2bb991383d489af3e4621cf03fc349fa3cfd80f4c5fb81e75242670 question 09.16.2020.doc
- 917011fbe73effd994c7dd28db0b6d722a3136b97ebfdc964c0c72e7b244b65e question,09.20.doc
- 046f37a5e93f87189cd7324585c7c2bbb1317de92fa8919d831fcbc522d491a6 question.09.20.doc
- c4ee9a8ea3c86b40fac69b02540d38e1a0ea6b12efbe3aff98d6e5b90a2befcb report-09.16.2020.doc
- 6426e2de29bcbe2f7d9d6588eee823b043b7ca524ed6a87f6484cd36d7c74869 require 09.16.2020.doc
- 672590acdfe5c2c398d52433e1100edc07e866a9004e80a10a98da0e193983c0 require-09.16.2020.doc
- 5c21e983912e6cdcfd3f588de112fbe36eb005d76242b099b23e74abe1506ddd specifics 09.20.doc
- a7343e22ce3a595766cd600db45438efa674d8168ef0bba26bd5560b909c5709 tell 09.20.doc

AT LEAST 10 DOMAINS HOSTING THE ICEDID DLL:

- ab94z0[.]com 193.201.126[.]25
- bl3cavy[.]com 185.98.87[.]54
- c1c2l0i[.]com 93.189.41[.]178
- cztixxy[.]com 83.166.243[.]201
- fffufk[.]com 195.93.173[.]116
- safj3ng[.]com 109.248.250[.]2
- swf1fas[.]com 85.117.233[.]251
- tq9kma[.]com 95.213.224[.]9
- vdnu32a[.]com 194.36.189[.]133
- vsav42a[.]com 194.61.2[.]43

URLS FOR ICEDID DLL:

- GET /vakos/nomyr.php?l=fyfy1.cab
- GET /vakos/nomyr.php?l=fyfy2.cab
- GET /vakos/nomyr.php?l=fyfy3.cab
- GET /vakos/nomyr.php?l=fyfy4.cab
- GET /vakos/nomyr.php?l=fyfy5.cab
- GET /vakos/nomyr.php?l=fyfy6.cab
- GET /vakos/nomyr.php?l=fyfy7.cab
- GET /vakos/nomyr.php?l=fyfy8.cab
- GET /vakos/nomyr.php?l=fyfy9.cab
- GET /vakos/nomyr.php?l=fyfy10.cab
- GET /vakos/nomyr.php?l=fyfy11.cab
- GET /vakos/nomyr.php?l=fyfy12.cab
- GET /vakos/nomyr.php?l=fyfy13.cab
- GET /vakos/nomyr.php?l=fyfy14.cab
- GET /vakos/nomyr.php?l=fyfy15.cab
- GET /vakos/nomyr.php?l=fyfy16.cab
- GET /vakos/nomyr.php?l=fyfy17.cab
- GET /vakos/nomyr.php?l=fyfy18.cab

10 EXAMPLES OF ICEDID INSTALLER DLLS:

- 02026f323eea8b841f056a23b376cc58ca54956dd3c8216f87564d71c6736e06
- 0d3a18ae0018427bbf053669e07bcc3cd9bc248b04a6dd0c082694d20818b56c
- 24e4d25395afc41a3e9b860ae7fca1485ecbd3e432387a62c893412978f9a525
- 866aa2c9699ab1427f23c3754e7b94358366d2c55e2ff512f26f16a22fa443b8
- 9d075b18bd7c1a71d298cbbac829ff9753f43caaf9e06681206adc78f45b68fa
- c14f7ece9b6c84d7e81839663fdfcb3cd3eacd06503f02e1cd4ccd9bb90019ca
- cae8b4d8837f9c91e253a2f12cc797247a3d92a81e2219eb291cf294c39653ee
- d41dc7c994809fa657b8217c6be5ff4f42a7daa61a14f5e711ce4d822bdeba70
- dba67ec7a7ce016c238893260e21737a6738f611e3bb7cef80d2bb47ddd7d140
- f90a1824f690bcd5c333bd78de0164174fffb12160c26699d6cd17cc10b71a49

EXAMPLES OF LOCATIONS FOR THE INSTALLER DLL FILES:

- C:\Users\[username]\Documents\test.pdf
- C:\[same location as Word document]\test.pdf

DLL RUN METHOD:

- regsvr32.exe [filename]

AT LEAST 2 DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:

- 134.122.55[.]164 port 443 - loadro3[.]casa - GET /background.png
- 134.122.55[.]164 port 443 - loadwe4[.]casa - GET /background.png

2 EXAMPLES OF SHA256 HASHES FOR ICEDID EXE CREATED BY ICEDID INSTALLER:

- badf5b6c2231f8b56f60d0e71cdadf4c0938626d39230776a6d5adb1f4c352f1 (initial)
- 55b811ff83a8f8b574694151ba2f1d6e9b1b3902061e8973b24f1af32a90ddca (persistent)

HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ABOVE 2 ICEDID EXE FILES:

- 79.141.171[.]183 port 443 - allpikoloserdzwe[.]cyou
- 79.141.171[.]183 port 443 - sipmptomsledy[.]top
- 79.141.171[.]183 port 443 - obnaprimezert[.]cyou
- 79.141.171[.]183 port 443 - sprbumazna[.]club
- 79.141.171[.]183 port 443 - uragapediculez[.]top

HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL:

- port 443 - www.intel.com
- port 443 - support.oracle.com
- port 443 - www.oracle.com
- port 443 - support.apple.com
- port 443 - support.microsoft.com
- port 443 - help.twitter.com
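The following script is an added example and is not part of the paste or of malware_traffic's own tooling. It turns the indicators above into a small detection pass over log lines: it refangs the defanged domains, generalises the eighteen numbered download URLs into one pattern (so any further fyfyN.cab variant is caught, which goes a little beyond the exact list), and flags the installer DLL run method (regsvr32.exe on a file named test.pdf). The proxy and process-creation log formats, host names, usernames and timestamps are constructed for the example; the legitimate domains the installer contacts are deliberately not alerted on, since on their own they are normal traffic.

```python
"""Match the 2020-09-16 TA551/IcedID indicators against constructed log lines.
Added example; the log formats below are assumptions, not a real product's."""
import re

# Defanged values copied from the paste, refanged for matching.
def refang(value):
    return value.replace("[.]", ".")

DLL_HOST_DOMAINS = {refang(d) for d in [
    "ab94z0[.]com", "bl3cavy[.]com", "c1c2l0i[.]com", "cztixxy[.]com",
    "fffufk[.]com", "safj3ng[.]com", "swf1fas[.]com", "tq9kma[.]com",
    "vdnu32a[.]com", "vsav42a[.]com",
]}
C2_DOMAINS = {refang(d) for d in [
    "loadro3[.]casa", "loadwe4[.]casa", "allpikoloserdzwe[.]cyou",
    "sipmptomsledy[.]top", "obnaprimezert[.]cyou", "sprbumazna[.]club",
    "uragapediculez[.]top",
]}
# Contacted by the installer as well, but benign on their own: not alerted on.
LEGIT_CHECK_DOMAINS = {"www.intel.com", "support.oracle.com", "www.oracle.com",
                       "support.apple.com", "support.microsoft.com",
                       "help.twitter.com"}

# The paste lists fyfy1.cab .. fyfy18.cab; one pattern covers the whole series.
DLL_URL_RE = re.compile(r"/vakos/nomyr\.php\?l=fyfy\d+\.cab", re.IGNORECASE)
# DLL run method from the paste: regsvr32.exe on a DLL named test.pdf.
REGSVR32_RE = re.compile(r"regsvr32(?:\.exe)?\s+.*test\.pdf", re.IGNORECASE)

def check_proxy_line(line):
    """Assumed proxy format: '<ts> <client_ip> <method> <host> <path> <status>'.
    Returns the list of indicator matches (empty list if none)."""
    parts = line.split()
    if len(parts) < 5:
        return []
    host, path = parts[3].lower(), parts[4]
    reasons = []
    if host in DLL_HOST_DOMAINS:
        reasons.append("host listed as IcedID installer DLL host")
    if host in C2_DOMAINS:
        reasons.append("host listed as IcedID C2 domain")
    if DLL_URL_RE.search(path):
        reasons.append("URL matches IcedID installer DLL download pattern")
    return reasons

def check_process_line(line):
    """Assumed process-creation format: '<ts> <host> user=<u> cmdline="..."'."""
    if REGSVR32_RE.search(line):
        return ["regsvr32 loading test.pdf (IcedID installer DLL run method)"]
    return []

def scan(proxy_lines, process_lines):
    """Return [(line, reasons)] for every line that matched at least once."""
    hits = [(l, check_proxy_line(l)) for l in proxy_lines]
    hits += [(l, check_process_line(l)) for l in process_lines]
    return [(line, reasons) for line, reasons in hits if reasons]

# Constructed sample logs (not real captures).
PROXY_LOG = [
    "2020-09-16T14:02:11Z 10.0.0.5 GET ab94z0.com /vakos/nomyr.php?l=fyfy7.cab 200",
    "2020-09-16T14:02:40Z 10.0.0.5 GET loadro3.casa /background.png 200",
    "2020-09-16T14:03:01Z 10.0.0.5 GET www.intel.com / 200",
    "2020-09-16T14:05:13Z 10.0.0.9 GET example.org /index.html 200",
    "2020-09-16T14:06:00Z 10.0.0.9 GET unknownhost.example /vakos/nomyr.php?l=fyfy21.cab 200",
]
PROCESS_LOG = [
    '2020-09-16T14:02:30Z host01 user=alice cmdline="regsvr32.exe C:\\Users\\alice\\Documents\\test.pdf"',
    '2020-09-16T14:02:45Z host01 user=alice cmdline="regsvr32.exe /s C:\\Windows\\System32\\legit.dll"',
]

if __name__ == "__main__":
    for line, reasons in scan(PROXY_LOG, PROCESS_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

The URL pattern is the most durable of the three checks: the hosting domains rotate daily in this campaign, whereas the download path shape and the regsvr32-on-test.pdf execution tend to persist across days, so a practitioner would keep those two rules and treat the domain set as a short-lived enrichment.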