- 2020-11-24 (TUESDAY) - TA551 (SHATHAK) WORD DOCS WITH ENGLISH LANGUAGE TEMPLATE PUSH ICEDID:
- CHAIN OF EVENTS:
- - malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID DLL
- 4 EXAMPLES OF TA551 WORD DOCS WITH MACROS:
- - 37db367c01e40ee2f05a5966d6670e07fd3292c01f4da8ffd77c0e3c96a79464 deed contract.11.20.doc
- - 81a9a90300cb711fe2ee8ef3cd168f41a4dcb9947a36d7bcda30867360d99ea4 details-11.20.doc
- - 3175b6ee197e76e17fe22e8176f66ecfcd2f4de7320fe51430680bfd646bab9c enjoin_11.24.2020.doc
- - 4de0cdd480990aad05acf6c178e4711cd05bf0bc83b4c65fe0e0c0003832f5d6 material.11.20.doc
- AT LEAST 2 DOMAINS HOSTING THE INSTALLER DLL:
- - fu-vapor8895[.]com - 188.120.255[.]68
- - l-laptop6658[.]com - 45.12.4[.]233
- EXAMPLES OF URLS FOR INSTALLER DLL:
- - GET /share/92Lm_79ASH7srFlVPcgJDwPjNam8WuGkr0Ta/lxnt10
- - GET /share/kvNqzh1tF4Y8zyxtL/HQpK6K42Wr8SP9PLJSqxc5h/ROwPcKsG/dbULREqlb1Kj0_RRT/Dfnj/lxnt10
- - GET /share/ftmGhE2v0ebFH4Ov6R3xRPcAwdPuJrrdgxEsNuRFL4MorzVrs6dRDXqY/lxnt11
- - GET /share/bFcvKlFJrlxvKewsj5d4pQxQlUhXmWO0qOzilaW5CrJ4C0N/UdTfvkJ1QNftf2_PVj_wV98/lxnt11
- 4 EXAMPLES OF INSTALLER DLLS:
- - 1b145cd12882ab58ddb7bdb833e11f9e11b3eb9ce721d75cc6197f87ba4fd341
- - 8d142bd62fdc3de06cda080afcac67b600fa29ef527a11640c928199a8610f3e
- - cdce92800d0038fb078462a722230636754ffca7bf31b85ce7b494ed33d2eee3
- - d47cf4ec1a51c17befc01722d5ff603cfbd338ccff442669e765bf8dc20c6b54
- EXAMPLES OF LOCATIONS FOR THE INSTALLER DLL FILES:
- - C:\Users\[username]\AppData\Local\Temp\CMLWU.pdf
- - C:\Users\[username]\AppData\Local\Temp\FpVjp.pdf
- - C:\Users\[username]\AppData\Local\Temp\Fxrri.pdf
- - C:\Users\[username]\AppData\Local\Temp\mGhdt.pdf
- DLL RUN METHOD:
- - rundll32.exe [filename],ShowDialogA -r
- HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL:
- - port 443 - facebook.com
- - port 443 - www.facebook.com
- - port 443 - instagram.com
- - port 443 - www.instagram.com
- - port 443 - www.tumblr.com
- - port 443 - twitter.com
- AT LEAST 2 DIFFERENT DOMAINS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:
- - 143.110.185[.]84 port 443 - futuduramatios[.]best
- - 143.110.185[.]84 port 443 - suitecasecourt[.]cyou
- 3 EXAMPLES OF SHA256 HASHES FOR ICEDID DLL CREATED BY INSTALLER:
- - 6610a12184a15e0fe2f3c8d2f730aa7a4497386a10487138cfe1e019ec3f1f2a (initial both runs)
- - f25862e2ae2bc1af4a3117c22317abac677b278645135013cdd43e47868d536b (persistent 1st run)
- - 1a4f63c7c5b4e3e26cce157c4e0d6ed8c1fef956c4033b96df9159d27169445d (persistent 2nd run)
- HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ICEDID DLL FILES:
- - 68.183.54[.]143 port 443 - afromadness[.]club
- - 68.183.54[.]143 port 443 - 9seeallcars[.]best
- - 167.71.224[.]39 port 443 - pareomedeo[.]club
- - 167.71.224[.]39 port 443 - servepeolor[.]top
- - 167.71.224[.]39 port 443 - wasserwoman[.]top
- - 68.183.54[.]143 port 443 - initiativeuntimed[.]cyou
- DNS QUERIES FOR ADDITIONAL DOMAINS CAUSED BY ICEDID DURING THE SECOND RUN:
- - astroglippers[.]club - No such name
- - muslerafootball[.]best - No such name
- - regardlessnotice[.]top - No such name
- MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST FROM THE FIRST RUN:
- - SHA256 hash: cdce92800d0038fb078462a722230636754ffca7bf31b85ce7b494ed33d2eee3
- - File size: 228,864 bytes
- - File location: hxxp://fu-vapor8895[.]com/share/92Lm_79ASH7srFlVPcgJDwPjNam8WuGkr0Ta/lxnt10
- - File location: C:\Users\[username]\AppData\Local\Temp\Fxrri.pdf
- - File description: Installer DLL retrieved by Word macro
- - SHA256 hash: d4df9780c1d93538eb34c9db64aa87dd5a5ee718b3392dbe7f6719de053ef3ca
- - File size: 112,511 bytes
- - File location: C:\Users\[username]\AppData\Local\Temp\00070a5e.png
- - File type: PNG image data, 482 x 561, 8-bit/color RGB, non-interlaced
- - File description: PNG file with encoded data used to create initial IcedID DLL
- - SHA256 hash: 6610a12184a15e0fe2f3c8d2f730aa7a4497386a10487138cfe1e019ec3f1f2a
- - File size: 108,032 bytes
- - File location: C:\Users\[username]\AppData\Local\Accesshover.dat
- - File description: Initial IcedID DLL created from the above PNG file
- - SHA256 hash: cc1030c4c7486f5295444acb205fa9c9947ad41427b6b181d74e7e5fe4e6f8a9
- - File size: 677,968 bytes
- - File location: C:\Users\[username]\AppData\Roaming\yaaksaac3\[username]\iyxoac.png
- - File type: PNG image data, 789 x 431, 8-bit/color RGB, non-interlaced
- - File description: Another encoded PNG file created after above DLL is run
- - SHA256 hash: f25862e2ae2bc1af4a3117c22317abac677b278645135013cdd43e47868d536b
- - File size: 108,032 bytes
- - File location: C:\Users\[username]\AppData\Local\{261F864B-8892-4100-2EDE-BDC115A72551}\nivude1.dll
- - File description: IcedID DLL persistent on the infected Windows host
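Added example (not part of the original notes): a small detection over process-creation command lines for the DLL run method and drop locations listed above, i.e. rundll32.exe loading a module with a .pdf extension out of AppData\Local\Temp via the ShowDialogA export. The sample command lines are constructed to look like Sysmon Event ID 1 CommandLine fields; the usernames and the non-malicious entries are assumptions for contrast.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Constructed sample command lines (not from an infected host). The first two
# mirror the run method in the notes; the rest are benign rundll32 / non-rundll32 launches.
SAMPLE_COMMAND_LINES = [
    r'rundll32.exe C:\Users\alice\AppData\Local\Temp\Fxrri.pdf,ShowDialogA -r',
    r'rundll32.exe "C:\Users\bob\AppData\Local\Temp\mGhdt.pdf",ShowDialogA -r',
    r'rundll32.exe shell32.dll,Control_RunDLL hotplug.dll',
    r'rundll32.exe C:\Windows\System32\ieframe.dll,OpenURL https://example.test',
    r'C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt',
]

# rundll32 syntax: rundll32.exe <module>,<export> [args]; module may be quoted.
RUNDLL32_RE = re.compile(
    r'^(?:"?[^"\s]*rundll32\.exe"?)\s+"?(?P<module>[^",]+?)"?\s*,\s*(?P<export>[^\s,]+)',
    re.IGNORECASE,
)


def assess_rundll32(cmdline: str) -> Optional[dict]:
    """Return module, export and matched indicators for a rundll32 launch, else None."""
    m = RUNDLL32_RE.match(cmdline.strip())
    if not m:
        return None
    module = PureWindowsPath(m.group('module'))
    export = m.group('export')
    parts = [p.lower() for p in module.parts]
    reasons = []
    # Observed: installer DLL dropped with a .pdf extension rather than .dll
    if module.suffix.lower() not in ('.dll', '.cpl', '.ocx', ''):
        reasons.append('non-DLL extension: ' + module.suffix)
    # Observed: module loaded from the user's AppData\Local\Temp directory
    if 'appdata' in parts and 'temp' in parts:
        reasons.append('module in AppData Temp')
    # Observed: export name used by the installer DLL in these notes
    if export.lower() == 'showdialoga':
        reasons.append('export ShowDialogA')
    return {'module': str(module), 'export': export, 'reasons': reasons}


def flag_suspicious(cmdlines):
    """Return (cmdline, reasons) for each rundll32 launch hitting at least one indicator."""
    hits = []
    for c in cmdlines:
        r = assess_rundll32(c)
        if r and r['reasons']:
            hits.append((c, r['reasons']))
    return hits


if __name__ == '__main__':
    for cmd, why in flag_suspicious(SAMPLE_COMMAND_LINES):
        print(cmd, '->', '; '.join(why))
```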