malware_traffic

2020-11-24 (Tuesday) - TA551 (Shathak) Word docs with English template push IcedID

Nov 24th, 2020 (edited)
CHAIN OF EVENTS:

- malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID DLL

4 EXAMPLES OF TA551 WORD DOCS WITH MACROS:

- 37db367c01e40ee2f05a5966d6670e07fd3292c01f4da8ffd77c0e3c96a79464 deed contract.11.20.doc
- 81a9a90300cb711fe2ee8ef3cd168f41a4dcb9947a36d7bcda30867360d99ea4 details-11.20.doc
- 3175b6ee197e76e17fe22e8176f66ecfcd2f4de7320fe51430680bfd646bab9c enjoin_11.24.2020.doc
- 4de0cdd480990aad05acf6c178e4711cd05bf0bc83b4c65fe0e0c0003832f5d6 material.11.20.doc

AT LEAST 2 DOMAINS HOSTING THE INSTALLER DLL:

- fu-vapor8895[.]com - 188.120.255[.]68
- l-laptop6658[.]com - 45.12.4[.]233

EXAMPLES OF URLS FOR INSTALLER DLL:

- GET /share/92Lm_79ASH7srFlVPcgJDwPjNam8WuGkr0Ta/lxnt10
- GET /share/kvNqzh1tF4Y8zyxtL/HQpK6K42Wr8SP9PLJSqxc5h/ROwPcKsG/dbULREqlb1Kj0_RRT/Dfnj/lxnt10
- GET /share/ftmGhE2v0ebFH4Ov6R3xRPcAwdPuJrrdgxEsNuRFL4MorzVrs6dRDXqY/lxnt11
- GET /share/bFcvKlFJrlxvKewsj5d4pQxQlUhXmWO0qOzilaW5CrJ4C0N/UdTfvkJ1QNftf2_PVj_wV98/lxnt11

4 EXAMPLES OF INSTALLER DLLS:

- 1b145cd12882ab58ddb7bdb833e11f9e11b3eb9ce721d75cc6197f87ba4fd341
- 8d142bd62fdc3de06cda080afcac67b600fa29ef527a11640c928199a8610f3e
- cdce92800d0038fb078462a722230636754ffca7bf31b85ce7b494ed33d2eee3
- d47cf4ec1a51c17befc01722d5ff603cfbd338ccff442669e765bf8dc20c6b54

EXAMPLES OF LOCATIONS FOR THE INSTALLER DLL FILES:

- C:\Users\[username]\AppData\Local\Temp\CMLWU.pdf
- C:\Users\[username]\AppData\Local\Temp\FpVjp.pdf
- C:\Users\[username]\AppData\Local\Temp\Fxrri.pdf
- C:\Users\[username]\AppData\Local\Temp\mGhdt.pdf

DLL RUN METHOD:

- rundll32.exe [filename],ShowDialogA -r

HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL:

- port 443 - facebook.com
- port 443 - www.facebook.com
- port 443 - instagram.com
- port 443 - www.instagram.com
- port 443 - www.tumblr.com
- port 443 - twitter.com

AT LEAST 2 DIFFERENT DOMAINS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:

- 143.110.185[.]84 port 443 - futuduramatios[.]best
- 143.110.185[.]84 port 443 - suitecasecourt[.]cyou

3 EXAMPLES OF SHA256 HASHES FOR ICEDID DLL CREATED BY INSTALLER:

- 6610a12184a15e0fe2f3c8d2f730aa7a4497386a10487138cfe1e019ec3f1f2a (initial, both runs)
- f25862e2ae2bc1af4a3117c22317abac677b278645135013cdd43e47868d536b (persistent, 1st run)
- 1a4f63c7c5b4e3e26cce157c4e0d6ed8c1fef956c4033b96df9159d27169445d (persistent, 2nd run)

HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ICEDID DLL FILES:

- 68.183.54[.]143 port 443 - afromadness[.]club
- 68.183.54[.]143 port 443 - 9seeallcars[.]best
- 167.71.224[.]39 port 443 - pareomedeo[.]club
- 167.71.224[.]39 port 443 - servepeolor[.]top
- 167.71.224[.]39 port 443 - wasserwoman[.]top
- 68.183.54[.]143 port 443 - initiativeuntimed[.]cyou

DNS QUERIES FOR ADDITIONAL DOMAINS CAUSED BY ICEDID DURING THE SECOND RUN:

- astroglippers[.]club - No such name
- muslerafootball[.]best - No such name
- regardlessnotice[.]top - No such name

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST FROM THE FIRST RUN:

- SHA256 hash: cdce92800d0038fb078462a722230636754ffca7bf31b85ce7b494ed33d2eee3
- File size: 228,864 bytes
- File location: hxxp://fu-vapor8895[.]com/share/92Lm_79ASH7srFlVPcgJDwPjNam8WuGkr0Ta/lxnt10
- File location: C:\Users\[username]\AppData\Local\Temp\Fxrri.pdf
- File description: Installer DLL retrieved by Word macro

- SHA256 hash: d4df9780c1d93538eb34c9db64aa87dd5a5ee718b3392dbe7f6719de053ef3ca
- File size: 112,511 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\00070a5e.png
- File type: PNG image data, 482 x 561, 8-bit/color RGB, non-interlaced
- File description: PNG file with encoded data used to create the initial IcedID DLL

- SHA256 hash: 6610a12184a15e0fe2f3c8d2f730aa7a4497386a10487138cfe1e019ec3f1f2a
- File size: 108,032 bytes
- File location: C:\Users\[username]\AppData\Local\Accesshover.dat
- File description: Initial IcedID DLL created from the above PNG file

- SHA256 hash: cc1030c4c7486f5295444acb205fa9c9947ad41427b6b181d74e7e5fe4e6f8a9
- File size: 677,968 bytes
- File location: C:\Users\[username]\AppData\Roaming\yaaksaac3\[username]\iyxoac.png
- File type: PNG image data, 789 x 431, 8-bit/color RGB, non-interlaced
- File description: Another encoded PNG file, created after the above DLL is run

- SHA256 hash: f25862e2ae2bc1af4a3117c22317abac677b278645135013cdd43e47868d536b
- File size: 108,032 bytes
- File location: C:\Users\[username]\AppData\Local\{261F864B-8892-4100-2EDE-BDC115A72551}\nivude1.dll
- File description: IcedID DLL persistent on the infected Windows host
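Added detection example (not part of the original paste): a small process-creation log check that flags the run method above, i.e. rundll32.exe loading a module with a non-DLL extension from the user's Temp folder and calling the ShowDialogA export. The sample command lines and the username "alice" are constructed for the example.

```python
import re
from typing import Optional

# Match "rundll32[.exe] <module>,<export> [args]" with optional quoting.
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<path>[^",]+?)"?\s*,\s*(?P<export>\w+)(?P<args>.*)$',
    re.IGNORECASE,
)
# Staging directory seen on this page for the installer DLL.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Extensions that should never be a rundll32 module; the page shows ".pdf".
NON_DLL_EXT = (".pdf", ".png", ".dat", ".txt", ".jpg")

def classify_rundll32(cmdline: str) -> Optional[dict]:
    """Return None for non-rundll32 events, else the parsed module/export
    plus the reasons it looks like the TA551 installer run method."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return None
    path = m.group("path").strip()
    export = m.group("export")
    reasons = []
    if TEMP_DIR_RE.search(path):
        reasons.append("module loaded from AppData\\Local\\Temp")
    if path.lower().endswith(NON_DLL_EXT):
        reasons.append("module has a non-DLL extension")
    if export.lower() == "showdialoga":
        reasons.append("export ShowDialogA, as used by the TA551 installer DLL")
    # Two or more indicators together are worth an alert; one alone is noisy.
    return {"path": path, "export": export, "args": m.group("args").strip(),
            "reasons": reasons, "suspicious": len(reasons) >= 2}

# Constructed process-creation command lines (not real telemetry).
SAMPLE_EVENTS = [
    r"rundll32.exe C:\Users\alice\AppData\Local\Temp\Fxrri.pdf,ShowDialogA -r",
    r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r'"C:\Windows\System32\rundll32.exe" "C:\Program Files\App\helper.dll",Run',
    r"notepad.exe C:\Users\alice\Desktop\notes.txt",
]

def flag_events(events) -> list:
    """Return the (cmdline, finding) pairs that should raise an alert."""
    out = []
    for ev in events:
        finding = classify_rundll32(ev)
        if finding and finding["suspicious"]:
            out.append((ev, finding))
    return out

if __name__ == "__main__":
    for ev, finding in flag_events(SAMPLE_EVENTS):
        print(ev, "->", "; ".join(finding["reasons"]))
```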