malware_traffic

2020-10-14 (Wednesday) - TA551 (Shathak) Word docs push IcedID

2020-10-14 (WEDNESDAY) - TA551 (SHATHAK) WORD DOCS WITH MACROS FOR ICEDID:

CHAIN OF EVENTS:

- malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE

NOTE:

- As part of the infection process, Word macros from today's wave created a copy of MSHTA.EXE saved as C:\Users\Public\in.com to run an HTML file with JavaScript saved as C:\Users\Public\in.html.

20 EXAMPLES OF TA551 WORD DOCS WITH MACROS FOR ICEDID:


AT LEAST 8 DOMAINS HOSTING THE INSTALLER DLL:


URLS FOR ICEDID DLL:


8 EXAMPLES OF ICEDID INSTALLER DLLS:


EXAMPLES OF LOCATION FOR THE INSTALLER DLL FILES:

- C:\Users\[username]\AppData\Local\Temp\temp.tmp

DLL RUN METHOD:

- regsvr32.exe [filename]

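To turn the NOTE (renamed MSHTA.EXE under C:\Users\Public) and the DLL RUN METHOD (regsvr32.exe on a .tmp from the user's Temp folder) into something an endpoint team can test, here is an added example that is not part of the original paste. It applies two checks to constructed Sysmon-style process-creation events; the field names follow Sysmon Event ID 1 (Image, CommandLine, OriginalFileName) and the sample events are made up.

```python
"""Detection checks for the two host behaviours described in the paste.

Added example, not from the original paste. Events are dicts with the
Sysmon Event ID 1 field names Image, CommandLine and OriginalFileName.
"""
import re
from typing import Dict, List

# Files dropped/copied under C:\Users\Public (where in.com / in.html were written).
PUBLIC_DIR = re.compile(r"^c:\\users\\public\\", re.I)
# A .tmp file under %LOCALAPPDATA%\Temp, e.g. ...\AppData\Local\Temp\temp.tmp
TEMP_TMP = re.compile(r"\\appdata\\local\\temp\\[^\\\s\"]+\.tmp\b", re.I)


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the checks that fire for one process-creation event."""
    hits: List[str] = []
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "")
    orig = ev.get("OriginalFileName", "").lower()
    # (1) Renamed MSHTA: OriginalFileName comes from the PE version resource, so it
    #     still says mshta.exe after the binary is copied to C:\Users\Public\in.com.
    if orig == "mshta.exe" and PUBLIC_DIR.search(image) and not image.lower().endswith("mshta.exe"):
        hits.append("renamed_mshta_in_public")
    # (2) regsvr32.exe handed a .tmp from the Temp directory (the installer DLL run method).
    if image.lower().endswith("\\regsvr32.exe") and TEMP_TMP.search(cmd):
        hits.append("regsvr32_loads_temp_tmp")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> firing checks, omitting events with no hits."""
    results: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            results[i] = hits
    return results


# Constructed sample telemetry (not real events); the last two are benign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\in.com", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": r"C:\Users\Public\in.com C:\Users\Public\in.html"},
    {"Image": r"C:\Windows\System32\regsvr32.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r"regsvr32.exe C:\Users\alice\AppData\Local\Temp\temp.tmp"},
    {"Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\setup.hta"},
    {"Image": r"C:\Windows\System32\regsvr32.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```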
HTTPS traffic to legitimate domains caused by the installer DLL files:

- port 443 - www.intel.com
- port 443 - support.oracle.com
- port 443 - www.oracle.com
- port 443 - support.apple.com
- port 443 - support.microsoft.com
- port 443 - help.twitter.com

At least 2 different URLs for HTTPS traffic generated by the installer DLL files:

- 134.209.25[.]122 port 443 - huntysmally[.]top - GET /background.png
- 134.209.25[.]122 port 443 - smalleryurta[.]club - GET /background.png

2 examples of SHA256 hashes of IcedID EXEs created by installer DLLs:

- 78cba4c94ad3bbf06a43904c0281b95178aa56bcc56c14a6af48a7a151e1d360 (initial)
- af459cb93ef9b02f0a1bc65a32c13ba9022323874be4fb5f979f1235e9146ee6 (persistent)

HTTPS traffic to malicious domains caused by the above IcedID EXE files (same as samples from yesterday):

- 143.110.176[.]28 - port 443 - minishtab[.]cyou
- 143.110.176[.]28 - port 443 - novemberdejudge[.]cyou
- 143.110.176[.]28 - port 443 - xoxofuck[.]cyou
- 143.110.176[.]28 - port 443 - suddekaster[.]best
- 143.110.176[.]28 - port 443 - sryvplanrespublican[.]cyou