malware_traffic

2020-10-07 (Wednesday) - TA551 (shathak) Word docs push IcedID

Oct 7th, 2020
2020-10-07 (WEDNESDAY) - TA551 (SHATHAK) WORD DOCS WITH MACROS FOR ICEDID:

CHAIN OF EVENTS:

- malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE

20 EXAMPLES OF TA551 WORD DOCS WITH MACROS FOR ICEDID:

- 0beef303ce25104d0339c45c9639a79759e016bc38f4b7d9bde2217e3ef00cfe certificate 010.20.doc
- 1806778270543a608fa6e000a27b7facb3ddbbd4991204cc374d3b8c18fb9947 decree-010.07.20.doc
- 14595a04048cdb18e66681333efd287f8464a4a4cfc2ba2bc72fa768e7c6e51c deed contract_010.20.doc
- 30c0ba71e4cf1230ededb4fa1ee9d5d8165dae62c5e48bedd3d87716358b354d details.010.20.doc.doc
- 28fe243038d1b1630ea282eb67201629bed594f32cb2bdb471577d0b1ae6663f direct_010.20.doc
- efe0e55ce9cbffb3304ba29b2ccf904506c7a3c237a8b5327e6c38a9adbf9f01 document_010.20.doc
- 964f34b2785d759c77b280381ac5119e7f8f77f2385c7015a1fe499716b15a10 file 010.20.doc
- 00bcfe86c9940936cf0e09d0a796d42684ce9b9eb3deebdbc73e1b2a84648f00 input,010.20.doc
- 471e585c63ddfe300f7cd4cb857beab0e4ca2502bad0856ecdfe1a54c761ca77 inquiry.010.07.2020.doc
- b6e264b6533923e55670e0973dee4e1f8c99b51f7638d6875f056c8c0d39b58a instruct 010.20.doc
- d1cda1c16fb3e976e4a08e370762b0de16d16b5a7ad2b9e68484090e7ceb0517 instrument indenture-010.20.doc
- b5fe08c2c40034ce38db39477c543b7760f286664e32fb2efd19d3b9810d57c7 legal agreement.010.07.2020.doc
- 349b23c2a88d1dae6bfbf78068050f101cbe1006c5b323eeecd3cb55b95c2e8b material-010.20.doc
- 20c2cf1cedb3df711cfe74121d7af5297c6d02685d8088fb5a38eca3cf1ed858 official paper 010.20.doc
- 2ea61842af777d477c077e7b8880d25e0c8f04f6f86dd8e61ea45a3f4165514a ordain,010.07.2020.doc
- 97f30b0a42e8e24c9efc0967691e9219cf3fbcdd6906b48a8c2cc0fcb3580825 ordain,010.20.doc
- d4ce72135d503599a18c67154f39edaabc09f23c5215c55a657a56a45cc90b58 order_010.07.20.doc
- 8ef00b908e4dbf8a32394782cd639019e5f182cf8a9bffca3abd0b123de1a19d prescribe -010.20.doc
- def1892d7cb009bbc024ebef077e03fff3915e285eaef582ab9aaf69caec124a report-010.07.2020.doc
- c367a4f55aacfbcad5d8066dd4352e2101f983305fb525d008ff80a4fe2938c8 specifics 010.07.2020.doc

AT LEAST 8 DOMAINS HOSTING THE INSTALLER DLL:

- a7d94ba[.]com - 185.144.31[.]168
- chu576f[.]com - 45.10.110[.]4
- gb6r8qo[.]com - 37.46.131[.]111
- jv9b74[.]com - 193.201.126[.]220
- mkba3y[.]com - 83.166.243[.]64
- p78m58[.]com - 45.128.206[.]114
- ss02vx[.]com - 194.40.243[.]176
- tqbx93[.]com - 185.62.103[.]82

URLS FOR ICEDID DLL:

- GET /gyxo/kijad.php?l=wymuq1.cab
- GET /gyxo/kijad.php?l=wymuq2.cab
- GET /gyxo/kijad.php?l=wymuq3.cab
- GET /gyxo/kijad.php?l=wymuq4.cab
- GET /gyxo/kijad.php?l=wymuq5.cab
- GET /gyxo/kijad.php?l=wymuq6.cab
- GET /gyxo/kijad.php?l=wymuq7.cab
- GET /gyxo/kijad.php?l=wymuq8.cab
- GET /gyxo/kijad.php?l=wymuq9.cab
- GET /gyxo/kijad.php?l=wymuq10.cab
- GET /gyxo/kijad.php?l=wymuq11.cab
- GET /gyxo/kijad.php?l=wymuq12.cab

12 EXAMPLES OF ICEDID INSTALLER DLL FILES:

- 0c14eb444aa68a0e20b405597c21afa4ca23c42a520dcc7d1b5852ebe28aa5c4
- 107be51f21173306fa99e6468bdf5b0d49b58036296c5091e7f3b8a1b5250132
- 18b4246ff80eaf7c4a30d86794a2ab83bf26662958b0e44931d9a7f58935952a
- 1cce529e81c7bcad2feeed7b7368092f9545339b368c26156a248b467e0f9397
- 283e5d0fe79022c059764ae982a27191962d0463b430ed278c0b61fac73bba9f
- 3869de46f081e1373e68f81564b9bb4684f56844aa7dc59fa5a8f2d8eddeef9a
- 3fd4fb0b21f1d754bd0a1457c76d194a5723e21900bfe6aef75c376079391e98
- 9ed92ebc8b6cf8b5716f821db89d62312b5d46cc3845c79d4dae99b7033ea8d8
- a6c0a6948ceaa9c40dbfd0fd9d9181dbee8586023f3679a51c6f112e490b9fbb
- b2485de94c51ff3823b459f8918829182ec1102ab0b043a9d1f9eb6f3404f016
- c52a0fd0e57e4770d98bf759019884669f61de0f1d22969f86c6b10ab181c3db
- e0b1c175506c8e56eb9c90c7b96d736e4a60617371f2e41ed5a62e7bc217eca6

EXAMPLES OF LOCATION FOR THE INSTALLER DLL FILES:

- C:\ProgramData\hLGNm.pdf
- C:\ProgramData\iccPw.pdf
- C:\ProgramData\LZUmi.pdf
- C:\ProgramData\MoYLB.pdf
- C:\ProgramData\nvZDu.pdf
- C:\ProgramData\pVBVW.pdf
- C:\ProgramData\QtSIU.pdf
- C:\ProgramData\txBVS.pdf
- C:\ProgramData\wWCTG.pdf
- C:\ProgramData\YAeeh.pdf
- C:\ProgramData\ZmAqT.pdf

DLL RUN METHOD:

- regsvr32.exe [filename]

AT LEAST 3 DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLL FILES TODAY:

- 161.35.111[.]71 port 443 - loadpascal[.]asia - GET /background.png
- 161.35.111[.]71 port 443 - loadbmw[.]click - GET /background.png
- 161.35.111[.]71 port 443 - loadmercedes[.]beer - GET /background.png

2 EXAMPLES OF SHA256 HASHES FOR ICEDID EXE CREATED BY ICEDID INSTALLER:

- 10f061a6e7886335543a5be5d1bea1b262c48c4ef45b8404cfb6d1b0cd4568aa (initial)
- f13f7953e8d1eab4f78b54e8d833108b7b847339f176f1b4d754e9fd4e8282b5 (persistent)

HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ICEDID EXE FILES:

- 178.62.243[.]45 port 443 - sepneretyiu[.]cyou
- 178.62.243[.]45 port 443 - donmekrym[.]top
- 178.62.243[.]45 port 443 - holubicoklire[.]top
- 178.62.243[.]45 port 443 - grablihuiz[.]cyou
- 178.62.243[.]45 port 443 - obnulenush[.]cyou

HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLLS:

- port 443 - support.apple.com
- port 443 - help.twitter.com
- port 443 - support.microsoft.com
- port 443 - support.oracle.com
- port 443 - www.oracle.com
- port 443 - www.intel.com
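Added example, not part of the original paste: a Python matcher that turns the indicators above into checks a defender can run over web-proxy and process-creation logs. The indicator values (domains, URL pattern, drop path pattern, regsvr32 run method, EXE hashes) are the ones listed in the paste with the defanging brackets removed; the proxy log line format, the sample log lines and the function names are constructed for this example. It generalizes slightly beyond the paste: the download check matches any `wymuq<N>.cab` value and fires on the URL path even for a host not in the list (the paste says "at least 8 domains"), and the drop-path check matches any five-letter `.pdf` name under `C:\ProgramData`, since the listed paths all follow that shape.

```python
"""Matchers for the TA551 / IcedID indicators listed above (added example)."""
import re
from typing import List, Optional, Tuple

# --- indicator values copied from the paste, defanging brackets removed ----
INSTALLER_HOSTS = {
    "a7d94ba.com", "chu576f.com", "gb6r8qo.com", "jv9b74.com",
    "mkba3y.com", "p78m58.com", "ss02vx.com", "tqbx93.com",
}
INSTALLER_CHECKIN_HOSTS = {"loadpascal.asia", "loadbmw.click", "loadmercedes.beer"}
ICEDID_C2_HOSTS = {
    "sepneretyiu.cyou", "donmekrym.top", "holubicoklire.top",
    "grablihuiz.cyou", "obnulenush.cyou",
}
ICEDID_EXE_SHA256 = {
    "10f061a6e7886335543a5be5d1bea1b262c48c4ef45b8404cfb6d1b0cd4568aa",
    "f13f7953e8d1eab4f78b54e8d833108b7b847339f176f1b4d754e9fd4e8282b5",
}
# Installer download path: /gyxo/kijad.php?l=wymuq<N>.cab (paste shows N = 1..12;
# any N is accepted here, an assumption made for this example)
INSTALLER_URL_RE = re.compile(r"^/gyxo/kijad\.php\?l=wymuq\d+\.cab$")
# Installer DLL dropped as C:\ProgramData\<5 letters>.pdf and loaded by regsvr32
DROPPED_DLL_RE = re.compile(r"C:\\ProgramData\\[A-Za-z]{5}\.pdf", re.IGNORECASE)


def classify_web_request(host: str, path: str) -> Optional[str]:
    """Verdict for one host/path pair, or None when nothing in the paste matches."""
    host = host.lower()
    if host in INSTALLER_HOSTS or INSTALLER_URL_RE.match(path):
        return "icedid-installer-download"
    if host in INSTALLER_CHECKIN_HOSTS and path == "/background.png":
        return "icedid-installer-checkin"
    if host in ICEDID_C2_HOSTS:
        return "icedid-c2"
    # support.apple.com, www.intel.com etc. appear in the paste as traffic the
    # installer makes to legitimate sites; they are not indicators on their own.
    return None


def classify_process(image: str, command_line: str) -> Optional[str]:
    """Flag regsvr32.exe being handed a .pdf-named file out of C:\\ProgramData."""
    if image.lower().endswith("regsvr32.exe") and DROPPED_DLL_RE.search(command_line):
        return "icedid-installer-regsvr32"
    return None


def classify_hash(sha256: str) -> Optional[str]:
    """Look up a SHA256 against the IcedID EXE hashes from the paste."""
    return "icedid-exe" if sha256.lower() in ICEDID_EXE_SHA256 else None


# Constructed proxy log, one request per line:
#   "<timestamp> <client> <method> <host> <path> <status>"
SAMPLE_PROXY_LOG = [
    "2020-10-07T14:02:11Z 10.0.0.5 GET jv9b74.com /gyxo/kijad.php?l=wymuq3.cab 200",
    "2020-10-07T14:02:19Z 10.0.0.5 GET support.apple.com / 200",
    "2020-10-07T14:02:20Z 10.0.0.5 GET loadbmw.click /background.png 200",
    "2020-10-07T14:05:42Z 10.0.0.5 GET donmekrym.top / 200",
    "2020-10-07T14:06:00Z 10.0.0.9 GET www.intel.com /content/www/us/en/homepage.html 200",
]


def scan_proxy_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, host, verdict) for every line that hits an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 6:
            continue  # not the expected shape; a real parser would report this
        host, path = fields[3], fields[4]
        verdict = classify_web_request(host, path)
        if verdict:
            hits.append((n, host, verdict))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
    print(classify_process(r"C:\Windows\System32\regsvr32.exe",
                           r'regsvr32.exe "C:\ProgramData\hLGNm.pdf"'))
```

The three verdict tiers map to the chain of events in the paste: a download hit means a macro has already run on the client, a check-in hit means the installer DLL executed, and a C2 hit means the IcedID EXE is running, so triage priority rises in that order. The process check is the one worth keeping after the domains rotate, since regsvr32 loading a `.pdf`-named file from `C:\ProgramData` is the behaviour rather than the infrastructure.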