malware_traffic

2020-06-24 (Wednesday): Valak activity - Soft_sig: mad35

Jun 24th, 2020
NOTE:

- As usual from a US location, I got IcedID (Bokbot) as the follow-up malware

EXAMPLES OF WORD DOCS WITH MACROS FOR VALAK:

DOMAINS HOSTING THE INITIAL VALAK DLL:

- a9nq0z[.]com
- e7xfxb[.]com
- ihgd1u[.]com
- gma7im[.]com
- gx6995[.]com
- mbzrrt[.]com
- w0j3oq[.]com

URLS FOR THE INITIAL VALAK DLL:

- GET /unbbmevd/d76.php?l=ftywl1.cab
- GET /unbbmevd/d76.php?l=ftywl2.cab
- GET /unbbmevd/d76.php?l=ftywl3.cab
- GET /unbbmevd/d76.php?l=ftywl4.cab
- GET /unbbmevd/d76.php?l=ftywl5.cab
- GET /unbbmevd/d76.php?l=ftywl6.cab
- GET /unbbmevd/d76.php?l=ftywl7.cab
- GET /unbbmevd/d76.php?l=ftywl8.cab
- GET /unbbmevd/d76.php?l=ftywl9.cab
- GET /unbbmevd/d76.php?l=ftywl10.cab
- GET /unbbmevd/d76.php?l=ftywl11.cab
- GET /unbbmevd/d76.php?l=ftywl12.cab

EXAMPLES OF INITIAL VALAK DLL:

RUN METHOD FOR VALAK DLL:

- regsvr32.exe -s [filename]
- Can also be done using: rundll32.exe [filename],DllRegisterServer

INITIAL SCRIPT FILE DROPPED FOR VALAK INFECTION:

- 88f34842ffadf864ff44e4f3b28fc2a3e4614d0e2e4f836f140d12d3121568c2 C:\Users\Public\mUDSqcHQn.pAnNR

DECOY DOMAINS FOR VALAK POST-INFECTION TRAFFIC:

- e87.dspb.akamaidege[.]net
- insiderppe.cloudapp[.]net
- pagead46.l.doubleclick[.]net

MALICIOUS DOMAINS FOR VALAK POST-INFECTION TRAFFIC:

- thepicklepilot[.]com
- joonaskallinen[.]com
- xfitnessproducts[.]com
- 59xidd-fuel[.]com
- 19geds-space[.]com
- 55sfors-cask[.]com

VALAK EXE HIDDEN VIA ADS AND MADE PERSISTENT THROUGH SCHEDULED TASK:

- a2e683ed3b00ce43517b0ffa99177b19e18ab4c0a27198082e2197801f22b0ed C:\Users\Public\WSUDIAG.EVTX:80cfabcd
- a2e683ed3b00ce43517b0ffa99177b19e18ab4c0a27198082e2197801f22b0ed C:\Users\Public\WSUDIAG.EVTX:9c31fd9d
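
A detection sketch covering the three artefacts this paste describes: the d76.php?l=ftywlN.cab download URL, the regsvr32 -s / rundll32 DllRegisterServer run method against a .jpg or .dat dropped in C:\ProgramData, and the payload parked in an alternate data stream under C:\Users\Public. This is an added example, not the author's code; the log lines are constructed, the download host is a placeholder, and the Sysmon-style field names are only assumed for the sample.

```python
import re

# Patterns built from the indicators described in this paste (added example).
# 1. Initial Valak DLL download: .../d76.php?l=ftywl<N>.cab
VALAK_DL_RE = re.compile(r"/d76\.php\?l=ftywl\d+\.cab", re.IGNORECASE)
# 2. Run method: "regsvr32 -s <file>" or "rundll32 <file>,DllRegisterServer",
#    where <file> is a .dat/.jpg dropped under C:\ProgramData
RUN_RE = re.compile(
    r'(?:regsvr32(?:\.exe)?\s+-s\s+(?P<f1>C:\\ProgramData\\[^\s,"]+\.(?:dat|jpg))'
    r'|rundll32(?:\.exe)?\s+(?P<f2>C:\\ProgramData\\[^\s,"]+\.(?:dat|jpg)),DllRegisterServer)',
    re.IGNORECASE,
)
# 3. Payload parked in an NTFS alternate data stream under C:\Users\Public
ADS_RE = re.compile(r'C:\\Users\\Public\\[^\s:"]+:(?P<stream>[^\s"]+)', re.IGNORECASE)

# Constructed sample telemetry (not real logs); the download host is a placeholder.
SAMPLE_LOG = [
    r'2020-06-24T14:01:02Z proxy GET http://example.invalid/unbbmevd/d76.php?l=ftywl3.cab 200',
    r'2020-06-24T14:01:05Z sysmon EventID=1 CommandLine="regsvr32.exe -s C:\ProgramData\51508.jpg"',
    r'2020-06-24T14:01:09Z sysmon EventID=1 CommandLine="rundll32.exe C:\ProgramData\40060179.dat,DllRegisterServer"',
    r'2020-06-24T14:03:11Z sysmon EventID=11 TargetFilename="C:\Users\Public\WSUDIAG.EVTX:80cfabcd"',
    r'2020-06-24T14:05:00Z proxy GET http://www.example.com/index.html 200',
    r'2020-06-24T14:05:30Z sysmon EventID=1 CommandLine="regsvr32.exe -s C:\Windows\System32\scrrun.dll"',
    r'2020-06-24T14:06:00Z sysmon EventID=11 TargetFilename="C:\Users\Public\mUDSqcHQn.pAnNR"',
]


def scan(lines):
    """Return (rule_name, evidence) for every line matching one of the three patterns."""
    hits = []
    for line in lines:
        if m := VALAK_DL_RE.search(line):
            hits.append(("valak_dll_download", m.group(0)))
        if m := RUN_RE.search(line):
            # regsvr32 on a system DLL (line 6 of the sample) is not flagged: wrong directory
            hits.append(("valak_dll_run", m.group("f1") or m.group("f2")))
        if m := ADS_RE.search(line):
            # a plain file under C:\Users\Public (last sample line) has no stream, so no hit
            hits.append(("ads_hidden_payload", m.group("stream")))
    return hits


if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_LOG):
        print(f"{rule:22s} {evidence}")
```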

INITIAL ICEDID EXE FOUND ON VALAK-INFECTED HOST:

- 9ef0f3b08d66a83ca24735016556964efad5c50023d9638bf94e45d9a29febbf C:\Users\[username]\AppData\Local\Temp\~5394765.exe

ICEDID PERSISTENT ON INFECTED WINDOWS HOST:

- 39a9cd9816d520124a30a2d623a105c5cbb8f66c2de21650153a46642801091e C:\Users\[username]\AppData\Local\Xurare3\bodads.exe

DOMAINS FROM HTTPS TRAFFIC SEEN DURING ICEDID INFECTION:

- load4th[.]casa
- sweeteator[.]best
- plutiasitop[.]top