2020-06-24 (Wednesday): Valak activity - Soft_sig: mad35

1. 2020-06-24 (WEDNESDAY): VALAK ACTIVITY - SOFT_SIG: MAD35
2.  
3. NOTE:
4.  
5. - As usual from a US location, I got IcedID (Bokbot) as the follow-up malware
6.  
7. EXAMPLES OF WORD DOCS WITH MACROS FOR VALAK:
8.  
9. - 7e2ae571fd689bff2673097c92a334e0032f87274fbacb7dc5580ac3da51eb97 adjure,06.24.2020.doc
10. - de92bed55173005abc2336c8ac0261ae08f33769f5d9ebb9dd9d24d312e5b32c adjure_06.20.doc
11. - 5285083f25a2b285aa08bcbfef6e189b826ed3889bc76f50be38deea0f42e695 bid 06.20.doc
12. - 3f25d2c2039a2658d5846f4a2eef0294b91b430e7622fe883e35163b9e166995 charge 06.20.doc
13. - c65fd1f06f54ddb8156eb2e7b09c58c14329234b48fa879f4d59631c3f6976e9 commerce -06.20.doc
14. - 629ce9a17b978471c1740d0a2931f5043c3e51f52ec5dc351019255f4161d266 commerce _06.20.doc
15. - bec6c619dd6514ecbc6b8b66dc833576de3fbbbbd5a99551add6c7acc87174b8 document.06.20.doc
16. - cfced51dd1f230397d0d498f15587f93a5409a14b6d332c9398750258c4782e1 document_06.20.doc
17. - 7f86bef0240110c979d04e50f8911aaca607ad9a1041b4ecff0a025365f95500 documents.06.24.2020.doc
18. - 7f44765f5a4ceea218564770e10b399ae5d96660fea1ffde04dff3b454959fc4 file 06.20.doc
19. - 17dd8ba7deac9a0efd89ec7bf3c3ed72c05e35dea2494e92a17d9d6808795320 file 06.24.20.doc
20. - 084df2038f17b7baf3f9feec455cb5280dea237a5643d824a060c6f3078c871c file-06.20.doc
21. - c84df62a03548cab7532e3e7ad0ad012b869558d833900916986f898b6e1310d instrument indenture-06.24.2020.doc
22. - d5bcc6f4dace1429b02acf1c8999a9f68127d5aaab985cb4d555e0d7c0ae80c8 legal paper 06.24.20.doc
23. - a7fdf5fe6f3b1c5a3ac529ca19b479e78465f957b06e5de0e0b41c351f1966c8 legislate-06.20.doc
24. - ad919a28ec0f166b356b5b4873952a479655dd524cc6895feed5afb25b4a24a2 material,06.24.2020.doc
25. - cfaab7a4f5d1c4ea47c6f44cd9e2ebb620a2c9561dbe3e244f7e7a9a5311de00 material.06.20.doc
26. - d43312c67cf6faa84efabd89d3c87e6dc4e107ba673cc03a6c3303e18e015eaf particulars 06.24.2020.doc
27. - 53da1a9d1ceb735c58571327c79aa67a49bdff71ad766e38677f14fe041b92e8 particulars.06.20.doc
28. - 931e10ef0a41c709de57181248e6b727ad20cf5ff57d7b3cc027e7383e90bbdb specifics_06.20.doc
29.  
30. DOMAINS HOSTING THE INITIAL VALAK DLL:
31.  
32. - a9nq0z[.]com
33. - e7xfxb[.]com
34. - ihgd1u[.]com
35. - gma7im[.]com
36. - gx6995[.]com
37. - mbzrrt[.]com
38. - w0j3oq[.]com
39.  
40. URLS FOR THE INTIAL VALAK DLL:
41.  
42. - GET /unbbmevd/d76.php?l=ftywl1.cab
43. - GET /unbbmevd/d76.php?l=ftywl2.cab
44. - GET /unbbmevd/d76.php?l=ftywl3.cab
45. - GET /unbbmevd/d76.php?l=ftywl4.cab
46. - GET /unbbmevd/d76.php?l=ftywl5.cab
47. - GET /unbbmevd/d76.php?l=ftywl6.cab
48. - GET /unbbmevd/d76.php?l=ftywl7.cab
49. - GET /unbbmevd/d76.php?l=ftywl8.cab
50. - GET /unbbmevd/d76.php?l=ftywl9.cab
51. - GET /unbbmevd/d76.php?l=ftywl10.cab
52. - GET /unbbmevd/d76.php?l=ftywl11.cab
53. - GET /unbbmevd/d76.php?l=ftywl12.cab
54.  
55. EXAMPLES OF INITIAL VALAK DLL:
56.  
57. - 0f0d870fcad3e935d191e4076bfdc3812c278c3bdb6ec2233d71d9cf14a04a17 C:\ProgramData\40060179.dat
58. - 59b5aaa1b9d1225610007636ef70dec8f0f1889661d12690d02494718f7df54b C:\ProgramData\51508.jpg
59. - e229806eefc3c76ed0a917969928ddce461a4e3934f9cb331f12b4d9c1ad6826 C:\ProgramData\51508.jpg
60. - 73872d1c97da41772d51fec33613cc1de32b27b43ec5135d1a1c357de5fb9d77 C:\ProgramData\23196138.dat
61. - 1bd323c57344a8b38ac22ceec92707ba3b6a30d29b66fc32e163649ea7de8a0f C:\ProgramData\29757.jpg
62. - 59b5aaa1b9d1225610007636ef70dec8f0f1889661d12690d02494718f7df54b C:\ProgramData\33060.jpg
63. - 8ce9c42220de87bf0dedab305d7874d286726ac18bae834c80e0d6eba8438df7 C:\ProgramData\35604.jpg
64. - 481659d344a246a19eb516b01ea71e074e893f6ab4ba9de11c24fba15a8ec9fc C:\ProgramData\48041329.dat
65. - 659812b78542044d9ebb46743ecda037762a71a49f05322d5fa9bd8b3337d0d4 C:\ProgramData\49988373.dat
66. - 59b5aaa1b9d1225610007636ef70dec8f0f1889661d12690d02494718f7df54b C:\ProgramData\51508.jpg
67. - 59b5aaa1b9d1225610007636ef70dec8f0f1889661d12690d02494718f7df54b C:\ProgramData\56446.jpg
68. - be14ed801453c78d6c80992705cfe0e7eb03f808d2b28704ffa2925cdc46fdc9 C:\ProgramData\77994156.dat
69. - 8421811ca6b95b3a4f3610184af94f4295a57cc7aaca20062dd42acd76186733 C:\ProgramData\83511024.dat
70.  
71. RUN METHOD FOR VALAK DLL:
72.  
73. - regsvr32.exe -s [filename]
74. - Can also be done using: rundll32.exe [filename],DllRegisterServer
75.  
76. INITIAL SCRIPT FILE DROPPED FOR VALAK INFECTION:
77.  
78. - 88f34842ffadf864ff44e4f3b28fc2a3e4614d0e2e4f836f140d12d3121568c2 C:\Users\Public\mUDSqcHQn.pAnNR
79.  
80. DECOY DOMAINS FOR VALAK POST-INFECTION TRAFFIC:
81.  
82. - e87.dspb.akamaidege[.]net
83. - insiderppe.cloudapp[.]net
84. - pagead46.l.doubleclick[.]net
85.  
86. MALICIOUS DOMAINS FOR VALAK POST-INFECTION TRAFFIC:
87.  
88. - thepicklepilot[.]com
89. - joonaskallinen[.]com
90. - xfitnessproducts[.]com
91. - 59xidd-fuel[.]com
92. - 19geds-space[.]com
93. - 55sfors-cask[.]com
94.  
95. VALAK EXE HIDDEN VIA ADS AND MADE PERSISTENT THROUGH SCHEDULED TASK:
96.  
97. - a2e683ed3b00ce43517b0ffa99177b19e18ab4c0a27198082e2197801f22b0ed C:\Users\Public\WSUDIAG.EVTX:80cfabcd
98. - a2e683ed3b00ce43517b0ffa99177b19e18ab4c0a27198082e2197801f22b0ed C:\Users\Public\WSUDIAG.EVTX:9c31fd9d
99.  
100. INITIAL ICEDID EXE FOUND ON VALAK-INFECTED HOST:
101.  
102. - 9ef0f3b08d66a83ca24735016556964efad5c50023d9638bf94e45d9a29febbf C:\Users\[username]\AppData\Local\Temp\~5394765.exe
103.  
104. ICEDID PERSISTENT ON INFECTED WINDOWS HOST:
105.  
106. - 39a9cd9816d520124a30a2d623a105c5cbb8f66c2de21650153a46642801091e C:\Users\[username]\AppData\Local\Xurare3\bodads.exe
107.  
108. DOMAINS FROM HTTPS TRAFFIC SEEN DURING ICEDID INFECTION:
109.  
110. - load4th[.]casa
111. - sweeteator[.]best
112. - plutiasitop[.]top