API tools faq
paste
malware_traffic

2020-10-28 (Wednesday) - TA551 (Shathak) Japanese language Word docs with macros for IcedID

malware_traffic
Oct 29th, 2020
8,547
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.40 KB | None | 0 0
raw download clone embed print report
  1. 2020-10-28 (WEDNESDAY) - TA551 (SHATHAK) JAPANESE LANGUAGE WORD DOCS WITH MACROS FOR ICEDID:
  2.  
  3. CHAIN OF EVENTS:
  4.  
  5. - malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE
  6.  
  7. 14 EXAMPLES OF TA551 WORD DOCS WITH MACROS:
  8.  
  9. - df46960cb16b749c69d536c501c4ad51ded4c7f44d4586d5cce1a195bcfb7f52 document 10.28.2020.doc
  10. - 052c625996d17ea0d44107e675e867b14dc99ec76a64899f139a5023b1c1c63e figures_10.20.doc
  11. - 4c0fb50c49de9af1c87568777b653e41ba8152e2c41274111f81edd8c6f3d967 input,10.20.doc
  12. - 100dbae93e04c083b140a635e1701c0e4a84e640be2a8512edee213457e9ec26 legal paper,10.28.2020.doc
  13. - 4947bfccb80f14b758557dc6fa3e3bc28c543008f1d28b20e49c22c07beebd2a official paper_10.28.20.doc
  14. - c8f62e247bcbc8a7ac0e0aa80eb8a1022ba962dfe2edfb590a96aa7182b650f4 official paper,10.20.doc
  15. - 298c8430256aa6ae6ffca1d6d264b0d2d94d46ba778b6ebb8e2ba1e3031b6ff5 ordain-10.28.2020.doc
  16. - 923af0c7f838b3adaaf2aa1350e32b8348bdbf1827ab0081c455ec221e037b5a ordain_10.20.doc
  17. - 3a3a9116102f27898fdd83e4754fe5fb11a3fb490cdd739907dd2e4d654684b4 particulars-10.28.2020.doc
  18. - d4a522beaff1e77b2a624af43177bd2e36e9def82b8d3e3afc068bbd79bb5d64 prescribe .10.28.20.doc
  19. - e8c809c729f14b35f0b014bb153aa6a29f329a47fb6ccdebf59b33988b181840 rule,10.28.2020.doc
  20. - 18b7ed2e5f8e0565291abacffedc9720d911200134091991a08b8d3ac2efe158 specifics-10.20.doc
  21. - 8faeb2b3a5ee7d05dfd15b9ac3a3798ef95667dc201033141891ff58a037f1b1 specifics,10.20.doc
  22. - 29053c91ac590151daa8fd7be9f6cb98f550a5f8ed91e42e90758fde98451c2f statistics-10.28.2020.doc
  23.  
  24. AT LEAST 6 DOMAINS HOSTING THE INSTALLER DLL:
  25.  
  26. - fade9400[.]com - 185.62.103[.]99
  27. - monster2064[.]com - 193.201.126[.]41
  28. - smooth8490[.]com - 81.29.143[.]137
  29. - space7873[.]com - 185.246.67[.]7
  30. - spot6327[.]com - 54.38.60[.]5
  31. - wild2486[.]com - 93.189.42[.]107
  32.  
  33. URLS FOR INSTALLER DLL:
  34.  
  35. - GET /update/GNg_gGJJQEELTaDBrzLev_GtTHMuY/EVZ_bl_DAURGKvMtYQlvPWhDlfjeBxHDlN/csyj1
  36. - GET /update/RQkTjtRH_SlEzPgTHZEIYIHCrx_ItKOesuxaw/lpJZIoSpVyWjWTYolLGjTKFZFEpf/fniYgIjLPr/csyj1
  37. - GET /update/lkddfjowlwiOIWEj/csyj2
  38. - GET /update/YerSnQzOhmTOcpndQGfKBSsdsq_HxLHQZzm/csyj2
  39. - GET /update/djMqKxc_BZCF_BJIRmjKmdcihghiSj/qE_iwuwuwuwu/csyj2
  40. - GET /update/jK/cfDbu_uGbvSBvQVduMnFOOvFsMhkRKipAmlDMhuJvQBFKcpLCTMSDpFGSqrrrJpIgO/csyj2
  41. - GET /update/EHZZbZqgSRXJYwcNsqpKXJOgs_blSyKNHsDOCgQoF/csyj3
  42. - GET /update/zKTq/lJwLxJqQgsVjUQfLF/qhZxTwcCCdTjF/DwFWVXNkrZFpwmqcbN/mbVRwspbQZMLrlWmIPG/csyj5
  43. - GET /update/sc/WKOKYVQSqhgUAczW/OtL/kjdxRVJjVzKjPiqYMkXU_YmDbbYehshVYVx/TnpMFcgK/hrfvLEj/csyj6
  44. - GET /update/IyArlmEnb/QZPZqwK/hLDaRcEdhBcC/SvekG/wwFVZwpFvIc_K_W/DfQWgPuzEdbrSTUOdAPWbVKrk/csyj8
  45. - GET /update/djMqKxc_BZCF_BJlRmjKmdcihghiSj/wJuzcnBhc/MD/qE_ZWFKbwfWZMCCWgfHU_DNxAcBRlHncRHr/csyj9
  46.  
  47. 9 EXAMPLES OF INSTALLER DLLS:
  48.  
  49. - 0d9e37f606cdad29cd4597f30a2b77b33bed16de9854db0c8914240cc6f73a12
  50. - 507d78bd65364f63a854604fd97321403e4dc43d1517baec24da8ec231adf456
  51. - 54dca9845df87267ca0dee48f8cb7d24df8756e04974ebc26db59ec6566d8a00
  52. - 95cb65f38627923b19b54148a2c848a9c06a1f329b437deefdaa7d66edd12d9e
  53. - 98349371cda4e1ff6b41bc73a83105876c01ec4c85a5415e4acc22752c8b96f6
  54. - a50b59f7acf0b334e5157e655dc3a8aa61c7cdf6ecf50e55fcca5a39153a579f
  55. - a683de41288a3655a95ffd5e61743211077eff9acebbf129e7614a064b9bfbf4
  56. - c9fb4ff0bd9eefbdb77a43a2098b4b1332225392bc38d21a0181f9faf57e92dd
  57. - cc0439a0b3312d3843bc920000218079f7bffbab020df10f7a2eb3e33753ad29
  58.  
  59. LOCATION FOR THE INSTALLER DLL FILES:
  60.  
  61. - C:\Users\public\12345.txt
  62.  
  63. DLL RUN METHOD:
  64.  
  65. - regsvr32.exe [filename]
  66.  
  67. HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL:
  68.  
  69. - port 443 - www.intel.com
  70. - port 443 - support.oracle.com
  71. - port 443 - www.oracle.com
  72. - port 443 - support.apple.com
  73. - port 443 - support.microsoft.com
  74. - port 443 - help.twitter.com
  75.  
  76. AT LEAST 1 URL FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:
  77.  
  78. - 167.71.234[.]172 port 443 - zomboboxer[.]top - GET /background.png
  79.  
  80. 2 EXAMPLES OF SHA256 HASHES FOR ICEDID DLL CREATED BY INSTALLER:
  81.  
  82. - 6ac0970d4b2a3ff0a279f1632c28c31f2f3c12e935dc3307d034292aead8a4fc (initial)
  83. - 9d488caa82f902169233f2726c62acccb679adabb5af04a1d7184f0cdc8158f4 (persistent)
  84.  
  85. HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ICEDID DLL FILES (SAME AS YESTERDAY'S SAMPLE):
  86.  
  87. - 188.166.82[.]172 port 443 - maseratipirosh[.]top
  88. - 188.166.82[.]172 port 443 - tyrek87[.]cyou
  89. - 188.166.82[.]172 port 443 - fodsijjire[.]cyou
  90. - 188.166.82[.]172 port 443 - rivercoockinh[.]cyou
  91. - 188.166.82[.]172 port 443 - hdfouter[.]pw
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!