malware_traffic

2020-10-28 (Wednesday) - TA551 (Shathak) Japanese language Word docs with macros for IcedID

Oct 29th, 2020
1,422
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. 2020-10-28 (WEDNESDAY) - TA551 (SHATHAK) JAPANESE LANGUAGE WORD DOCS WITH MACROS FOR ICEDID:
  2.  
  3. CHAIN OF EVENTS:
  4.  
  5. - malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE
  6.  
  7. 14 EXAMPLES OF TA551 WORD DOCS WITH MACROS:
  8.  
  9. - df46960cb16b749c69d536c501c4ad51ded4c7f44d4586d5cce1a195bcfb7f52 document 10.28.2020.doc
  10. - 052c625996d17ea0d44107e675e867b14dc99ec76a64899f139a5023b1c1c63e figures_10.20.doc
  11. - 4c0fb50c49de9af1c87568777b653e41ba8152e2c41274111f81edd8c6f3d967 input,10.20.doc
  12. - 100dbae93e04c083b140a635e1701c0e4a84e640be2a8512edee213457e9ec26 legal paper,10.28.2020.doc
  13. - 4947bfccb80f14b758557dc6fa3e3bc28c543008f1d28b20e49c22c07beebd2a official paper_10.28.20.doc
  14. - c8f62e247bcbc8a7ac0e0aa80eb8a1022ba962dfe2edfb590a96aa7182b650f4 official paper,10.20.doc
  15. - 298c8430256aa6ae6ffca1d6d264b0d2d94d46ba778b6ebb8e2ba1e3031b6ff5 ordain-10.28.2020.doc
  16. - 923af0c7f838b3adaaf2aa1350e32b8348bdbf1827ab0081c455ec221e037b5a ordain_10.20.doc
  17. - 3a3a9116102f27898fdd83e4754fe5fb11a3fb490cdd739907dd2e4d654684b4 particulars-10.28.2020.doc
  18. - d4a522beaff1e77b2a624af43177bd2e36e9def82b8d3e3afc068bbd79bb5d64 prescribe .10.28.20.doc
  19. - e8c809c729f14b35f0b014bb153aa6a29f329a47fb6ccdebf59b33988b181840 rule,10.28.2020.doc
  20. - 18b7ed2e5f8e0565291abacffedc9720d911200134091991a08b8d3ac2efe158 specifics-10.20.doc
  21. - 8faeb2b3a5ee7d05dfd15b9ac3a3798ef95667dc201033141891ff58a037f1b1 specifics,10.20.doc
  22. - 29053c91ac590151daa8fd7be9f6cb98f550a5f8ed91e42e90758fde98451c2f statistics-10.28.2020.doc
  23.  
  24. AT LEAST 6 DOMAINS HOSTING THE INSTALLER DLL:
  25.  
  26. - fade9400[.]com - 185.62.103[.]99
  27. - monster2064[.]com - 193.201.126[.]41
  28. - smooth8490[.]com - 81.29.143[.]137
  29. - space7873[.]com - 185.246.67[.]7
  30. - spot6327[.]com - 54.38.60[.]5
  31. - wild2486[.]com - 93.189.42[.]107
  32.  
  33. URLS FOR INSTALLER DLL:
  34.  
  35. - GET /update/GNg_gGJJQEELTaDBrzLev_GtTHMuY/EVZ_bl_DAURGKvMtYQlvPWhDlfjeBxHDlN/csyj1
  36. - GET /update/RQkTjtRH_SlEzPgTHZEIYIHCrx_ItKOesuxaw/lpJZIoSpVyWjWTYolLGjTKFZFEpf/fniYgIjLPr/csyj1
  37. - GET /update/lkddfjowlwiOIWEj/csyj2
  38. - GET /update/YerSnQzOhmTOcpndQGfKBSsdsq_HxLHQZzm/csyj2
  39. - GET /update/djMqKxc_BZCF_BJIRmjKmdcihghiSj/qE_iwuwuwuwu/csyj2
  40. - GET /update/jK/cfDbu_uGbvSBvQVduMnFOOvFsMhkRKipAmlDMhuJvQBFKcpLCTMSDpFGSqrrrJpIgO/csyj2
  41. - GET /update/EHZZbZqgSRXJYwcNsqpKXJOgs_blSyKNHsDOCgQoF/csyj3
  42. - GET /update/zKTq/lJwLxJqQgsVjUQfLF/qhZxTwcCCdTjF/DwFWVXNkrZFpwmqcbN/mbVRwspbQZMLrlWmIPG/csyj5
  43. - GET /update/sc/WKOKYVQSqhgUAczW/OtL/kjdxRVJjVzKjPiqYMkXU_YmDbbYehshVYVx/TnpMFcgK/hrfvLEj/csyj6
  44. - GET /update/IyArlmEnb/QZPZqwK/hLDaRcEdhBcC/SvekG/wwFVZwpFvIc_K_W/DfQWgPuzEdbrSTUOdAPWbVKrk/csyj8
  45. - GET /update/djMqKxc_BZCF_BJlRmjKmdcihghiSj/wJuzcnBhc/MD/qE_ZWFKbwfWZMCCWgfHU_DNxAcBRlHncRHr/csyj9
  46.  
  47. 9 EXAMPLES OF INSTALLER DLLS:
  48.  
  49. - 0d9e37f606cdad29cd4597f30a2b77b33bed16de9854db0c8914240cc6f73a12
  50. - 507d78bd65364f63a854604fd97321403e4dc43d1517baec24da8ec231adf456
  51. - 54dca9845df87267ca0dee48f8cb7d24df8756e04974ebc26db59ec6566d8a00
  52. - 95cb65f38627923b19b54148a2c848a9c06a1f329b437deefdaa7d66edd12d9e
  53. - 98349371cda4e1ff6b41bc73a83105876c01ec4c85a5415e4acc22752c8b96f6
  54. - a50b59f7acf0b334e5157e655dc3a8aa61c7cdf6ecf50e55fcca5a39153a579f
  55. - a683de41288a3655a95ffd5e61743211077eff9acebbf129e7614a064b9bfbf4
  56. - c9fb4ff0bd9eefbdb77a43a2098b4b1332225392bc38d21a0181f9faf57e92dd
  57. - cc0439a0b3312d3843bc920000218079f7bffbab020df10f7a2eb3e33753ad29
  58.  
  59. LOCATION FOR THE INSTALLER DLL FILES:
  60.  
  61. - C:\Users\public\12345.txt
  62.  
  63. DLL RUN METHOD:
  64.  
  65. - regsvr32.exe [filename]
  66.  
  67. HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL:
  68.  
  69. - port 443 - www.intel.com
  70. - port 443 - support.oracle.com
  71. - port 443 - www.oracle.com
  72. - port 443 - support.apple.com
  73. - port 443 - support.microsoft.com
  74. - port 443 - help.twitter.com
  75.  
  76. AT LEAST 1 URL FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:
  77.  
  78. - 167.71.234[.]172 port 443 - zomboboxer[.]top - GET /background.png
  79.  
  80. 2 EXAMPLES OF SHA256 HASHES FOR ICEDID DLL CREATED BY INSTALLER:
  81.  
  82. - 6ac0970d4b2a3ff0a279f1632c28c31f2f3c12e935dc3307d034292aead8a4fc (initial)
  83. - 9d488caa82f902169233f2726c62acccb679adabb5af04a1d7184f0cdc8158f4 (persistent)
  84.  
  85. HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ICEDID DLL FILES (SAME AS YESTERDAY'S SAMPLE):
  86.  
  87. - 188.166.82[.]172 port 443 - maseratipirosh[.]top
  88. - 188.166.82[.]172 port 443 - tyrek87[.]cyou
  89. - 188.166.82[.]172 port 443 - fodsijjire[.]cyou
  90. - 188.166.82[.]172 port 443 - rivercoockinh[.]cyou
  91. - 188.166.82[.]172 port 443 - hdfouter[.]pw
RAW Paste Data