malware_traffic

2020-10-20 (Tuesday) - TA551 (shathak) Word docs push IcedID

Oct 21st, 2020
2020-10-20 (TUESDAY) - TA551 (SHATHAK) WORD DOCS WITH MACROS FOR ICEDID:

CHAIN OF EVENTS:

- malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID malware

20 EXAMPLES OF TA551 WORD DOCS WITH MACROS:


AT LEAST 9 DOMAINS HOSTING THE INSTALLER DLL:


URLS FOR INSTALLER DLL:

- GET /_bxlzcpjlmpxlkzblf_zhlsplspz/wtlmwrqnnxfwgzzlkvzdbvnp_mphdqpggxfljvffj_.php?l=chfon1.ppt&lhe=[20 character string]

- NOTE 1: URLs used chfon1.ppt through chfon15.ppt
- NOTE 2: the 20 character string at the end is random lower-case alphanumeric characters and underscores

Examples:

- hxxp://bsls9ny[.]com/_bxlzcpjlmpxlkzblf_zhlsplspz/wtlmwrqnnxfwgzzlkvzdbvnp_mphdqpggxfljvffj_.php?l=chfon4.ppt&lhe=hcqjvtfezhsogtrdxdfs

- hxxp://rbjh933kw0xx65x8[.]com/_bxlzcpjlmpxlkzblf_zhlsplspz/wtlmwrqnnxfwgzzlkvzdbvnp_mphdqpggxfljvffj_.php?l=chfon1.ppt&lhe=vowttxwamytebmdqfkcv

- hxxp://cte64uc3ede65oq[.]com/_bxlzcpjlmpxlkzblf_zhlsplspz/wtlmwrqnnxfwgzzlkvzdbvnp_mphdqpggxfljvffj_.php?l=chfon8.ppt&lhe=wmwelbfp_ob_pqjchbrl

- hxxp://g33r59eug[.]com/_bxlzcpjlmpxlkzblf_zhlsplspz/wtlmwrqnnxfwgzzlkvzdbvnp_mphdqpggxfljvffj_.php?l=chfon11.ppt&lhe=sjroljhppkmvgi_q_hfm

- hxxp://p4uk749i8t6vay[.]com/_bxlzcpjlmpxlkzblf_zhlsplspz/wtlmwrqnnxfwgzzlkvzdbvnp_mphdqpggxfljvffj_.php?l=chfon6.ppt&lhe=cgxnmmztlqrsgthykcgj
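As an added illustration (not part of the original paste), a small Python matcher for the installer-DLL URL pattern above, run over a constructed proxy log. The log format and client IPs are hypothetical; the refang helper undoes the hxxp:// and [.] notation used in this paste so the URLs parse.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Installer-DLL request pattern as documented above: fixed path,
# l=chfon1.ppt .. chfon15.ppt, lhe=20 lower-case alphanumerics/underscores.
INSTALLER_PATH = ("/_bxlzcpjlmpxlkzblf_zhlsplspz/"
                  "wtlmwrqnnxfwgzzlkvzdbvnp_mphdqpggxfljvffj_.php")
L_PARAM = re.compile(r"chfon(?:[1-9]|1[0-5])\.ppt")
LHE_PARAM = re.compile(r"[a-z0-9_]{20}")


def refang(url):
    """Undo the hxxp:// and [.] defanging used in the paste so the URL parses."""
    return url.replace("hxxp://", "http://").replace("[.]", ".")


def matches_installer_url(url):
    """True if the (possibly defanged) URL fits the TA551 installer-DLL pattern."""
    parts = urlsplit(refang(url))
    if parts.path != INSTALLER_PATH:
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    l_vals, lhe_vals = qs.get("l", []), qs.get("lhe", [])
    return (len(l_vals) == 1 and len(lhe_vals) == 1
            and L_PARAM.fullmatch(l_vals[0]) is not None
            and LHE_PARAM.fullmatch(lhe_vals[0]) is not None)


def scan_proxy_log(lines):
    """Return (client_ip, host) for each matching GET in a constructed
    '<client_ip> <method> <url> <status>' log (hypothetical format)."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4 or fields[1] != "GET":
            continue
        if matches_installer_url(fields[2]):
            hits.append((fields[0], urlsplit(refang(fields[2])).hostname))
    return hits


# Constructed sample log: two hits built from the paste's URL pattern, one with
# an lhe value that is too short, one wrong path, one chfon index out of range.
SAMPLE_LOG = [
    "10.1.2.3 GET hxxp://bsls9ny[.]com" + INSTALLER_PATH + "?l=chfon4.ppt&lhe=hcqjvtfezhsogtrdxdfs 200",
    "10.1.2.7 GET hxxp://cte64uc3ede65oq[.]com" + INSTALLER_PATH + "?l=chfon8.ppt&lhe=wmwelbfp_ob_pqjchbrl 200",
    "10.1.2.9 GET hxxp://bsls9ny[.]com" + INSTALLER_PATH + "?l=chfon4.ppt&lhe=short 404",
    "10.1.2.9 GET hxxp://bsls9ny[.]com/other.php?l=chfon4.ppt&lhe=hcqjvtfezhsogtrdxdfs 200",
    "10.1.2.9 GET hxxp://bsls9ny[.]com" + INSTALLER_PATH + "?l=chfon16.ppt&lhe=hcqjvtfezhsogtrdxdfs 200",
]

if __name__ == "__main__":
    print(scan_proxy_log(SAMPLE_LOG))
```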

10 EXAMPLES OF INSTALLER DLL FILES:


EXAMPLES OF LOCATIONS FOR THE INSTALLER DLL FILES:

- C:\Users\Public\EyeuD.txt
- C:\Users\Public\gOYgv.txt
- C:\Users\Public\HlGKL.txt
- C:\Users\Public\HsESD.txt
- C:\Users\Public\LYpDf.txt
- C:\Users\Public\PevXe.txt
- C:\Users\Public\wNkeO.txt

INSTALLER DLL RUN METHOD:

- regsvr32.exe [filename]

HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLLS:

- port 443 - support.oracle.com
- port 443 - www.oracle.com
- port 443 - support.apple.com
- port 443 - support.microsoft.com
- port 443 - help.twitter.com

AT LEAST 2 DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:

- 46.101.0[.]125 port 443 - loadcessna[.]asia - GET /background.png
- 46.101.0[.]125 port 443 - loadnelliko[.]click - GET /background.png

2 EXAMPLES OF SHA256 HASHES FOR ICEDID MALWARE DLL CREATED BY INSTALLER:

- ba4253b54cb921073ad49e34cf931ca6f1bcdd79a53366f36240d42b7f132ccb (initial)
- dc376b4c1d4acbdd5101df5d51bac34cc147b6fd499d741bc68145016fb3c574 (persistent)

ICEDID DLL RUN METHOD:

- regsvr32.exe /s [filename]

HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ICEDID MALWARE DLL FILES:

- 159.65.114[.]23 port 443 - filopipilo[.]top
- 159.65.114[.]23 port 443 - familyfromforrest[.]club
- 159.65.114[.]23 port 443 - fihokiliopo[.]pw
- 159.65.114[.]23 port 443 - millogorillo[.]pw
- 159.65.114[.]23 port 443 - mishagrisha[.]top