malware_traffic

2020-10-27 (Tuesday) - TA551 (Shathak) Japanese-language Word docs with macros for IcedID

NOTE:

- All of today's Word docs used a Japanese-language template.

CHAIN OF EVENTS:

- malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID DLL

18 EXAMPLES OF TA551 WORD DOCS WITH MACROS (SHA256 hash, file name):

- ea065175ef6a0454ad5fd8463e5ae31ba93c9f4cbf341c8ee0ed5708bea0d5ae adjure-10.20.doc
- 8365f422960511f3ad83dcb877f017b2386a25f33639f894f4bf166d4470434f certificate 10.20.doc
- 5d47bcb8c571e7f784c22cc3ee640dd59750537e219dc6e2beb645eef9dbf37a certificate.10.20.doc
- c6ac3e232fd9ad0bb4be599e31531a29c186334a0adde94c65cd36f75fff0dbe charge-10.20.doc
- 04cd2e745b64648d70ff159efccd46082fcfbe585014b8d90b769a229aac227b commerce .10.27.2020.doc
- 71a680865e6d4eb1acee77a3ae4b8cf03dfb8b3df97f92401d210b73b845404a details,10.20.doc
- 6346bceb0b37a62e8811451eed21512a9e178ce3e0842247893c2e762bb84c15 direct_10.20.doc
- ce7e29a63e5708fe079cd2af8714fb8b98a0a076f570dc7ddd66c53ad3955886 documents-10.20.doc
- 9534926e784013025e1febc229f9cf424d99acf517ddbec50dad5bf85787a590 figures,10.27.2020.doc
- 043e9f2bd568cf3d3a6cbf02bb6b09e2264696b5d5c1b602c5148a405e3d6f48 instruct 10.20.doc
- 6a7a959ba0929ee1a7b58b27b128ec7686021f24a339fcfdabcb2aa96e304948 intelligence.10.27.20.doc
- ba0bd92667586990beef3d0b88105404eba6de54b7c5eba5417e6b825adb94d8 ordain 10.20.doc
- 0096cd669a833d0a09a8d7f7577f45024c9ef3f150dec83242a2e56f8047abea ordain.10.20.doc
- a71465cb2160b2f79d9fcdce4445afbc57af7d5a7698d162c9819517be3a0440 particulars,10.27.20.doc
- 34b100faba875e8aa4cb7250929827ecc9cb581c748723105a6bdd037c860807 prescribe ,10.20.doc
- 8574334c36df9f1299ebf7cbe21fe7d0cc4418303177d06d2e872147637ee23e question.10.27.20.doc
- 0ed641d4c87f6c2fc2ce99dc599bcd23a6170a98a1c10930722fa8735797ce11 rule_10.20.doc
- 783d6b61817c8c90cf67866db5cacc4ecf2e5eb7c7e1f5bd61bc67289f893263 specifics,10.27.2020.doc

AT LEAST 4 DOMAINS HOSTING THE INSTALLER DLL (domain - IP address):

- moon6651[.]com - 45.128.207[.]209
- space7873[.]com - 185.246.67[.]7
- ticket6798[.]com - 185.159.129[.]88
- virtual9408[.]com - 54.38.60[.]5

GET REQUESTS FOR INSTALLER DLL (the middle of the path is one or more random alphabetic strings with underscores, separated by forward slashes; the final token tbqxjN was seen with N from 1 to 12):

- GET /update/[random alphabetic string with forward slashes and underscores]/tbqxj1
- GET /update/[random alphabetic string with forward slashes and underscores]/tbqxj2
- GET /update/[random alphabetic string with forward slashes and underscores]/tbqxj3
- GET /update/[random alphabetic string with forward slashes and underscores]/tbqxj4
- GET /update/[random alphabetic string with forward slashes and underscores]/tbqxj5
- GET /update/[random alphabetic string with forward slashes and underscores]/tbqxj6
- GET /update/[random alphabetic string with forward slashes and underscores]/tbqxj7
- GET /update/[random alphabetic string with forward slashes and underscores]/tbqxj8
- GET /update/[random alphabetic string with forward slashes and underscores]/tbqxj9
- GET /update/[random alphabetic string with forward slashes and underscores]/tbqxj10
- GET /update/[random alphabetic string with forward slashes and underscores]/tbqxj11
- GET /update/[random alphabetic string with forward slashes and underscores]/tbqxj12

EXAMPLES:

- GET /update/SMWPRGgVrUkFbZPpQxZIItpHRzrV/XNzFe/tbqxj1
- GET /update/xtJLxerFWqJeOqxsRlVbRXSrgSkmfIZybmvePQYUTvIODzmHfO/yKE/tbqxj2
- GET /update/m_POYFUTKfHUgFzEMFzXshqbKj_kWdLpJRVQqLMZNHJvVAkuZq/fTOHqQsZgcgdR_RLTLFTwHcVjWTEa/tbqxj3
- GET /update/FGwAGrrKkUzTfd_pvGWqExvrgijQIZCcgbdKfcJwmjEKvhYQGSQNxAmzQZRPVQjlDZ_ApRrVMlSsZ_KXE/tbqxj4
- GET /update/jzAZdqNV/qLptGYPUQNrsuJIRXwGRLCwAxQyArEwOh_KzdF_LQIvwNOtTevfptmRhPRPcEqb/tbqxj6
- GET /update/holebHDRTyvjHNCKIKWprLWNKAJfLiGsXgYsmdCsKI_/tbqxj8
- GET /update/XGPogQbgsafkUhgIq_F_zwm/nO/xVhnc/hturStjSm/tbqxj9
- GET /update/qqOQccpolFmwCmTnTmURcfZPByI_lqzPNvPfTfvLQjqdJtpOYeWT/WRFlVYjJTKqWAf_KhCjsSselY/tbqxj12

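The URI structure above is regular enough to catch with one expression. The following Python is an added example (not part of the original paste) that encodes the observed structure (/update/, one or more alphabetic-plus-underscore segments separated by forward slashes, then tbqxj followed by a number) and runs it over a proxy-log sample. The log line format, client IPs, timestamps and the two benign lines are constructed for illustration; the matching URIs are taken from the examples listed above. The numeric suffix is allowed one or two digits rather than only the 1..12 seen on this day, so the pattern generalizes slightly beyond the page.

```python
import re

# Observed shape: /update/<segment>/<segment>/.../tbqxj<N>
# Segments contain only letters and underscores and are split by forward slashes.
# The paste shows N from 1 to 12; \d{1,2} is a deliberate widening (assumption).
TA551_DLL_URI = re.compile(r"^/update/(?:[A-Za-z_]+/)+tbqxj(?P<n>\d{1,2})$")


def match_ta551_uri(uri):
    """Return the tbqxj index as an int when the URI matches, otherwise None."""
    m = TA551_DLL_URI.match(uri)
    return int(m.group("n")) if m else None


# Constructed proxy-log sample (not real traffic): timestamp, client, method, host, URI, status.
# Lines 1, 2 and 4 reuse URIs from the paste; lines 3 and 5 are benign look-alikes.
SAMPLE_LOG = """\
2020-10-27T10:01:02Z 10.0.0.5 GET moon6651.com /update/SMWPRGgVrUkFbZPpQxZIItpHRzrV/XNzFe/tbqxj1 200
2020-10-27T10:01:03Z 10.0.0.5 GET space7873.com /update/xtJLxerFWqJeOqxsRlVbRXSrgSkmfIZybmvePQYUTvIODzmHfO/yKE/tbqxj2 200
2020-10-27T10:01:05Z 10.0.0.7 GET www.example.com /update/check?v=3 200
2020-10-27T10:01:06Z 10.0.0.5 GET ticket6798.com /update/holebHDRTyvjHNCKIKWprLWNKAJfLiGsXgYsmdCsKI_/tbqxj8 200
2020-10-27T10:01:07Z 10.0.0.9 GET cdn.example.org /update/tbqxj99 200
"""


def scan_log(text):
    """Return (client, host, uri, index) for every log line whose URI matches."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than crash
        _ts, client, _method, host, uri = parts[:5]
        n = match_ta551_uri(uri)
        if n is not None:
            hits.append((client, host, uri, n))
    return hits


if __name__ == "__main__":
    for client, host, uri, n in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host} {uri} (tbqxj{n})")
```

The regex anchors on the static pieces (the `/update/` prefix and the `tbqxj` token) and constrains the random part to the character class actually seen, so `/update/check?v=3` and a bare `/update/tbqxj99` with no middle segment do not match. Pair a hit with the host list above before treating it as confirmed.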
5 EXAMPLES OF INSTALLER DLLS (SHA256):

- d14bb95a4d6e4d39c5d6d6ff49f5e057c1ecd039c56ce8e0a9befaac109109c1
- e78cec26b2161c90b29869ab28fe59fc8224de56dc231cb7164bfbb043642f87
- 57c343fea2c50431d4193ca7fec8543377e2b13fd26bf88ba0cd86f39efd8ebb
- dbf7c332a6f9e08aa4d508dd3bc004cb3089d5eeb6c5fc105c18d6920f2ecc36
- f48c86c1b8852dbbc17c494a64641769a6e37bbcb5a185f120a017b1f183b278

LOCATION FOR THE INSTALLER DLL FILES:

- C:\Users\public\12345.txt (the DLL is written with a .txt extension)

DLL RUN METHOD:

- regsvr32.exe [filename] (regsvr32 loads the file as a DLL regardless of its extension, so the .txt name does not prevent execution)

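A host-side check for the run method above, as an added example that is not part of the original paste: it flags regsvr32 launches whose target has a non-DLL extension or sits under C:\Users\Public, and, as an extra assumption not stated in the paste, notes when the parent is a macro-capable Office process. Field names follow Sysmon process-creation events (Image, CommandLine, ParentImage); the three records are constructed, with the first modelled on the path and command shown above and the other two standing in for a legitimate installer and an unrelated suspicious launch.

```python
import re
import ntpath

# Constructed Sysmon-style process-creation records (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe C:\Users\public\12345.txt",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
    {"Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r"REGSVR32 /S C:\Users\Public\Documents\x.jpg",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Extensions regsvr32 is normally handed; anything else is worth a look (assumption).
REGSVR32_EXT_OK = {".dll", ".ocx", ".ax"}
# Macro-capable Office hosts; the paste only shows Word, the rest is an assumption.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def regsvr32_targets(cmdline):
    """Return the non-switch arguments of a regsvr32 command line, quotes stripped."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)[1:]  # drop the image token itself
    return [t.strip('"') for t in tokens if not t.startswith("/")]


def classify(event):
    """Return the reasons this event resembles the regsvr32 loader pattern (empty if none)."""
    if ntpath.basename(event["Image"]).lower() != "regsvr32.exe":
        return []
    reasons = []
    for target in regsvr32_targets(event["CommandLine"]):
        low = target.lower()
        ext = ntpath.splitext(low)[1]
        if ext not in REGSVR32_EXT_OK:
            reasons.append(f"non-DLL extension {ext or '(none)'}: {target}")
        if low.startswith(r"c:\users\public"):
            reasons.append(f"loaded from C:\\Users\\Public: {target}")
    parent = ntpath.basename(event["ParentImage"]).lower()
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office process {parent}")
    return reasons


def hunt(events):
    """Return (command line, reasons) for every event with at least one reason."""
    results = []
    for event in events:
        reasons = classify(event)
        if reasons:
            results.append((event["CommandLine"], reasons))
    return results


if __name__ == "__main__":
    for cmdline, reasons in hunt(EVENTS):
        print(cmdline)
        for r in reasons:
            print("   ", r)
```

The first record trips all three checks, which is the combination this campaign produces; the plugin install trips none; the third shows that the extension and location checks stand on their own when the parent is not Office. Tune the allow-list and path prefix to the environment before alerting on it.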
HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL (legitimate sites; useful for correlation, not for blocking):

- port 443 - support.microsoft[.]com
- port 443 - www.intel[.]com
- port 443 - support.apple[.]com
- port 443 - support.oracle[.]com
- port 443 - www.oracle[.]com
- port 443 - help.twitter[.]com

AT LEAST 1 URL FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:

- 167.71.234[.]172 port 443 - zomboboxer[.]top - GET /background.png

2 EXAMPLES OF SHA256 HASHES FOR ICEDID DLLS CREATED BY INSTALLER:

- 0a150760e79eec44b344843de116abacb0244a229b4d10dbb8897ea742dc6b63 (initial)
- 39d216bc849e4fc5a9f960b72f882bc95e18787028852243ed26b772239a2f0b (persistent)

HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ICEDID DLL FILES (all on the same IP address):

- 188.166.82[.]172 port 443 - maseratipirosh[.]top
- 188.166.82[.]172 port 443 - tyrek87[.]cyou
- 188.166.82[.]172 port 443 - fodsijjire[.]cyou
- 188.166.82[.]172 port 443 - rivercoockinh[.]cyou
- 188.166.82[.]172 port 443 - hdfouter[.]pw