malware_traffic

2020-09-21 (Monday) TA551 (Shathak) Word docs pushing IcedID

Sep 21st, 2020 (edited)
2020-09-21 (MONDAY) - TA551 (SHATHAK) WORD DOCS WITH MACROS FOR ICEDID:

CHAIN OF EVENTS:

- malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE

12 EXAMPLES OF TA551 WORD DOCS WITH MACROS FOR ICEDID:

- 9f240737183f8b52fc33daa475e11a3fc0655538728e56edc71ff49626549ada certificate 09.20.doc
- 2d2f0a3e263c64c98457a3d4bce8a22d53d1c7f9c2326dcdd1578cb5037587fe commerce -09.21.2020.doc
- 3e12c287478608aafc8ef1abeba25c526863e9e47d78d314cfc20077d73ae653 commerce ,09.20.doc
- 562956706eb0b658fcad5f23d11c4a8670dda18666b04bf7127f9b1ac1be8907 docs.09.21.20.doc
- 2925f852e2fc04c4849b5e47306373837305d9bf003e79ceb08762b505759259 document,09.20.doc
- 0f9ae46bd910f799fd11c5cc46f7c3ffbc0a2f7280cc3fe867b763a5f5f64258 inquiry_09.20.doc
- c37dd0bbd07f3acedf516c07c3fdc023b0ba5082c3959ddda9498fa6c52df09f instrument_indenture,09.20.doc
- ad33adc035c689f4ab8f1d3cd49027b9ef804bb60c9a44bff2be585c02e794b3 legal agreement 09.21.2020.doc
- 749140091ae47c29826a9f92a19381e060eff987299c2eb521f9ce833b2954f2 material_09.20.doc
- c388475c08bcac2336e8b1efdf524d12a6194818e3c8194516b953fba654ac8f prescribe 09.20.doc
- 8e9e0af52ff82cdc71e27bf27b157ef3adc00d3078a949d4deeb16a5e4225874 require 09.21.2020.doc
- c3da3134de3b14d168e4e0f29c7c893ff3920b9d5ed6e566e0e15c4348ad9659 statistics,09.20.doc

AT LEAST 10 DOMAINS HOSTING THE ICEDID DLL:

- csxciyt[.]com - 83.166.214[.]17
- dsb5vd[.]com - 185.159.129[.]44
- f9pv81[.]com - 185.219.40[.]246
- hq1m7wt[.]com - 37.230.117[.]49
- ldzcb4[.]com - 185.135.81[.]234
- lkcij4k[.]com - 185.87.51[.]204
- k21ddmo[.]com - 212.109.221[.]95
- mwd3sq[.]com - 194.31.237[.]38
- q9d2ya[.]com - 80.87.197[.]19
- rb16q6a[.]com - 89.223.100[.]173

URLS FOR ICEDID DLL:

- GET /foqa/kucow.php?l=kofo1.cab
- GET /foqa/kucow.php?l=kofo2.cab
- GET /foqa/kucow.php?l=kofo3.cab
- GET /foqa/kucow.php?l=kofo4.cab
- GET /foqa/kucow.php?l=kofo5.cab
- GET /foqa/kucow.php?l=kofo6.cab
- GET /foqa/kucow.php?l=kofo7.cab
- GET /foqa/kucow.php?l=kofo8.cab
- GET /foqa/kucow.php?l=kofo9.cab
- GET /foqa/kucow.php?l=kofo10.cab
- GET /foqa/kucow.php?l=kofo11.cab
- GET /foqa/kucow.php?l=kofo12.cab
- GET /foqa/kucow.php?l=kofo13.cab
- GET /foqa/kucow.php?l=kofo14.cab
- GET /foqa/kucow.php?l=kofo15.cab
- GET /foqa/kucow.php?l=kofo16.cab
- GET /foqa/kucow.php?l=kofo17.cab
- GET /foqa/kucow.php?l=kofo18.cab

12 EXAMPLES OF ICEDID INSTALLER DLLS:

- 1d916a05e07aa61bb84504cd7cf70e920549dde98a3eafebfde3e13d3137df24
- 2de6bde148b9a42a65f5dae36c903811e56d702d7d319900877f2d5d74273236
- 30ac7415f1cdd5984cdfe15961eb46211c444786c453cfe8525dacd7c76c28b6
- 705e14735da74b107357a676c15b07c0f0c86888b8f98ba86e1029ff4e4858df
- 7c94b78d14c95b438b0af4eb93596c2f7a64d8a9a1b2c9b300f5d4c43661a9b9
- 89e881e0beb8adc93f3b45e835e68355e855d951a44d18153b7f042989b353e0
- 8efa3aea51c2da764f118b7808fa096c3e3a841b676b1e046cdd6ad50cf8af3d
- ad91cc0f5f38735a2a88df59382b93919a0f3112cae592f4a0477e20ef414469
- c24e8099dffe2d9ddebc10b44b6d992043a7a88f0c24bdd7b462e750813dd92e
- c53e0f2ba4d0ff61ed41d31cb5671c96ba8a98afbf32f1e76cd88e5061c20370
- d4daab6448cab62e16091169f451e9b455a3607df6ceabccdd0610473d419a6c
- ea1d92c3d94727066636b93e3cfe85331eb2865e15f86bc20978be99272ddb0d

EXAMPLES OF LOCATIONS FOR THE INSTALLER DLL FILE:

- C:\ProgramData\b467e.pdf
- C:\ProgramData\cbd30.pdf
- C:\ProgramData\dbf1f.pdf
- C:\ProgramData\e325b.pdf
- C:\ProgramData\ff2ac.pdf
- C:\ProgramData\ffadc.pdf

DLL RUN METHOD:

- regsvr32.exe [filename]
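The run method and drop locations above are enough for a host-side check. The following is an added example (my own Python, not code from the original post or from the malware-traffic analysis it summarises): it flags process-creation events where regsvr32.exe is pointed at a file under C:\ProgramData whose extension is not one a registered COM server normally has, such as the .pdf names listed above. The other writable directories, the Office parent process names and the sample events are assumptions, not from the page.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    image: str          # full path of the new process
    command_line: str
    parent_image: str


# Matches the image whether logged as a bare name or a full path.
REGSVR32 = re.compile(r"(?:^|\\)regsvr32(?:\.exe)?$", re.IGNORECASE)
# C:\ProgramData is the drop location seen on this page; the other two are
# assumptions about where macro-dropped payloads commonly land.
WRITABLE_DIRS = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
# Extensions a legitimately registered COM server normally carries.
COM_EXTS = {".dll", ".ocx", ".ax"}
# Assumption: the page says the DLL runs after macros are enabled but does not
# name the parent process, so an Office parent only strengthens the reason.
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")


def split_cmdline(cmd: str) -> List[str]:
    """Split a Windows command line, keeping double-quoted paths together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def regsvr32_target(cmd: str) -> Optional[str]:
    """The file regsvr32 was asked to load: the last argument that is not a
    switch (/s, /u, /n, /i:... or their '-' spellings)."""
    args = split_cmdline(cmd)[1:]
    paths = [a for a in args if not a.startswith(("/", "-"))]
    return paths[-1] if paths else None


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a reason string when the event matches the run method above
    (regsvr32 loading a disguised file from a writable directory), else None."""
    if not REGSVR32.search(ev.image):
        return None
    target = regsvr32_target(ev.command_line)
    if target is None:
        return None
    low = target.lower()
    ext = ntpath.splitext(low)[1]
    if not low.startswith(WRITABLE_DIRS) or ext in COM_EXTS:
        return None
    reason = f"regsvr32 loading {ext or 'extension-less'} file from writable dir: {target}"
    parent = ntpath.basename(ev.parent_image).lower()
    if parent in OFFICE_PARENTS:
        reason += f" (spawned by {parent})"
    return reason


# Constructed sample events; only the b467e.pdf path comes from the page.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe C:\ProgramData\b467e.pdf",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcEvent(r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32 /s "C:\Program Files\Vendor\widget.dll"',
              r"C:\Windows\System32\msiexec.exe"),
    ProcEvent(r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32 /s /n /i:cfg C:\Users\alice\AppData\Local\Temp\ff2ac.dat",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"cmd /c echo C:\ProgramData\e325b.pdf",
              r"C:\Windows\explorer.exe"),
]


def scan(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Index and reason for every event classify() flags."""
    hits = []
    for idx, ev in enumerate(events):
        reason = classify(ev)
        if reason:
            hits.append((idx, reason))
    return hits


if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The check keys on the argument regsvr32 actually loads rather than on the string ".pdf", so a rename of the disguise extension does not evade it; a vendor installer registering a real .dll from Program Files stays quiet.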

AT LEAST 3 DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:

- 142.93.218[.]110 port 443 - ldrphound[.]casa - GET /background.png
- 142.93.218[.]110 port 443 - ldrpeso[.]casa - GET /background.png
- 134.122.55[.]164 port 443 - ldrruble[.]casa - GET /background.png

SHA256 HASHES FOR ICEDID EXE CREATED BY ICEDID INSTALLER (EXAMPLE 1 OF 2):

- 4aa11721ca11223bc5dd7d756c7fe5cc9d2d05d7e20f1e0b66c68fd0d59fb172 (initial)
- 4ab7976b062def0c7c1231e2a8d663c8a2e0c14f305b573dbc0b8ff49d10f3ba (persistent)

HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ABOVE ICEDID EXE FILES:

- 134.122.101[.]157 port 443 - likofedo[.]club
- 134.122.101[.]157 port 443 - doremifasol[.]online
- 134.122.101[.]157 port 443 - 10hesadety[.]pw
- 134.122.101[.]157 port 443 - bcertyou[.]cyou
- 134.122.101[.]157 port 443 - 85.vumbut[.]best

SHA256 HASHES FOR ICEDID EXE CREATED BY ICEDID INSTALLER (EXAMPLE 2 OF 2):

- 5892f7ad0218286a2e52a5eedbea62c80532a70fa51b2d202b38ad2fcf61cedb (initial)
- aa1c66821155d2d77cdc8e114c2b9cdf5bcc5ea35ecfd7d3681e254882080cca (persistent)

HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ABOVE ICEDID EXE FILES:

- 161.35.33[.]38 port 443 - gaagachelo[.]cyou
- 161.35.33[.]38 port 443 - odnovoennbundes[.]cyou
- 161.35.33[.]38 port 443 - obnaprimezert[.]cyou
- 161.35.33[.]38 port 443 - sprbumazna[.]club
- 161.35.33[.]38 port 443 - uragapediculez[.]top

HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLLS:

- port 443 - www.intel.com
- port 443 - support.oracle.com
- port 443 - www.oracle.com
- port 443 - support.apple.com
- port 443 - support.microsoft.com
- port 443 - help.twitter.com
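One way to turn the domain, IP and URL lists on this page into a log check, as an added example that is not part of the original post: it refangs the `[.]` notation, treats every defanged token in the list as an indicator, matches a generalised form of the installer URL (`/foqa/kucow.php?l=kofoN.cab` for any N, which goes beyond the 18 URLs listed and assumes the campaign kept that scheme) and runs constructed proxy/TLS log lines in a made-up format against destination IP, HTTP host and TLS SNI. The legitimate domains in the last section are deliberately left out of the indicator set; the sample includes support.microsoft.com to show it is not flagged.

```python
import re
from typing import List, Set, Tuple
from urllib.parse import urlsplit

# Excerpt of the indicators published on this page, kept defanged as listed.
IOC_TEXT = """
- csxciyt[.]com - 83.166.214[.]17
- dsb5vd[.]com - 185.159.129[.]44
- f9pv81[.]com - 185.219.40[.]246
- 142.93.218[.]110 port 443 - ldrphound[.]casa - GET /background.png
- 134.122.55[.]164 port 443 - ldrruble[.]casa - GET /background.png
- 134.122.101[.]157 port 443 - likofedo[.]club
- 134.122.101[.]157 port 443 - 85.vumbut[.]best
- 161.35.33[.]38 port 443 - gaagachelo[.]cyou
"""

# The page lists kofo1.cab ... kofo18.cab; matching any number is an
# assumption that the campaign kept the same URL scheme.
DLL_URL = re.compile(r"/foqa/kucow\.php\?l=kofo\d+\.cab")
DEFANGED = re.compile(r"\S*\[\.\]\S*")       # only indicators carry [.]
IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def refang(token: str) -> str:
    """Undo the defanging used in published indicator lists."""
    return token.replace("[.]", ".").replace("hxxp", "http")


def load_iocs(text: str) -> Tuple[Set[str], Set[str]]:
    """Return (ip_set, domain_set) from a defanged indicator list."""
    ips: Set[str] = set()
    domains: Set[str] = set()
    for tok in DEFANGED.findall(text):
        tok = refang(tok).lower().strip(".,;")
        (ips if IPV4.fullmatch(tok) else domains).add(tok)
    return ips, domains


# Constructed log lines, assumed format "<ts> <src> <dst>:<port> <detail>",
# where detail is "GET <url>" for plain HTTP or "SNI <name>" for TLS.
SAMPLE_LOG = [
    "2020-09-21T14:02:11Z 10.0.0.5 185.159.129.44:80 GET http://dsb5vd.com/foqa/kucow.php?l=kofo7.cab",
    "2020-09-21T14:02:13Z 10.0.0.5 13.107.42.14:443 SNI support.microsoft.com",
    "2020-09-21T14:02:19Z 10.0.0.5 134.122.101.157:443 SNI likofedo.club",
    "2020-09-21T14:05:40Z 10.0.0.7 203.0.113.9:80 GET http://cdn.example.net/foqa/kucow.php?l=kofo23.cab",
    "2020-09-21T14:06:02Z 10.0.0.7 93.184.216.34:443 SNI example.com",
]


def check_line(line: str, ips: Set[str], domains: Set[str]) -> List[str]:
    """Reasons why one log line matches the indicator set (empty if clean)."""
    parts = line.split(maxsplit=3)
    if len(parts) < 4:
        return []
    dst = parts[2].rsplit(":", 1)[0]
    kind, _, value = parts[3].partition(" ")
    reasons: List[str] = []
    if dst in ips:
        reasons.append(f"dst ip {dst}")
    host = ""
    if kind == "SNI":
        host = value.lower()
    elif kind == "GET":
        host = (urlsplit(value).hostname or "").lower()
        if DLL_URL.search(value):
            reasons.append("IcedID installer URL pattern")
    if host and host in domains:
        reasons.append(f"host {host}")
    return reasons


def scan(lines: List[str], ips: Set[str], domains: Set[str]) -> List[Tuple[int, List[str]]]:
    """1-based line numbers with their match reasons."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        reasons = check_line(line, ips, domains)
        if reasons:
            hits.append((lineno, reasons))
    return hits


if __name__ == "__main__":
    ips, domains = load_iocs(IOC_TEXT)
    for lineno, reasons in scan(SAMPLE_LOG, ips, domains):
        print(f"line {lineno}: {'; '.join(reasons)}")
```

The URL pattern is the most durable of the three checks here: the fourth sample line hits on the path alone from a host and IP that appear nowhere in the list, which is what you want when the actor rotates the throwaway .com domains.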