malware_traffic

2020-06-23 - Valak (soft_sig: mad34) activity

Jun 23rd, 2020
2020-06-23 - VALAK (SOFT_SIG: MAD34) ACTIVITY

NOTE:

- I am yet unable to find any documents with macros for today's activity. I stumbled across the URLs for the initial Valak DLL files and tested them on a lab host.

EXAMPLES OF INITIAL VALAK DLL FILES RETRIEVED BY WORD MACRO:


SCRIPT FILE FROM INFECTED WINDOWS HOST WHEN VALAK DLL WAS SUCCESSFULLY RUN:

- 1afcf5a12826605506aec192c985023c95918fb21f01e75e44b067f3c7596b4a C:\Users\Public\VXoT_mDBJ.Wxa_X

SCRIPT FILE FROM INFECTED WINDOWS HOST USED TO KEEP VALAK INFECTION PERSISTENT:

- c7d58120b99d7ef2f1d124168e49e2b20df6b96252b0e2474192c826d21a09e2 C:\Users\Public\WsuUpdate.js

FILE NAME USED FOR ALTERNATE DATA STREAM (ADS) TO HIDE VALAK EXE:

- 9bb0eae6dbc37e2a6fe0773c92ce5409cd199ce3de2a0b41c159f3bdcc653a76 C:\Users\Public\WSUDIAG.EVTX (note: I did not find ADS with today's file)

VALAK MALWARE INFO:

- SOFT_SIG: mad34
- SOFT_VERSION: 40

URLS FOR VALAK DLL:


DECOY DOMAINS USED DURING VALAK INFECTION:

- e87.dspb.akamaidege[.]net
- insiderppe.cloudapp[.]net
- pagead46.l.doubleclick[.]net

MALICIOUS DOMAINS USED DURING VALAK INFECTION:

- cloptio[.]com
- 50kmission[.]com
- fast-pacedworld[.]com
- 82geod-misery[.]com
- 76leof-nerve[.]com
- 29degod-soil[.]com