malware_traffic

2020-12-07 (Monday) - TA551 (Shathak) Word docs with English template push IcedID

Dec 7th, 2020 (edited)
2020-12-07 (MONDAY) - TA551 (SHATHAK) WORD DOCS WITH ENGLISH TEMPLATE PUSH ICEDID:

CHAIN OF EVENTS:

- malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID DLL

10 EXAMPLES OF TA551 WORD DOCS WITH MACROS:

- 3e670878dd1bec8ea456d334a47600c9e174a380afd89d86725fa8e81b9bc8f4 certificate_12.20.doc
- 55f3a89d2ca7bce56709fa843c39e0556c3960680ff9e66b7c3c897734828824 command,12.20.doc
- 0cc40f89721a9d22358c612aa94164b3ce259da696798c2d6fde6ad7c82d396e commerce ,12.20.doc
- 2dd512c4f4c8940207a3eadaf64ae639c0f295239a629466bb1f2d45253a8a93 direct-12.20.doc
- 385794d14430b56014a7ec11add05404f0038dc39b6e0f6617c67a13128e176a dictate,12.07.2020.doc
- 2016bab0c36eafaba9a47f2872310f48613e055492bb7b450ce807cec8ed0a53 files.12.20.doc
- 7acb240bc3c034e23250eaa44f8352aa1810c9bbdfc97dfa9a8e9bd4297f1af5 files_12.20.doc
- 9f727b8bb2c30ceb1c8d60520588ca81353eb18ef40b0de2f8401b01029781a2 input.12.07.2020.doc
- aea06bc980d083aa2e2ae3ab821352033e663dc21739db859a274cf0556941f3 input-12.20.doc
- ea85265f62418bd9f42f8fe23454517503eb7e29bc267a4e6526df8618c9039b legislate,12.07.2020.doc

AT LEAST 6 DOMAINS HOSTING THE INSTALLER DLL:

- bfc372alarm[.]com - 81.29.143[.]133
- k741faint[.]com - 185.80.129[.]225
- n687desert[.]com - 193.201.126[.]22
- phfvg141cruel[.]com - 193.201.126[.]34
- qs809erupt[.]com - 193.47.34[.]254
- twvf572scout[.]com - 81.29.143[.]146

EXAMPLES OF URLS FOR INSTALLER DLL:

- GET /analytics/lj5lmXsb/Is64F5UGK5UEASi3y81IMMTLTJZFG/BTkmPhFTXqlPmsSTSK1WzNh3YXAzn0p78mqstc04/zzfp1?hLjj=morurDliqsm&YvtFL=YiMQxzSNhS&Pdx=fkBagAla&wcH=_eZAbvTDAzHi
- GET /analytics/rksKzdm3wHGqhK6_7Ht3LBU0v9Bp63wep3MGdgDBHA8JZ8DmTu4B8SMhVqEj/zzfp5?Nw=OyzZljDoldpKJ&nxD=MdrmtRCeJlmmOHro&EpF=DPnSmNKa&a=_RTsxzz&ZFy=hxtZRwKvovtVp&byT=OnqhKgMKIgbd
- GET /analytics/2OzBR4lkXXKrMxxTPfXk2Q7g2c4PTLUBEqBe8XQ0TNlFAmIjGmQqU58_Ge7aqDMec2ZLOhPVMZM/zzfp6?xO=KUBuvxcdxn&xMKej=APHAnKUhGa&ck=lxAFAZTpUrZ&RDNeq=MFrCYsGaYvhprYcuI
- GET /analytics/YphTTjDQ65j6coqjXevFWKs20rHBDExuMhh1EHRz60qOtBjrpeIltGlXtlIxFB2QJ/zzfp10?wC=LuYNFvD&gNRAU=NNdymGdtsPswTCVPd&gnDoV=rQWkbotgQPfNqb&QhIgf=X_KjJvEfXsjzl&GYrZt=GSsAYmUf&RZV=LQHhLNgGHfar
- GET /analytics/mVAQZZC32DqDIkxQn/COdVXlLdBsY1I8jO9ATa8fdVcwPIJTFS2R/zzfp13?zWrg=RBYcqwrnBjPMkmR&RYF=EgTKqek&_Wg=_gTxlNWoF&OYqth=qbRTqOqWqqJVPZpHC
- GET /analytics/56cFxiBoDfQ0txm_dGZ_SY1h2Jgan21K95byCVcIzAWcGw/zzfp14?cmMw=IPnawGTX&FxAyf=xIccgp&EY=BQGKZPRzjCVSqA&LOBB=UYqJADq&lTni=bVCLSwAVpxVjS
- GET /analytics/CnVBfJlSmMSyD5mymsI1WL6pCygIlWtl/R5YrqArn2Z30a35vNf09OpyTA/zzfp15?TI=ZFzIpeJMkY&Rewt=fflcvocG_Zrbr&PmLq=_FCmKXbRrWqv_c&meR=BLAqFWhtJZtrVm
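The seven installer-DLL URLs above share one structure: a path under /analytics/ made of random alphanumeric segments, a final segment of the form zzfp<N>, and a query string of random alphanumeric key=value pairs. The Python below is an added example, not part of the original paste, that turns that structure into a regex and runs it over a few constructed proxy-log lines (the log layout, client addresses, status codes and the two benign requests are made up for the example; the two malicious request lines and their hosting domains are copied from the lists above).

```python
import re

# Signature derived from the installer-DLL URLs listed above: "/analytics/",
# one or more random [A-Za-z0-9_] path segments, a final "zzfp<digits>" segment,
# and a query string of random [A-Za-z0-9_] key=value pairs joined by "&".
INSTALLER_URL_RE = re.compile(
    r"^/analytics/(?:[A-Za-z0-9_]+/)+zzfp\d+"
    r"\?[A-Za-z0-9_]+=[A-Za-z0-9_]*(?:&[A-Za-z0-9_]+=[A-Za-z0-9_]*)*$"
)


def is_installer_url(target):
    """True if the request target (path plus query) matches the TA551 installer pattern."""
    return INSTALLER_URL_RE.match(target) is not None


# Constructed proxy-log lines for the example (not from the original page):
# "<client> <method> <host> <path?query> <status>". Lines 1 and 3 reuse two of
# the real request lines and hosting domains listed above; the rest are benign filler.
SAMPLE_LOG = """\
10.12.7.101 GET bfc372alarm.com /analytics/lj5lmXsb/Is64F5UGK5UEASi3y81IMMTLTJZFG/BTkmPhFTXqlPmsSTSK1WzNh3YXAzn0p78mqstc04/zzfp1?hLjj=morurDliqsm&YvtFL=YiMQxzSNhS&Pdx=fkBagAla&wcH=_eZAbvTDAzHi 200
10.12.7.101 GET www.example.com /analytics/collect?v=1&tid=UA-1 200
10.12.7.102 GET n687desert.com /analytics/56cFxiBoDfQ0txm_dGZ_SY1h2Jgan21K95byCVcIzAWcGw/zzfp14?cmMw=IPnawGTX&FxAyf=xIccgp&EY=BQGKZPRzjCVSqA&LOBB=UYqJADq&lTni=bVCLSwAVpxVjS 200
10.12.7.103 GET cdn.example.net /static/zzfp14.js 200
"""


def find_installer_requests(log_text):
    """Return (client, host, final_path_segment) for every matching GET in the log."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, method, host, target = fields[:4]
        if method != "GET" or not is_installer_url(target):
            continue
        path = target.split("?", 1)[0]
        hits.append((client, host, path.rsplit("/", 1)[-1]))
    return hits


if __name__ == "__main__":
    for client, host, marker in find_installer_requests(SAMPLE_LOG):
        print(f"{client} -> {host} ({marker})")
```

The literal tokens (analytics, zzfp) are specific to this batch and TA551 rotates them; the random-segment path followed by a random key=value query is the more durable shape, so expect to update the literals and to pair any match with the hosting domains and IP addresses listed above rather than alerting on the URL alone.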

7 EXAMPLES OF INSTALLER DLLS:

- 02952f2ea12635c239d66a403c6ef4bef2e52d9f5c41b76343fc777e9aafea56
- 07972c064aeed1bd984a22d0a21514bc15a57d775ad546c5f08a7b0962e6fb3d
- 31cdf9cae93b228d186ac36bff4e60d292f61234f178128c70e24bb49d4ff615
- 384eaa2aa32cdcb20a62051a875d96bf8c6bc52db34e156d0cdba29e2b3d923b
- ac8f13231b09121ce180b011a716619804490a319f88563a40a8f23c1d159f43
- b96a38f600aa2437c0e60869d0ad660408965005fb3657c71a1653404c38939c
- d1ebffb2628905ed1fdaff0f099239f611b7a551743738053ac09914dd3b6810

EXAMPLES OF LOCATIONS FOR THE INSTALLER DLL FILES:

- C:\ProgramData\a6Uns.pdf
- C:\ProgramData\aK2TUb.pdf
- C:\ProgramData\aNkDL.pdf
- C:\ProgramData\aP8CD.pdf
- C:\ProgramData\aPJ75.pdf
- C:\ProgramData\aT2QI.pdf
- C:\ProgramData\aWFPjN.pdf

DLL RUN METHOD:

- rundll32.exe [filename],ShowDialogA -r

HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL:

- port 443 - facebook.com
- port 443 - www.facebook.com
- port 443 - instagram.com
- port 443 - www.instagram.com
- port 443 - twitter.com
- port 443 - www.tumblr.com

AT LEAST 4 DOMAINS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:

- 167.71.138[.]137 port 443 - oldaquafrsh[.]cyou
- 167.71.138[.]137 port 443 - rotapetek[.]cyou
- 188.166.88[.]45 port 443 - milliship[.]top
- 188.166.88[.]45 port 443 - portugalloindostan[.]top

4 EXAMPLES OF SHA256 HASHES FOR ICEDID DLL CREATED BY INSTALLER:

- 39238c2728a4f6af81b57e38456aa1f9efc8c19ad0e8fbd2f3bad803dd1b75e1 (initial, 1st run)
- d7a2b612bc7124c22cb058518ecf40a39b670042a7fbad01d4fa49d0ce20d344 (persistent, 1st run)
- a221d6b02ae406bd0505a4f6fa8fe32503aa85a96c6715fade6dcf73a1eac2c1 (initial, 2nd run)
- 13ad7de7f561825af82ab9ba920f82b72908ce9aacb944dc0c6a7b1875327e5d (persistent, 2nd run)

HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ICEDID DLL FILES (1ST RUN):

- 5.149.254[.]27 port 443 - reshailam[.]biz
- 5.149.254[.]27 port 443 - ottepel[.]biz
- 5.149.254[.]27 port 443 - t3476[.]top
- 5.149.254[.]27 port 443 - vollhafer[.]top
- 5.149.254[.]27 port 443 - fiscalclub[.]top

HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ICEDID DLL FILES (2ND RUN):

- 185.38.185[.]103 port 443 - chainoftheapril[.]cyou
- 185.38.185[.]103 port 443 - unprofessional[.]club
- 185.38.185[.]103 port 443 - lukapedrilla[.]cyou
- 185.38.185[.]103 port 443 - xilophones[.]best
- 185.38.185[.]103 port 443 - localallcases[.]xyz
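The defanged host lists on this page (installer-DLL hosts in "domain[.]tld - IP" form, HTTPS hosts in "IP port 443 - domain[.]tld" form) can be parsed straight into a blocklist. The Python below is an added example, not part of the original paste: it refangs a sample of those lines, then matches a few constructed TLS-connection log lines against the resulting domain and IP sets. The log layout, timestamps, client addresses, and the facebook and example.com entries with their server IPs are made up for the example; the malicious SNI/IP pairs reuse entries from the lists above. The legitimate social-media connections the installer DLL makes are deliberately left unflagged, since on their own they are not an indicator.

```python
import re

# A sample of the defanged IOC lines from this page, copied verbatim; the two
# formats used above are "domain[.]tld - IP" and "IP port 443 - domain[.]tld".
RAW_IOCS = """\
- bfc372alarm[.]com - 81.29.143[.]133
- k741faint[.]com - 185.80.129[.]225
- 167.71.138[.]137 port 443 - oldaquafrsh[.]cyou
- 188.166.88[.]45 port 443 - milliship[.]top
- 5.149.254[.]27 port 443 - reshailam[.]biz
- 185.38.185[.]103 port 443 - chainoftheapril[.]cyou
"""

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.I)


def refang(token):
    """Undo the [.] defanging used in the lists above."""
    return token.replace("[.]", ".")


def parse_iocs(text):
    """Split defanged IOC lines into (domains, ips); tokens like '-', 'port', '443' are ignored."""
    domains, ips = set(), set()
    for line in text.splitlines():
        for token in line.lstrip("- ").split():
            token = refang(token)
            if IPV4_RE.match(token):
                ips.add(token)
            elif DOMAIN_RE.match(token):
                domains.add(token.lower())
    return domains, ips


# Constructed TLS-connection log lines (not from the original page):
# "<ts> <client> <server> <port> <sni>". The facebook/example.com server IPs,
# timestamps and client addresses are made up; the malicious SNI/IP pairs
# reuse entries from the lists above.
SAMPLE_TLS_LOG = """\
1607350001.1 10.12.7.101 157.240.1.35 443 www.facebook.com
1607350002.4 10.12.7.101 167.71.138.137 443 oldaquafrsh.cyou
1607350003.9 10.12.7.101 5.149.254.27 443 reshailam.biz
1607350004.2 10.12.7.102 185.38.185.103 443 sub.chainoftheapril.cyou
1607350005.0 10.12.7.103 93.184.216.34 443 www.example.com
"""


def match_tls_log(log_text, domains, ips):
    """Return (client, server, sni, reason) for connections that hit an IOC.

    The SNI matches exactly or as a subdomain of a listed domain; the server
    IP matches exactly. Both are reported when both hit ("ip+sni").
    """
    hits = []
    for line in log_text.splitlines():
        _ts, client, server, _port, sni = line.split()
        sni = sni.lower()
        by_ip = server in ips
        by_sni = sni in domains or any(sni.endswith("." + d) for d in domains)
        if by_ip or by_sni:
            reason = "+".join(name for name, ok in (("ip", by_ip), ("sni", by_sni)) if ok)
            hits.append((client, server, sni, reason))
    return hits


if __name__ == "__main__":
    domains, ips = parse_iocs(RAW_IOCS)
    for hit in match_tls_log(SAMPLE_TLS_LOG, domains, ips):
        print(hit)
```

Matching on both SNI and server IP matters here: the page shows two and five domains sharing one C2 address per run, so a connection whose SNI is a domain not yet on the list still hits on the IP, while a listed domain that moves to a new address still hits on the SNI.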

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST - 1ST RUN:

- SHA256 hash: 1b167f1532a1d9b1ffdef5ef4cb8dcab1da70f1bbb586a083b7b88e111b6da59
- File size: 201,087 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\005c14a1.png
- File type: PNG image data, 480 x 249, 8-bit/color RGB, non-interlaced
- File description: PNG image with encoded data used to create initial IcedID DLL

- SHA256 hash: 39238c2728a4f6af81b57e38456aa1f9efc8c19ad0e8fbd2f3bad803dd1b75e1
- File size: 196,608 bytes
- File location: C:\Users\[username]\AppData\Local\Betweenwhere.dat
- File description: Initial IcedID DLL created by installer DLL using data from above PNG image
- Run method: regsvr32.exe /s [filename]

- SHA256 hash: f6ea81aaf9a07e24a82b07254a8ed4fcf63d5a8e6ea7b57062f4c5baf9ef8bf2
- File size: 678,288 bytes
- File location: C:\Users\[username]\AppData\Roaming\[username]\{6B397018-C748-AA01-4FF0-48B6F31AC4D7}\Ecaxxaac4.png
- File type: PNG image data, 605 x 399, 8-bit/color RGB, non-interlaced
- File description: PNG image with encoded data created during the infection process

- SHA256 hash: d7a2b612bc7124c22cb058518ecf40a39b670042a7fbad01d4fa49d0ce20d344
- File size: 196,608 bytes
- File location: C:\Users\[username]\AppData\Local\Jiexci2\saguoy\otgewd.dll
- File description: IcedID DLL persistent on the infected host

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST - 2ND RUN:

- SHA256 hash: 71613eceb54609f4ad0c14fe41b92914ddb94cc1f1f56dbb3a583992a362a608
- File size: 182,655 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\000ad4c4.png
- File type: PNG image data, 386 x 486, 8-bit/color RGB, non-interlaced
- File description: PNG image with encoded data used to create initial IcedID DLL

- SHA256 hash: a221d6b02ae406bd0505a4f6fa8fe32503aa85a96c6715fade6dcf73a1eac2c1
- File size: 178,176 bytes
- File location: C:\Users\[username]\AppData\Local\Coralindex.dat
- File description: Initial IcedID DLL created by installer DLL using data from above PNG image
- Run method: regsvr32.exe /s [filename]

- SHA256 hash: f6ea81aaf9a07e24a82b07254a8ed4fcf63d5a8e6ea7b57062f4c5baf9ef8bf2
- File size: 678,288 bytes
- File location: C:\Users\[username]\AppData\Local\[username]\taevac.png
- File type: PNG image data, 605 x 399, 8-bit/color RGB, non-interlaced
- File description: PNG image with encoded data created during the infection process

- SHA256 hash: 13ad7de7f561825af82ab9ba920f82b72908ce9aacb944dc0c6a7b1875327e5d
- File size: 178,176 bytes
- File location: C:\Users\[username]\AppData\Roaming\[username]\Zuobyi64\Oqefuw2.dll
- File description: IcedID DLL persistent on the infected host
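Both run methods recorded on this page, rundll32.exe [filename],ShowDialogA -r for the installer DLL stored with a .pdf extension under C:\ProgramData, and regsvr32.exe /s [filename] for the initial IcedID DLL stored as a .dat under AppData\Local, can be caught from process-creation command lines without depending on any of the hashes above, which change per sample. The Python below is an added example, not part of the original paste. The event records are constructed to mirror those two command lines plus two benign launches; the user name alice, the shell32.dll and vendor.dll invocations, and the Image paths are made up for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (not from the original page) modelled on the
# two run methods recorded above. The user name "alice", the benign shell32.dll and
# vendor.dll invocations and the Image paths are made up for the example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\ProgramData\a6Uns.pdf,ShowDialogA -r"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Betweenwhere.dat"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL'},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
]


def tokenize(cmd):
    """Split a Windows command line on whitespace while keeping quoted spans together."""
    return [t.replace('"', "") for t in re.findall(r'(?:"[^"]*"|\S)+', cmd)]


def check_rundll32(tokens):
    """Reasons to flag a rundll32 launch, or None. Expects tokens[1] = '<file>,<export>'."""
    if len(tokens) < 2 or "," not in tokens[1]:
        return None
    path, _, export = tokens[1].partition(",")
    suffix = PureWindowsPath(path).suffix.lower()
    reasons = []
    if suffix != ".dll":
        reasons.append(f"rundll32 loading a file with extension {suffix or '(none)'}")
    if export.lower() == "showdialoga":
        reasons.append("export ShowDialogA, as used by the TA551 installer DLL")
    return reasons or None


def check_regsvr32(tokens):
    """Reasons to flag a regsvr32 launch, or None. Target = last non-switch argument."""
    args = tokens[1:]
    silent = any(a.lower() in ("/s", "-s") for a in args)
    targets = [a for a in args if not a.startswith(("/", "-"))]
    if not targets:
        return None
    path = targets[-1]
    suffix = PureWindowsPath(path).suffix.lower()
    reasons = []
    if suffix not in (".dll", ".ocx"):
        reasons.append(f"regsvr32 registering a file with extension {suffix or '(none)'}")
    if silent and "\\appdata\\" in path.lower():
        reasons.append("silent (/s) registration of a file under AppData")
    return reasons or None


def triage(events):
    """Return (command_line, reasons) for each event that trips a check."""
    findings = []
    for ev in events:
        tokens = tokenize(ev["CommandLine"])
        if not tokens:
            continue
        exe = PureWindowsPath(tokens[0]).name.lower()
        if exe in ("rundll32.exe", "rundll32"):
            reasons = check_rundll32(tokens)
        elif exe in ("regsvr32.exe", "regsvr32"):
            reasons = check_regsvr32(tokens)
        else:
            reasons = None
        if reasons:
            findings.append((ev["CommandLine"], reasons))
    return findings


if __name__ == "__main__":
    for cmd, reasons in triage(SAMPLE_EVENTS):
        print(cmd)
        for r in reasons:
            print("   ", r)
```

The mismatched extension is the signal that survives renaming: rundll32 and regsvr32 load whatever PE they are pointed at regardless of its name, so a .pdf or .dat being passed to either is worth an alert on its own, with the ShowDialogA export and the AppData\Local location as supporting context tied to this campaign.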