pandazheng

2021-04-26 (MONDAY) - ZIP-ED JS FILE --> ICEDID (BOKBOT) --> COBALT STRIKE

Apr 27th, 2021

NOTES:

- Reference: https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/

- Based on the above report, we found a zip archive from today (Monday 2021-04-26) containing a malicious .js file associated with this campaign.

- In the pcap, I was able to download StolenImages_Evidence.zip and run StolenImages_Evidence.js to get the installer DLL for IcedID; however, I had to move the DLL to a different host and run it again to complete the IcedID infection.

MALWARE AND ARTIFACTS:

- https://github.com/pan-unit42/tweets/blob/master/2021-04-26-IcedID-with-Cobalt-Strike-malware-and-artifacts.zip

PCAP OF THE INFECTION TRAFFIC:

- https://github.com/pan-unit42/tweets/blob/master/2021-04-26-IcedID-with-Cobalt-Strike-traffic.pcap.zip

MALWARE:

- SHA256 hash: e53d3d4a90d9761b62da2b626060a5934319e3e81d1901a666b8cee7c2ab4e6a
- File size: 6,693 bytes
- File name: StolenImages_Evidence.zip
- File description: ZIP archive retrieved from link in an email pushing IcedID

- SHA256 hash: 58544355fd1659814351b3931fa363b03115a2d1d0a8af72aeef8c48d4efa4f5
- File size: 18,761 bytes
- File name: StolenImages_Evidence.js
- File description: JS file extracted from the above ZIP archive

- SHA256 hash: 393082006d9106926220a3e40d95ef15c05fdeb5b45b0da3012d9b5b60ee90f8
- File size: 397,329 bytes
- File location: hxxp://stereozek[.]top/034g100/main.php
- File location: C:\Users\[username]\AppData\Local\Temp\dTJrU.dat
- File description: Installer DLL for IcedID
- Run method: rundll32.exe [filename],DllRegisterServer

- SHA256 hash: ae5ebe0388b228032f6fa0afe924910de13d824dca79b6b67d7dfdd651762cc4
- File size: 711,499 bytes
- File location: hxxp://quadrogorrila[.]casa/
- File description: Fake gzip file called by installer DLL used to create IcedID DLL and license.dat files

- SHA256 hash: 29d2a8344bd725d7a8b43cc77a82b3db57a5226ce792ac4b37e7f73ec468510e
- File size: 341,098 bytes
- File location: C:\Users\[username]\AppData\Roaming\SimilarThree\license.dat
- File description: binary data file used to run IcedID DLL files

- SHA256 hash: 260e2a92e0fccddb6f930ce93c90fb54e91ffc892c2c554aba0e2ae43cd3af15
- File size: 370,176 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\sadness_64.dat
- File description: Initial DLL for IcedID infection
- Run method: rundll32.exe [filename],update /i:"SimilarThree\license.dat"

- SHA256 hash: 14fc5552d33dfe49aea4834c26d5f9aa85db2a065524aaa9c1e3b653c05aff0b
- File size: 370,176 bytes
- File location: C:\Users\[username]\AppData\Roaming\[username]\{2D7709C7-BCD4-92FE-99EC-2815EEDE7032}\Umkohoip32.dll
- File description: Persistent DLL for IcedID infection
- Run method: rundll32.exe [filename],update /i:"SimilarThree\license.dat"

- SHA256 hash: e54f38d06a4f11e1b92bb7454e70c949d3e1a4db83894db1ab76e9d64146ee06
- File size: 800,768 bytes
- File location: hxxp://192.99.178[.]145/download/195145.exe
- File location: C:\Users\[username]\AppData\Local\Temp\Remo.exe
- File description: EXE for Cobalt Strike retrieved by IcedID-infected host

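The three run methods listed above (rundll32 with the DllRegisterServer export on a .dat file staged in %TEMP%, and rundll32 with the "update" export plus a /i:...license.dat argument for the initial and persistent DLLs) are the host-side artifacts a detection engineer would most want to alert on. The script below is an added example, not code from the notes or from the Unit 42 artifact archive: it parses rundll32 command lines as Sysmon Event ID 1 or EDR process telemetry would record them and applies heuristics derived from those run methods. The user name "alice" and the sample command lines are constructed to mirror the paths in the notes; the third heuristic (a non-.dll module loaded from a user-writable path) is a general-purpose check I added, not something the notes state.

```python
"""Added example: flag rundll32.exe command lines matching the IcedID run methods.

Assumptions (not from the original notes): input is a list of plain command-line
strings from process-creation telemetry; the user 'alice' and every path in
SAMPLE_COMMAND_LINES are constructed to mirror the file locations listed above.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Matches "rundll32[.exe] <module>,<export> [args]" with a quoted or bare module path.
RUNDLL32_RE = re.compile(
    r'^\s*(?:"[^"]*?rundll32(?:\.exe)?"|\S*?rundll32(?:\.exe)?)\s+'  # the rundll32 binary
    r'(?:"(?P<qmod>[^"]+)"|(?P<mod>[^\s,]+))'                        # module path, quoted or bare
    r'\s*,\s*(?P<export>[^\s,]+)'                                    # exported function name
    r'(?:\s+(?P<args>.*))?\s*$',
    re.IGNORECASE,
)

# Paths the samples above live in: %TEMP% for the staged DLLs, %APPDATA% for persistence.
USER_WRITABLE_RE = re.compile(r'\\AppData\\(?:Local\\Temp|Roaming)\\', re.IGNORECASE)

# "/i:<path>license.dat" as in the IcedID loader run method; the quotes are optional.
LICENSE_DAT_RE = re.compile(r'/i:"?[^"\s]*license\.dat"?', re.IGNORECASE)


@dataclass
class Finding:
    command_line: str
    module: str
    export: str
    reasons: List[str] = field(default_factory=list)


def parse_rundll32(command_line: str) -> Optional[dict]:
    """Return {'module', 'export', 'args'} for a rundll32 command line, else None."""
    m = RUNDLL32_RE.match(command_line)
    if not m:
        return None
    return {
        "module": m.group("qmod") or m.group("mod"),
        "export": m.group("export"),
        "args": m.group("args") or "",
    }


def classify(command_line: str) -> Optional[Finding]:
    """Apply the heuristics derived from the run methods in the notes; None if nothing hits."""
    parsed = parse_rundll32(command_line)
    if parsed is None:
        return None
    module, export, args = parsed["module"], parsed["export"], parsed["args"]
    in_user_path = bool(USER_WRITABLE_RE.search(module))
    reasons = []
    # Installer DLL: rundll32 <path>,DllRegisterServer with the module staged under AppData.
    if export.lower() == "dllregisterserver" and in_user_path:
        reasons.append("DllRegisterServer export on a module under AppData (installer DLL run method)")
    # Initial/persistent DLL: rundll32 <path>,update /i:"...\license.dat".
    if export.lower() == "update" and LICENSE_DAT_RE.search(args):
        reasons.append("update export with /i:...license.dat argument (IcedID DLL run method)")
    # Generic heuristic (my assumption, not from the notes): AppData module not named *.dll.
    if in_user_path and not module.lower().endswith(".dll"):
        reasons.append("non-.dll module loaded from a user-writable path")
    if not reasons:
        return None
    return Finding(command_line, module, export, reasons)


def scan(command_lines: List[str]) -> List[Finding]:
    """Run classify() over a batch of command lines and keep only the hits."""
    return [f for f in (classify(c) for c in command_lines) if f is not None]


# Constructed Sysmon-style command lines: the first three mirror the run methods in the
# notes, the last two are benign rundll32 uses that the heuristics must leave alone.
SAMPLE_COMMAND_LINES = [
    r'rundll32.exe C:\Users\alice\AppData\Local\Temp\dTJrU.dat,DllRegisterServer',
    r'rundll32.exe C:\Users\alice\AppData\Local\Temp\sadness_64.dat,update /i:"SimilarThree\license.dat"',
    r'"C:\Windows\System32\rundll32.exe" "C:\Users\alice\AppData\Roaming\alice\{2D7709C7-BCD4-92FE-99EC-2815EEDE7032}\Umkohoip32.dll",update /i:"SimilarThree\license.dat"',
    r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL',
    r'rundll32.exe printui.dll,PrintUIEntry /in /n "\\server\printer"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_COMMAND_LINES):
        print(finding.module, finding.export, "->", "; ".join(finding.reasons))
```

Only the three IcedID-style lines are flagged; the shell32.dll and printui.dll invocations are normal Windows use of rundll32 and produce no finding. In a real deployment the module path should be normalised (8.3 short names, environment variables) before the AppData check, since the samples here assume fully expanded paths.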
TRAFFIC GENERATED BY .JS FILE TO RETRIEVE INSTALLER DLL:

- 172.67.169[.]66 port 80 - stereozek[.]top - GET /034g100/index.php
- 172.67.169[.]66 port 80 - stereozek[.]top - GET /034g100/main.php

TRAFFIC GENERATED BY INSTALLER DLL TO RETRIEVE FAKE GZIP FILE USED TO CREATE ICEDID FILES:

- port 443 - aws.amazon.com - HTTPS traffic
- 104.236.44[.]35 port 80 - quadrogorrila[.]casa - GET /

C2 TRAFFIC GENERATED BY ICEDID:

- 167.99.163[.]235 port 443 - classicfucup[.]top - HTTPS traffic
- 167.99.163[.]235 port 443 - rangstatepol[.]top - HTTPS traffic
- 38.135.122[.]194 port 8080 - TCP traffic

ADDITIONAL ICEDID C2 DOMAINS ON 167.99.163[.]235:

- 167.99.163[.]235 port 443 - ultimarulle[.]top
- 167.99.163[.]235 port 443 - hidethisfact[.]top

COBALT STRIKE ACTIVITY ON THE INFECTED HOST:

- 192.99.178[.]145 port 80 - 192.99.178[.]145 - GET /download/195145.exe
- 192.99.178[.]145 port 80 - dimentos[.]com - GET /bg
- 192.99.178[.]145 port 80 - dimentos[.]com - POST /btn_bg

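The traffic sections above are written in the usual defanged "IP port N - host - request" form, and a responder's first job is to turn them into indicators that can be matched against proxy or Zeek logs. The script below is an added example, not code from the notes or the Unit 42 archive: it refangs and parses an excerpt of those lines into (IP, port, host, method, URI) indicators and matches them against constructed Zeek-style http.log/ssl.log/conn.log records. Two points a practitioner would want handled are built in. First, aws.amazon.com is a legitimate service that the installer DLL happened to contact, so it is placed on an allow list rather than used as a blocking indicator (that the notes do not say why it is contacted is worth keeping in mind). Second, because several IcedID C2 domains share 167.99.163[.]235 on port 443, the IP:port pair is matched independently of the host name, which also catches TLS sessions where no SNI is logged. The log records, the KNOWN_GOOD set and the documentation-range addresses 203.0.113.10 and 198.51.100.7 are constructed for the example.

```python
"""Added example: parse the defanged traffic lines from the notes into indicators
and match them against Zeek-style log records.

Assumptions (not from the original notes): the record dicts below are constructed;
KNOWN_GOOD is my choice of what not to treat as a blocking indicator.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Excerpt of the traffic sections above, copied in their defanged form.
NOTES_TRAFFIC = """
- 172.67.169[.]66 port 80 - stereozek[.]top - GET /034g100/index.php
- 172.67.169[.]66 port 80 - stereozek[.]top - GET /034g100/main.php
- port 443 - aws.amazon.com - HTTPS traffic
- 104.236.44[.]35 port 80 - quadrogorrila[.]casa - GET /
- 167.99.163[.]235 port 443 - classicfucup[.]top - HTTPS traffic
- 167.99.163[.]235 port 443 - rangstatepol[.]top - HTTPS traffic
- 38.135.122[.]194 port 8080 - TCP traffic
- 167.99.163[.]235 port 443 - ultimarulle[.]top
- 192.99.178[.]145 port 80 - 192.99.178[.]145 - GET /download/195145.exe
- 192.99.178[.]145 port 80 - dimentos[.]com - GET /bg
- 192.99.178[.]145 port 80 - dimentos[.]com - POST /btn_bg
"""

# Legitimate infrastructure seen in the pcap that must not become a block-list entry (assumption).
KNOWN_GOOD: Set[str] = {"aws.amazon.com"}

# "- [ip] port N [- host] [- METHOD /uri | - free text]"; host must contain a dot so that
# trailing descriptions like "TCP traffic" are not mistaken for a host name.
LINE_RE = re.compile(
    r'^-\s*(?:(?P<ip>\S+)\s+)?port\s+(?P<port>\d+)'
    r'(?:\s+-\s+(?P<host>\S*\.\S*))?'
    r'(?:\s+-\s+(?:(?P<method>GET|POST)\s+(?P<uri>\S+)|(?P<desc>.+?)))?\s*$'
)


@dataclass(frozen=True)
class Indicator:
    ip: Optional[str]
    port: int
    host: Optional[str]
    method: Optional[str] = None
    uri: Optional[str] = None


def refang(value: str) -> str:
    """Undo the [.] and hxxp defanging used in the notes."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_traffic_notes(text: str) -> List[Indicator]:
    """Turn each '- ... port ...' line into an Indicator; lines that do not fit are skipped."""
    indicators = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        indicators.append(Indicator(
            ip=refang(m["ip"]) if m["ip"] else None,
            port=int(m["port"]),
            host=refang(m["host"]).lower() if m["host"] else None,
            method=m["method"],
            uri=m["uri"],
        ))
    return indicators


def match_record(rec: dict, indicators: List[Indicator], allow: Set[str]) -> List[str]:
    """Return the reasons a Zeek-style record matches the indicator list ([] if none).

    Uses id.resp_h/id.resp_p from conn/http/ssl logs, 'host' from http.log and
    'server_name' (SNI) from ssl.log.
    """
    ip, port = rec.get("id.resp_h"), rec.get("id.resp_p")
    host = rec.get("host") or rec.get("server_name")
    hits = set()
    for ind in indicators:
        if ind.host in allow:
            continue
        # IP:port match is independent of the host name, so shared C2 IPs and
        # TLS sessions without SNI are still caught.
        if ind.ip and ind.ip == ip and ind.port == port:
            hits.add(f"dest {ip}:{port} listed")
        if ind.host and host and ind.host == host.lower():
            hits.add(f"host {ind.host} listed")
            if ind.method and rec.get("method") == ind.method and rec.get("uri") == ind.uri:
                hits.add(f"{ind.method} {ind.host}{ind.uri} listed")
    return sorted(hits)


def scan_records(records: List[dict], indicators: List[Indicator],
                 allow: Set[str]) -> List[Tuple[int, List[str]]]:
    """Return (record index, reasons) for every record that matches at least one indicator."""
    out = []
    for i, rec in enumerate(records):
        hits = match_record(rec, indicators, allow)
        if hits:
            out.append((i, hits))
    return out


# Constructed Zeek-style records: two IcedID hits, one Cobalt Strike hit, one benign AWS
# session and one unrelated site. 203.0.113.10 and 198.51.100.7 are documentation addresses.
SAMPLE_RECORDS = [
    {"id.resp_h": "172.67.169.66", "id.resp_p": 80, "host": "stereozek.top", "method": "GET", "uri": "/034g100/main.php"},
    {"id.resp_h": "38.135.122.194", "id.resp_p": 8080},
    {"id.resp_h": "203.0.113.10", "id.resp_p": 443, "server_name": "aws.amazon.com"},
    {"id.resp_h": "192.99.178.145", "id.resp_p": 80, "host": "dimentos.com", "method": "POST", "uri": "/btn_bg"},
    {"id.resp_h": "198.51.100.7", "id.resp_p": 80, "host": "example.com", "method": "GET", "uri": "/"},
]

if __name__ == "__main__":
    indicators = parse_traffic_notes(NOTES_TRAFFIC)
    for idx, reasons in scan_records(SAMPLE_RECORDS, indicators, KNOWN_GOOD):
        print(idx, SAMPLE_RECORDS[idx], "->", "; ".join(reasons))
```

Cloudflare-fronted hosts such as stereozek[.]top on 172.67.169[.]66 are the reverse case: the IP is shared with many unrelated sites, so for those the host name and URI matches carry the weight and an IP-only hit should be treated as low confidence.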