malware_traffic

2020-08-20 (Thursday) - TA551 (Shathak) word docs push IcedID

Aug 20th, 2020 (edited)
2020-08-20 (THURSDAY) - TA551 (SHATHAK) WORD DOCUMENTS WITH MACROS PUSHING ICEDID MALWARE:

CHAIN OF EVENTS:

malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE

22 EXAMPLES OF SHA256 HASHES FOR WORD DOCS WITH MACROS FOR ICEDID:

- e74344da011c0b40910c94bfe04b0cab9dca0727f4ff8a712b9e67090e888538 command 08.20.2020.doc
- 97cf98ed3f769614f76708d74468f8dd97d721b77fdec71fe0ffbbd2059881a4 decree 08.20.20.doc
- a9f1a2116654c86055f76b9414b007dffa7e481ecd4b4599d97fc7c5277e0406 decree.08.20.doc
- f790841bb10f01d9b62d46599f74951ffc501625f7bc81887712866008594e91 decree.08.20.doc
- f43bd677fc0f91605c528b974eb75c6cbbae6e793e43ac37e1e2c23f05cdd16e enjoin.08.20.doc
- 3490e9b6d5075d72d7932f6615e0d57383267483f7233f8018e525c47247fb22 facts 08.20.doc
- 47162876ed6ea646b1b3b52d3d27c5d740b6d29550fa92a582193145cbc1dc35 figures,08.20.doc
- b9427384ef08b4b46d79b6f69da55f81f1bc1504645231f1a235989b0a7f80e6 file,08.20.20.doc
- dec178d7b649b0f381a2b6d8816e68324c44b3a62b85f3671bc1866226dda472 input_08.20.doc
- 9887706fec807a848caec12265e7f0a062d00394ec1b6b564765719c8aad618d inquiry_08.20.20.doc
- c4f8453b7157f8ab0a33f452ef5238631dee8ea2cf06cb32b49f2fab0f1afce5 instruct,08.20.doc
- edda2ccdedf90389a9980fcf05990cb264df8ed6c15ccc2cbdd8ba66e0ff0cfe instrument indenture-08.20.doc
- e5d2751a8b5b5ced34eb583486e673e7ac0fdb6952cf31e7a4ba0324326359bd legal agreement,08.20.20.doc
- 79a4373e8aef7d5db5faeb02ed059e7514ff4581cb40c128cdcccae88651c49c ordain-08.20.doc
- 9f298534ebf0aa1da5bb369152a8e70576f45eae0ece3abbf7e8edfb32e57ea4 particulars-08.20.doc
- f555a28e9d8d82d1f3682921800e8e04e99c00b7a319e6866b01f7a99cd74677 report 08.20.2020.doc
- 1bbd4db893f0ae6c68368f5c0c2f768c1ae4b787b23cd681f3fdf49ed430f00a report 08.20.2020.doc
- f6babfa9ec695cabf642941c0a80ecfede354553059cecc50fc4a2c8766edd43 report,08.20.2020.doc
- f14e6107da54f9728252f7461313ef49f2708ab051c426c87d0618b6d93ad510 require 08.20.doc
- 1e827bcaa3190b6f7ab092ce6b3160244d182507dd99a4adddc0e93f415ea79c rule_08.20.2020.doc
- e1a647d2d801b1a19cc832113af60a4877d75c1f1156c33834722740397852c2 specifics_08.20.doc
- 3be7c48f4970f078ef1c0fd8b4aba3424f3971da175f127768c1b4d63e72ff3f statistics 08.20.doc

AT LEAST 12 DOMAINS HOSTING THE INSTALLER DLL:

- fbz7fl.com - 81.29.134.87
- fk1s50.com - 185.103.109.79
- g7b26ut.com - 185.66.12.156
- i47cml.com - 193.187.175.158
- ip7g25w.com - 45.89.67.140
- jve7kr.com - 185.254.190.68
- kx8sp52.com - 185.118.164.101
- pob8bvm.com - 194.31.236.119
- sh1ywp.com - 83.220.172.64
- twu5vut.com - 185.239.51.224
- w4l8qww.com - 92.63.104.151
- xb5k6j.com - 45.89.66.41

GET REQUESTS FOR THE INSTALLER DLL:

- GET /pudiv/tedy.php?l=gike1.cab
- GET /pudiv/tedy.php?l=gike2.cab
- GET /pudiv/tedy.php?l=gike3.cab
- GET /pudiv/tedy.php?l=gike4.cab
- GET /pudiv/tedy.php?l=gike5.cab
- GET /pudiv/tedy.php?l=gike6.cab
- GET /pudiv/tedy.php?l=gike7.cab
- GET /pudiv/tedy.php?l=gike8.cab
- GET /pudiv/tedy.php?l=gike9.cab
- GET /pudiv/tedy.php?l=gike10.cab
- GET /pudiv/tedy.php?l=gike11.cab
- GET /pudiv/tedy.php?l=gike12.cab
- GET /pudiv/tedy.php?l=gike13.cab
- GET /pudiv/tedy.php?l=gike14.cab
- GET /pudiv/tedy.php?l=gike15.cab
- GET /pudiv/tedy.php?l=gike16.cab
- GET /pudiv/tedy.php?l=gike17.cab
- GET /pudiv/tedy.php?l=gike18.cab

21 EXAMPLES OF SHA256 HASHES FOR DLL FILES USED TO INSTALL ICEDID:

- 17aa717873788437012009c059a2cb136f06130df588af7d033edb82868aceae
- 19907027b3b936670924854feb2ce2112972b39df8120d4cb9ae904e057b6198
- 35a71504ac2806d3ac17dfed1c580ab87b22eb09d0f33afd7400f77bae78b383
- 374af7e0b9d04ea1845d7c6d1ae7b52d779ab5119762b5d47b3b47246fbb0f75
- 3df3817c82c7e44d164c0ac43479a5a280ab9cc5cd3c2da0a2aca7a4f9ea95bf
- 59dfbaef9937ff381434d144bff16203cbbe4cfcdfb79818379404c6d42f55ca
- 80429d54c4ff5edd8ebb2bce803ca4a434fd4ef81aaf8fd2571d3d7cb9b83fc9
- 81d0d0a1abda054dfc3335f21f7f2ff4555bd3a6038cf13a75654a6f8d7da2d2
- 84a2d2173f8215e239bbdc06e12133f82d716c06d550f6f34d0e5f0458048890
- 8a02a9b726dc1db8ee848997b3735127c5e96b460219e4b5f8aadcc86f37f5c6
- 94a48ea009b39ec30571256ae4fafe84a83ebde2801d24207263f5e80b41ae1e
- a7b4996bb263d8eb7afc9e6ca993173a13820896c9f567ca2b9527013d801b57
- c3e582481a04368409765dd76e12358e5ef45fd0d837131059ef929f8635fc7e
- cbe868b22594dd7f9905d12c00a8382fcd5431408f559f0f14e99a8be27f6349
- d25debe1cf9e028b386615db4db0a3de21659fccf3cb72248376821d537a73b5
- da0f6cc9136adf5a0dc1f646e953ac9f20adc59c782c5848e9a3f843c8dc3dda
- dc9bdb08cf24f8bce76703c4e6ec576e12147d0555d149a96bef6cff67c4e58f
- e5f569e7b0e5c5b1db07e5fc292a8889e5043b05d8dac636aeb378e3552d35a4
- eb129e9a89c3f74eaaadf5b61d25aff57654a5bfc93e86dd3f1894129ee62bd4
- fa1c0fee3032048bba15c2d1c34dde82815df631a900d8a88c3a2adbb67645fc
- fd4c2da96e2c4968773ac916309a99eea142af824e5c12b1a801888b0aa24fb5

LOCATION OF THE INSTALLER DLL FILES:

- C:\Users\[username]\AppData\Local\Temp\temp.tmp
- C:\[same directory the Word doc is located]\f1a30027.jpg
- C:\[same directory the Word doc is located]\f8015423.jpg
- C:\[same directory the Word doc is located]\b0635dfb.jpg
- C:\[same directory the Word doc is located]\b72e0f4c.jpg
- C:\[same directory the Word doc is located]\ce81b018.jpg

RUN METHOD FOR INSTALLER DLL:

- regsvr32.exe [filename]

AT LEAST 5 DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:

- 104.131.13.31 port 443 - ldrfewa.casa - GET /background.png
- 104.131.13.31 port 443 - ldrnuri.casa - GET /background.png
- 159.203.35.240 port 443 - gugafirst.top - GET /background.png
- 159.203.35.240 port 443 - gugasecond.cyou - GET /background.png
- 159.203.35.240 port 443 - ldrfohill.casa - GET /background.png

NOTE: I did not see the IcedID EXE today....

HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL EXE:

- port 443 - support.apple.com
- port 443 - support.microsoft.com
- port 443 - support.oracle.com
- port 443 - www.intel.com
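The following is an added example, not part of the paste and not tooling from malware-traffic-analysis.net: it turns the indicators above (installer domains and IPs, the /pudiv/tedy.php?l=gike<N>.cab path, the /background.png check-in hosts, and the temp.tmp / <8 hex>.jpg drop names run through regsvr32.exe) into a small detector and runs it over a few constructed proxy log lines and process command lines. The space-separated log format, the ProxyEvent field layout and every sample line are assumptions made for the illustration; only the indicator values come from the lists above. The legitimate support.* hosts are deliberately left unmatched, since the paste lists them as benign traffic the installer also generates.

```python
import re
from collections import Counter
from dataclasses import dataclass

# --- Indicators copied from the paste above ---------------------------------
INSTALLER_DOMAINS = {
    "fbz7fl.com", "fk1s50.com", "g7b26ut.com", "i47cml.com", "ip7g25w.com",
    "jve7kr.com",  # spelled "jve7kr.ciom" in the original paste; read as .com
    "kx8sp52.com", "pob8bvm.com", "sh1ywp.com", "twu5vut.com", "w4l8qww.com",
    "xb5k6j.com",
}
C2_HOSTS = {"ldrfewa.casa", "ldrnuri.casa", "gugafirst.top",
            "gugasecond.cyou", "ldrfohill.casa"}
C2_IPS = {"104.131.13.31", "159.203.35.240"}
# Installer fetch path: /pudiv/tedy.php?l=gike<N>.cab (N observed 1..18)
INSTALLER_URI_RE = re.compile(r"^/pudiv/tedy\.php\?l=gike\d+\.cab$")
C2_URI = "/background.png"
# Drop names from the "location" list: temp.tmp or an 8-hex-digit .jpg
DROPPED_NAME_RE = re.compile(r"(?:^|[\\/])(?:temp\.tmp|[0-9a-f]{8}\.jpg)$", re.I)


@dataclass
class ProxyEvent:
    """One proxy record; field order matches the constructed log format."""
    ts: str
    src: str
    dst: str
    host: str
    method: str
    uri: str
    status: str


def parse_line(line: str):
    """Parse 'ts src dst host method uri status' (constructed format); None if malformed."""
    parts = line.split()
    return ProxyEvent(*parts) if len(parts) == 7 else None


def classify(ev: ProxyEvent):
    """Return (stage, reason) when a record matches the chain, else None."""
    host = ev.host.lower()
    if ev.method == "GET" and INSTALLER_URI_RE.match(ev.uri):
        # The same PHP path was served from all 12 domains, so the URI shape
        # also catches a domain that was not in the list yet.
        why = "known domain" if host in INSTALLER_DOMAINS else "URI pattern only"
        return ("installer-dll-download", why)
    if host in INSTALLER_DOMAINS:
        return ("installer-dll-download", "known domain, unexpected URI")
    if host in C2_HOSTS or ev.dst in C2_IPS:
        why = "host and /background.png" if ev.uri == C2_URI else "host only"
        return ("installer-c2-checkin", why)
    return None


def scan_proxy_log(lines):
    """Yield (event, stage, reason) for every matching log line."""
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        hit = classify(ev)
        if hit:
            yield ev, hit[0], hit[1]


def summarize(lines):
    """Count hits per stage for a quick triage of a whole log."""
    return Counter(stage for _, stage, _ in scan_proxy_log(lines))


def suspicious_regsvr32(cmdline: str) -> bool:
    """Flag regsvr32.exe whose argument ends in a documented drop name."""
    parts = cmdline.strip().split(maxsplit=1)
    if not parts or not parts[0].lower().endswith("regsvr32.exe"):
        return False
    arg = parts[1].strip('"') if len(parts) > 1 else ""
    return bool(DROPPED_NAME_RE.search(arg))


SAMPLE_PROXY_LOG = [  # constructed sample lines, not captured traffic
    "2020-08-20T14:02:11Z 10.0.0.15 81.29.134.87 fbz7fl.com GET /pudiv/tedy.php?l=gike3.cab 200",
    "2020-08-20T14:02:40Z 10.0.0.15 45.89.66.41 xb5k6j.com GET /pudiv/tedy.php?l=gike17.cab 200",
    "2020-08-20T14:03:05Z 10.0.0.15 203.0.113.9 newdomain.example GET /pudiv/tedy.php?l=gike2.cab 200",
    "2020-08-20T14:05:12Z 10.0.0.15 159.203.35.240 gugafirst.top GET /background.png 200",
    "2020-08-20T14:05:30Z 10.0.0.15 203.0.113.20 support.microsoft.com GET /help 200",
    "malformed line",
]

if __name__ == "__main__":
    for ev, stage, why in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{ev.ts} {ev.src} -> {ev.host}{ev.uri}: {stage} ({why})")
    print(dict(summarize(SAMPLE_PROXY_LOG)))
    print(suspicious_regsvr32(r'regsvr32.exe "C:\Users\alice\Documents\f1a30027.jpg"'))
```

The URI regex is checked before the domain set on purpose: the paste shows one PHP path reused across a dozen throwaway domains, so the path survives domain rotation while the domain list goes stale within days. The regsvr32 check is the host-side counterpart and is meant for process-creation telemetry such as Sysmon event 1, where the command line is available.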