malware_traffic

2020-09-11 (Friday) TA551 (Shathak) Word docs pushing IcedID

Sep 11th, 2020 (edited)
2020-09-11 (FRIDAY) - TA551 (SHATHAK) WORD DOCS WITH MACROS FOR ICEDID:

CHAIN OF EVENTS:

- malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE

24 EXAMPLES OF TA551 WORD DOCS WITH MACROS FOR ICEDID:

- 3faf7acb478370a170421a1b482eb03eac2e8299c4f5a3454e5f17c36c55022b bid 09.11.2020.doc
- 8d0f4f0e727e92bb5397a44f04adac98badc4df6ad8b957f38352c95daf24c1c bid_09.11.2020.doc
- 3243069cdcf0b33e18e64b27f04fdde74e5c74c0782c60d71ae33ef25eb86053 certificate.09.20.doc
- bd1ddeb98394b36ca719c7805a6c0b50247f34c42d65c86bfb9514a1c3bb6469 command,09.20.doc
- 1bed53e1bde6be3f82fe3dd44aa51fb893f1532cb21f6269ba15997272cc20ac decree,09.20.doc
- b40446babccd8f11a37ddc9e76c328d0192ac2271d6fd8ec59ab73e258f2b4e1 docs 09.11.2020.doc
- 5f3ff4e03546409fcff785d95c92c991bdde635198d412d52568796064dc7e6f docs_09.11.2020.doc
- ffe9a89fd37cf7b93ffa509593d9a35274d6433f0f72eaa819d86a3a4deefef2 enjoin 09.20.doc
- 6df823e7c074c216cd1a908b07037139823f7ebb0f5a87d7aac278e5eada241d enjoin-09.20.doc
- e67d1fa25e2b18fdf298eb28a377a3b8d550b4e8e746c6829e934cf050f1e403 inquiry 09.20.doc
- 7d5bfcb69c9e77593a9c034c6d1772beabbab437fd882f8825e244f64e64ff7f intelligence 09.11.2020.doc
- 8e0de87f2a89746f66591f407cac810a141a16b0710ce71e94c0dd9492d968f5 intelligence 09.20.doc
- aef85fab6ec98e3578af4dbf3e2d4455e41f2818d4d420a2e22839ccc94f173a legislate 09.11.2020.doc
- 76eed2d0be80328857632eea35b65fa97e6600df9047f10d7231159ad7a99efd legislate,09.20.doc
- 4e7a777cc596883f81a581fb6b12fbb42a4acddd3905ee00cace076cc3c24d56 legislate-09.20.doc
- 14024cb901d499a7d23ec706ef0e813c6dccaa895041632844cddf6a8a9ead10 legislate_09.11.2020.doc
- ba978c0f11958ebf0cf734ceb7f9a5a08b7a224ce19582389cc9544bb8823ec0 material,09.11.2020.doc
- 05b2c20f81faed55c758de46f33f68b91021d233435a82d1749b8f79fdb31a3d ordain_09.20.doc
- 84f56506eefbabb6ef4d09b1632f78fc2dba9ca62f3de53d67e2e181b416b5ae question 09.20.doc
- 6eb29c273c0a5b5275cd81040d4a28dc91e15d01fce392da9de4064a3147a59a report,09.11.2020.doc
- 6c2a461a9082f0b2ceef42588c4568620f0ab3ae934c6d20ae8b5f8908bc64ec rule 09.11.20.doc
- ac68afe990cfea9ccc01fe3c15e305338fb32597fc79b2ba2e2949f5e8310578 specifics-09.11.2020.doc
- 5cae21d65fc0fe0f1b394d61694f0ae5cfe6214aaebba22bd7661aad1704a45c statistics 09.20.doc
- 588032bd2e8622ba06bcdb1e64886908a29880376152b38e9c5b32bac4d686a4 tell,09.20.doc

AT LEAST 8 DOMAINS HOSTING THE ICEDID DLL:

- a66i3j[.]com - 193.38.55[.]37
- bkyigbm[.]com - 62.109.11[.]237
- bz3izuh[.]com - 91.208.184[.]201
- cf09oe[.]com - 185.92.202[.]112
- cjlf16[.]com - 188.120.236[.]106
- ozxa1jr[.]com - 45.157.140[.]13
- sjfmz82[.]com - 45.157.140[.]9
- ugnlgg[.]com - 185.118.164[.]236

URLS FOR ICEDID DLL:

- GET /fuho/zahel.php?l=xavab1.cab
- GET /fuho/zahel.php?l=xavab2.cab
- GET /fuho/zahel.php?l=xavab3.cab
- GET /fuho/zahel.php?l=xavab4.cab
- GET /fuho/zahel.php?l=xavab5.cab
- GET /fuho/zahel.php?l=xavab6.cab
- GET /fuho/zahel.php?l=xavab7.cab
- GET /fuho/zahel.php?l=xavab8.cab
- GET /fuho/zahel.php?l=xavab9.cab
- GET /fuho/zahel.php?l=xavab10.cab
- GET /fuho/zahel.php?l=xavab11.cab
- GET /fuho/zahel.php?l=xavab12.cab

14 EXAMPLES OF ICEDID INSTALLER DLLS:

- 1b17fc75a68fe091ae05f11e691996f4ecf647c9fb67fec38ebf51d4d7a62b40
- 3ef3619c3a30eb03404764d7267199efdda86e88b6f4f5ba20e641ffd253eecf
- 43dc5609f777298976914cf417b149f909faf6084a36e83b71cf94dd73e9cb1e
- 485e15d8c1b907a2daaade0ef3817411621f192effcfcd4e158684d6032b82e8
- 6d405d85091429bfef38e34aab90e5fa509eab2e4eec28ba93b5a2ce0d9b1748
- 75a7cb73ca0e01413462b0ec15317c855bc24bec0850324b97eb72c4fd429313
- 839aee5f9b2423c3be1f78f949ae3cfcee9094434297a35ff0318791ef87bf3e
- a48f59d33ac08e950742939e171916ada09359132110009ccb0fc14d45dcd876
- c2a2b61003dba1e5d6da5b397439e2f7f79615ef10a3f8cb57ac90fe9a0b5fb7
- d40581eae03d0d9e188296e6c15fbfb4fae8d4272d6803f9f0be349e6f237adc
- df63a9a56f4a68d159e7aaa9067e3c8be8cb3c2af583d087835b7d147f0903b1
- e39108f06a9bdc616ab8f3e768662c5c5db946e9511d8949ec4da3e9ff0b4633
- efe2e772af8c69f1eadde7e5e75d5f7b39ab8c14a2c8685bbc39f52290839b57
- f626c9dfd4f8e8c2aea66ff011aa1a1dd06106133bf5a80cdcbb48a608a9f03f

EXAMPLES OF LOCATIONS FOR THE INSTALLER DLL FILES:

- C:\Users\[username]\AppData\Local\Temp\temp.tmp
- C:\ProgramData\bcbfa.hello
- C:\ProgramData\cb54e.hello
- C:\ProgramData\cd23e.hello
- C:\ProgramData\ebf45.hello
- C:\ProgramData\f8a36.hello

DLL RUN METHOD:

- regsvr32.exe [filename]

AT LEAST 3 DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:

- 194.113.34[.]92 port 443 - loadperventin[.]casa - GET /background.png
- 159.65.137[.]90 port 443 - ldrplastic[.]casa - GET /background.png
- 159.65.137[.]90 port 443 - loadspanny[.]casa - GET /background.png

SHA256 HASHES FOR ICEDID EXE CREATED BY ICEDID INSTALLER (EXAMPLE 1):

- 3b95da4a63198b1250b585db653af3b21bb20cc1689bf768f042d62d815c6ee4 (initial)
- 0f77b1fb5f4848703da462f84d0de845268f7a1bfb6f08d59726a3e224a4567a (persistent)

HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ABOVE ICEDID EXE FILES:

- 68.183.47[.]194 port 443 - budagent[.]cyou
- 68.183.47[.]194 port 443 - castrovillage[.]cyou
- 68.183.47[.]194 port 443 - delegatoz[.]xyz
- 68.183.47[.]194 port 443 - patriwifecis[.]cyou

SHA256 HASHES FOR ICEDID EXE CREATED BY ICEDID INSTALLER (EXAMPLE 2):

- 49a6d713a8ffe3a194498f25450bc11a1e85657530798318378cbfae479a28dd (initial)
- 691484e4df83d6f592a0ddebd8bd1afffc4568205a3b7f51c11c549124a1150c (persistent)

HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ABOVE ICEDID EXE FILES:

- 164.90.153[.]241 port 443 - jheckler[.]top
- 164.90.153[.]241 port 443 - tizersincluded[.]best
- 164.90.153[.]241 port 443 - saqerisation[.]best
- 164.90.153[.]241 port 443 - matrossinio[.]xyz
- 164.90.153[.]241 port 443 - povoliporillio[.]xyz

HTTPS TRAFFIC TO LEGITIMATE DOMAINS FROM THE INFECTION:

- port 443 - www.intel.com
- port 443 - support.oracle.com
- port 443 - www.oracle.com
- port 443 - support.apple.com
- port 443 - support.microsoft.com
- port 443 - help.twitter.com