API tools faq
paste
malware_traffic

2020-11-05 (Thursday) - TA551 (Shathak) Japanese-template Word docs pushing IcedID

malware_traffic
Nov 4th, 2020 (edited)
8,990
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 6.29 KB | None | 0 0
raw download clone embed print report
  1. 2020-11-05 (THURSDAY) - TA551 (SHATHAK) JAPANESE-TEMPLATE WORD DOCS WITH MACROS FOR ICEDID:
  2.  
  3. CHAIN OF EVENTS:
  4.  
  5. - malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID DLL
  6.  
  7. 22 EXAMPLES OF TA551 WORD DOCS WITH MACROS:
  8.  
  9. - db53aff36be9a79d54c8c8f801bb47d065212bae7bc25ac5d1227de7bacb0d41 bid_11.20.doc
  10. - 2f166df5274595c77cb8089d1742a27ff12721178dde1412ddc8ab16d8415219 charge.11.20.doc
  11. - c9c1ae9c9684bdb70c0b1055cd8a6272e02040c28d4a2aabbbe0b092ba2c9a4a command_11.05.2020.doc
  12. - cae8523e235db27c555dc1a577b6dde1d6ab474f9186f8f7b0e8941380576d40 deed contract_11.05.2020.doc
  13. - 67b66a7164065cfee6f1a6b39dbcdf8382a3590d0caa9454084ec14a179aa209 document.11.05.2020.doc
  14. - f92dbcff05c07be3a18da38ec82c9a6668bedaad145dd5f35111f64f77802490 document 11.20.doc
  15. - ed7eea5064b2d4ed38ea2d1c4fd4182e0c5231718680d05863394882713d0eda documents_11.20.doc
  16. - 6138e4dc93c53e3a0e18ac907a6b711609a6dc2728e775c6d8dbc03ea690d27c enjoin-11.05.2020.doc
  17. - 04bbbccdf09e3e2c80be37a28a935381d5421bdb15199c450cda4897c0c14414 file.11.20.doc
  18. - 36a1e1600cda9affea95512dea5547bdd68ef372defc44e4beb241dc5cc3af3f instrument indenture 11.20.doc
  19. - 25a8e3742683580e5c50927094a7f452e27fe333f141f29d9e7d32be23c4d049 intelligence-11.05.2020.doc
  20. - fb41a2684b1d177b80fd3bf07e05b075e146038232e1dbd5f182e215c353ff5c intelligence 11.20.doc
  21. - be377a15a446075ddf3543228f8ae34057b165da417c26a4c161e0c8f5d7412a legal agreement 11.20.doc
  22. - 48d9e53e3b201e2658eba607b35571db95b67dd10e7294473e98a6b748895eac legal paper_11.20.doc
  23. - dcf515a3f72f65521925cbd6912fb830d6b816ba43d9b0f8a5a24d3667fe8673 official paper_11.20.doc
  24. - 4b0ebfffabca17c273712abe30c9d9b3754fae702d5bf405bff1ee6e28e5ac7e ordain-11.05.2020.doc
  25. - a706aec605efdc8e9ba5a04a5b9701432b11c6713e407704ea8cb65d42de5538 order,11.05.2020.doc
  26. - 77e9ac70a42be16db0e2eb121e201ac204e81fcb0f40296662ffe45ca306f150 particulars,11.20.doc
  27. - 825a32babe73447b580c8e4395062a476d565bab2a0f943b6e343010245f0cb4 prescribe ,11.20.doc
  28. - d170136f6b996d1baa08813ef9675f2f1e6a87c5de4102a80c02f092ec742ef0 question.11.20.doc
  29. - e63028f1b8e568cb784c178e65b0a48a7e80b79afeac46de1a4fa677f972f39b specifics 11.05.2020.doc
  30. - 5de2afdb561b6486edf370b7b1d4204ff34c37204205e317317078c0cf479150 specifics-11.05.2020.doc
  31.  
  32. AT LEAST 10 DOMAINS HOSTING THE INSTALLER DLL:
  33.  
  34. - cradle5590[.]com - 81.29.143[.]161
  35. - erase1656[.]com - 185.219.43[.]190
  36. - essay9763[.]com - 194.40.243[.]77
  37. - flower5428[.]com - 188.120.253[.]217
  38. - follow1906[.]com - 185.62.103[.]89
  39. - oppose1345[.]com - 51.38.154[.]24
  40. - parent8700[.]com - 95.214.9[.]184
  41. - soda8729[.]com - 185.118.167[.]118
  42. - story6649[.]com - 194.116.162[.]177
  43. - what6233[.]com - 193.201.126[.]82
  44.  
  45. EXAMPLES OF URLS FOR INSTALLER DLL:
  46.  
  47. - GET /update/LMkbCkgyvjqWYHrUnRSORYglFSwZrsmoxaFPZIcaCsGRXxtzYNNTmLpdKXSpzjNqC/iuyala1
  48. - GET /update/lFtjCLtUzQAk/EEbR_bIviWPFKbNvDZemEbqswGYhQBSCyHaxB/iuyala2
  49. - GET /update/lmtlHSlRHjZR/zPPzokHAbq_ZBNwKTlYABdTzdgfvHpFnf/kRTqZXalJ/RWJHqHttdC/kimiCMQZvfsYEU/iuyala2
  50. - GET /update/blKMhhnEr/shRIACXpnjnSFmKqFFDilOnpWIYEgKDRSapd_ikaXCVIfYUzgoR/iuyala3
  51. - GET /update/jTbSYPxwSDbmjyCAdkBoQtBNXUnmhnLjd_TRS_vHVVDjTQkK_WNhYWfyPcLVcJVdC/iuyala3
  52. - GET /update/cj/cIEqNWQHFlDvkGcNvDeYIwQMdVrCpNwffztDBVkfXSlFStt/qnOJkDGbo/iuyala4
  53. - GET /update/M/dzDStFBPlEZXATkFrlWVNTBBmP/PpNkPImnSRSUNTIfkTwhu/LJDxuTWmFcxcfIhctzsh/kj/iuyala4
  54. - GET /update/HucYUHsTpuYOq_nKSBSHkrGSHHzkKQWHOzdhKgsWIwMqZbnp__wJAhvYzTLGRGG/iuyala5
  55. - GET /update/TFrIbaqvLrhafUZl_aClEOdlq/Md_kqJnbYamSKlQTMQpfQIF_bvXbwZOPOLp/iuyala6
  56. - GET /update/RrKqCYwfhgqRPKmmHhfkeUEnvbkPgK_cqhWnT/QLoRUqFVUCALxtElbM_/iuyala7
  57. - GET /update/hmZWSpGugwEDOSFHYMOnYeq/pFFxpyMEIpUGdUCmcuJsbhtoDOkLMcrt/l/C/xBwd/iuyala7
  58. - GET /update/dbdBPCprdQjHfHSIPvJwYsfccHhMqBpItbdUBFqkGKzQNUhUjHSQvebVzSILDaft_WDAAiDXmmbSBY_OIE/iuyala8
  59. - GET /update/hfYjtijzjwdTPOpa_CQBfoJqZUOMPjBffkBCZdPIQAEDzZSiL/qFdYOq/n/b_dSChZ/lDpktzH/iuyala9
  60. - GET /update/KWQezyTDDtO/DHYJHdOMYHcx_uUDJ/NkHqHugtrNBcCnm/PzTwlAholekoYd_HBsjjDTwQOThOrtC/iuyala9
  61. - GET /update/dcpzZShWWf_qnsUlNRz/tcGvT_bMbuZZhCUpYvJAKcWqtivucvvmqmUDPPKxbpgbnEV/iuyala10
  62. - GET /update/IxGWHEAOCUc_fkAVDcZScLTXIvbUjiFQdL_VPGAnHCLebkjuEdDMSpdFL/iuyala11
  63. - GET /update/VdlYZWmUkwXoKhIdRUkaZHUscJPjPFcbVOV_cJwtroxpqerBjrQHjkKwOyxuXaM_Kbfrb/iuyala11
  64. - GET /update/CAIiwHWvhjGAp_z/jTLHZhENzNpJnEZXUalFhr/iuyala12
  65. - GET /update/VzjuQJCHvhXDxVDcBvqQRgjksNbSKVFIpFZjkS/esWMCfFBGzhlSGjvIfXVmQrMcTdPQtcgsNMmMzhf/iuyala12
  66. - GET /update/TzjjNphW_iqhAegfQcItABSqdiNhdfprIBGPp/hnlNlyBhBigidYjnCRAogXjX/iuyala13
  67. - GET /update/jcja/yCGHnwRmyMVTeCqljgln/JTHBIgVESrNVdrgJMGGNdiqqGxCNACjXDBjkMJKFPKvJNYXFVbcxYvbS/iuyala13
  68.  
  69. 8 EXAMPLES OF INSTALLER DLLS:
  70.  
  71. - 1fa50d8c5b34e135f17d1aee71e4759caeb99b4cbded8aaecf3610dc92421a98
  72. - 42e6e0689815d949577e3ae3fe6b3c23d0acb050d127dca10002caabb5649f63
  73. - 5fe831cc1f185f0c1f83661d8e4813ec7014c00cf22fe6de02036ca9f90dcd57
  74. - 83236cf44a4f97d773664ddebd6faaeb6c0fdf809d43632b49e6345217a4b85f
  75. - 990e453d4c711820a9036e8b3a2695cba1b51876279db9e5f5a83791bca91d4a
  76. - aa1d62222a4a2fd38aa7cb4bc0040493409a3e13561de59b740ad53ab4dba118
  77. - cc4400d249739c029f4ebbaece292fa9553d06ae6fc97c1567cc4ddfad2c10cd
  78. - f20a6c1783ae9ca8dd81e6c19702b6f81c73293ce8dc52ef4cc152f7de5ebb86
  79.  
  80. EXAMPLES OF LOCATION FOR THE INSTALLER DLL FILES:
  81.  
  82. - C:\Users\[username]\AppData\Local\Temp\temp.tmp
  83.  
  84. DLL RUN METHOD:
  85.  
  86. - regsvr32.exe [filename]
  87.  
  88. HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL:
  89.  
  90. - port 443 - www.intel.com
  91. - port 443 - support.oracle.com
  92. - port 443 - www.oracle.com
  93. - port 443 - support.apple.com
  94. - port 443 - support.microsoft.com
  95. - port 443 - help.twitter.com
  96.  
  97. AT LEAST 2 DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:
  98.  
  99. - 167.99.248[.]130 port 443 - covercinemo[.]club - GET /background.png
  100. - 167.99.248[.]130 port 443 - detecvasquez[.]cyou - GET /background.png
  101.  
  102. 2 EXAMPLES OF SHA256 HASHES FOR ICEDID DLL CREATED BY INSTALLER:
  103.  
  104. - dec4d9a6c0253aa74bd2700f9e981c7724f136f6a68db54284bd1e3072e8254f (initial)
  105. - 1ad3f240686cb252388a38adbf9ffe2cad9b56c95e4f7fce4b8fc3555f24c426 (persistent)
  106.  
  107. HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ICEDID DLL FILES:
  108.  
  109. - 104.248.90[.]150 port 443 - blokaddio[.]top
  110. - 104.248.90[.]150 port 443 - defeodallio[.]cyou
  111. - 104.248.90[.]150 port 443 - grekilioliplane[.]best
  112. - 104.248.90[.]150 port 443 - nawserty8[.]club
  113. - 104.248.90[.]150 port 443 - quaddroporrte4[.]top
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!