2023-08-29-IOCs-for-IcedID-activity.txt
2023-08-29 (TUESDAY): ICEDID (BOKBOT) ACTIVITY
REFERENCES:
- https://www.linkedin.com/posts/unit42_threadhijacked-icedid-bokbot-activity-7103370928696299520-eUf2
- https://twitter.com/Unit42_Intel/status/1697605312205766960
INFECTION CHAIN:
- thread-hijacked email --> link to fake Azure page --> URL for .js download --> .js file --> IcedID infection
LINKS FROM TWO THREAD-HIJACKED EMAILS:
- hxxps://admisiones.stpetersacademy[.]app/sanitaria
- hxxps://castillohairstudio[.]com/loco
REDIRECTED TO FAKE AZURE PAGE AT:
- hxxps://markelytiks[.]com/out/index.php
EXAMPLES OF URLS FOR .JS DOWNLOAD AFTER COMPLETING CAPTCHA:
- hxxps://adv2gosrl[.]it/piecework/
- hxxps://adv2gosrl[.]it/porousness/
- hxxps://amazonasrenaultpromais.ange360[.]com[.]br/paternity/
- hxxps://nuovosito.emmebi[.]tv[.]it/pronationalist/
- hxxps://reigning-through-training.demo13lec[.]co[.]za/fun/
- hxxps://tcs.itlgroup[.]cl/unconcernedly/
SIX EXAMPLES OF DOWNLOADED .JS FILES:
- 79223058a8264ca988b692ac035d7e2e06267e923658a258b6b4ca789db315df - 33,903 bytes - Document_Scan_128.js
- ef589c2964f8dea434f209640f922e7042cc656a4f093b455f410243f95b8cd6 - 31,095 bytes - Document_Scan_211.js
- 63bb62aa5b87cdd55468d9020c97ac700fd5f0f22c130155881484eb98859edf - 32,315 bytes - Document_Scan_289.js
- b4fd70bdeaec2cb109b3f317d132b034b27d9dd0ffa5a78a2006e3ae176e4665 - 34,091 bytes - Document_Scan_31.js
- 301a9b0633759c4271c9d7e6c7b5ae3e5c311b8e14d16db40cedb35b4df1bbe9 - 32,022 bytes - Document_Scan_371.js
- 7003ba528870e4046ee05ba3768c945f1dd1819af443167ed71d6f3913681be7 - 35,881 bytes - Document_Scan_387.js
SIX EXAMPLES OF SANITIZED BATCH FILES GENERATED BY THE ABOVE .JS FILES, USED TO RETRIEVE THE ICEDID INSTALLER DLL:
- C:\Users\[username]\AppData\Local\Temp\adipisci.z.bat
- C:\Users\[username]\AppData\Local\Temp\enim.v.bat
- C:\Users\[username]\AppData\Local\Temp\harum.k.bat
- C:\Users\[username]\AppData\Local\Temp\quibusdam.f.bat
- C:\Users\[username]\AppData\Local\Temp\voluptas.u.bat
- C:\Users\[username]\AppData\Local\Temp\voluptates.v.bat
- Note: The above file names are specific to a corresponding .js file, and they are deleted after loading the DLL.
URLS HOSTING ICEDID INSTALLER DLL:
- hxxps://avestainfratech[.]com/out/t.php
- hxxps://moashraya[.]com/out/t.php
SIX EXAMPLES OF INSTALLER DLL FILES FOR ICEDID IN C:\USERS\[USERNAME]\APPDATA\LOCAL\TEMP\:
- b6ac6653d60624db854192952807e59101c5c59ee2f1eb4bfe817b0cd3557fc7 - 653,833 bytes - adipisci.z
- a8e6d40456b0fb719b18d1743f3fe85a41d06febdb13e4f283515d7d935a40b8 - 653,831 bytes - enim.v
- f0b262b43c130a7970916c7c8c47a399e64dd65989cde0cbb6a71cff3af7dc0d - 653,829 bytes - harum.k
- 774f7501f1c1879914db48f7446a5c296667e976d75df870b6b0f2a02ed8c7b5 - 653,830 bytes - quibusdam.f
- 674f9a6c3e5326811435e86656508a1b6dd61affd0f373b8acdc4ba187486585 - 653,840 bytes - voluptas.u
- e2f18fcdee52724060d1d0eba6ede7e7aac4ee8a9d5bdeb76d95eb2bc42c64b6 - 653,835 bytes - voluptates.v
RUN METHOD FOR THE ICEDID INSTALLER DLL FILES:
- rundll32 [filename], scab /k arabika752
INITIAL C2 GENERATED BY THE ICEDID INSTALLER DLL FILES:
- port 80 - oopscokir.com - GET /
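Added example, not part of the original IOC list: a small Python sweep that refangs the indicators above (hostnames, installer DLL hashes, the rundll32 run method and the C2 domain are taken from the list) and runs them over constructed sample proxy and process-creation logs. The log formats, timestamps, client IP and user name are assumptions made for the example. The rundll32 check keys on the export name "scab" and the "/k" switch rather than the exact argument "arabika752", so a rotated argument still fires, and it flags modules loaded from %LOCALAPPDATA%\Temp without a .dll extension, which is how the installer DLLs on this page are named.

```python
"""Added example: refang the IOCs from this page and sweep constructed sample
logs for them.  Log formats, timestamps, IPs and the user name are assumptions."""
import re
from urllib.parse import urlparse

# Indicators copied from the page in its defanged form.
DEFANGED_URLS = [
    "hxxps://admisiones.stpetersacademy[.]app/sanitaria",
    "hxxps://castillohairstudio[.]com/loco",
    "hxxps://markelytiks[.]com/out/index.php",
    "hxxps://adv2gosrl[.]it/piecework/",
    "hxxps://adv2gosrl[.]it/porousness/",
    "hxxps://amazonasrenaultpromais.ange360[.]com[.]br/paternity/",
    "hxxps://nuovosito.emmebi[.]tv[.]it/pronationalist/",
    "hxxps://reigning-through-training.demo13lec[.]co[.]za/fun/",
    "hxxps://tcs.itlgroup[.]cl/unconcernedly/",
    "hxxps://avestainfratech[.]com/out/t.php",
    "hxxps://moashraya[.]com/out/t.php",
]
C2_DOMAINS = {"oopscokir.com"}
# IcedID installer DLL SHA256 hashes from the page (the .js hashes can be added the same way).
KNOWN_SHA256 = {
    "b6ac6653d60624db854192952807e59101c5c59ee2f1eb4bfe817b0cd3557fc7",
    "a8e6d40456b0fb719b18d1743f3fe85a41d06febdb13e4f283515d7d935a40b8",
    "f0b262b43c130a7970916c7c8c47a399e64dd65989cde0cbb6a71cff3af7dc0d",
    "774f7501f1c1879914db48f7446a5c296667e976d75df870b6b0f2a02ed8c7b5",
    "674f9a6c3e5326811435e86656508a1b6dd61affd0f373b8acdc4ba187486585",
    "e2f18fcdee52724060d1d0eba6ede7e7aac4ee8a9d5bdeb76d95eb2bc42c64b6",
}


def refang(ioc):
    """Undo the hxxp / [.] defanging used in the list above."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


def indicator_domains():
    """Hostnames from every refanged URL plus the C2 domain."""
    return {urlparse(refang(u)).hostname for u in DEFANGED_URLS} | C2_DOMAINS


# Assumed proxy log format: "<ts> <client-ip> <method> <url> <status>".
PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def sweep_proxy(lines):
    """Return one hit per proxy line whose host is an indicator."""
    wanted = indicator_domains()
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        host = urlparse(url).hostname
        if host in wanted:
            hits.append({"ts": ts, "client": client, "host": host, "url": url})
    return hits


# Run method from the page: rundll32 [filename], scab /k arabika752
# Match the export name and the /k switch; capture the argument for context.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*scab\s+/k\s+(?P<key>\S+)',
    re.IGNORECASE,
)


def sweep_process(lines):
    """Return one hit per process command line matching the installer launch."""
    hits = []
    for line in lines:
        m = RUNDLL_RE.search(line)
        if not m:
            continue
        dll = m.group("dll")
        hits.append({
            "dll": dll,
            "key": m.group("key"),
            # Installer DLLs on the page sit in %LOCALAPPDATA%\Temp with no .dll extension.
            "temp_no_dll_ext": "\\appdata\\local\\temp\\" in dll.lower()
            and not dll.lower().endswith(".dll"),
        })
    return hits


def is_known_hash(sha256):
    """Case-insensitive lookup against the installer DLL hashes."""
    return sha256.strip().lower() in KNOWN_SHA256


# Constructed sample logs (assumed format; not from the page).
SAMPLE_PROXY_LOG = [
    "2023-08-29T13:01:02Z 10.1.2.3 GET https://castillohairstudio.com/loco 302",
    "2023-08-29T13:01:03Z 10.1.2.3 GET https://markelytiks.com/out/index.php 200",
    "2023-08-29T13:01:40Z 10.1.2.3 GET https://adv2gosrl.it/piecework/ 200",
    "2023-08-29T13:02:10Z 10.1.2.3 GET https://moashraya.com/out/t.php 200",
    "2023-08-29T13:02:30Z 10.1.2.3 GET http://oopscokir.com/ 200",
    "2023-08-29T13:03:00Z 10.1.2.3 GET https://www.example.com/ 200",
]
SAMPLE_PROCESS_LOG = [
    r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r"rundll32 C:\Users\alice\AppData\Local\Temp\adipisci.z, scab /k arabika752",
]

if __name__ == "__main__":
    for hit in sweep_proxy(SAMPLE_PROXY_LOG) + sweep_process(SAMPLE_PROCESS_LOG):
        print(hit)
```

Matching on hostname rather than the full URL is deliberate: the .js download paths on the page are one-word directories that are cheap for the operator to change, while the compromised hosts persist longer. The hash lookup normalizes case so hashes copied from tools that print uppercase still match.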