2023-08-31-IOCs-for-IcedID-activity.txt

2023-08-31 (THURSDAY): ICEDID (BOKBOT) ACTIVITY

REFERENCES:

- https://www.linkedin.com/posts/unit42_threadhijacked-icedid-bokbot-activity-7103370928696299520-eUf2
- https://twitter.com/Unit42_Intel/status/1697605312205766960

INFECTION CHAIN:

- email --> attached PDF --> link from PDF --> fake Azure page --> URL for .js download --> .js file --> IcedID infection

FOUR EXAMPLES OF PDF ATTACHMENTS:

- c21f3e8a486b65a15b7826bf57d73932bf9c8891fcd155e2456543d4387b13ce - 25,828 bytes - Inv_UG_08-31_14219.pdf
- 7d18714db94ff02fe55fc71296ff32178d11b30b337ae9c110c10f385719e610 - 27,071 bytes - Inv_UG_08-31_61955.pdf
- a3b6e895230b4b01095c8776e46d62cf5453c9d25389d51a8e551960cfef4602 - 25,877 bytes - Inv_UG_08-31_69127.pdf
- efc9bd5c214109327b515ac8cc3fbe8296fb329af757fcf90f8e50660bcc1c3c - 27,305 bytes - Inv_UG_08-31_91443.pdf

LINKS FROM THE ABOVE PDF ATTACHMENTS HOSTING FAKE AZURE PAGES:

- hxxps://3dlifestyle.taskdoners[.]uk/novation
- hxxps://cursos.educa-tecno[.]com/arteries
- hxxps://johnotitoju[.]com/interpolator
- hxxps://mariogb[.]com/interpretation

AFTER COMPLETING CAPTCHA ON FAKE AZURE PAGE, FOUR EXAMPLES OF URLS THAT SENT .JS FILES:

- hxxps://admisiones.stpetersacademy[.]app/explain
- hxxps://api.statistics4u[.]net/abetting
- hxxps://clock.jjjbros[.]com[.]au/distribution
- hxxps://pcsp.solutionx3[.]com/adumbratively

FOUR EXAMPLES OF DOWNLOADED .JS FILES:

- 575adc02f7da80ad030f4b8d11a9485e0a88d0b58466d2e1736ef3c6bd582772 - 32,901 bytes - Document_Scan_239.js
- 3c62a76cd3627ac12b90902b4581a6fb4b091bb77588cf9cf7743090ebeae343 - 30,853 bytes - Document_Scan_356.js
- 241eb4745a5c843f75cbe92255d9509bbadba7d22858bb17bec61964c29a5cff - 33,006 bytes - Document_Scan_462.js
- 15c164e247b49af56ae86a9a7447b459fb829a4e25a04feccf34661a203e7989 - 29,800 bytes - Document_Scan_67.js

FOUR EXAMPLES OF BATCH FILES GENERATED BY THE ABOVE .JS FILES:

- C:\Users\[username]\AppData\Local\Temp\ab.e.bat
- C:\Users\[username]\AppData\Local\Temp\at.d.bat
- C:\Users\[username]\AppData\Local\Temp\illum.y.bat
- C:\Users\[username]\AppData\Local\Temp\ut.w.bat

- Note: The above file names are specific to a corresponding .js file, and they are deleted after loading the DLL.

URLS HOSTING ICEDID INSTALLER DLL:

- hxxps://avestainfratech[.]com/out/t.php
- hxxps://moashraya[.]com/out/t.php  <-- NOTE: This contacted the server but did not return an installer DLL

FOUR EXAMPLES OF INSTALLER DLL FILES FOR ICEDID IN C:\USERS\[USERNAME]\APPDATA\LOCAL\TEMP\:

- d2e653460c51aad5bac0d55babb8a6fac736d5ff3e779d97af1dd7dd816d1732 - 65,3841 bytes - ab.e
- 9af5c73e76a0664ba704ada42e51062cfa5bc256820a729571ff7c31d45e88e9 - 65,3834 bytes - at.d
- f85992c4ecba907f07f6043779c852adaec1ec76ccc06a837194f7d2a43a0f43 - 65,3835 bytes - illum.y
- 581b38e456720d2faeef13d56dc0bcbdc1b176273a78dd0d7466395c6abe001b - 65,3834 bytes - ut.w

RUN METHOD FOR THE ICEDID INSTALLER DLL FILES:

- rundll32 [filename], scab /k arabika752

INITIAL C2 GENERATED BY THE ICEDID INSTALLER DLL FILES:

- port 80 - oopscokir[.]com - GET /