-
Notifications
You must be signed in to change notification settings - Fork 11
/
2022-08-10-IOCs-for-IcedID-and-Cobalt-Strike.txt
107 lines (77 loc) · 4.33 KB
/
2022-08-10-IOCs-for-IcedID-and-Cobalt-Strike.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
2022-08-10 (WEDNESDAY) - THREE COBALT STRIKE BINARIES FROM ICEDID (BOKBOT) INFECTION
REFERENCE:
- https://twitter.com/Unit42_Intel/status/1557450489473662976
NOTE:
- The IcedID infection began on Tuesday 2022-08-09, and Cobalt Strike later appeared on Wednesday 2022-08-10.
INFECTION CHAIN:
- email --> password-protected zip archive --> extracted ISO image --> files to install IcedID --> IcedID C2 --> Cobalt Strike
ZIP ATTACHMENT AND EXTRACTED ISO IMAGE:
- SHA256 hash: da3758e495b18811cdc54f9a4379a7870d34990f232cc4dacc1366db28c1cbff
- File size: 182,218 bytes
- File name: Invoice#8289_August-09-2022pdf.zip
- File description: password-protected zip archive
- Password: august09
- SHA256 hash: 3118ae5d1126fe2fd3a1290cfd9fe7bba6bdf9fcc16985938e9836d57d30f617
- File size: 581,632 bytes
- File name: Inv#08_09_2022pdf.iso
- File description: ISO image extracted from the above zip archive
CONTENTS OF ISO IMAGE USED FOR THE INFECTION:
- SHA256 hash: 8719b929eb73091f6222d67db52154807714fd309425674a660f35153540e953
- File size: 1,340 bytes
- File name: Invoice-August-09-2022pdf.lnk
- File description: Windows shortcut that runs batch file
- SHA256 hash: bbd87df5a81659cfd946abff6fba3c37b609d140ac3318abeceadf11fbd06fae
- File size: 62 bytes
- File name: your/theThingWithInWay.bat
- File description: Batch file run by the above Windows shortcut
- SHA256 hash: fa29eb8864ca60b8483e75027ebe66a76305e0418033ba31d74a905549246338
- File size: 404 bytes
- File name: your/orInHowPeopleWe.js
- File description: script run by the above batch file
- SHA256 hash: 0ce6490ad077abddd822df8a947242b1ac6df7769f151bd822c7c3e5737f2912
- File size: 74,240 bytes
- File name: your/nowThoseUseBecauseAs.txt
- File description: 64-bit DLL installer for IcedID
- Run method: rundll32.exe [filename],#1
FILES FROM THE INFECTION:
- SHA256 hash: 770f77dfff239ac2fddcc603806062c968d9db9ef6819794bb2452d28856a537
- File size: 400,316 bytes
- File location: hxxp://qropalhouse[.]com/
- File description: gzip binary from qropalhouse.com used to creat license.dat and peristent IcedID DLL
- SHA256 hash: 1de8b101cf9f0fabc9f086bddb662c89d92c903c5db107910b3898537d4aa8e7
- File size: 342,218 bytes
- File location: C:\Users\[username]\AppData\Roaming\PalaceMyth\license.dat
- File description: data binary used to run persistent DLL for IcedID
- SHA256 hash: 1b92046cff47b821b3666c72dea660b5ec9ebfd9556bd0de33883ebe1de0f3fc
- File size: 57,344 bytes
- File location: C:\Users\[username]\AppData\Roaming\[username]\{8AFDF19C-FA6B-B120-6228-7BCCBDAD03A3}\Ilfievtk.dll
- File description: 64-bit persistent DLL for IcedID
- Run method: rundll32.exe [filename],#1 --ra="[path to license.dat]"
- SHA256 hash: 99be525b748064edaa30caa911b1122187139c463ad29068c3ee5cf69eed774e
- File size: 1,018,880 bytes
- File location: hxxp://lobazedeke[.]com/jjj.dll
- File location: C:\User\[username]\AppData\Local\Temp\wapehi.dll
- File description: 64-bit DLL stager for Cobalt Strike
- SHA256 hash: 5efe564a2c779adebab8e664d524a0cfd026c8ab3a57527bd1d821245ffc2a8c
- File size: 2,134,016 bytes
- File location: hxxp://172.93.98[.]170/download/a2.dll
- File location: C:\User\[username]\AppData\Local\Temp\Unfeag2.dll
- File description: 64-bit DLL stager for Cobalt Strike
- SHA256 hash: 33d17bbc69d8f9087dc9a774d314cdde24d2ac81c42bb3b7f839a206b77d9ea8
- File size: 2,134,016 bytes
- File location: hxxp://104.243.42[.]63/download/63a.exe
- File location: C:\User\[username]\AppData\Local\Temp\Pegaxu1.exe
- File description: 64-bit EXE stager for Cobalt Strike
TRAFFIC FROM THE INFECTION:
INSTALLER RETRIEVES GZIP BINARY:
- 64.227.108[.]27 port 80 - qropalhouse[.]com - GET / HTTP/1.1
ICEDID C2 TRAFFIC:
- 167.99.193[.]49 port 443 - wronigrabs[.]com - HTTPS traffic
- 167.99.193[.]49 port 443 - cleverchaosname[.]com - HTTPS traffic
COBALT STRIKE ACTIVITY:
- 64.44.135[.]36 port 80 - lobazedeke[.]com - GET /jjj.dll HTTP/1.1
- 213.227.154[.]169 port 443 - junudorij[.]com - HTTPS C2 traffic from the above DLL
- 172.93.98[.]170 port 80 - 172.93.98[.]170 - GET /download/a2.dll HTTP/1.1
- 23.106.215[.]64 port 443 - jahojahi[.]com - HTTPS C2 traffic from the above DLL
- 104.243.42[.]63 port 80 - 104.243.42[.]63 - GET /download/63a.exe HTTP/1.1
- 64.44.135[.]171 port 443 - bidevazomu[.]com - HTTPS C2 traffic from the above EXE