Introduction Yesterday's diary provided a packet capture (pcap) of approximately 20 and a half hours of traffic from an infected Windows host, which included the initial infection. It also provided malware and artifacts recovered from the infected computer. That was presented as a traffic analysis quiz, and today's diary provides analysis of the activity. This infection was from the recently updated version of IcedID (Bokbot) we started seeing in March 2021. These infections are usually caused by malicious macros delivered in a Microsoft Office document such as an Excel or Word file, like this example from Friday 2021-03-19.
Incident Report Executive Summary: On Tuesday 2021-03-16 at approximately 19:03 UTC, a Windows computer used by Maynard Constantino was infected with IcedID (Bokbot) malware. Victim Details:
Indicators of Compromise (IOCs): Infection traffic:
List of files recovered from the infected user's home directory:
Scheduled task recovered from infected Windows host:
rundll32.exe "C:\Users\maynard.constantino\AppData\Local\{10D90F27-F2E2-6218-7102-7745CA868DA0}\Embiteci.dll",update /i:"CoverReplace\license.dat"
Details on files extracted from the pcap:
SHA256 hash: 4f667f4267b2a1e90029ec3e66de84f0131e573087d4a0f50e4c9b5b9e0a8173
SHA256 hash: 91cf231431ef2cc4defc4f1ad3d149c665acc317c4a89e0188f32df259b63cef
Details on files recovered from the infected Windows host: SHA256 hash: 523bbb839a8c0524c0f372680e6abad3b9158fafa68865381fbd1380b7b934b9
SHA256 hash: 47d084aab92ee591fe180613fda9ffd132b15db9b09be41ab046260cda311dc0
SHA256 hash: 45b6349ee9d53278f350b59d4a2a28890bbe9f9de6565453db4c085bb5875865
Analysis The image below shows traffic from the pcap filtered in Wireshark to focus on the initial infection and C2 traffic.
Of note, several hours after the infection, we started seeing different domains and IP addresses for the IcedID command and control (C2) traffic as shown below.
Using Wireshark's Export HTTP Objects function, you can export the initial malware DLL and the fake gzip file used by IcedID's new "gziploader" technique to infect the host. There are two copies of each file in the pcap. See the image below for details.
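When you pull objects out of a pcap this way, the file's apparent type comes from the HTTP headers and the first bytes, and the "gziploader" file is a case where those lie. The following is an added example, not code from the diary or from the IcedID analysis: it classifies exported objects by checking whether something that starts with the gzip magic actually decompresses, flags PE files by their DOS stub, and hashes everything so the digests can be compared with the IOC list above. The sample objects are constructed here (a real gzip stream, a PE-like stub, and a blob with a gzip header followed by an invalid deflate block); the assumption that the fake gzip file fails to decompress after a valid-looking header is mine, not a detail the diary states.

```python
"""Triage of HTTP objects exported from a pcap: tell a real gzip archive from a
file that only carries the gzip magic bytes, note PE files, and hash each one."""
import gzip
import hashlib
import zlib

GZIP_MAGIC = b"\x1f\x8b"   # ID1 ID2 of the RFC 1952 gzip header
PE_MAGIC = b"MZ"           # DOS stub signature that starts every PE (EXE/DLL)


def classify_blob(blob: bytes) -> str:
    """Return 'pe', 'gzip', 'fake-gzip' or 'other' for a raw HTTP object body.

    'fake-gzip' means the object starts like gzip but the data after the header
    is not a valid deflate stream, so tooling that trusts the header would
    mis-type it. Assumption: this is how a fake gzip file looks to a decompressor.
    """
    if blob.startswith(PE_MAGIC):
        return "pe"
    if not blob.startswith(GZIP_MAGIC):
        return "other"
    try:
        gzip.decompress(blob)
    except (OSError, EOFError, zlib.error):  # gzip.BadGzipFile is an OSError
        return "fake-gzip"
    return "gzip"


def triage_exports(objects: dict) -> dict:
    """Map each exported object name to (kind, sha256) for IOC matching."""
    return {
        name: (classify_blob(data), hashlib.sha256(data).hexdigest())
        for name, data in objects.items()
    }


# Constructed sample objects (not the files from the pcap):
# - a genuine gzip stream produced by the standard library,
# - a PE-like blob that begins with the DOS stub signature,
# - a blob with a 10-byte gzip header (CM=8 deflate, FLG=0, MTIME, XFL, OS)
#   followed by bytes that cannot be a deflate stream: the first block header
#   byte 0x06 selects reserved block type 3, which zlib rejects.
SAMPLE_OBJECTS = {
    "archive.gz": gzip.compress(b"plain text inside a real gzip archive"),
    "payload.dll": PE_MAGIC + b"\x90\x00\x03\x00" + b"\x00" * 60,
    "data.gz": GZIP_MAGIC + b"\x08\x00" + bytes(range(256)) * 4,
}

if __name__ == "__main__":
    for name, (kind, digest) in triage_exports(SAMPLE_OBJECTS).items():
        print(f"{name:12} {kind:10} {digest}")
```

Point the dictionary at the bytes of each object Wireshark exports and compare the resulting digests with the SHA256 values listed in the IOC section; anything reported as fake-gzip deserves a closer look regardless of its Content-Type.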
Perhaps the most easily identifiable characteristic of recent IcedID infections is the license.dat file referenced in the scheduled task. This binary data file is used by both the initial and the persistent IcedID DLL to infect the host and keep the infection persistent; in the task above, rundll32.exe loads the DLL from a {GUID}-named folder under the user's AppData\Local, calls its update export, and passes the path to license.dat through the /i: argument.
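That scheduled task is a usable hunt artifact on its own. The following is an added example, not code from the diary: it parses "Task To Run" command lines (for instance the values from schtasks /query /fo csv /v, or from Get-ScheduledTask action arguments), picks out rundll32 invocations, and flags the two traits visible in the recovered task, a DLL loaded from AppData\Local\{GUID}\ and a license.dat path passed via /i:. The first sample below is the task quoted in the report; the other command lines are constructed for contrast and are not from the infected host.

```python
"""Hunt scheduled-task command lines for the rundll32 persistence pattern:
a DLL under AppData\\Local\\{GUID}\\ invoked by export name with /i:"...license.dat"."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# rundll32[.exe] "<path>.dll",<export> <remaining arguments>; the binary may be
# given with a full path and the DLL path may or may not be quoted.
RUNDLL32_RE = re.compile(
    r'^\s*(?:"?[^"\s]*\\)?rundll32(?:\.exe)?"?\s+'
    r'"?(?P<dll>[^",]+?\.dll)"?\s*,\s*'
    r'(?P<export>\S+)'
    r'(?P<args>.*)$',
    re.IGNORECASE,
)
# ...\AppData\Local\{8-4-4-4-12 hex digits}\ as a path component
GUID_DIR_RE = re.compile(
    r'\\AppData\\Local\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\\',
    re.IGNORECASE,
)
# /i:"path" or /i:path passed to the DLL export
I_ARG_RE = re.compile(r'/i:"?(?P<path>[^"\s]+)"?', re.IGNORECASE)


@dataclass
class Finding:
    command: str
    dll: str
    export: str
    i_arg: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_rundll32(command: str) -> Optional[Finding]:
    """Return a Finding for a rundll32 command line, or None for anything else."""
    m = RUNDLL32_RE.match(command)
    if not m:
        return None
    i_match = I_ARG_RE.search(m.group("args"))
    finding = Finding(
        command=command,
        dll=m.group("dll"),
        export=m.group("export"),
        i_arg=i_match.group("path") if i_match else None,
    )
    if GUID_DIR_RE.search(finding.dll):
        finding.reasons.append("DLL loaded from a {GUID}-named folder under AppData\\Local")
    if finding.i_arg and finding.i_arg.lower().endswith("license.dat"):
        finding.reasons.append('license.dat passed to the DLL via /i:"..."')
    return finding


def triage_task_commands(commands: List[str]) -> List[Finding]:
    """Parse every 'Task To Run' value and keep only the rundll32 ones."""
    return [f for f in (parse_rundll32(c) for c in commands) if f is not None]


# Sample 'Task To Run' values. The first is the task recovered from the infected
# host (quoted from the report above); the rest are constructed for contrast.
SAMPLE_TASKS = [
    r'rundll32.exe "C:\Users\maynard.constantino\AppData\Local\{10D90F27-F2E2-6218-7102-7745CA868DA0}\Embiteci.dll",update /i:"CoverReplace\license.dat"',
    r'"C:\Windows\System32\rundll32.exe" "C:\Program Files\Vendor\Updater.dll",RunUpdate /silent',
    r'rundll32.exe "C:\Users\alice\AppData\Local\{A1B2C3D4-0000-1111-2222-333344445555}\stage.dll",init',
    r'C:\Windows\System32\svchost.exe -k netsvcs',
]

if __name__ == "__main__":
    for f in triage_task_commands(SAMPLE_TASKS):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {f.dll}, {f.export} i_arg={f.i_arg!r}")
        for reason in f.reasons:
            print(f"           - {reason}")
```

The two indicators are scored separately on purpose: a DLL run out of a {GUID} folder in AppData\Local without license.dat still gets one reason, so a variant that renames the data file is not silently dropped, while a vendor updater under Program Files produces no finding at all.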
Final Words This "gziploader" technique used by IcedID is fairly new, so some people in the infosec community might not be fully aware of it yet. However, post-infection activity remains noticeably similar to what we've seen with IcedID malware in the few months before the update. A zip archive with a pcap of the infection traffic is available in this Github repository, which also contains malware and artifacts from the infected computer.
--- Brad Duncan, ISC Handler, Mar 24th 2021