2019-03-14 - QUICK POST: PASSWORD-PROTECTED WORD DOCS PUSH ICEDID (BOKBOT)

ASSOCIATED FILES:

• Zip archive of 3 email examples:  22019-03-14-malspam-with-password-protected-Word-docs-3-examples.zip   93 kB (93,167 bytes)
• Zip archive of the infection traffic:  2019-03-14-password-protected-Word-doc-pushes-IcedID.pcap.zip   5.6 MB (5,570,849 bytes)
• Zip archive of the malware/artifacts:  2019-03-14-malware-from-infection-by-password-protected-Word-doc.zip   2.4 MB (2,388,566 bytes)

NOTES:

• Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

IMAGES

Shown above:  Password-protected Word doc from malspam.

 

Shown above:  Traffic from the infection filtered in Wireshark.

 

Shown above:  Encoded traffic caused by the initial malware EXE over TCP port 2404.

 

Shown above:  DNS queries noted when the initial malware EXE was executed on the infected Windows host during a later run.

 

Shown above:  Initial malware persistent on the infected Windows host.

 

Shown above:  IcedID (Bokbot) persistent on the infected Windows host.

 

Click here to return to the main page.