2019-03-14 - QUICK POST: PASSWORD-PROTECTED WORD DOCS PUSH ICEDID (BOKBOT)
ASSOCIATED FILES:
- Zip archive of 3 email examples: 22019-03-14-malspam-with-password-protected-Word-docs-3-examples.zip 93 kB (93,167 bytes)
- Zip archive of the infection traffic: 2019-03-14-password-protected-Word-doc-pushes-IcedID.pcap.zip 5.6 MB (5,570,849 bytes)
- Zip archive of the malware/artifacts: 2019-03-14-malware-from-infection-by-password-protected-Word-doc.zip 2.4 MB (2,388,566 bytes)
NOTES:
- Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
IMAGES
- Image: Password-protected Word doc from malspam.
- Image: Traffic from the infection filtered in Wireshark.
- Image: Encoded traffic caused by the initial malware EXE over TCP port 2404.
- Image: DNS queries noted when the initial malware EXE was executed on the infected Windows host during a later run.
- Image: Initial malware persistent on the infected Windows host.
- Image: IcedID (Bokbot) persistent on the infected Windows host.