2020-03-03 - ICEDID (BOKBOT) INFECTION

ASSOCIATED FILES:

  • 2020-03-03-IcedID-IOCs.txt   (1,461 bytes)
  • 2020-03-03-IcedID-infection-traffic.pcap   (4,296,941 bytes)
  • 2020-03-03-downloaded-Word-doc-with-macro-for-IcedID.doc   (645,451 bytes)
  • 2020-03-03-scheduled-task-to-keep-IcedID-persistent.txt   (3,856 bytes)
  • C-DiskDrive/1/Volume/errorfix.bat   (2,900 bytes)
  • C-DiskDrive/1/Volume/BackFiles/pinumber.vbs   (0 bytes)
  • C-DiskDrive/1/Volume/BackFiles/Ranlsojf.jse   (386 bytes)
  • C-DiskDrive/1/Volume/BackFiles/ZXTRTU.exe   (733,244 bytes)
  • C-Users-joeyjojo-AppData-Local-joeyjojo/{85E586B6-2102-4596-A37B-C8767A1C9761}/kb2048719295.exe   (733,244 bytes)
  • C-Users-joeyjojo-AppData-Local-joeyjojo/photo.png   (624,500 bytes)

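The artifact list above implies the persistence mechanism: a scheduled task that launches kb2048719295.exe from a directory under the user's AppData\Local tree. The following hunting check is an added example, not part of the original page or its associated files; it enumerates scheduled tasks whose action executes a binary from such a path, hashes the binary if it still exists, and exports the task XML for the case file. The path pattern, output file names and the assumption that an administrative PowerShell session is available on a Windows 8 / Server 2012 or later host (where the ScheduledTasks module exists) are all assumptions.

```powershell
# Added example (not from the original page): hunt for scheduled tasks that run an
# executable from a user's AppData\Local tree, the persistence pattern implied by the
# kb2048719295.exe path in the artifact list. Path pattern and file names are assumptions.

function Get-SuspiciousAppDataTasks {
    [CmdletBinding()]
    param(
        # Regex matched against the expanded action path; widen or narrow as needed (assumption).
        [string]$PathPattern = '\\AppData\\Local\\'
    )

    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only Exec actions carry an Execute path; COM-handler actions are skipped.
            if (-not $action.Execute) { continue }

            # Strip surrounding quotes and expand %LOCALAPPDATA%-style variables before matching.
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if ($exe -notmatch $PathPattern) { continue }

            # Hash the binary if it is still on disk; a missing file is itself worth recording.
            $hash = if (Test-Path -LiteralPath $exe) {
                (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            } else {
                'FILE MISSING'
            }

            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                RunAs     = $task.Principal.UserId
                Execute   = $exe
                Arguments = $action.Arguments
                SHA256    = $hash
                # Trigger class names (e.g. MSFT_TaskLogonTrigger, MSFT_TaskTimeTrigger).
                Triggers  = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
            }
        }
    }
}

# Usage: list the hits, then save each task definition as XML next to the other IOCs.
$hits = Get-SuspiciousAppDataTasks
$hits | Format-Table -AutoSize
foreach ($h in $hits) {
    $outFile = Join-Path -Path (Get-Location) -ChildPath ("{0}.xml" -f $h.TaskName)
    Export-ScheduledTask -TaskName $h.TaskName -TaskPath $h.TaskPath |
        Out-File -FilePath $outFile -Encoding utf8
}
```

Compare the SHA256 reported here against the hash of ZXTRTU.exe from the BackFiles directory; the identical sizes in the list above (733,244 bytes) suggest the same binary was copied into the AppData\Local location, and a matching hash confirms it.
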
NOTES:
IMAGES

Shown above:  Downloading the Word doc from a link (from what I assume was malspam).

Shown above:  Screenshot of the downloaded Word doc.

Shown above:  Traffic from the infection filtered in Wireshark.