2020-03-03 - ICEDID (BOKBOT) INFECTION

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2020-03-03-IcedID-IOCs.txt.zip   1.0 kB (970 bytes)

• 2020-03-03-IcedID-IOCs.txt   (1,461 bytes)

• 2020-03-03-IcedID-infection-traffic.pcap.zip   3.5 MB (3,536,840 bytes)

• 2020-03-03-IcedID-infection-traffic.pcap   (4,296,941 bytes)

• 2020-03-03-malware-and-artifacts-from-IcedID-infection.zip   1.6 MB (1,625,991 bytes)

• 2020-03-03-downloaded-Word-doc-with-macro-for-IcedID.doc   (645,451 bytes)
• 2020-03-03-scheduled-task-to-keep-IcedID-persistent.txt   (3,856 bytes)
• C-DiskDrive/1/Volume/errorfix.bat   (2,900 bytes)
• C-DiskDrive/1/Volume/BackFiles/pinumber.vbs   (0 bytes)
• C-DiskDrive/1/Volume/BackFiles/Ranlsojf.jse   (386 bytes)
• C-DiskDrive/1/Volume/BackFiles/ZXTRTU.exe   (733,244 bytes)
• C-Users-joeyjojo-AppData-Local-joeyjojo/{85E586B6-2102-4596-A37B-C8767A1C9761}/kb2048719295.exe   (733,244 bytes)
• C-Users-joeyjojo-AppData-Local-joeyjojo/photo.png   (624,500 bytes)

 

IMAGES

Shown above:  Downloading the Word doc from link (from what I assume was malspam).

 

Shown above:  Screenshot of the downloaded Word doc.

 

Shown above:  Traffic from the infection filtered in Wireshark.

 

Click here to return to the main page.