2020-05-27 - MALSPAM --> PASSWORD-PROTECTED ZIP --> WORD DOC --> VALAK --> ICEDID (BOKBOT)

ASSOCIATED FILES:

  • 2020-05-27-IOCs-from-Valak-infection-with-IcedID.txt   (4,263 bytes)
  • 2020-05-27-Valak-malspam-example-1-of-2.eml   (109,610 bytes)
  • 2020-05-27-Valak-malspam-example-2-of-2.eml   (165,444 bytes)
  • input-05.27.2020.doc   (75,428 bytes)
  • instrument indenture.05.27.2020.doc   (74,953 bytes)
  • prescribe .05.27.20.doc   (75,343 bytes)
  • require_05.27.2020.doc   (75,342 bytes)
  • statistics,05.20.doc   (75,114 bytes)
  • tell,05.27.2020.doc   (74,951 bytes)
  • 2020-05-27-traffic-from-Valak-infection-with-IcedID.pcap   (6,719,965 bytes)
  • 2020-05-27-registry-updates-for-Valak.txt   (175,180 bytes)
  • ProgramData/13560864.dat   (363,008 bytes)
  • Users/Public/ADS-info-for-prnjobs.data.txt   (976 bytes)
  • Users/Public/explorer.js   (4,855 bytes)
  • Users/Public/prnjobs.data   (1,026 bytes)
  • Users/Public/prnjobs.data_258b390d.bin   (396,850 bytes)
  • Users/Public/prnjobs.data_84dee9df.bin   (399,344 bytes)
  • Users/Public/xSsGKcUqL.vA_YV   (11,742 bytes)
  • Users/username/AppData/Local/Temp/8c3adeff31.bin   (18,944 bytes)
  • Users/username/AppData/Local/Temp/~4700343.tmp   (233,799 bytes)
  • Users/username/AppData/Local/Temp/~5058796.tmp   (233,799 bytes)
  • Users/username/AppData/Local/Temp/~5155078.exe   (229,376 bytes)
  • Users/username/AppData/Local/{B1B5AC6F-3E78-1E5A-0252-DA0653AF3E6B}/{85448282-01B8-C8D4-4900-1A4C2079DDA7}/buuzac.png   (667,077 bytes)
  • Users/username/AppData/Roaming/df.dll   (409,600 bytes)
  • Users/username/AppData/Roaming/ilat/username/Zisifu2.exe   (229,376 bytes)

NOTES:

 

IMAGES


Shown above:  Screenshot of one of the malspam messages, example 1 of 2.

 


Shown above:  Screenshot of one of the malspam messages, example 2 of 2.

 


Shown above:  Extracting a Word doc from one of the password-protected zip attachments.

 


Shown above:  Screenshot of the extracted Word doc.

 


Shown above:  Initial Valak DLL after enabling macros on the Word doc.

 


Shown above:  Files in the Public user directory created by Valak.

 


Shown above:  Files in the infected user's AppData\Local\Temp directory for Valak and IcedID.

 


Shown above:  IcedID made persistent on the infected Windows host, and another DLL (don't know what that one's for).

 


Shown above:  Image file with embedded/encoded data related to the IcedID infection.

 


Shown above:  Registry updates to help keep the Valak infection persistent.

 


Shown above:  Scheduled task to keep IcedID persistent.

 


Shown above:  Scheduled task to keep Valak persistent.

 


Shown above:  Scheduled task to run follow-up malware, where we see an Alternate Data Stream (ADS) used to hide an EXE installer for IcedID.

 


Shown above:  Scheduled task to run another follow-up malware item, where an Alternate Data Stream (ADS) is used to hide another EXE installer for IcedID.

 


Shown above:  Traffic from the start of the Valak infection filtered in Wireshark.

 


Shown above:  Later traffic showing where the infected host picks up IcedID, with arrows highlighting the IcedID domains.

 
