2019-03-14 - QUICK POST: PASSWORD-PROTECTED WORD DOCS PUSH ICEDID (BOKBOT)
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- Zip archive of 3 email examples: 2019-03-14-malspam-with-password-protected-Word-docs-3-examples.zip 93.8 kB (93,807 bytes)
- Zip archive of the infection traffic: 2019-03-14-password-protected-Word-doc-pushes-IcedID.pcap.zip 5.6 MB (5,570,849 bytes)
- Zip archive of the malware/artifacts: 2019-03-14-malware-from-infection-by-password-protected-Word-doc.zip 2.4 MB (2,389,994 bytes)
IMAGES
- Image: Password-protected Word doc from the malspam.
- Image: Traffic from the infection, filtered in Wireshark.
- Image: Encoded traffic caused by the initial malware EXE over TCP port 2404.
- Image: DNS queries noted when the initial malware EXE was executed on the infected Windows host during a later run.
- Image: Initial malware persistent on the infected Windows host.
- Image: IcedID (Bokbot) persistent on the infected Windows host.