2020-05-27 - MALSPAM --> PASSWORD-PROTECTED ZIP --> WORD DOC --> VALAK --> ICEDID (BOKBOT)
ASSOCIATED FILES:
- 2020-05-27-IOCs-from-Valak-infection-with-IcedID.txt.zip 2.4 kB (2,406 bytes)
- 2020-05-27-IOCs-from-Valak-infection-with-IcedID.txt (4,263 bytes)
- 2020-05-27-Valak-malspam-2-examples.zip 177 kB (177,207 bytes)
- 2020-05-27-Valak-malspam-example-1-of-2.eml (109,610 bytes)
- 2020-05-27-Valak-malspam-example-2-of-2.eml (165,444 bytes)
- 2020-05-27-six-examples-of-Word-docs-with-macros-for-Valak.zip 382 kB (382,305 bytes)
- input-05.27.2020.doc (75,428 bytes)
- instrument indenture.05.27.2020.doc (74,953 bytes)
- prescribe .05.27.20.doc (75,343 bytes)
- require_05.27.2020.doc (75,342 bytes)
- statistics,05.20.doc (75,114 bytes)
- tell,05.27.2020.doc (74,951 bytes)
- 2020-05-27-traffic-from-Valak-infection-with-IcedID.pcap.zip 5.9 MB (5,912,083 bytes)
- 2020-05-27-traffic-from-Valak-infection-with-IcedID.pcap (6,719,965 bytes)
- 2020-05-27-malware-and-artifacts-from-Valak-infection-with-IcedID.zip 2.4 MB (2,442,909 bytes)
- 2020-05-27-registry-updates-for-Valak.txt (175,180 bytes)
- ProgramData/13560864.dat (363,008 bytes)
- Users/Public/ADS-info-for-prnjobs.data.txt (976 bytes)
- Users/Public/explorer.js (4,855 bytes)
- Users/Public/prnjobs.data (1,026 bytes)
- Users/Public/prnjobs.data_258b390d.bin (396,850 bytes)
- Users/Public/prnjobs.data_84dee9df.bin (399,344 bytes)
- Users/Public/xSsGKcUqL.vA_YV (11,742 bytes)
- Users/username/AppData/Local/Temp/8c3adeff31.bin (18,944 bytes)
- Users/username/AppData/Local/Temp/~4700343.tmp (233,799 bytes)
- Users/username/AppData/Local/Temp/~5058796.tmp (233,799 bytes)
- Users/username/AppData/Local/Temp/~5155078.exe (229,376 bytes)
- Users/username/AppData/Local/{B1B5AC6F-3E78-1E5A-0252-DA0653AF3E6B}/{85448282-01B8-C8D4-4900-1A4C2079DDA7}/buuzac.png (667,077 bytes)
- Users/username/AppData/Roaming/df.dll (409,600 bytes)
- Users/username/AppData/Roaming/ilat/username/Zisifu2.exe (229,376 bytes)
NOTES:
- All zip archives on this site are password-protected with the standard password. If you don't know it, see the "about" page of this website.
IMAGES
Shown above: Screenshot of a malspam message, example 1 of 2.
Shown above: Screenshot of a malspam message, example 2 of 2.
Shown above: Extracting a Word doc from one of the password-protected zip attachments.
Shown above: Screenshot of the extracted Word doc.
Shown above: Initial Valak DLL after enabling macros on the Word doc.
Shown above: Files in the Public user directory created by Valak.
Shown above: Files in the infected user's AppData\Local\Temp directory for Valak and IcedID.
Shown above: IcedID persistence on the infected Windows host, plus another DLL (purpose of that one unknown).
Shown above: Image file with embedded/encoded data related to the IcedID infection.
Shown above: Registry updates to help keep the Valak infection persistent.
Shown above: Scheduled task to keep IcedID persistent.
Shown above: Scheduled task to keep Valak persistent.
Shown above: Scheduled task to run follow-up malware, where we see an Alternate Data Stream (ADS) used to hide an EXE installer for IcedID.
Shown above: Scheduled task to run another follow-up malware item, where an Alternate Data Stream (ADS) is again used to hide another EXE installer for IcedID.
Shown above: Traffic from the start of the Valak infection filtered in Wireshark.
Shown above: Later traffic showing where the infected host picks up IcedID, with arrows highlighting the IcedID domains.
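The two scheduled-task screenshots above show EXE installers hidden in alternate data streams under the Public user directory. As an added check (not part of this post), the PowerShell below enumerates non-default NTFS streams under a directory, flags any that start with an MZ header, and lists scheduled-task actions whose command line references a file:stream path; the root path is an assumption, and it is written for Windows PowerShell 5.1.

```powershell
# Added example, not from the original post. Root path is an assumption; adjust as needed.
param([string]$Root = 'C:\Users\Public')

function Get-SuspiciousAds {
    param([string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns every NTFS stream on the file; ':$DATA' is the normal content
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    # Read the first two bytes of the stream; 0x4D 0x5A ("MZ") marks a PE file.
                    # Windows PowerShell 5.1 syntax; on PowerShell 7 use -AsByteStream instead.
                    $head = Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                        -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
                    $isPe = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    [pscustomobject]@{
                        File        = $file.FullName
                        Stream      = $_.Stream
                        Bytes       = $_.Length
                        LooksLikePE = $isPe
                    }
                }
        }
}

function Get-TasksReferencingAds {
    # Exec actions of every scheduled task; a colon after the drive letter's own colon
    # (e.g. ...\prnjobs.data:name) is the file:stream form seen in the screenshots above.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)".Trim()
            if ($cmd -match '(?i)[a-z]:\\[^\s:]+:[^\s\\]+') {
                [pscustomobject]@{ Task = $task.TaskName; Path = $task.TaskPath; Command = $cmd }
            }
        }
    }
}

Get-SuspiciousAds -Path $Root | Sort-Object LooksLikePE -Descending | Format-Table -AutoSize
Get-TasksReferencingAds | Format-Table -AutoSize
```

Legitimate streams such as Zone.Identifier will also be listed, so treat the LooksLikePE column and the task-action hits as the items to triage first.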