Cold as Ice: Unit 42 Wireshark Quiz for IcedID

--

Executive Summary

So far in 2023, IcedID has been a relatively constant presence in our threat landscape. Also known as BokBot, IcedID is Windows-based malware that can lead to ransomware. This Wireshark quiz presents a packet capture (pcap) from an IcedID infection that occurred in April 2023, and it provides experience analyzing traffic generated by this malware.

Anyone can participate in this quiz. However, participants should have some familiarity with Wireshark. Participants should also have a basic knowledge of IPv4 traffic. Palo Alto Networks has published a series of Wireshark tutorials to help people gain knowledge helpful for these quizzes.

Table of Contents

Scenario, Requirements and Quiz Material
Quiz Questions
Quiz Answers
Pcap Analysis: IcedID Chain of Events
Pcap Analysis: Infection Vector
Pcap Analysis: IcedID Traffic
Pcap Analysis: BackConnect Traffic
Pcap Analysis: Victim Details
Conclusion
Indicators of Compromise
Additional Resources

Scenario, Requirements and Quiz Material

Traffic for this quiz occurred in an Active Directory (AD) environment during April 2023. The infection is similar to previous IcedID activity tweeted by Unit 42 in March 2023. Details of the Local Area Network (LAN) environment for the pcap follow.

  • LAN segment range: 10.4.19[.]0/24 (10.4.19[.]1 through 10.4.19[.]255)
  • Domain: boogienights[.]live
  • Domain controller IP address: 10.4.19[.]19
  • Domain controller hostname: WIN-GP4JHCK2JMV
  • LAN segment gateway: 10.4.19[.]1
  • LAN segment broadcast address: 10.4.19[.]255

This quiz requires Wireshark, and we recommend using the latest version of Wireshark, since it has more features, capabilities and bug fixes over previous versions.

We also recommend readers customize their Wireshark display to better analyze web traffic. A list of tutorials and videos is available. As always, we recommend using Wireshark in a non-Windows environment like BSD, Linux or macOS when analyzing malicious Windows-based traffic.

To obtain the pcap, visit our GitHub repository, download the April 2023 ZIP archive and extract the pcap. Use infected as the password to unlock the ZIP archive.

Quiz Questions

For this IcedID infection, we ask participants to answer the following questions previously described in our standalone quiz post:

What is the date and time in UTC the infection started?

What is the IP address of the infected Windows client?

What is the MAC address of the infected Windows client?

What is the hostname of the infected Windows client?

What is the user account name from the infected Windows host?

Is there any follow-up activity from other malware?

Quiz Answers

The AD environment for this pcap contains three Windows clients, but only one was infected with IcedID.

Answers for this Wireshark quiz follow.

  • Malicious traffic for this infection started on April 19, 2023, at 15:31 UTC.
  • Infected Windows client IP address: 10.4.19[.]136
  • Infected Windows client MAC address: 14:58:d0:2e:c5:ae
  • Infected Windows client hostname: DESKTOP-SFF9LJF
  • Infected Windows client user account name: csilva
  • Follow-up activity: BackConnect traffic

Let’s hunt, following the Cyber Kill Chain framework:

Hands-on investigation:

Utilized filters:

Filter for HTTP requests over port 80 and TLS handshake (Client Hello) requests over port 443.

If you have a lead on a port or IP address, narrow it down with the second filter for a more specific search.

http.request or tls.handshake.type eq 1 and !(ssdp)
(http.request or tls.handshake.type eq 1) and !(ssdp) and (tcp.port == 80 or ip.addr == 80.77.25.175)

Look for:

hxxp://80.77.25[.]175/main.php

Then Follow the TCP stream for this HTTP GET request for more details on the response, shown in screenshot 2.

Note: Two facts to look at: the 302 status means a redirection has occurred, and the GET request is for the .zip file.

hxxps://firebasestorage.googleapis[.]com/v0/b/serene-cathode-377701.appspot.com/o/XSjwp6O0pq%2FScan_Inv.zip?alt=media&token=a716bdce-1373-44ed-ae89-fdabafa31c61

The result is a single packet after following the stream.

Two facts to look at: the 301 response and the domain hxxps://firebasestorage.googleapis[.]com.

The domain appears flagged in VirusTotal and URLhaus.

Note: The search in URLhaus showed that the response is associated with the IcedID malware.

More findings on VT show the activity is related to IcedID, confirming the installation phase.

The IP is also flagged as malicious.

Video:

Two options from here. One is to follow the traffic to the host address, in this case the victim’s, by adding it to our basic filter. From there, look closely for suspicious findings like flows of traffic to unknown IP addresses or domains.

NOTE: Once you can pin the infection to a specific strain of malware, it may be helpful to look at the MITRE ATT&CK entry: https://attack.mitre.org/software/S0483/

In this case it is IcedID, a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. IcedID has been downloaded by Emotet in multiple campaigns.

From here we can map the attack and find the type of traffic to look for.

(http.request or tls.handshake.type eq 1) and !(ssdp) and ip.addr == 10.4.19.136

Next, I look for files that can be extracted:

Menu -> File -> Export Objects -> HTTP

Moving forward, I based my investigation on the files and the domains linked to them, shown below:

  • Domain: skigimeetroc[.]com
  • Protocol: HTTP over TCP port 80
  • IPv4: 192.153.57.233
  • File: application/gzip

Once the payload unpacks, the malware can exploit the system, install itself, and establish communication with command and control (C2) servers.

Then: Menu -> Go -> Go to Packet

Type: 5741

This step helped confirm the payload was delivered, as an HTTP response (200 OK) was sent to the victim’s address.

Domain: cotecsecuritygroup[.]com

File: 643d0491bcea1.zip

I examined the extracted files:

Opened the Terminal: cd Documents, then ls, then ran the file command on the exported object (its exported name contains a space, hence the backslash escape):

file %2f\ gzip

Note: The process above appears at the end of the part 1 video.


Part 2: QakBot file 643d0491bcea1.zip

I then continued in the terminal. This time I used the command below; the result is the file’s hash, shown in the picture.

shasum -a 256 %2f\ 

Same command applied to file 643d0491bcea1.zip

shasum -a 256 643d0491bcea1.zip

VirusTotal: shows the found hash and domain appear to be linked to a trojan.

IPV4: 66.29.147.117 is linked to domain cotecsecuritygroup[.]com
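The file and shasum steps above, as an added example that is not part of the original post: a small Python triage helper for objects saved through Export Objects -> HTTP. It classifies each object by magic bytes (export names like "%2f gzip" come from the Content-Type, not the content), computes the SHA256, and checks it against the hashes in the post's IoC list. The sample objects and the directory function are constructed for illustration.

```python
# Added example (not from the post): triage files exported via File -> Export Objects -> HTTP,
# combining the `file` and `shasum -a 256` steps and checking against the post's IoC hashes.
import hashlib
from pathlib import Path

# SHA256 hashes from the post's Indicators of Compromise section
IOC_HASHES = {
    "fc96c893a462660e2342febab2ad125ce1ec9a90fdf7473040b3aeb814ba7901": "Scan_Inv.zip (IcedID ZIP)",
    "bd24b6344dcde0c84726e620818cb5795c472d9def04b259bf9bff1538e5a759": "Scan_Inv.exe (IcedID installer)",
}
# Magic bytes for the types seen in this investigation (gzip, ZIP, Windows PE)
MAGIC = [(b"\x1f\x8b", "gzip"), (b"PK\x03\x04", "zip"), (b"MZ", "pe")]


def detect_type(data: bytes) -> str:
    """Same idea as `file`: identify by leading magic bytes, 'unknown' otherwise."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def triage(name: str, data: bytes) -> dict:
    """Hash the object, classify it, and flag a match against the IoC list."""
    digest = hashlib.sha256(data).hexdigest()
    # Export names such as '%2f gzip' come from the HTTP Content-Type, so rely on the bytes
    return {"name": name, "size": len(data), "type": detect_type(data),
            "sha256": digest, "ioc_match": IOC_HASHES.get(digest)}


def triage_dir(directory: str) -> list:
    """Run triage over every file in an Export Objects output directory (assumed layout)."""
    return [triage(p.name, p.read_bytes())
            for p in sorted(Path(directory).iterdir()) if p.is_file()]


# Constructed sample objects (not the real exported files)
SAMPLES = {
    "%2f gzip": b"\x1f\x8b\x08\x00" + b"\x00" * 28,
    "643d0491bcea1.zip": b"PK\x03\x04" + b"\x00" * 60,
    "main.php": b"<html>redirect</html>",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = triage(name, data)
        print(f"{r['name']:<20}{r['type']:<8}{r['size']:>6} B  {r['sha256'][:16]}...  {r['ioc_match'] or '-'}")
```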

IcedID Traffic:

Then the next IP address I looked up (193[.]149[.]176[.]100) made connections with the victim’s IP via encrypted traffic through port 443.

ip.addr==193.149.176.100 and tcp.flags eq 0x0002 

To confirm anything suspicious, I looked it up in VT, which showed malicious findings.

Note: this IP did not link to anything major yet, but it led to other findings.

Command and Control:

Finding the C2 Server:

Let’s look for high volumes of egress traffic:

In the top menu bar, look for Statistics -> Conversations.

The screen shown below should give us all the connections made in this pcap. Usually I sort by the heaviest amounts of traffic. Packet sizes and counts are facts to include. Here I started with IPv4 104[.]168[.]53[.]18, port 443.

The filter will look like the one shown in the green area of the image below.

This IPv4 address was identified as Cobalt Strike, well known for exfiltration via C2.

I then went back to Conversations to follow another suspicious IP shown in the image below, 217[.]199[.]121[.]56.

The filter will look like the one shown in the green area of the image below.

This IP is linked to the domain: skansnekssky[.]com

Note: The image below shows the certificate’s information.

There’s also proof of the C2 activity linked to the IcedID infection.

C2: IcedID botnet C2 server.
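The Conversations step above, as an added example that is not part of the original post: a scripted equivalent that ranks external endpoints by egress volume from tshark field output, so the heavy talkers stand out the same way they do when sorting Conversations by bytes. It excludes LAN-internal traffic (the 10.4.19.0/24 segment from the scenario), counts SYN-only packets (the tcp.flags eq 0x0002 filter used later in the post), and annotates endpoints that appear in the post's IoC list. The tshark invocation in the comment and the sample lines are assumptions constructed for illustration, not output from the real pcap.

```python
# Added example (not from the Unit 42 post): rank external endpoints by egress volume
# from tshark field output, the scripted equivalent of Statistics -> Conversations.
# Assumed tshark invocation that produces the input lines (tab-separated):
#   tshark -r infection.pcap -Y tcp -T fields -e ip.src -e ip.dst -e tcp.dstport -e frame.len -e tcp.flags
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("10.4.19.0/24")          # LAN segment from the quiz scenario
# IPs the post ties to this infection (from its IoC list)
KNOWN_IOCS = {"104.168.53.18": "askamoshopsi[.]com (Cobalt Strike)",
              "217.199.121.56": "skansnekssky[.]com (IcedID C2)",
              "193.149.176.100": "BackConnect"}


def rank_egress(tshark_lines):
    """Aggregate bytes, packets and SYN-only counts per external ip:port, heaviest first."""
    stats = defaultdict(lambda: {"bytes": 0, "packets": 0, "syn": 0, "clients": set()})
    for line in tshark_lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 5 or not all(parts[:4]):
            continue                        # skip non-IPv4 / non-TCP / malformed lines
        src, dst, dport, flen, flags = parts
        if ip_address(src) not in LAN or ip_address(dst) in LAN:
            continue                        # keep only LAN -> outside (egress)
        s = stats[f"{dst}:{dport}"]
        s["bytes"] += int(flen)
        s["packets"] += 1
        s["clients"].add(src)
        # tcp.flags prints as hex (0x0002 or 0x002 depending on version); SYN-only == 2
        if int(flags, 16) == 0x002:
            s["syn"] += 1
    rows = []
    for key, s in stats.items():
        ip = key.rsplit(":", 1)[0]
        rows.append({"endpoint": key, "bytes": s["bytes"], "packets": s["packets"],
                     "syn": s["syn"], "clients": sorted(s["clients"]),
                     "ioc": KNOWN_IOCS.get(ip, "")})
    return sorted(rows, key=lambda r: r["bytes"], reverse=True)


# Constructed sample lines (not from the real pcap)
SAMPLE = [
    "10.4.19.136\t104.168.53.18\t443\t74\t0x0002",
    "10.4.19.136\t104.168.53.18\t443\t1514\t0x0018",
    "10.4.19.136\t104.168.53.18\t443\t1514\t0x0018",
    "10.4.19.136\t217.199.121.56\t443\t74\t0x0002",
    "10.4.19.136\t217.199.121.56\t443\t600\t0x0018",
    "10.4.19.136\t193.149.176.100\t443\t74\t0x0002",
    "10.4.19.136\t10.4.19.19\t88\t300\t0x0018",     # Kerberos to the DC: internal, ignored
    "8.8.8.8\t10.4.19.136\t53\t120\t0x0018",        # inbound, ignored
    "10.4.19.140\t104.168.53.18\t443\t74\t0x0002",  # second client hitting the same endpoint
]

if __name__ == "__main__":
    for r in rank_egress(SAMPLE):
        print(f"{r['endpoint']:<22}{r['bytes']:>7} B {r['packets']:>4} pkts {r['syn']:>3} SYN  {r['ioc']}")
```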

Finding the Victim’s Credentials:

There are a number of options we can use to filter traffic in a Windows environment: SMB, SMB2, Kerberos, LDAP. In most cases the user credentials (account name) can be identified by filtering any of these; I personally went with Kerberos.

Filter:

ip.addr == 10.4.19.136 && kerberos.CNameString

Result: csilva

VNC BackConnect Traffic:

Filter:

ip.addr eq 193.149.176.100 and tcp.flags eq 0x0002

Here the process is to follow the stream. Click on one of the packets in the results and Follow the TCP stream for the first result, which is TCP stream 950. This stream reveals encoded or otherwise encrypted TCP traffic.

Note: I would like to introduce you to a helpful resource for threat analysts who are interested in hunting the IcedID malware. IcedID, also known as BokBot, is a Windows-based malware that has been consistently present in the 2023 threat landscape. This malware is particularly concerning as it can lead to ransomware attacks.

To aid in understanding and analyzing the traffic generated by IcedID, it can be helpful to use cyber threat intelligence (CTI) tools like the MITRE ATT&CK Navigator, which visually maps the techniques used in attacks by APTs.

https://mitre-attack.github.io/attack-navigator//#layerURL=https%3A%2F%2Fattack.mitre.org%2Fsoftware%2FS0483%2FS0483-enterprise-layer.json

Indicators of Compromise

Traffic from the pcap related to the IcedID infection:

  • hxxp://80.77.24[.]175/main.php
  • hxxps://firebasestorage.googleapis[.]com/v0/b/serene-cathode-377701.appspot.com/o/XSjwp6O0pq%2FScan_Inv.zip?alt=media&token=a716bdce-1373-44ed-ae89-fdabafa31c61
  • 192.153.57[.]223:80 — hxxp://skigimeetroc[.]com/
  • 104.168.53[.]18:443 — askamoshopsi[.]com — HTTPS traffic
  • 217.199.121[.]56:443 — skansnekssky[.]com — HTTPS traffic
  • 193.149.176[.]100:443 — BackConnect traffic

Files associated with traffic from this IcedID infection:

  • SHA256 hash: fc96c893a462660e2342febab2ad125ce1ec9a90fdf7473040b3aeb814ba7901
  • File size: 262,343 bytes
  • Filename: Scan_Inv.zip
  • File description: Password-protected ZIP archive hosted on Firebase Storage URL
  • Password: 1235
  • MalwareBazaar Database sample
  • SHA256 hash: bd24b6344dcde0c84726e620818cb5795c472d9def04b259bf9bff1538e5a759
  • File size: 333,408 bytes
  • Filename: Scan_Inv.exe
  • File description: Windows executable file for IcedID installer
  • MalwareBazaar Database sample

Final Thoughts: In my quest as a blue teamer, I embarked on an epic adventure to defeat the relentless IcedID threat in 2023. Armed with Wireshark and guided by the cyber kill chain framework, I dove into the captivating world of a packet capture from an IcedID infection. Like a digital detective, I unraveled its devious plot, cracking codes and analyzing packets to expose its mischievous ways. With unwavering dedication and some caffeine, I defeated IcedID, proving that no sneaky malware can escape the clutches of a determined blue teamer. Stay vigilant, fellow defenders of the digital realm!

Thanks for tuning in.
