Executive Summary
So far in 2023, IcedID has been a relatively constant presence in our threat landscape. Also known as BokBot, IcedID is Windows-based malware that can lead to ransomware. This Wireshark quiz presents a packet capture (pcap) from an IcedID infection that occurred in April 2023, and it provides experience analyzing traffic generated by this malware.
Anyone can participate in this quiz. However, participants should have some familiarity with Wireshark. Participants should also have a basic knowledge of IPv4 traffic. Palo Alto Networks has published a series of Wireshark tutorials to help people gain knowledge helpful for these quizzes.
Palo Alto Networks customers are protected from IcedID and other malware through Cortex XDR and our Next-Generation Firewall with Cloud-Delivered Security Services that include WildFire and Advanced Threat Prevention.
Related Unit 42 Topics: pcap, Wireshark, Wireshark Tutorial, IcedID, BokBot
Scenario
Traffic for the IcedID infection occurred in an Active Directory (AD) environment during April 2023. This infection is similar to previous IcedID activity from March 24, 2023, which was tweeted by Unit 42.
Details of the network and questions for the quiz follow.
Local Area Network (LAN) Details
- LAN segment range: 10.4.19[.]0/24 (10.4.19[.]1 through 10.4.19[.]255)
- Domain: boogienights[.]live
- Domain controller IP address: 10.4.19[.]19
- Domain controller hostname: WIN-GP4JHCK2JMV
- LAN segment gateway: 10.4.19[.]1
- LAN segment broadcast address: 10.4.19[.]255
Quiz Questions
- What is the date and time in UTC the infection started?
- What is the IP address of the infected Windows client?
- What is the MAC address of the infected Windows client?
- What is the hostname of the infected Windows client?
- What is the user account name from the infected Windows host?
- Is there any follow-up activity from other malware?
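As an added example that is not part of the Unit 42 post, the first three questions can be approached programmatically before opening Wireshark: a minimal pure-Python reader for the classic pcap format walks Ethernet/IPv4 frames and reports the UTC timestamp, source MAC and source IP of the first packet a LAN host (excluding the gateway and domain controller listed above) sends outside 10.4.19.0/24. The capture bytes, MAC addresses and client IP in `sample_pcap()` are constructed; on the real capture, treat the result as a candidate and confirm it against the surrounding DNS and HTTP context.

```python
import struct
from datetime import datetime, timezone
from ipaddress import IPv4Address, ip_network

LAN = ip_network("10.4.19.0/24")                               # LAN segment from the quiz details
INFRA = {IPv4Address("10.4.19.1"), IPv4Address("10.4.19.19")}  # gateway and domain controller

def iter_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) from classic pcap bytes (not pcapng)."""
    magic = struct.unpack("<I", data[:4])[0]
    endian, nanos = {0xA1B2C3D4: ("<", False), 0xD4C3B2A1: (">", False),
                     0xA1B23C4D: ("<", True), 0x4D3CB2A1: (">", True)}[magic]
    if struct.unpack(endian + "I", data[20:24])[0] != 1:        # link type must be Ethernet
        raise ValueError("expected LINKTYPE_ETHERNET")
    off = 24                                                    # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_frac / (1e9 if nanos else 1e6), data[off:off + incl]
        off += incl

def first_outbound(data):
    """(utc_time, src_mac, src_ip, dst_ip) of the first IPv4 packet a non-infrastructure
    LAN host sends outside the LAN, or None if the capture has no such packet."""
    for ts, frame in iter_pcap(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":    # skip non-IPv4 frames
            continue
        src, dst = IPv4Address(frame[26:30]), IPv4Address(frame[30:34])
        if src in LAN and src not in INFRA and dst not in LAN and not dst.is_multicast:
            mac = ":".join(f"{b:02x}" for b in frame[6:12])   # source MAC of the frame
            when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
            return when, mac, str(src), str(dst)
    return None

def build_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Constructed Ethernet + minimal IPv4 header (no payload), enough for the filter above."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return dst_mac + src_mac + b"\x08\x00" + ip_hdr

def sample_pcap():
    """Constructed two-frame capture: a LAN host talks to the DC, then to an outside host."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    client, gw = bytes.fromhex("0011223344aa"), bytes.fromhex("0011223344ff")      # made-up MACs
    frames = [(1681300000, build_frame(client, gw, "10.4.19.150", "10.4.19.19")),   # internal only
              (1681300800, build_frame(client, gw, "10.4.19.150", "203.0.113.7"))]  # first outbound
    out = hdr
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out
```

The equivalent Wireshark display filter for the same first pass is `ip.src == 10.4.19.0/24 && !(ip.dst == 10.4.19.0/24)`, with the frame's source MAC shown in the Ethernet II header of the first match.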
Requirements
Since this is a Wireshark quiz, participants should use Wireshark to review the pcap. We encourage participants to customize Wireshark when reviewing malware traffic. Participants can customize Wireshark as demonstrated in the Unit 42 series of tutorials and videos.
We recommend using the latest version of Wireshark, since it has more features and capabilities, and more bug fixes, than previous versions. Older Wireshark versions like 1.x and 2.x are not recommended for our Wireshark quizzes.
Infection traffic often contains malicious code targeting Microsoft Windows, so we recommend using a non-Windows environment to review the pcap for this quiz. Operating systems like BSD, Linux or macOS provide an ideal environment for Wireshark when reviewing traffic from Windows-based malware like IcedID.
Accessing the Pcap
To obtain the pcap, visit our GitHub repository as shown in Figure 1 and download the ZIP archive named 2023-04-Unit42-Wireshark-quiz.pcap.zip as shown in Figure 2. Use infected as the password to unlock the ZIP archive as shown in Figure 3.
Conclusion
IcedID is a prominent part of our current threat landscape. This Wireshark quiz can help participants better understand network traffic associated with an IcedID infection.
The answers to the Unit 42 Wireshark quiz for IcedID are published in a separate blog post.
If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
- North America Toll-Free: 866.486.4842 (866.4.UNIT42)
- EMEA: +31.20.299.3130
- APAC: +65.6983.8730
- Japan: +81.50.1790.0200
Palo Alto Networks has shared these findings, including file samples and indicators of compromise, with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.
Additional Resources
- Wireshark Tutorial: Wireshark Workshop Videos Now Available – Unit 42, Palo Alto Networks
- Unit 42 Wireshark Quiz, January 2023 – Unit 42, Palo Alto Networks
- Answers to January 2023 Unit 42 Wireshark Quiz – Unit 42, Palo Alto Networks
- Unit 42 Wireshark Quiz, February 2023 – Unit 42, Palo Alto Networks
- Answers to February 2023 Unit 42 Wireshark Quiz – Unit 42, Palo Alto Networks
- Finding Gozi: Unit 42 Wireshark Quiz, March 2023 – Unit 42, Palo Alto Networks
- Finding Gozi: Answers to Unit 42 Wireshark Quiz, March 2023 – Unit 42, Palo Alto Networks
- Unit 42 tweet, Jan. 1, 2023 – IcedID infection leads to Cobalt Strike
- Unit 42 tweet, Feb. 8, 2023 – Cobalt Strike from an IcedID infection
- Unit 42 tweet, Feb. 13, 2023 – Fake software page leads to IcedID
- Unit 42 tweet, Feb. 24, 2023 – IcedID to BackConnect traffic to Cobalt Strike
- Unit 42 tweet, March 24, 2023 – IcedID to BackConnect traffic to Cobalt Strike
- Unit 42 tweet, April 11, 2023 – IcedID to BackConnect traffic changes TCP port
- Malicious ISO File Leads to Domain Wide Ransomware - The DFIR Report
Updated May 30, 2023, at 6:40 a.m. PT.