Cybersecurity Tutorials

Cold as Ice: Unit 42 Wireshark Quiz for IcedID

Clock Icon 4 min read

This post is also available in: 日本語 (Japanese)

Executive Summary

So far in 2023, IcedID has been a relatively constant presence in our threat landscape. Also known as BokBot, IcedID is Windows-based malware that can lead to ransomware. This Wireshark quiz presents a packet capture (pcap) from an IcedID infection that occurred in April 2023, and it provides experience analyzing traffic generated by this malware.

Anyone can participate in this quiz. However, participants should have some familiarity with Wireshark. Participants should also have a basic knowledge of IPv4 traffic. Palo Alto Networks has published a series of Wireshark tutorials to help people gain knowledge helpful for these quizzes.

Palo Alto Networks customers are protected from IcedID and other malware through Cortex XDR and our Next-Generation Firewall with Cloud-Delivered Security Services that include WildFire and Advanced Threat Prevention.

Related Unit 42 Topics pcap, Wireshark, Wireshark Tutorial, IcedID, BokBot

Scenario

Traffic for the IcedID infection occurred in an Active Directory (AD) environment during April 2023. This infection is similar to previous IcedID activity from March 24, 2023, which was tweeted by Unit 42.

Details of the network and questions for the quiz follow.

Local Area Network (LAN) Details

  • LAN segment range: 10.4.19[.]0/24 (10.4.19[.]1 through 10.4.19[.]255)
  • Domain: boogienights[.]live
  • Domain controller IP address: 10.4.19[.]19
  • Domain controller hostname: WIN-GP4JHCK2JMV
  • LAN segment gateway: 10.4.19[.]1
  • LAN segment broadcast address: 10.4.19[.]255

Quiz Questions

  • What is the date and time in UTC the infection started?
  • What is the IP address of the infected Windows client?
  • What is the MAC address of the infected Windows client?
  • What is the hostname of the infected Windows client?
  • What is the user account name from the infected Windows host?
  • Is there any follow-up activity from other malware?

Requirements

Since this is a Wireshark quiz, participants should use Wireshark to review the pcap. We encourage participants to customize Wireshark when reviewing malware traffic. Participants can customize Wireshark as demonstrated in the Unit 42 series of tutorials and videos.

We recommend using the latest version of Wireshark, since it has more features, capabilities and bug fixes over previous versions. Older Wireshark versions like 1.x and 2.x are not recommended for our Wireshark quizzes.

Infection traffic often contains malicious code targeting Microsoft Windows, so we recommend using a non-Windows environment to review the pcap for this quiz. Operating systems like BSD, Linux or macOS provide an ideal environment for Wireshark when reviewing traffic from Windows-based malware like IcedID.

Accessing the Pcap

To obtain the pcap, visit our GitHub repository as shown in Figure 1 and download the ZIP archive named 2023-04-Unit42-Wireshark-quiz.pcap.zip as shown in Figure 2. Use infected as the password to unlock the ZIP archive as shown in Figure 3.

Image 1 is a screenshot of Wireshark software showing where to click to download the ZIP archive from GitHub.
Figure 1. Selecting the pcap for this quiz from our GitHub repository.
Image 2 shows how to download the .zip archive.
Figure 2. Downloading the pcap.
Image 3 shows how to enter the password and how to extract the password-protected .zip archive from the download folder.
Figure 3. Extracting the pcap from the downloaded ZIP archive.

Conclusion

IcedID is a prominent part of our current threat landscape. This Wireshark quiz can help participants better understand network traffic associated with an IcedID infection.

The answers to the Unit 42 Wireshark quiz for IcedID are published in a separate blog post.

Palo Alto Networks customers are protected from IcedID and other malware through Cortex XDR and our Next-Generation Firewall with Cloud-Delivered Security Services that include WildFire and Advanced Threat Prevention.

If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America Toll-Free: 866.486.4842 (866.4.UNIT42)
  • EMEA: +31.20.299.3130
  • APAC: +65.6983.8730
  • Japan: +81.50.1790.0200

Palo Alto Networks has shared these findings, including file samples and indicators of compromise, with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Additional Resources

Updated May 30, 2023, at 6:40 a.m. PT.

Enlarged Image