This post is also available in: 日本語 (Japanese)
So far in 2023, IcedID has been a relatively constant presence in our threat landscape. Also known as BokBot, IcedID is Windows-based malware that can lead to ransomware. This Wireshark quiz presents a packet capture (pcap) from an IcedID infection that occurred in April 2023, and it provides experience analyzing traffic generated by this malware.
Anyone can participate in this quiz. However, participants should have some familiarity with Wireshark. Participants should also have a basic knowledge of IPv4 traffic. Palo Alto Networks has published a series of Wireshark tutorials to help people gain knowledge helpful for these quizzes.
Palo Alto Networks customers are protected from IcedID and other malware through Cortex XDR and our Next-Generation Firewall with Cloud-Delivered Security Services that include WildFire and Advanced Threat Prevention.
Related Unit 42 Topics | pcap, Wireshark, Wireshark Tutorial, IcedID, BokBot |
Scenario
Local Area Network (LAN) Details
Quiz Questions
Requirements
Accessing the Pcap
Conclusion
Additional Resources
Traffic for the IcedID infection occurred in an Active Directory (AD) environment during April 2023. This infection is similar to previous IcedID activity from March 24, 2023, which was tweeted by Unit 42.
Details of the network and questions for the quiz follow.
Since this is a Wireshark quiz, participants should use Wireshark to review the pcap. We encourage participants to customize Wireshark when reviewing malware traffic. Participants can customize Wireshark as demonstrated in the Unit 42 series of tutorials and videos.
We recommend using the latest version of Wireshark, since it has more features, capabilities and bug fixes over previous versions. Older Wireshark versions like 1.x and 2.x are not recommended for our Wireshark quizzes.
Infection traffic often contains malicious code targeting Microsoft Windows, so we recommend using a non-Windows environment to review the pcap for this quiz. Operating systems like BSD, Linux or macOS provide an ideal environment for Wireshark when reviewing traffic from Windows-based malware like IcedID.
To obtain the pcap, visit our GitHub repository as shown in Figure 1 and download the ZIP archive named 2023-04-Unit42-Wireshark-quiz.pcap.zip as shown in Figure 2. Use infected as the password to unlock the ZIP archive as shown in Figure 3.
IcedID is a prominent part of our current threat landscape. This Wireshark quiz can help participants better understand network traffic associated with an IcedID infection.
The answers to the Unit 42 Wireshark quiz for IcedID will be published in a separate blog post.
Palo Alto Networks customers are protected from IcedID and other malware through Cortex XDR and our Next-Generation Firewall with Cloud-Delivered Security Services that include WildFire and Advanced Threat Prevention.
If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
Palo Alto Networks has shared these findings, including file samples and indicators of compromise, with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.
Sign up to receive the latest news, cyber threat intelligence and research from us