Reverse Engineering IcedID / Bokbot Malware Part 2
Update: 2018-11-09
Description
We reverse engineer the IcedID custom malware injection component using IDA Pro, x64dbg, and some Python (API Scout).
14:45 - Unpacking live with x64dbg
19:03 - Attaching to 2nd process to dump code
20:09 - OEP of injected code (and dynamic building of IAT)
22:16 - Find other injected code sections by reference
24:35 - Loading injected code sections into IDA Pro
27:34 - Using API Scout to label APIs in injected code
30:50 - Building structs in IDA Pro and re-labeling data
35:20 - Final overview of unpacking steps
See unpacking Bokbot part 1 here:
https://youtu.be/wObF9n2UIAM
Original sample:
0ca2971ffedf0704ac5a2b6584f462ce27bac60f17888557dc8cd414558b479e
https://cape.contextis.com/analysis/21237/
Stage1 (packed UPX):
7f463bd55aa360032fbd6489b4e34455178a35254ff66c1cd98d0775437074b4
https://cape.contextis.com/analysis/21240/
Stage2 (custom injector):
89a0325379e1e868b668955ed41ba0faa724845028bc961a0691f19e5213dedf
https://cape.contextis.com/analysis/21241/
Talos blog post on Bokbot injection method:
https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html
Vitali Kremez analysis of IcedID:
https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html
TOOLS - API Scout
https://github.com/danielplohmann/apiscout
TUTORIAL - How to setup a FREE malware analysis VM
https://oalabs.openanalysis.net/2018/07/16/oalabs_malware_analysis_virtual_machine/
TUTORIAL - Understanding API calls in Windows (ntdll.dll, kernel32.dll)
https://youtu.be/CiZ5D6wlIrw
TUTORIAL - Fast unpacking by hooking RtlDecompressBuffer
https://youtu.be/2zYokTkzIC8
Feedback, questions, and suggestions are always welcome : )
Sergei https://twitter.com/herrcore
Sean https://twitter.com/seanmw
As always, check out our tools, tutorials, and more content over at https://www.openanalysis.net