{"id":15852,"date":"2019-07-19T11:46:22","date_gmt":"2019-07-19T19:46:22","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/07\/19\/news-9597\/"},"modified":"2019-07-19T11:46:22","modified_gmt":"2019-07-19T19:46:22","slug":"news-9597","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/07\/19\/news-9597\/","title":{"rendered":"A Deep Dive Into IcedID Malware: Part I &#8211; Unpacking, Hooking and Process Injection"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>IcedID is a banking trojan which performs web injection on browsers and acts as proxy to inspect and manipulate traffic.\u00a0It steals information, such as credentials, from victims. It then sends that stolen information to a remote server.<\/p>\n<p>Recently, the FortiGuard Labs team started to investigate some IcedID samples. In this series of blogs, I will provide a detailed analysis of a new IcedID malware sample. The entire detailed analysis is divided into three parts.<\/p>\n<ul>\n<li>Part I: Unpacking, Hooking, and Process Injection<\/li>\n<li>Part II: Analysis of the core IcedID Payload (Parent process)<\/li>\n<li>Part III: Analysis of the child processes<\/li>\n<\/ul>\n<p>This blog is Part I. Let\u2019s dive in.<\/p>\n<h2><b>0x01 Malicious PE Executable<\/b><\/h2>\n<p>The sample being analyzed is a PE executable, and is most commonly distributed by a compromised Office file. The following image is the process tree after executing the PE file. We can see that this sample of IcedID eventually creates a svchost.exe parent process and three svchost.exe child processes. In addition, it can deliver a Trickbot payload, highlighted in red. In this series of blogs, the analysis of the Trickbot payload won\u2019t be covered. 
We will only focus on how IcedID works internally.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-one\/_jcr_content\/root\/responsivegrid\/image_2068246851.img.png\" alt=\"Figure 1. The process tree after executing the IcedID sample\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1. The process tree after executing the IcedID sample<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As shown in Figure 1, the PE executable first launches itself with a command line parameter \u201c-q=xxxxxxxxxx\u201d. This new process then continues by launching a svchost.exe process. Once the first svchost.exe process is launched, the previous two processes exit. Finally, this svchost.exe parent process then launches three svchost.exe processes.<\/p>\n<h2><b>0x02 Unpacking PE Executable<\/b><\/h2>\n<p>We can now start to dynamically analyze the PE execution. After tracing a few steps from the entry point, the program goes into the function sub_00415CAE() as follows.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-one\/_jcr_content\/root\/responsivegrid\/image_1478933864.img.png\" alt=\"Figure 2. Jump to the trampoline code\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2. 
Jump to the trampoline code<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The trampoline code decrypts the code segment and then jumps to the real entry point of the program. At that point, the unpacking of the PE executable is complete.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-one\/_jcr_content\/root\/responsivegrid\/image_1736363341.img.png\" alt=\"Figure 3. Jump back to the real entry point 0x401000\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3. Jump back to the real entry point 0x401000<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The following is the pseudo code of the real entry point of the program.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-one\/_jcr_content\/root\/responsivegrid\/image_1644850818.img.png\" alt=\"Figure 4. The pseudo code of the real entry point\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4. 
The pseudo code of the real entry point<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Here is a list of the key functions:<\/p>\n<ol>\n<li>Check if the command line parameter starts with \u201c-q=\u201d. If yes, it jumps to step 2. Otherwise, it jumps to step 3.<\/li>\n<li>Create the svchost.exe process and perform process injection.<\/li>\n<li>Create a new process with a TSC parameter (\u201c-q=xxxxxxxxx\u201d).<\/li>\n<\/ol>\n<p>We ran this sample without any parameters so it could go into the third step (sub_4012E9).<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-one\/_jcr_content\/root\/responsivegrid\/image_1195486322.img.png\" alt=\"Figure 5. The function sub_4012E9()\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5. The function sub_4012E9()<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>After performing the <b><i>rdtsc<\/i><\/b> instruction, the return value is converted into a string as a parameter of the new process execution. Next, the program sets an environment variable in the process context. 
The name of the variable is the command line parameter without the prefix \u201c-q=\u201d.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-one\/_jcr_content\/root\/responsivegrid\/image_771146127.img.png\" alt=\"Figure 6. Set an environment variable in process context\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6. Set an environment variable in process context<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Finally, it invokes the CreateProcessA function to create itself with a parameter.<\/p>\n<p>Next, we will continue the analysis with the new running process.<\/p>\n<h2><b>0x03 Hooking Technique and Process Injection<\/b><\/h2>\n<p>After launching the new process, the program goes to the real entry point of the program, as shown in Figure 4. At this point, the check_parameter() function returns TRUE because the command line parameter starts with \u201c-q=\u201d. It then goes to the sub_40124A() function.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-one\/_jcr_content\/root\/responsivegrid\/image_1980670818.img.png\" alt=\"Figure 7. The pseudo code of sub_40124A()\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7. 
The pseudo code of sub_40124A()<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>In the function hook_NtCreateUserProcess(), it first invokes the function NtProtectVirtualMemory to change the protection of the first five bytes of the function NtCreateUserProcess to PAGE_EXECUTE_READWRITE. It then modifies those five bytes with a JMP instruction. Finally, it again invokes the function NtProtectVirtualMemory to restore protection to the first five bytes.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-one\/_jcr_content\/root\/responsivegrid\/image_1801393153.img.png\" alt=\"Figure 8. Hooking the function NtCreateUserProcess\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8. Hooking the function NtCreateUserProcess<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The following is the assembly code of the function NtCreateUserProcess hooked.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-one\/_jcr_content\/root\/responsivegrid\/image_1567949142.img.png\" alt=\"Figure 9. The assembly code of the function NtCreateUserProcess hooked\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9. 
The assembly code of the function NtCreateUserProcess hooked<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Inside the function CreateProcessA, the code invokes the low-level API NtCreateUserProcess. After the function CreateProcessA is invoked in Figure 7, the program goes to the trampoline code sub_4010B7(). The following is the pseudo code of the trampoline code.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--12 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-one\/_jcr_content\/root\/responsivegrid\/image_1854665423.img.png\" alt=\"Figure 10. The trampoline pseudo code of NtCreateUserProcess hooked\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 10. The trampoline pseudo code of NtCreateUserProcess hooked<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The following list is what the trampoline code actually does.<\/p>\n<ol>\n<li>Unhooks the function NtCreateUserProcess.<\/li>\n<li>Calls the function NtCreateUserProcess, which performs the main work of creating a new process.<\/li>\n<li>Decompresses the buffer using RtlDecompressBuffer.<\/li>\n<li>Performs process injection into the svchost.exe process and hooks RtlExitUserProcess in the process space of svchost.exe.<\/li>\n<\/ol>\n<p>Let\u2019s take a closer look at step four. 
The following is the pseudo code of the function sub_401745() in that step.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-one\/_jcr_content\/root\/responsivegrid\/image_1147437385.img.png\" alt=\"Figure 11. Perform process injection into the svchost.exe process and hook its RtlExitUserProcess\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 11. Perform process injection into the svchost.exe process and hook its RtlExitUserProcess<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It first uses NtAllocateVirtualMemory to allocate a memory region in the remote process space (svchost.exe). Next, it uses ZwWriteVirtualMemory to write the injected code into that memory region in the svchost.exe process.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-one\/_jcr_content\/root\/responsivegrid\/image_1589321657.img.png\" alt=\"Figure 12. Process injection into the svchost.exe process\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 12. Process injection into the svchost.exe process<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It then sets up a hook for the RtlExitUserProcess API in the process space of svchost.exe. 
Note the small difference between hooking RtlExitUserProcess here and hooking NtCreateUserProcess in Figure 8: the former hooks the API in a remote process's address space, while the latter hooks the API in the current process's own address space.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-one\/_jcr_content\/root\/responsivegrid\/image_666357503.img.png\" alt=\"Figure 13. Hook RtlExitUserProcess\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 13. Hook RtlExitUserProcess<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The assembly code of the hooked RtlExitUserProcess is shown in Figure 14.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-one\/_jcr_content\/root\/responsivegrid\/image_1107675912.img.png\" alt=\"Figure 14. The hooked RtlExitUserProcess in svchost.exe process\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 14. The hooked RtlExitUserProcess in svchost.exe process<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As shown in Figure 7, the process svchost.exe was created without a parameter. 
When svchost.exe runs without a parameter it exits immediately, and on exit it invokes the low-level API RtlExitUserProcess. Because IcedID has hooked RtlExitUserProcess, execution jumps to the trampoline code, which runs the IcedID payload.<\/p>\n<p>The injected memory regions in the remote process svchost.exe are shown in Figure 15. We can see that two memory regions have been injected. The code segment is stored in the memory region (0xa1000 ~ 0xa7000).<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-one\/_jcr_content\/root\/responsivegrid\/image.img.png\" alt=\"Figure 15. The injected memory regions of svchost.exe process\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 15. The injected memory regions of svchost.exe process<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As shown in Figure 14, the hook jumps to 0xA2B2D, which lies in the memory region (0xA0000 ~ 0xAC000). The offset of the trampoline code from the start of this memory region is <b>0x2B2D<\/b>.<\/p>\n<h2><b>0x03 Conclusion<\/b><\/h2>\n<p>We have walked through how to unpack the IcedID malware, the hooking and process injection techniques used by IcedID, and how the IcedID payload is executed. In the next blog, I will provide a deep analysis of the IcedID payload (0xA2B2D). 
Please stay tuned!<\/p>\n<h2><b>0x04 Solution<\/b><\/h2>\n<p>This malicious PE file has been detected as \u201cW32\/Kryptik.GTSU!tr\u201d by the FortiGuard AntiVirus service.<\/p>\n<h2><b>0x05 Reference<\/b><\/h2>\n<p>SHA256 Hash:<\/p>\n<p>PE executable (b8113a604e6c190bbd8b687fd2ba7386d4d98234f5138a71bcf15f0a3c812e91)<\/p>\n<p><i>Learn more about\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">FortiGuard Labs<\/a>\u00a0and the FortiGuard Security Services\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions.html?utm_source=blog&amp;utm_campaign=2018-blog-security-services\">portfolio<\/a>.\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">Sign up<\/a>\u00a0for our weekly FortiGuard Threat Brief.\u00a0<\/i><\/p>\n<p><i>Read about the FortiGuard\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/security-rating.html?utm_source=blog&amp;utm_campaign=2018-blog-security-rating-service\">Security Rating Service<\/a>, which provides security audits and best practices.<\/i>\u00a0<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<div id=\"om-qxx1b0gslklfu2kjckea-holder\"><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"http:\/\/feedproxy.google.com\/~r\/fortinet\/blog\/threat-research\/~3\/tLbTDmXG92A\/icedid-malware-analysis-part-one.html\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" 
src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-one\/_jcr_content\/root\/responsivegrid\/image_2068246851.img.png\"\/><br \/>Learn more about IcedID, a banking trojan which performs web injection on browsers and acts as proxy to inspect and manipulate traffic. This is part one of a three part series.&lt;img src=&#8221;http:\/\/feeds.feedburner.com\/~r\/fortinet\/blog\/threat-research\/~4\/tLbTDmXG92A&#8221; height=&#8221;1&#8243; width=&#8221;1&#8243; alt=&#8221;&#8221;\/&gt;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-15852","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15852","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15852"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15852\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15852"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15852"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15852"}],"curies":[{"name":"wp","href":"https:\/\/api.w
.org\/{rel}","templated":true}]}}