{"id":15854,"date":"2019-07-19T12:40:14","date_gmt":"2019-07-19T20:40:14","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/07\/19\/news-9599\/"},"modified":"2019-07-19T12:40:14","modified_gmt":"2019-07-19T20:40:14","slug":"news-9599","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/07\/19\/news-9599\/","title":{"rendered":"A Deep Dive Into IcedID Malware: Part II &#8211; Analysis of the Core IcedID Payload (Parent Process)"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>In\u00a0<a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/icedid-malware-analysis-part-one.html\">part I<\/a> of the blog, I demonstrated how to unpack the IcedID malware, the hooking and process injection techniques used by IcedID, and how to execute the IcedID payload. In this part, let\u2019s take a closer look at the core payload.<\/p>\n<h2>0x01 Overview Of The Payload<\/h2>\n<p>The following is the entry point of the payload. It first unhooks the function RtlExitUserProcess. The core function is implemented in the function sub_0x27FE(). Once the core module has executed successfully, the program enters an infinite loop that ensures the svchost.exe process does not exit.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image_1086110147.img.png\" alt=\"Figure 1. The entry point of the payload\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1. 
The entry point of the payload<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Next, let\u2019s look at the function sub_0x27FE().\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image_1392962615.img.png\" alt=\"Figure 2. The function sub_0x27FE()\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2. The function sub_0x27FE()<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>In the next sections, I will show you what the function does.<\/p>\n<h2>0x02 Two Injected Memory Regions<\/h2>\n<p>As you can see in Figure 15 of <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/icedid-malware-analysis-part-one.html\">Part I<\/a>, there are two memory regions injected into the svchost.exe process. The first one is a data segment of 8KB. At its beginning, this segment stores several system API addresses, followed by the encrypted C2 server list and other useful info.<\/p>\n<p>The following are the system API addresses. 
The program invokes them indirectly with instructions like \u201ccall [base_addr + offset]\u201d.\u00a0 This indirect way of calling system APIs complicates static analysis, because the call targets are not visible until the address table is resolved.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image_1944375857.img.png\" alt=\"Figure 3. The system API addresses stored in the injected memory region\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3. The system API addresses stored in the injected memory region<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The following are the corresponding API names for the addresses above.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image_189167081.img.png\" alt=\"Figure 4. These system API\u2019s names\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4. 
These system API\u2019s names<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Additionally, it stores the encrypted C2 server list at offset <b>0x350<\/b>.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image_2511658.img.png\" alt=\"Figure 5. The encrypted C2 server list\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5. The encrypted C2 server list<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The second memory region has three segments (one code segment and two data segments). The core function of the payload is implemented in the code segment.<\/p>\n<h2>0x03 Communication With C2 Server<\/h2>\n<p>Let\u2019s first look at how to get the C2 server list. As shown in Figure 5, the encrypted data are 256 bytes. And the decrypted data is shown in Figure 6.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image_1557762541.img.png\" alt=\"Figure 6. The C2 server list\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6. 
The C2 server list<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>This gives us the initial C2 server list.<\/p>\n<p style=\"margin-left: 40.0px;\"><i>albarthurst[.]pro<br \/>  mozambiquest[.]pw<br \/>  ransmittend[.]club<br \/>  summerch[.]xyz<\/i><\/p>\n<p>IcedID uses the WinHTTP APIs to communicate with C2 servers. It sends a request and receives the response over HTTPS. We can intercept the HTTPS traffic via Fiddler, but before using it, we have to set WinHTTP\u2019s proxy.\u00a0 On Windows Vista and later, we need to use an elevated (admin) command prompt to call netsh like the following. For detailed instructions, please refer to <a href=\"https:\/\/www.telerik.com\/blogs\/using-fiddler-with-winhttp\">https:\/\/www.telerik.com\/blogs\/using-fiddler-with-winhttp<\/a>.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image_1998008656.img.png\" alt=\"Figure 7. Set WinHTTP\u2019s Proxy\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7. 
Set WinHTTP\u2019s Proxy<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The following is the decrypted HTTPS traffic IcedID sent, as captured in Fiddler.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image_2132505203.img.png\" alt=\"Figure 8. The decrypted HTTPS traffic IcedID sent in the initial stage\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8. The decrypted HTTPS traffic IcedID sent in the initial stage<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>In the initial stage, IcedID sends an HTTP request over SSL to the C2 server. Then it parses the response and sends another 7 HTTP requests over SSL to download seven .DAT config files. Next, let\u2019s dive into the URL parameters of the HTTP POST request. I highlighted some key items.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image_200735925.img.png\" alt=\"Figure 9. The HTTP POST request\u2019s URL parameters\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9. 
The HTTP POST request\u2019s URL parameters<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The first one is the Bot ID, which is also used as the RC4 key to encrypt the original .DAT config files. The parameter \u2018r\u2019 indicates the version of IcedID. Its version number is 108 in this sample. I will unveil the details of the RC4 key generation algorithm in the next section.<\/p>\n<h2>0x04 RC4 Key Generation Algorithm<\/h2>\n<p>The function sub_0x29E2 is used to generate the RC4 key, which is 4 bytes long.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image_197477366.img.png\" alt=\"Figure 10. The RC4 key generation algorithm\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 10. The RC4 key generation algorithm<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The RC4 key is stored at offset 0x74A8 from the starting address of the second injected memory region. The RC4 key is then also copied to the buffer at offset 0x74B8.<\/p>\n<h2>0x05 Multiple Threads For Cooperative Work<\/h2>\n<p>IcedID creates multiple threads to perform different tasks. Based on my analysis, there are five child threads created by invoking the function CreateThread. Some threads run continuously, while the others exit after completing their tasks, depending on the received C2 command. 
Here I list their thread functions below.<\/p>\n<h3>Thread 1 &#8211; Thread Function 0x2601<\/h3>\n<p>This thread function is mainly responsible for the initial communication with the C2 server, handling the HTTP response, and downloading the .DAT config files or other types of files depending on the HTTP response and storing them in the corresponding folders. The following is the pseudo code of this thread function.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image_937160592.img.png\" alt=\"Figure 11. The thread function 0x2601\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 11. The thread function 0x2601<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>In this infinite loop, it waits until the specified object is in the signaled state or the time-out interval (here it\u2019s 5 minutes) elapses. Then it generates the URL parameters and the HTTP request body. Next, it communicates with the C2 server over HTTPS. Finally, it handles the HTTP response and continues to download the .DAT config files or other files depending on the parsing result of the HTTP response. 
This thread doesn\u2019t exit and is always running to communicate with the C2 server.<\/p>\n<p>When IcedID is executed for the first time, the initial communication traffic is shown below.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image_1160469104.img.png\" alt=\"Figure 12. The initial communication with C2 server\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 12. The initial communication with C2 server<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As shown in Figure 12, the response is a multi-line message. Each line is a C2 command consisting of three parts separated by semicolons. The malware calls the corresponding handler function to complete a specific task based on the C2 command number. The first part represents the event ID, the second part represents the index of the handler function, and the third part represents the parameter passed to the handler function.\u00a0 The following is the call to the handler function.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image_1620570264.img.png\" alt=\"Figure 13. 
The call to handler function and all handler\u2019s addresses\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 13. The call to handler function and all handler\u2019s addresses<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>This IcedID sample supports 18 different types of C2 commands.<\/p>\n<h3>Thread 2 &#8211; Thread Function 0x5599<\/h3>\n<p>This thread function is responsible for downloading .DAT config files and other types of files (such as executable files) from the C2 server, and saving the data to local files. For .DAT config files, the HTTP response body is encrypted twice with the RC4 algorithm, using two different keys. Let\u2019s take a closer look at the encryption process.\u00a0 The following is the HTTP response from the C2 server.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image_1269348950.img.png\" alt=\"Figure 14. Two-layer RC4 encryption process on HTTP response body\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 14. Two-layer RC4 encryption process on HTTP response body<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As shown in Figure 14, the first 8 bytes of the HTTP response body are the first layer\u2019s RC4 key. The second RC4 key is 4 bytes long. 
Its generation algorithm is described in the section \u201c<b><i>RC4 key generation algorithm<\/i><\/b>\u201d.<\/p>\n<h3>Thread 3 &#8211; Thread Function 0x2E59<\/h3>\n<p>This thread function is responsible for copying the IcedID PE file to &quot;C:\\ProgramData\\{0CD48D26-D226-4D28-9E39-3D2840658FD3}\\{8CD48D26-D226-4D28-9E3A-3D2844658FD3}\\qgbjaykqtsu.exe&quot; and scheduling a task at logon. The name of the sub-directory may differ on different compromised machines. The scheduled task is shown below.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image_1842586110.img.png\" alt=\"Figure 15. Schedule a task at logon\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 15. Schedule a task at logon<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3>Thread 4 &#8211; Thread Function 0x1F9B<\/h3>\n<p>This thread function is responsible for communicating with the C2 server. 
This thread is created by the handler function for C2 command 17 in Figure 13.<\/p>\n<h3>Thread 5 &#8211; Thread Function 0x52FC<\/h3>\n<p>This thread function is responsible for creating three new svchost.exe child processes and injecting code into their address space.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image_122177311.img.png\" alt=\"Figure 16. The thread function 0x52FC\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 16. The thread function 0x52FC<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As shown in Figure 16, IcedID creates the svchost.exe child process with the CREATE_SUSPENDED flag. The primary thread of the new process is in a suspended state, and the newly created process does not run until the\u00a0<b>ResumeThread<\/b> function is called. Before resuming the primary thread, IcedID performs the code injection into the new process space. After that, it calls the <b>ResumeThread<\/b> function. The pseudo code of the injected code is shown in Figure 17.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image_142601272.img.png\" alt=\"Figure 17. 
Inject code into svchost.exe child process\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 17. Inject code into svchost.exe child process<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>In the injection function, it first allocates three memory regions in the remote process space. Then it decrypts the code to be injected from the DAT config file. Next, it writes that code into the three previously allocated memory regions. Finally, it sets up a hook on the RtlExitUserProcess API in the remote process space. Let\u2019s continue by analyzing which DAT config file is injected into which child process.<\/p>\n<p style=\"margin-left: 40.0px;\"><b>1. yxuvgoshgc.dat<\/b> (748961aabd75b85ee602e5f6d70322b281930349fbc98ad5c638104a759eba0b)<\/p>\n<p style=\"margin-left: 40.0px;\">This DAT config file is injected into child process 1 as follows. There are three memory regions to be injected into child process 1. The first one is the injected code segment. The second one is a data segment including several system API addresses and the updated C2 server list. The third one is a PE file.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image_1542849270.img.png\" alt=\"Figure 18. Injected svchost.exe child process 1\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 18. 
Injected svchost.exe child process 1<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p style=\"margin-left: 40.0px;\">The hooked RtlExitUserProcess in child process 1 is shown below. When the RtlExitUserProcess function is called, it jumps to 0x210DF(offset:<b>0x10DF<\/b>) to execute the payload.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image_508444156.img.png\" alt=\"Figure 19. Hooked RtlExitUserProcess in svchost.exe child process 1\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 19. Hooked RtlExitUserProcess in svchost.exe child process 1<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p style=\"margin-left: 40.0px;\"><b>2.\u00a0uvgbwwwjcc.dat<\/b>(b1d9d9bb617463a1cef665322949b29ad23ebfee2892908385b30cd739c163ce)<\/p>\n<p style=\"margin-left: 40.0px;\">This DAT config file is injected into the child process 2 like the following. There are three memory regions to be injected into the child process 2. The first one is the injected code segment. The second one is a data segment including several system API\u2019s addresses and updated C2 server list. 
The third one is a data segment.<b><\/b><\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image_1281570493.img.png\" alt=\"Figure 20. Injected svchost.exe child process 2\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 20. Injected svchost.exe child process 2<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p style=\"margin-left: 40.0px;\">The hooked RtlExitUserProcess in child process 2 is shown below. When the RtlExitUserProcess function is called, it jumps to 0x21E0A(offset:<b>0x1E0A<\/b>) to execute the payload.<b><\/b><\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image_726151899.img.png\" alt=\"Figure 21. Hooked RtlExitUserProcess in svchost.exe child process 2\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 21. 
Hooked RtlExitUserProcess in svchost.exe child process 2<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p style=\"margin-left: 40.0px;\">3.\u00a0<b>encziczibc.dat<\/b>(672440151cd67a20bccc5c9f9f66f7d091098b0bd2a087eeac79af1f11bf3403)<\/p>\n<p style=\"margin-left: 40.0px;\">This DAT config file is injected into the child process 3 like the following. There are three memory regions to be injected into the child process 3. The first one is the injected code segment. The second one is a data segment including several system API\u2019s addresses and updated C2 server list. The third one is a data segment.<b><\/b><\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image_611858047.img.png\" alt=\"Figure 22. Injected svchost.exe child process 3\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 22. Injected svchost.exe child process 3<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The hooked RtlExitUserProcess in child process 3 is shown below. 
When the RtlExitUserProcess function is called, it jumps to 0x11168E (offset: <b>0x168E<\/b>) to execute the payload.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image_1364054388.img.png\" alt=\"Figure 23. Hooked RtlExitUserProcess in svchost.exe child process 3\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 23. Hooked RtlExitUserProcess in svchost.exe child process 3<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>I will continue the analysis of how these three child processes work internally in part III.<\/p>\n<h2>0x06 Persistent Payload And File Write Operations<\/h2>\n<p>We observed some file write operations like the following. IcedID puts the persistent payload into a specific folder, and it also puts seven .DAT config files into the folder \u201cC:\\ProgramData\\cmrreaykdkq\u201d. The sub-directory name might differ on different compromised systems.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image_970306956.img.png\" alt=\"Figure 24. The file write operations of persistent payload and DAT config files\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 24. 
The file write operations of persistent payload and DAT config files<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The following table gives a detailed description of these DAT config files.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image_1860598321.img.png\" alt=\"Table 1. The detailed description of DAT config files\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Table 1. The detailed description of DAT config files<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>0x07 Signature Verification<\/h2>\n<p>IcedID verifies the signature of the payload. It first decrypts the C2 server config file (alofykqgeb.dat) with the RC4 key (see the \u201cRC4 key generation algorithm\u201d section). The decrypted data buffer is shown below. This buffer has three parts. The first 8 bytes are the original RC4 key. The subsequent 0x80 bytes are the signature data to be verified. The third part is the updated C2 server list.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image_941919399.img.png\" alt=\"Figure 25. 
Decrypt data in alofykqgeb.dat\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 25. Decrypt data in alofykqgeb.dat<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Next, it decrypts the buffer holding the hard-coded RSA public key with an XOR operation.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image_1321934896.img.png\" alt=\"Figure 26. The encrypted hard-coded RSA public key and the decrypted RSA public key\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 26. The encrypted hard-coded RSA public key and the decrypted RSA public key<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Then, it calls the CryptVerifySignatureW function to verify the signature.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image.img.png\" alt=\"Figure 27. Call CryptVerifySignatureW function to verify the signature\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 27. 
Call CryptVerifySignatureW function to verify the signature<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>0x08 Solution<\/h2>\n<p>This malicious PE file is detected as \u201cW32\/Kryptik.GTSU!tr\u201d by the FortiGuard AntiVirus service.<\/p>\n<p>The C2 server list has been rated as \u201cMalicious Websites\u201d by the FortiGuard WebFilter service.<\/p>\n<h2>0x09 Conclusion<\/h2>\n<p>We have walked through what the svchost.exe parent process does internally: how IcedID communicates with the C2 server, the RC4 key generation algorithm, the code injection process, what the multiple threads do in detail, signature verification, and so on.<\/p>\n<p>In the next blog, I will provide a deep analysis of these three svchost.exe child processes. Please stay tuned!<\/p>\n<h2>Reference<\/h2>\n<h4><b>SHA256<\/b><\/h4>\n<p>alofykqgeb.dat (00040d021a4813f11ba580ad76c669144ae787b8b93c6a3559e6662301d3be72)<br \/> encziczibc.dat (672440151cd67a20bccc5c9f9f66f7d091098b0bd2a087eeac79af1f11bf3403)<br \/> kdkdkqtfdb.dat (9bfb66621cf27f086f8db9e8761841fd0aff3a0a6348988324b408319639b9b8)<br \/> uvgbwwwjcc.dat (b1d9d9bb617463a1cef665322949b29ad23ebfee2892908385b30cd739c163ce)<br \/> wjalosuiec.dat (29d47ddb05381dd591c77c5eee62236cfc7120b1719d6e40f29872e9c9b53a0c)<br \/> yxuvgoshcb.dat (24818652fd0031b3a1626da35068ec868d8d3b9635cb011677188cf73bc3eb5a)<br \/> yxuvgoshgc.dat (748961aabd75b85ee602e5f6d70322b281930349fbc98ad5c638104a759eba0b)<\/p>\n<h4><b>C2 Server<\/b><\/h4>\n<p>albarthurst[.]pro<br \/> mozambiquest[.]pw<br \/> ransmittend[.]club<br \/> summerch[.]xyz<br \/> ethracial[.]pw<br \/> saudienter[.]pw<br \/> goodinzone[.]at<br \/> forsynanchyv[.]com<br \/> hipponexunam[.]org<br \/> chardiop[.]club<br \/> parenessed[.]icu<br \/> mechangerous[.]space<br \/> exchangests[.]xyz<br \/> hydrylater[.]online<br \/> carlsbadenomise[.]top<br \/> wagenstead[.]xyz<\/p>\n<p><i>Learn more about\u00a0<a 
href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">FortiGuard Labs<\/a>\u00a0and the FortiGuard Security Services\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions.html?utm_source=blog&amp;utm_campaign=2018-blog-security-services\">portfolio<\/a>.\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">Sign up<\/a>\u00a0for our weekly FortiGuard Threat Brief.\u00a0<\/i><\/p>\n<p><i>Read about the FortiGuard\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/security-rating.html?utm_source=blog&amp;utm_campaign=2018-blog-security-rating-service\">Security Rating Service<\/a>, which provides security audits and best practices.<\/i>\u00a0<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<div id=\"om-qxx1b0gslklfu2kjckea-holder\"><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"http:\/\/feedproxy.google.com\/~r\/fortinet\/blog\/threat-research\/~3\/UXFtcuRIqfE\/icedid-malware-analysis-part-two.html\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/icedid-malware-analysis-part-two\/_jcr_content\/root\/responsivegrid\/image_1086110147.img.png\"\/><br \/>Learn more about the core IcedID payload, a banking trojan which performs web injection on browsers and acts as proxy to inspect and manipulate traffic. 
This is part two of a three part series.&lt;img src=&#8221;http:\/\/feeds.feedburner.com\/~r\/fortinet\/blog\/threat-research\/~4\/UXFtcuRIqfE&#8221; height=&#8221;1&#8243; width=&#8221;1&#8243; alt=&#8221;&#8221;\/&gt;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-15854","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15854","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15854"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15854\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15854"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15854"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15854"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}