{"id":15866,"date":"2019-07-22T11:40:03","date_gmt":"2019-07-22T19:40:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/07\/22\/news-9611\/"},"modified":"2019-07-22T11:40:03","modified_gmt":"2019-07-22T19:40:03","slug":"news-9611","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/07\/22\/news-9611\/","title":{"rendered":"A Deep Dive Into IcedID Malware:  Part III &#8211; Analysis of Child Processes"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b><i>FortiGuard Labs Threat Analysis Report Series<\/i><\/b><\/p>\n<p>\u00a0<\/p>\n<p>In <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/icedid-malware-analysis-part-two.html\">Part II<\/a> of this blog series, we identified three child processes that were created by the IcedID malware. In Part III below, we\u2019ll provide a deep analysis of those child processes. <\/p>\n<p>Let\u2019s get started!<\/p>\n<p><b>0x01 Child process A (entry offset: 0x168E)<\/b><\/p>\n<p>This first child process is primarily responsible for performing web injection in browsers and acting as a proxy to inspect and manipulate traffic. It can also hook key functions in browsers. <\/p>\n<p>The following is the pseudo code of the entry point.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/deep-dive-icedid-malware-analysis-of-child-processes\/_jcr_content\/root\/responsivegrid\/image.img.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1. 
The pseudo code of the entry point in the trampoline code<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>In this function, the process first unhooks the RtlExitUserProcess API and then loads a number of dynamic libraries. The function sub_0x1A9F() is the core function.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/deep-dive-icedid-malware-analysis-of-child-processes\/_jcr_content\/root\/responsivegrid\/image_105909831.img.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2. The core function sub_0x1A9F()<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Here\u2019s a list of the key functionalities of this function.\u00a0<\/p>\n<p>1.\u00a0 \u00a0 \u00a0Build a C2 server list\u00a0<\/p>\n<p>2.\u00a0 \u00a0 \u00a0Create a thread to set IPC with file mapping technique\u00a0<\/p>\n<p>3.\u00a0 \u00a0 \u00a0Create a thread and then call the QueueUserAPC function to add a user-mode asynchronous procedure call (APC) object to the APC queue of the specified thread. 
In APC, it can read the DAT config file, decrypt it with an RC4 key, and then decompress the data as follows.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/deep-dive-icedid-malware-analysis-of-child-processes\/_jcr_content\/root\/responsivegrid\/image_871721892.img.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3. The decrypted web injection DAT config file<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>This DAT config file is used for performing web injections. It uses a Magic number, \u201czeus\u201d. IcedID then uses a customized algorithm to decode the content. The following is the decompressed data.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/deep-dive-icedid-malware-analysis-of-child-processes\/_jcr_content\/root\/responsivegrid\/image_235350913.img.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4. The decompressed data of web injection<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>4. Add self-signed certificate into the certificate store and then create a proxy server which is bound to 127.0.0.1 on TCP port 61420. 
Next, it calls the RegisterWaitForSingleObject function to register a WSA (Windows Socket API) event handler, then uses the socket of the initialized proxy server to handle all connect, send, and receive network requests.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/deep-dive-icedid-malware-analysis-of-child-processes\/_jcr_content\/root\/responsivegrid\/image_1435642615.img.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5. Proxy server handles network requests<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Additionally, in order to perform a MiTM attack on SSL connections, the proxy server has to generate a certificate and add it into the cert store. The following is that implementation.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/deep-dive-icedid-malware-analysis-of-child-processes\/_jcr_content\/root\/responsivegrid\/image_1226841350.img.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6. 
Adding a self-signed cert into the cert store<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>We can also see that this svchost.exe child process is listening on TCP port 61420.\u00a0 \u00a0\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/deep-dive-icedid-malware-analysis-of-child-processes\/_jcr_content\/root\/responsivegrid\/image_405637996.img.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>5. Create a thread to perform code injection into the browser. The following is the thread function of the browser code injection.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/deep-dive-icedid-malware-analysis-of-child-processes\/_jcr_content\/root\/responsivegrid\/image_1681222969.img.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7. The browser injection function<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It uses the ZwQuerySystemInformation function to gather a list of all current running processes. If a browser process is found, it performs code injection into the browser process and sets up a hook on the ZwWaitForSingleObject function. The following is the function that checks to see if a running process is a browser process. 
It first generates a hash with the process name using a specified algorithm. Then, it compares the hash with the given hashes of four browsers: Firefox, Edge, IE, and Chrome.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/deep-dive-icedid-malware-analysis-of-child-processes\/_jcr_content\/root\/responsivegrid\/image_547012751.img.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8. Checking the hash of the process name<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Before performing its code injection, it first checks whether this process is a 64-bit process by calling the IsWow64Process function. It then performs a code injection into the browser process, and depending on the bitness of the process, it calls the corresponding hook function to set up a hook on the ZwWaitForSingleObject function.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/deep-dive-icedid-malware-analysis-of-child-processes\/_jcr_content\/root\/responsivegrid\/image_844752512.img.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9. 
Process injection and setting up a hook in a browser<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Here we will use Firefox to demonstrate how it performs its process injection and sets up a hook.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/deep-dive-icedid-malware-analysis-of-child-processes\/_jcr_content\/root\/responsivegrid\/image_53770544.img.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 10. Process injection into Firefox<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It sets up a hook on the ZwWaitForSingleObject API in the Firefox process as follows.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/deep-dive-icedid-malware-analysis-of-child-processes\/_jcr_content\/root\/responsivegrid\/image_1553359012.img.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 11. Hooked ZwWaitForSingleObject function<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>When Firefox calls the ZwWaitForSingleObject function, it jumps to the trampoline code. 
The entry point of trampoline code is at offset 0x1856 from the injected memory region.<\/p>\n<p>Let\u2019s take a closer look at the trampoline code (offset:0x1856).<\/p>\n<p>In this trampoline code, it first unhooks the ZwWaitForSingleObject API. Then it sets up a hook on the SSL_AuthCertificateHook API (in nss3.dll for Firefox.) The nss3.SSL_AuthCertificateHook function specifies a certificate authentication callback function that is called to authenticate an incoming certificate.<\/p>\n<p>The following is the hooked nss3.SSL_AuthCertificateHook function.\u00a0 \u00a0\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/deep-dive-icedid-malware-analysis-of-child-processes\/_jcr_content\/root\/responsivegrid\/image_1895282654.img.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 12. The hooked nss3.SSL_AuthCertificateHook function<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It configures the nss3.SSL_AuthCertificateHook function to always return SECSuccess.\u00a0 <\/p>\n<p><i>Note that it can set up a hook for browser-specific functions depending on the type of browser. However, we won\u2019t be providing details for any other browsers in this blog.<\/i> <\/p>\n<p>Next, it continues to set up a hook on the connect API in ws2_32.dll. 
The following is the hooked connect API.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/deep-dive-icedid-malware-analysis-of-child-processes\/_jcr_content\/root\/responsivegrid\/image_1975337091.img.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 13. The hooked connect API in ws2_32.dll<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The following is the pseudo code of the trampoline code for the hooked <b><i>connect<\/i><\/b> API.\u00a0 \u00a0\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/deep-dive-icedid-malware-analysis-of-child-processes\/_jcr_content\/root\/responsivegrid\/image_99759908.img.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 14. The pseudo code of the trampoline code for the hooked connect API<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Once the <b><i>connect<\/i><\/b> function returns 0 (the connection has succeeded), it sends 12 bytes of data to proxy server <b>127.0.0.1:61420<\/b>, which was created in this svchost.exe child process. 
The captured traffic is shown in Figure 15.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/deep-dive-icedid-malware-analysis-of-child-processes\/_jcr_content\/root\/responsivegrid\/image_868828584.img.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 15. Browser sends 12 bytes of data to the proxy server<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The structure of these 12 bytes consists of four parts, as follows:<\/p>\n<p><i>0x00: Unknown<\/i><\/p>\n<p><i>0x04: Target website\u2019s IP address<\/i><\/p>\n<p><i>0x08: Port<\/i><\/p>\n<p><i>0x0A: Browser type<\/i><\/p>\n<p><b>0x02 Child Process B (entry offset: 0x1E0A)<\/b><\/p>\n<p><b>\u00a0<\/b><\/p>\n<p>This second child process is used to communicate with the C2 server. It will attempt to send an HTTP request to the C2 server via WebSocket, as follows.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/deep-dive-icedid-malware-analysis-of-child-processes\/_jcr_content\/root\/responsivegrid\/image_337204614.img.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 16. Requesting data from the C2 via WebSocket<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It also communicates with the parent svchost.exe process using a mapping file technique. 
And, depending on the shared info, it may attempt to make network requests to a C2 server over SSL, and then create a new process, perform code injections, and set up a hook on the RtlExitUserProcess function.<\/p>\n<p><b>0x03 Child Process C (entry offset: 0x10DF)<\/b><\/p>\n<p>This process communicates with the parent svchost.exe process by using a mapping file technique. It is also able to perform some registry operations.<\/p>\n<p><b>0x04 Solution<\/b><\/p>\n<p>This malicious PE file has been detected as \u201cW32\/Kryptik.GTSU!tr\u201d by the FortiGuard AntiVirus service.<\/p>\n<p>The C2 server list has been rated as \u201cMalicious Websites\u201d by the FortiGuard WebFilter service.<\/p>\n<p><b>\u00a0<\/b><\/p>\n<p><b>0x05 Conclusion<\/b><\/p>\n<p>In this series of posts, I have provided a detailed analysis of a new IcedID malware sample. The entire detailed analysis is divided into three parts. The first two parts are available here: <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/icedid-malware-analysis-part-one.html\">Part I: Unpacking, Hooking, and Process Injection<\/a> and <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/icedid-malware-analysis-part-two.html\">Part II: Analysis of the Core IcedID Payload (Parent Process)<\/a>.<\/p>\n<p>IcedID is a sophisticated and complicated banking trojan that performs web injection in browsers and acts as a proxy to inspect and manipulate traffic. It is designed to steal information \u2013 such as credentials \u2013 from victims and then send that stolen information to attacker-controlled servers. 
To accomplish this, IcedID uses a large number of hooking and process injection techniques, and it also disguises itself as several svchost.exe processes, which we examined in this deep dive analysis series.<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<div id=\"om-qxx1b0gslklfu2kjckea-holder\"><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"http:\/\/feedproxy.google.com\/~r\/fortinet\/blog\/threat-research\/~3\/0EEDkjvcpuo\/deep-dive-icedid-malware-analysis-of-child-processes.html\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/deep-dive-icedid-malware-analysis-of-child-processes\/_jcr_content\/root\/responsivegrid\/image.img.png\"\/><br \/>In Part II of this blog series, we 
identified three child processes that were created by the IcedID malware. In Part III, we provide a deep analysis of those child processes.&lt;img src=&#8221;http:\/\/feeds.feedburner.com\/~r\/fortinet\/blog\/threat-research\/~4\/0EEDkjvcpuo&#8221; height=&#8221;1&#8243; width=&#8221;1&#8243; alt=&#8221;&#8221;\/&gt;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-15866","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15866","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15866"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15866\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15866"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15866"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15866"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}