IcedID malware analysis

Over the past week, whilst studying for my eCMAP exam (eLearnSecurity Certified Malware Analysis Professional), I have tried to complete some reversing challenges and also source some real world samples to try and analyse on my own.

This lead me to find one attributed to IcedID on MalwareBazaar. This caught my eye for a few reasons, but one was because it was attributed to a piece of malware I helped analyse a few months ago. You can find the blog I co-authored with SOSIntelligence here.

This sample used some of the same techniques I had seen before, using zip files, lnk files and techniques to self unpack itself to write further malicious files to disk.

Stage 1

Initial infection is delivered through a phishing email where the victim is presented with an HTML attachment.

Looking at the contents of this file, there are some obfuscated functions and some base64 encoded blobs. Looking at the functions, it will take the base64 encoded blob and will decode it and append the result to the document as an element ("embed") that is the last child of an element.

Below is a snippet of the reversed base64 encoded blob that will be reversed and then decoded by the above functions.

I also noticed, that in this file there is a password that could be used later. It is important that we remember this for later.

Stage 2

From stage 1 I identified that the html file would decode a base64 encoded blob and would append it to the DOM. The next step I took was to reverse the the string and then base64 decode it, I saved this as stage2.txt. The resulting file was filled with heavily obfuscated JavaScript and more base64 encoded data.

At this point, I could have base64 decoded the variable at the bottom to get the resulting data. However, I wanted to fully understand what was going on here, so I decided to deobfuscate the code as best as I could (not being a JavaScript professional). I will show how best I could deobfuscate it, but first I will walk though what I think each part of the code is doing.

I believe the below snippet is tasked with deobfuscating and decoding the base64 encoded blob.

The below snippet will take the decoded base64 data and will construct a .zip file.

The below function was used to create a zip file attachment named attachment.zip and will make it look like it has been downloaded from the internet by using the window.location.assign function. This will cause the window to load and display a document at a specified URL, in this case the document was the decoded zip file.

Having tried my best, please see below the deobfuscated stage 2 JavaScript code.

Having run the sample at this point, I can confirm that the hash is the same for the downloaded zip if I were to simply base64 decode the data and save it as a zip file manually.

When running the sample, I can see the password that was identified in stage 1. This leads me to believe that the zip file may be password protected. The theme of this malware is that someone has shared a password protected PDF that the victim must download and open with a password.

Opening the resulting zip file, I noticed that there was an iso file personal_data_6671.iso.

Stage 3

The iso file contains a file named personal_data.lnk, looking at this the target path is set to a command. The below command indicates that when the iso file is run, it will execute pigeons.cmd from within the cattle directory.

C:\Windows\System32\cmd.exe /c cattle\pigeons.cmd

Within this directory, there is an empty folder enriches, 2 cmd files, a dat file, a routings.txt file and a jpeg. The routings.txt is a file full of garbage text and is most likely used to evade signature detection but containing a benign data.

Taking a look at the pigeons.cmd as this would be the first file to be called, I noticed that there is some obfuscation of commands to hide what is going on. After editing some of the commands to echo the variables out, I noticed that it would call the next cmd file celcius.cmd and would pass system32 and rundll to it as arguments.

The second windows command script celcius.cmd will take both arguments by referring to them with %1 and %2. It will also copy rundll32 and create a new executable named mischiefWrecks.exe which is a technique known as masquerading.

I then noticed that the dat file backplate.dat was executed by mischiefWrecks.exe (rundll32.exe) with the ordinal #1, we will understand later what the ordinal is referring to.

So, what is backplate.dat?

It looks like this dat file is actually a DLL.

This is a 64-bit DLL and was compiled Tuesday November 1st 2022.

It's original filename was actually B.dll and I noticed references to this when analysing it in IDA.

The dll shows to be using no libraries or functions and as I explain below exports only one function.

Interestingly, there is an abnormal section header I had not seen in a PE or a DLL before (.vfs) which has a file ratio of about 50% meaning this section is big.

PEstudio displays this section has being black listed meaning that it has been seen as suspicious.

Looking at the export directory, there is only one exported function Njkhsud.

Looking at the .vfs section further in IDA, I could see that from the strings output this section contains what looks like more JavaScript.

Looking at this closer, this JavaScript could possibly be used for information gathering and discovery, although I am not certain.

Dynamic analysis

I observed that MischiefWrecks.exe is masquerading as rundll32.exe so I set a filter on this process in procmon. I noticed that this DLL (dat file) was loaded by MischiefWrecks.exe.

MischiefWrecks.exe was seen to create a new drive on the system (E:\) and re-created all of the files found in the personal_data_6671.iso.

Shortly after I observed the sample making TCP connection requests, either to download another piece of malware, cobalt strike or to connect back to a C&C server.

Looking in my Wireshark capture, I can see that the malware called out to a domain hxxps[://]hardenpasedaken[.]com which we now know to be the C&C server for this malware.

In addition to this and inline to what I saw in procmon, the sample at regular intervals tried to connect to an endpoint at port 443.

Conclusion

This sample was pretty simple and had a victim open an html attachment which then downloaded a password protected zip file. When this was opened using the password provided, a .lnk file would execute some windows command scripts which would then call a copied version of rundll32.exe to execute a .dat file (dll) which would then call out to a C&C server.

Some pretty cool stuff! I hope from here to analyse more malware and learn much much more! Please let me know if youy think I missed anything or explained anything incorrectly as im still learning. I eventually want to write about some malware I have developed in C and analyse that also, stay tuned!

IOC's

Hashes

Downloaded html attachment fileb4046a6848ea2380e32ddf5aa6de79e4c16d0e2e16ecf942ff97287e725f32c7

Personal_data_6671.iso

248fe41dd5b88240d59f08380d9b2cef16ee492f0f3e855b57814f001761b850

Personal_data.lnk

8b8b96f0eae35faff95622009e7c424d749e86129994ea61f437cc02264fa49b

Celsius.cmd

dd48f48938f8b207ee776895ade78323d31850204f68a72aa5a74c78e0119cf3

Pigeons.cmd

8dafc839fc563b0966e68f9530691d2ec38f808132fb28a1ff62ece2c1a17406

Backplate.dat

08f355f7dca50d30cd288735151a4e6d5dfb5bf2336be6e4f3b44ba881e4b721

MischiefWrecks.exe

b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa

Routings.txt

28e9781c9b4c129be6bd78870e97b7ed4bf96f15da10f6b750ec276909636c36

Wheel.jpg

561b6be50ee9c0223f87f202dc70d904a9dee45f50ae13d2ec66a5e650938fbd

Files created

C:\Users\%username%\AppData\Local\Temp\mischiefWrecks.exe

New drive created

E:\

C&C

hxxps[://]hardenpasedaken[.]com