Manual Unpacking IcedID Write-up

Posted: August 16, 2020 in Manual Unpacking IcedID Write-up, My Tutorials
Tags: , ,

Sample hash:

SHA256: 76cd290b236b11bd18d81e75e41682208e4c0a5701ce7834a9e289ea9e06eb7e

Tools:

1. Static Analysis

Thow the sample to PortEx Analyzer, tool will analyse file with a special focus on malformation. We get the results:

The section .text has high entropy, so may be the sample is packed:

This sample is PE32 with ASLR enabled (can quickly disable this feature by using setdllcharacteristics):

This sample reveals information about the pdb path:

Some anomalies were identified by PortEx:

2. Dynamic Analysis

Load specimen to x64dbg, for unpacking process, we set breakpoints at some common APIs:

  • VirtualAlloc
  • VirtualProtect
  • CreateProcessInternalW
  • WriteProcessMemory

After placing the breakpoints like above picture, press F9 to execute. First hit at VirtualAlloc:

Execute till Return (Ctrl+F9) and Follow in dump the allocated memory (return in EAX register):

Continue run with F9, hit the second call to VirtualAlloc and observe changes in the allocated memory. We see new bytes value was written to this location and it is likely a shellcode:

Once again, Ctrl+F9 and Follow in dump the new allocated memory:

Let’s continue execute and hit the third call to VirtualAlloc, some bytes were written to the new allocated memory. They do not look like shellcode but could be some data that malicious code uses:

Continuing to execute the call to the VirtuallAlloc function, we have a newly allocated memory:

Press F9, we break at VirtualProtect. The newly allocated device has been filled with bytes. I spotted a PE file that has been compressed using aPlib because the PE magic bytes MZ become M8Z.

Follow this section in the Memory Map and dump it to file:

3. Decompress dumped file

From the command line, simply need to pass dumped file to aprip.py. The tool will do its job and each extracted file will be written to a file “dump0.bin”, “dump1.bin”, …

Check dump0.bin (21dd005162c62af26f3f59e2ebcb345c) with PE-bear: AddressOfEntryPoint = 0x0000163D

Valid IATs:

End!

m4n0w4r

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.