icedid-unpacked

What is IcedID

IcedID is malware that steals information from mail clients, browsers and other applications.
In Japan it is currently spreading rapidly as a password-protected zip file attached to malicious e-mail; the archive contains a .doc file that is used to run an MS Word macro.
There are also two versions of the executable file.
Fortunately, I was able to dump the main process from one version by setting a breakpoint on VirtualAlloc and VirtualProtect.
If we look at the first 4 bytes, "4D 38 5A 90", it appears to be the PE header of a file packed with aPLib.
You can check this precisely in Exeinfo PE.
It can therefore be decompressed with an aPLib unpacker.
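To make the signature check and the decompression step concrete, here is a small aPLib depacker in Python, added as an example and not code from this repository or from aplib-ripper; the `unpack_dump` wrapper, its name, and the hand-packed sample stream `COMPRESSED_DOS_HEADER` are my own constructions, not bytes taken from the sample.

```python
APLIB_PE_MAGIC = b"M8Z\x90"  # 4D 38 5A 90: literal 'M', tag byte 0x38, literals 'Z' and 0x90
def aplib_decompress(data):  # raw aPLib stream (no 'AP32' container header) -> bytes
    out, src = bytearray([data[0]]), iter(data[1:])   # first byte is always a literal
    tag, count, r0, lwm = 0, 0, -1, 0                 # tag state, last offset, "last was match"
    def bit():                                        # tag bytes are consumed MSB-first
        nonlocal tag, count
        if count == 0:
            tag, count = next(src), 8
        count -= 1; tag <<= 1
        return (tag >> 8) & 1                         # the bit just shifted out of the byte
    def gamma():                                      # aPLib gamma code: value bit, then continue bit
        result = 1
        while True:
            result = (result << 1) + bit()
            if not bit():
                return result
    def copy(offs, length):                           # byte-wise so overlapping copies (offs < length) work
        for _ in range(length):
            out.append(out[-offs])
    while True:
        if not bit():                                 # 0: literal byte
            out.append(next(src)); lwm = 0
        elif not bit():                               # 10: long match, gamma-coded offset and length
            offs = gamma()
            if lwm == 0 and offs == 2:                # reuse the previous offset
                offs, length = r0, gamma()
            else:
                offs = ((offs - (3 if lwm == 0 else 2)) << 8) + next(src)
                length = gamma() + (offs >= 32000) + (offs >= 1280) + 2 * (offs < 128)
                r0 = offs
            copy(offs, length); lwm = 1
        elif not bit():                               # 110: medium match, one byte holds offset and length
            b = next(src); offs, length = b >> 1, 2 + (b & 1)
            if offs == 0:                             # end-of-stream marker
                return bytes(out)
            copy(offs, length); r0, lwm = offs, 1
        else:                                         # 111: short match, 4-bit offset (0 means a zero byte)
            offs = 0
            for _ in range(4):
                offs = (offs << 1) + bit()
            out.append(out[-offs] if offs else 0); lwm = 0
def unpack_dump(blob):                                # only depack dumps that show the M8Z signature
    if not blob.startswith(APLIB_PE_MAGIC):
        return None
    image = aplib_decompress(blob)
    return image if image.startswith(b"MZ") else None
# Constructed stream (not from the sample): first 10 bytes of a DOS header, hand-packed with aPLib.
COMPRESSED_DOS_HEADER = bytes.fromhex("4D385A9038036702040C00")
```

The constructed stream shows why the "M8Z" signature appears: the literal 'M' is copied verbatim, 0x38 is the first tag byte, and 'Z' and 0x90 follow as plain literals before the first match code.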

Analysis result

// Possibly related to steganography (a ".png" string is passed to the string decrypter)
StringEncrypter((uint *)&local_8,CONCAT31((int3)((uint)extraout_EDX_00 >> 8),1),".png",local_12c + iVar1);
// Strings (alphabets) used in the simple encryption algorithm
aeiuo
bcdfghjklmnpqrstvwxyz
abcedfikmnopsutw

005A0000 Password

infected

Sample

https://bazaar.abuse.ch/sample/a4f244ea588a4d55a542fe9c8fc6875d8b494acf7c2b970d420ff3a537f023cd/

References

https://blog.trendmicro.co.jp/archives/26656

https://github.com/herrcore/aplib-ripper

Contributors

lutwidse
