
Monday, August 10, 2020

Learning From ICEID loader - Including its Steganography Payload Parsing

This ICEID stager or loader shows some interesting ways of loading the ICEID downloader: it bypasses some API monitoring tools while unpacking its code, and it evades forensic tools in memory. I also learned how it parses the PNG header to decrypt its encrypted payload (steganography).

So let's start!

Loading Runas.exe:

One interesting piece of code in this IceID stager/loader is that it tries to load "runas.exe" using LoadLibraryExA. Currently I don't know what other purpose this loading serves aside from evading or bypassing emulation tools or engines.

figure 1: loading runas.exe with LoadLibraryExA


Decrypting Shellcode Loader and the IceID Downloader:

Next it decrypts the encrypted shellcode and IceID downloader from its .rsrc section. This is done by finding a specific resource name, then locating its address and its resource entry size within the file, as shown in figure 2 below.

figure 2: Finding ResourceEntry

After this it allocates virtual memory using an alternative to VirtualAlloc, VirtualAllocExNuma, which may evade unpacking tools that only hook the common virtual allocation APIs.

figure 3: Allocation of Memory

Then it decrypts the encrypted .rsrc data with the RC4 algorithm using the Microsoft CSP API, shown in the figure below. Interestingly, the common way to decrypt an encrypted blob with the CSP API is CryptDecrypt, but this malware uses the CryptEncrypt API instead to decrypt the blob. This works because RC4 is a stream cipher: encryption and decryption are the same keystream XOR, so applying CryptEncrypt to the ciphertext yields the plaintext.

figure 4: the decryption function for the encrypted resource section


figure 5: decrypted shellcode and ICEID downloader

 

Processing PNG Payload - Steganography:

This part of the ICEID downloader is really interesting: here I learned how it parses the PNG header to look for the IDAT chunk and decrypt it. But first it checks whether the command line of the ICEID downloader process has an argument "-id=" containing an integer value; that value is the name of the downloaded steganographic PNG file, which should be placed in the %tmp% folder.

figure 6: checking the process command line and the decryption function

figure 7: the parsing of the PNG payload

After finding the IDAT header position, it parses the RC4 key located right after it and then the encrypted data, and decrypts that data with the RC4 algorithm.

figure 8: parsing the PNG header payload
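As an added illustration (not the loader's own code, and not code from this post), a small Python extractor that walks the PNG chunks, finds IDAT and RC4-decrypts what follows, as the downloader does. The 16-byte key length and the key-then-ciphertext layout inside IDAT are assumptions, since the post does not state them, and the sample image is constructed here for testing.

```python
import struct
import zlib

# Assumed layout (not confirmed on the page): the IDAT chunk data starts with a
# 16-byte RC4 key, followed immediately by the RC4-encrypted payload.
KEY_LEN = 16

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR. Encrypting and decrypting are the same operation,
    which is why CryptEncrypt on the ciphertext still yields the plaintext."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def png_chunks(png: bytes):
    """Yield (type, data) for every chunk after the 8-byte PNG signature."""
    if png[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        yield ctype, png[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC

def extract_payload(png: bytes) -> bytes:
    """Find the first IDAT chunk, split off the key and RC4-decrypt the rest."""
    for ctype, data in png_chunks(png):
        if ctype == b"IDAT":
            return rc4(data[:KEY_LEN], data[KEY_LEN:])
    raise ValueError("no IDAT chunk found")

def build_sample_png(key: bytes, payload: bytes) -> bytes:
    """Constructed test image carrying key||rc4(payload) inside IDAT."""
    def chunk(ctype: bytes, data: bytes) -> bytes:
        crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1 RGB, 8-bit
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", key + rc4(key, payload)) + chunk(b"IEND", b""))
```

Pointing `extract_payload` at a file named after the `-id=` value in %tmp% reproduces the downloader's own lookup, with the key offset adjusted to whatever the real sample uses.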

Anti-Memory Forensics:

I also noticed that upon loading the ICEID downloader into memory to execute it, the loader removes the DOS header, a common anti-forensic technique.

figure 9: Anti Memory Forensic Technique

IOC:

Loader:

https://app.any.run/tasks/b4beb108-60c8-4ae5-8f7b-4f21ffa5da7a/

SHA1: 56be44a912e2677e98cbce0c42a8344a7de34ea1

MD5: bd57f946b9294c90772e57e20247d1eb

SHA256: 81801711abd4b24eb39be359ce18a54600f3a362c033a38c01881c941f8743b4

ICEID downloader:

SHA1: e8a1f8e06b332cece343718d80ad942b1466c07b

MD5: 5c2766313ce3ce8d3321c81f347d2813

SHA256: 295dc254c4d168ab935e84b229746586ce69028f39f0612f6a900b7a01bae9e5


Closing:

In this blog post I learned a new way to allocate virtual memory, LoadLibraryExA for executables and, last, parsing the PNG header. I hope I shared something. :)
