{
	"id": "9a546b16-4cab-4fd6-a686-2f7b08c64cb2",
	"created_at": "2026-04-10T03:20:40.836329Z",
	"updated_at": "2026-04-10T13:12:37.329278Z",
	"deleted_at": null,
	"sha1_hash": "62e13220cabf12b1d84b80b57cbdb051ea98f265",
	"title": "IcedID aka #Bokbot Analysis with Ghidra.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4983365,
	"plain_text": "IcedID aka #Bokbot Analysis with Ghidra.\r\nBy Dawid Golak\r\nPublished: 2019-06-25 · Archived: 2026-04-10 02:06:12 UTC\r\nhttps://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766\r\nA few days ago @brad published a post on Twitter about a resume-themed, password-protected Word document that was dropping IcedID (also known as #BokBot). The sample is available for download from the any.run service (https://app.any.run/tasks/13d6d9f9-7033-4ce7-9ad4-76591f15274c/) for further analysis.\r\nBTW, any.run is an excellent sandbox that can speed up the initial analysis of malicious files.\r\nThe IcedID sample is packed and contains an interesting startup mechanism.\r\nFile analysis:\r\nMD5: b05ea5fd73d25140cdb31f36789d9003\r\nFilename: 5.exe\r\nSHA256: d350d150f658a32c32984d7f879c6f3b3ddb6ba7918bfe22e19471a79a0cd490\r\nAt first glance you can see that the file is packed.\r\nAfter launching the sample in the debugger we can identify that a standard packing mechanism is in use.\r\nThe first stage, or how to unpack IcedID?\r\nIf we want to unpack this file ourselves, we can follow the OA Labs video tutorial or the instructions below.\r\nBriefly, to unpack this sample:\r\n1. Set a breakpoint on VirtualAlloc.\r\n2. Launch the sample and wait for the debugger to stop on this function, then look at the allocated memory address (VirtualAlloc returns it in $EAX).\r\nOnce we have this address, set a hardware breakpoint on write on the first bytes of the allocation and wait until the program writes data to it.\r\n3. 
As we can see at this point, the first bytes of the allocated memory area are 4D 5A (“MZ”). This means the second stage of the sample is being written there.\r\n4. We dump this memory region to a file, and now we have a copy of the second stage to analyze.\r\nThe second stage\r\nAfter unpacking the file and viewing the pseudocode generated by #Ghidra, we can see the following flow.\r\nIn line №15, the value of the “-q=” parameter is retrieved from the command line.\r\nIf this parameter is not present, the code beginning on line 17 runs, and further parameters are checked.\r\nWhy does it do this?\r\nThe process running under the debugger creates a new process, which is not being debugged. This is one way to escape from the debugger.\r\nWe have several options for debugging the new process: for example, breaking on CreateProcessA and patching dwCreationFlags to include CREATE_SUSPENDED (0x4) so that a debugger can attach to the child before it runs, or simply re-running the sample with the arguments the child would receive.\r\nPS. For instance, I looked at the parameters with which “CreateProcessA” is called and executed the malware again under the debugger with the additional option:\r\n“C:\\Users\\admin\\AppData\\Local\\Temp\\5.exe” -q=[int]\r\nfor example:\r\n“C:\\Users\\admin\\AppData\\Local\\Temp\\5.exe” -q=412588568\r\nOnce these argument checks have passed, the next interesting function to analyze is FUN_004011be().\r\nThis function contains a simple decryption algorithm that begins at address 004011d5. 
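Before stepping through the loop instruction by instruction, here is what FUN_004011be() computes end to end, as an added Python 3 example that is not code from the original post: each byte of the 0x454-byte blob at 00403000 is mapped through the table '0123456789ABCDEF', high nibble first, then low nibble, which is nothing more than uppercase hex encoding. The example generalises the routine to any 16-character table (samples sometimes swap in a shuffled alphabet) and adds the inverse so the result can be checked. HEX_TABLE, BLOB_LEN, nibble_encode, nibble_decode and is_plain_hex are names chosen for this example, and SAMPLE_BLOB is constructed filler, not data from the sample.

```python
# Added example (not from the original post). Reimplements the nibble-to-table
# loop of FUN_004011be() generically and adds the inverse plus a self-check.

HEX_TABLE = '0123456789ABCDEF'   # the second data set referenced by the loop
BLOB_LEN = 0x454                 # loop bound in the decompiled code: while (uVar5 < 0x454)


def nibble_encode(blob, table=HEX_TABLE, limit=BLOB_LEN):
    # For each byte: emit table[b >> 4] (SHR EAX,4) then table[b & 0xF] (AND EAX,0xF).
    # Stops after `limit` bytes, exactly like the sample's loop.
    if len(table) != 16 or len(set(table)) != 16:
        raise ValueError('table must be 16 distinct characters')
    out = []
    for b in blob[:limit]:
        out.append(table[b >> 4])    # index of the high nibble
        out.append(table[b & 0xF])   # index of the low nibble
    return ''.join(out)


def nibble_decode(text, table=HEX_TABLE):
    # Inverse of nibble_encode: pairs of table characters back to bytes.
    if len(text) % 2:
        raise ValueError('encoded text must have even length')
    index = {ch: i for i, ch in enumerate(table)}
    return bytes(index[text[i]] << 4 | index[text[i + 1]]
                 for i in range(0, len(text), 2))


def is_plain_hex(blob, limit=BLOB_LEN):
    # True when the routine, run with the sample's table, is just uppercase hex.
    return nibble_encode(blob, limit=limit) == blob[:limit].hex().upper()


# Constructed stand-in for the bytes at 0x00403000 (deterministic filler for a
# self-test; replace with the bytes dumped from the unpacked second stage).
SAMPLE_BLOB = bytes((i * 37 + 11) & 0xFF for i in range(0x500))

if __name__ == '__main__':
    enc = nibble_encode(SAMPLE_BLOB)
    print(len(enc), enc[:32])
    print('plain hex:', is_plain_hex(SAMPLE_BLOB))
    print('round trip ok:', nibble_decode(enc) == SAMPLE_BLOB[:BLOB_LEN])
```

Run it against the bytes dumped from 00403000 in place of SAMPLE_BLOB; if is_plain_hex() returns True the routine can be replaced with bytes.hex() in further scripting, and nibble_decode() recovers the blob from the string observed in the debugger.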
Here there is a loop which reads a byte from address [00403000+ESI].\r\nA bitwise shift to the right by four is performed, leaving the high nibble in the low bits of $EAX.\r\nThe value of the AL register then indexes the second data set, the table “0123456789ABCDEF”.\r\nIn the next step the byte at [00403000 + ESI] is read again and an “AND” operation is performed:\r\nAND EAX, 0xf keeps only the low nibble of $EAX.\r\nAgain the AL register value indexes the table “0123456789ABCDEF”.\r\nEach input byte is therefore turned into two characters, high nibble first; with this table the “decryption” is plain uppercase hex encoding of the 0x454 bytes at 00403000.\r\nThis algorithm has been replicated in Python below (the original script was Python 2; this version runs on Python 3, with data3.txt holding the bytes dumped from 00403000 and data2.txt holding the table).\r\nwith open('data3.txt', 'rb') as f:\r\n    key = f.read()           # bytes dumped from 00403000\r\nwith open('data2.txt', 'r') as f:\r\n    tab = f.read().strip()   # the table 0123456789ABCDEF\r\nres = []\r\nfor ind, byte in enumerate(key):\r\n    if ind >= 0x454:         # loop bound in the decompiled code: while (uVar5 < 0x454);\r\n        break\r\n    first_poz = byte >> 4    # SHR EAX, 4: high nibble\r\n    second_poz = byte & 0xf  # AND EAX, 0xf: low nibble\r\n    res.append(tab[first_poz])\r\n    res.append(tab[second_poz])\r\np = ''.join(res)\r\nprint(p)\r\nThe output is shown in a screenshot in the original post.\r\nUsing the debugger we can verify the output of our script.\r\nAfterwards, the “q” parameter is generated.\r\nThe next step is to run the process again with the parameter that was checked in the conditions above (-q=[int]).\r\nIn the second start of 
the process, after passing the conditions, we come to the function create_self_process_with_additional_params() (originally FUN_0040124a()), which launches a new svchost.exe process.\r\nAnti-debugging, or GetNativeSystemInfo.\r\nBefore creating the svchost process the malware performs an anti-debugging (environment) check using the well-known “GetNativeSystemInfo” API (Kernel32.dll).\r\nThe API is called in FUN_00401706(), which in turn is called from FUN_004015a9().\r\nAccording to the MSDN documentation, GetNativeSystemInfo fills in a SYSTEM_INFO structure. Unlike GetSystemInfo, it reports the native system even when the caller is a 32-bit process running under WOW64, which is why malware uses it to learn the real architecture of the host.\r\nThe code compares the wProcessorArchitecture field of the returned structure with 0x9, i.e. it checks the processor architecture:\r\nPROCESSOR_ARCHITECTURE_AMD64 = 9 (x64, AMD or Intel)\r\nOnce the malware has started the svchost process it injects the final stage of itself into that process. I will cover this technique and continue our analysis in Part Two.\r\nSource: https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766"
	],
	"report_names": [
		"icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766"
	],
	"threat_actors": [],
	"ts_created_at": 1775791240,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/62e13220cabf12b1d84b80b57cbdb051ea98f265.pdf",
		"text": "https://archive.orkl.eu/62e13220cabf12b1d84b80b57cbdb051ea98f265.txt",
		"img": "https://archive.orkl.eu/62e13220cabf12b1d84b80b57cbdb051ea98f265.jpg"
	}
}