IcedID aka #Bokbot Analysis with Ghidra
By Dawid Golak · Published: 2019-06-25 · Archived: 2026-04-10 02:06:12 UTC · 5 min read

A few days ago @brad published a post on Twitter about a resume-themed, password-protected Word document that was dropping IcedID (also known as #BokBot). The sample is available for download from any.run for further analysis: https://app.any.run/tasks/13d6d9f9-7033-4ce7-9ad4-76591f15274c/ (any.run is an awesome sandbox that can speed up the initial analysis of malicious files.)

The IcedID sample is packed and contains an interesting startup mechanism.

File analysis:
Filename: 5.exe
MD5: b05ea5fd73d25140cdb31f36789d9003
SHA256: d350d150f658a32c32984d7f879c6f3b3ddb6ba7918bfe22e19471a79a0cd490

At first glance you can see that the file is packed. After launching the sample in the debugger we can identify that a standard packing mechanism is in use.

The first stage, or how to unpack IcedID?

If you want to unpack this file yourself, you can follow the OA Labs video tutorial on the subject or the instructions below. Briefly, to unpack this sample:

1. Set a breakpoint on VirtualAlloc.
2. Launch the sample and wait for the debugger to break on that call; when it returns, note the address of the allocated region (VirtualAlloc returns it in EAX). Once we have this address, set a memory write breakpoint on the first bytes of the region and wait until the program writes data there.
3. At this point the first bytes of the allocated region begin with 4D 5A (MZ): the second stage of the sample has been written into memory.
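Two MZ bytes at the start of an allocated region are a hint, not proof, that a PE image has been written there. The Python below is an added example, not code from the original post: it scans a dumped memory region for MZ, validates the DOS and NT headers before accepting a hit, carves SizeOfImage bytes out of the dump, and rewrites the section table so that the carved image, which is laid out as in memory, has file offsets equal to its RVAs (the usual dump fix-up). The region it scans is a constructed minimal 32-bit PE image, not data from the IcedID sample, and the function and file names are mine.

```python
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe_header(blob, off):
    """Return (Machine, NumberOfSections, SizeOfImage, section_table_offset) for the
    image whose DOS header starts at blob[off], or None if there is no valid PE there."""
    if blob[off:off + 2] != IMAGE_DOS_SIGNATURE or off + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew > 0x1000 or pe + 24 > len(blob):      # heuristic bound on the NT header offset
        return None
    if blob[pe:pe + 4] != IMAGE_NT_SIGNATURE:
        return None
    machine, nsections = struct.unpack_from("<HH", blob, pe + 4)
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]
    opt = pe + 24
    if opt + opt_size > len(blob):
        return None
    if struct.unpack_from("<H", blob, opt)[0] not in (PE32_MAGIC, PE32PLUS_MAGIC):
        return None
    size_of_image = struct.unpack_from("<I", blob, opt + 56)[0]   # same offset in PE32 and PE32+
    return machine, nsections, size_of_image, opt + opt_size


def find_pe_images(blob):
    """Scan a dumped region for 'MZ' and keep only offsets that really head a PE image."""
    hits, pos = [], blob.find(IMAGE_DOS_SIGNATURE)
    while pos != -1:
        hdr = parse_pe_header(blob, pos)
        if hdr:
            hits.append((pos, hdr))
        pos = blob.find(IMAGE_DOS_SIGNATURE, pos + 1)
    return hits


def carve_image(blob, off):
    """Cut SizeOfImage bytes out of the dump and make each section's file layout match its
    memory layout: PointerToRawData = VirtualAddress, SizeOfRawData = Misc.VirtualSize."""
    _, nsections, size_of_image, sect_off = parse_pe_header(blob, off)
    image = bytearray(blob[off:off + size_of_image])
    if len(image) < size_of_image:
        raise ValueError("dump is shorter than SizeOfImage; the region was not fully written")
    sect_off -= off
    for i in range(nsections):
        s = sect_off + 40 * i
        vsize, vaddr = struct.unpack_from("<II", image, s + 8)
        struct.pack_into("<II", image, s + 16, vsize, vaddr)
    return bytes(image)


def section_table(image, off=0):
    """List (Name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData) per section."""
    _, nsections, _, sect_off = parse_pe_header(image, off)
    out = []
    for i in range(nsections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, sect_off + 40 * i)
        out.append((name.rstrip(b"\0"), vaddr, vsize, rptr, rsize))
    return out


def build_sample_dump():
    """Constructed test data (not from the real sample): junk, then a minimal 32-bit PE image
    laid out as in memory with .text at RVA 0x1000 and .data at RVA 0x2000, SizeOfImage 0x3000."""
    dos = bytearray(0x40)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x80)                                  # e_lfanew
    coff = struct.pack("<IHHIIIHH", 0x4550, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # "PE\0\0" + COFF header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                           # Section/FileAlignment
    struct.pack_into("<I", opt, 56, 0x3000)                                   # SizeOfImage
    sects = b""
    for name, vaddr, vsize in ((b".text", 0x1000, 0x180), (b".data", 0x2000, 0x40)):
        # PointerToRawData left at 0, as it often is in a dumped (mapped) image
        sects += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, 0x200, 0, 0, 0, 0, 0, 0x60000020)
    hdr = bytes(dos) + bytes(0x80 - 0x40) + coff + bytes(opt) + sects
    image = bytearray(0x3000)
    image[:len(hdr)] = hdr
    image[0x1000:0x1004] = b"\x55\x8B\xEC\xC3"                              # push ebp; mov ebp,esp; ret
    return b"\xCC" * 0x234 + bytes(image) + b"\xCC" * 0x100


if __name__ == "__main__":
    dump = build_sample_dump()
    for off, (machine, nsec, size, _) in find_pe_images(dump):
        print(f"PE at dump+{off:#x}: Machine={machine:#x} sections={nsec} SizeOfImage={size:#x}")
        carved = carve_image(dump, off)
        print(section_table(carved))
```

With a real dump, replace build_sample_dump() with the bytes saved from the debugger and write the carved image to disk; find_pe_images also reports nested or trailing images, which is useful when a region holds more than one stage.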
4. Save the memory region to a file; now we have a copy of the second stage to analyze.

The second stage

After unpacking the file and previewing the pseudocode that #Ghidra generates, we can see the following flow.

In line 15 of the pseudocode the argument of the “-q=” parameter is retrieved. If this parameter is not present, the code starting at line 17 runs, and further parameters are checked. Why does the malware do this?

The process under the debugger creates a new process, which is not debugged. This is one way to escape from the debugger.

We have several options for debugging the new process. For instance, I looked at the command line the malware passes to CreateProcessA and then ran the malware again under the debugger with that additional option:

“C:\Users\admin\AppData\Local\Temp\5.exe” -q=[int]

for example:

“C:\Users\admin\AppData\Local\Temp\5.exe” -q=412588568

Once these argument checks have passed, the next interesting function to analyze is FUN_004011be().

This function contains a simple encoding routine that begins at address 004011d5. It is a loop that reads a byte from address [00403000 + ESI], shifts it right by four bits (SHR), and keeps the low byte of EAX, i.e. AL.
The value in AL selects an element of the second data set “0123456789ABCDEF”. In the next step the byte at [00403000 + ESI] is read again and masked: AND EAX, 0xF keeps only the low nibble, and AL again selects an element of “0123456789ABCDEF”. In other words, each input byte becomes two characters (high nibble first), so the loop renders 0x454 (1108) bytes starting at 00403000 as an uppercase hexadecimal string.

This algorithm is replicated in Python below (data3.txt holds the bytes dumped from 00403000, data2.txt holds the character table):

key = open('data3.txt', 'rb').read()      # bytes dumped from 00403000
tab = open('data2.txt').read().strip()    # "0123456789ABCDEF"
res = []
for ind, b in enumerate(key):
    if ind >= 0x454:                      # the loop runs while (uVar5 < 0x454)
        break
    res.append(tab[b >> 4])               # high nibble selects the first character
    res.append(tab[b & 0xf])              # low nibble selects the second
print(''.join(res))

Using the debugger we can verify the output of our script against the memory the malware produces.

Afterwards, the “q” parameter is generated.

The next step is to run the process again with the parameter that the conditions above check (-q=[int]). In this second run of the process, after the conditions pass, we reach create_self_process_with_additional_params() (originally FUN_0040124a()), which launches a new svchost.exe process.

Anti-debugging, or GetNativeSystemInfo.

Before creating the svchost process, the malware uses an anti-debugging method.
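Before looking at that check, here is the encoding loop from FUN_004011be written out in full, as an added example that is not the post's own script: a table-driven encoder that reproduces the shr 4 / and 0xF / table-index steps with the 0x454-byte bound, its inverse for turning such strings back into bytes, and a check that with the table “0123456789ABCDEF” the result is plain uppercase hex. It generalizes beyond the post to any 16-character alphabet, which is what you need when a variant swaps in a shuffled table. The input bytes are constructed and the function names are mine.

```python
import binascii

HEX_TABLE = "0123456789ABCDEF"   # the second data set the loop indexes
LOOP_LIMIT = 0x454               # while (uVar5 < 0x454) in the Ghidra pseudocode


def nibble_encode(data, table=HEX_TABLE, limit=LOOP_LIMIT):
    """Emulate the loop: for each input byte, the high nibble (shr 4) and then the low
    nibble (and 0xF) are used as indices into `table`. Stops after `limit` bytes."""
    if len(table) != 16 or len(set(table)) != 16:
        raise ValueError("table must hold 16 distinct characters")
    out = []
    for b in data[:limit]:
        out.append(table[b >> 4])
        out.append(table[b & 0xF])
    return "".join(out)


def nibble_decode(text, table=HEX_TABLE):
    """Inverse of nibble_encode: map each character back to its index in `table`
    and reassemble the byte. Raises on odd length or characters outside the table."""
    if len(text) % 2:
        raise ValueError("encoded text must have an even number of characters")
    idx = {c: i for i, c in enumerate(table)}
    try:
        return bytes((idx[hi] << 4) | idx[lo] for hi, lo in zip(text[::2], text[1::2]))
    except KeyError as exc:
        raise ValueError(f"character {exc} is not in the table") from None


def matches_hexlify(data):
    """True when the malware's table makes the routine identical to uppercase hex encoding."""
    return nibble_encode(data, limit=len(data)) == binascii.hexlify(data).decode().upper()


# Constructed input: 0x1000 bytes, longer than the loop bound, so the truncation shows.
SAMPLE = bytes(i & 0xFF for i in range(0x1000))

if __name__ == "__main__":
    encoded = nibble_encode(SAMPLE)
    print(len(encoded), encoded[:32])                 # 2216 characters: 2 * 0x454
    print(nibble_decode(encoded) == SAMPLE[:LOOP_LIMIT])
    shuffled = "FEDCBA9876543210"                      # a hypothetical variant table
    print(nibble_encode(b"\x01\x23", shuffled), nibble_decode("FEDC", shuffled))
```

When a variant uses a different alphabet, pull the 16-byte table out of the binary exactly as the post did for data2.txt and pass it as `table`; the decoder then recovers the original bytes without any further change.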
The malware calls the well-known API GetNativeSystemInfo (kernel32.dll) for this purpose.

The call is made in FUN_00401706(), which is called from FUN_004015a9().

According to the MSDN documentation, GetNativeSystemInfo fills in a SYSTEM_INFO structure; unlike GetSystemInfo, it reports the native system even when called from a 32-bit process running under WOW64.

The code compares the wProcessorArchitecture field of the returned structure with 0x9, i.e. it checks the processor architecture: PROCESSOR_ARCHITECTURE_AMD64 (x64, AMD or Intel) = 9. So the check tells the malware whether the host is 64-bit Windows, regardless of the sample's own bitness.

Once the malware starts the svchost process, it injects its final stage into that process. I will cover this technique and continue the analysis in Part Two.

Source: https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766