import logging from malduck import xor from malduck.extractor import Extractor from malduck.procmem import ProcessMemory from malduck.yara import YaraRuleMatch from ..utils import Config, get_rule_metadata log = logging.getLogger(__name__) class IcedID(Extractor): family: str = "IcedID" yara_rules = ("icedid",) @Extractor.rule def icedid(self, p: ProcessMemory, match: YaraRuleMatch) -> Config | bool: _info: Config = get_rule_metadata(match) return _info @Extractor.extractor("config_decryption") def icedid_config(self, p: ProcessMemory, addr: int): log.info( "[+] IcedID loader config decryption YARA signature matched @ %X", addr ) conf: Config = {} conf[self.family] = {} try: hit = p.uint32v(addr - 3) if not hit: return conf config_location = hit + addr + 1 config_blob = p.readv(config_location, 250) key = config_blob[:32] conf["key"] = key.hex() data = config_blob[64:96] decrypted_config = xor(key, data) campaign_id = decrypted_config[:4] campaign_id = int.from_bytes(campaign_id, "little") raw = decrypted_config[4:] domains = [x.decode("UTF-8") for x in raw.split(b"\x00")] conf[self.family] = {"domains": domains, "campaign_id": campaign_id} except Exception as err: log.error(err) return conf