Python script to extract the payload from ICEDID samples.
Download icedid-configuration-extractor.tar.gz
For information on the ICEDID malware and network infrastructure, check out the following resources:
Getting started
Docker
The recommended and easiest way to get going is to use Docker. From the directory this README is in, you can build a local container.
docker build . -t icedid_loader_config_extractor
Then we run the container with the -v flag to map a host directory to the docker container directory.
docker run -ti --rm -v $(pwd)/data:/data icedid_loader_config_extractor:latest --help
Running it locally
As mentioned above, Docker is the recommended approach to running this project, however you can also run this locally. This project uses Poetry to manage dependencies, testing, and metadata. If you have Poetry installed already, from this directory, you can simply run the following commands to run the tool. This will setup a virtual environment, install the dependencies, activate the virtual environment, and run the console script.
poetry lock
poetry install
poetry shell
poetry lock
poetry install
poetry shell
icedid_loader_config_extractor --help
Usage
All samples need to be unpacked prior to execution extraction attempts.
We can either specify a single sample with -f option or a directory of samples with -d.
docker run -ti --rm -v $(pwd)/data:/data icedid_loader_config_extractor:latest -d "C:\tmp\samples"
You can collect the extracted configurations from the directory you set when running the extractor.