A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #24949  by r3shl4k1sh
 Wed Jan 14, 2015 8:21 pm
sysopfb wrote:md5 4bdc0b2c44041dd16e40eebc447d1fe8
Packed loader for dridex
This downloader uses the Shim (Gootkit) method in order to bypass UAC.

Here's the steps it takes:
1. Creates two files on the %LOCALAPPDATA%Low\ and name them $$$.bat and $$$.sdb (the sdb file is a RedirectEXE shim for the c:\windows\system32\iscsicli.exe file (which has autoElevated manifest)).
2. Register the sdb file using the sdbinst.exe
3. Run the iscsicli.exe
4. The target of the RedirectEXE shim will run the $$$.bat file. This file has the following content:
Code: Select all
start C:\Users\XXXX\AppData\Local\edgE6D5.exe C:\Users\XXXX\Desktop\DRIDEX~1.EX_ 
sdbinst.exe /q /u "C:\Users\XXXX\AppData\LocalLow\$$$.sdb"
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\iscsicli.exe" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{f48a0c57-7c48-461c-9957-ab255ddc986e}" /f
del C:\Windows\AppPatch\Custom\{f48a0c57-7c48-461c-9957-ab255ddc986e}.sdb
del %LOCALAPPDATA%Low\$$$.sdb
del %LOCALAPPDATA%Low\$$$.bat
so the bat file is just running again the downloader and delete any traces of the shim from the system.
5. The newly created process will delete the original file and download the Dridex Dll.
6. Run the Dridex dll with:
Code: Select all
rundll32.exe %FILEPATH% NotifierInit
The downloaded Dridex DLL has very low VT detection of 1/57:
https://www.virustotal.com/en/file/bd01 ... /analysis/

In attach unpaked donwloader + the dropped files (sdb, bat) + the downloaded Dridex.
Attachments
pass: infected
(257.3 KiB) Downloaded 103 times
 #25597  by EP_X0FF
 Thu Apr 09, 2015 6:39 am
Attachments
pass: infected
(474.02 KiB) Downloaded 84 times
 #26095  by Xylitol
 Wed Jun 17, 2015 11:55 am
Email vector: https://www.virustotal.com/en/file/a9cb ... 434380522/
http://vxvault.net/ViriList.php?MD5=28B ... 5FE0C229EE
Code: Select all
<config botnet="220">
   <server_list>
71.14.1.139:8443
173.230.130.172:2443
94.23.53.23:2443
176.99.6.10:8443
   </server_list>
</config>
---
Code: Select all
Export Table
   TimeDateStamp:          0x557EF5C6  (GMT: Mon Jun 15 15:56:54 2015)
   Name:                   0x0004D25C  ("worker_x32.dll")
   Base:                   0x00000001
   NumberOfFunctions:      0x00000002
   NumberOfNames:          0x00000002
   AddressOfFunctions:     0x0004D248
   AddressOfNames:         0x0004D250
   AddressOfNameOrdinals:  0x0004D258

   Ordinal RVA        Symbol Name
   ------- ---------- ----------------------------------
   0x0001  0x0001B97A "DllRegisterServer"
   0x0002  0x00018996 "DllUnregisterServer"
Attachments
infected
(21.54 KiB) Downloaded 67 times
infected
(292.99 KiB) Downloaded 66 times
infected
(38.8 KiB) Downloaded 68 times
 #26104  by unixfreaxjp
 Wed Jun 17, 2015 9:38 pm
During checked Dridex incident report, figuring the list of alive CNC below:
176.9.143.115 : 2443 < UP
193.13.142.11 : 8443 < Down
185.12.94.48 : 7443 < Up??
VT: https://www.virustotal.com/en/file/1ea2 ... /analysis/
Incident report: https://isc.sans.edu/diary/Botnet-based ... week/19807
Some analysis report (below)..the life analysis record are in here:

The "opening" trap is interesting..I use this to recognize.
Image
Strings..
Image
Traffic..
Image
Memory trace reversing mrthod is used..this is snip at usage of wininet.dll , as good as depack.
Image
Binary indicators..PeStudio < may help to build sigs
Image

Sample is attached. #MalwareMustDie
Attachments
7z/pwd:infected
(83.98 KiB) Downloaded 67 times
  • 1
  • 8
  • 9
  • 10
  • 11
  • 12
  • 15