Dridex is one of the best-known malware families today. It is one of the malware families delivered by spam e-mail campaigns to infect users.
The interesting part is that some of its samples now use the QUANT loader to execute their code. QUANT is a loader used by different malware families to bypass detection, the firewall, and so on.
Let us dig in more... :)
At first look the file is heavily packed and needs to be unpacked to see the actual code.
Fig. 1: packed code of Dridex
Once the file is unpacked using a debugger and some reverse engineering, we can see some interesting strings that give us hints about what it will try to do and how it was compiled.
Based on fig. 2 below, it looks like the unpacked code was compiled using MINGW32.
Fig. 2: MINGW32 string
In fig. 3 we can see a base64-encoded string, some hash values, and a string that may be related to a URL ("index.php"), so we can say initially that this file is able to connect to a URL.
Fig. 3: some unique strings
Fig. 3.1: common internet download APIs
Now let's go deeper into the code, where we will see that Dridex uses the QUANT loader to execute its code.
The first interesting thing is how it concatenates all of its decrypted strings using the hash values we saw in the string analysis, and executes them later.
Fig. 4: decryption routine
Fig. 5: decrypted strings
It creates a copy of itself in %appdata%/randomnumber/svchost.exe.
Fig. 6: copy of itself
Then you will see a common characteristic of the QUANT loader: it assembles a netsh command to allow the copy of itself to be executed through the firewall.
Fig. 7: netsh command
It also assembles some URLs to connect to.
Fig. 8: URL link
Fig. 8: Zone.Identifier ADS
Next it gets the username of the infected machine by calling GetUserName, then builds a command line that changes that user's permission on the copy of itself to read-only. It then runs the copy of itself, the svchost.exe in %appdata%.
Fig. 9: modifying the permissions of the infected user
Fig. 10: running the copy of itself
The malware checks whether the running instance is the copy of itself by comparing the file path of svchost.exe with its own module file name. If so, it creates the autorun registry entry using regini.exe and a file containing the registry Run hives, placed in %temp%/per.
Fig. 11: autorun registry creation
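As an added example (not code from the original post or from the sample), the host-level behaviours shown in figs. 6 to 11 can be turned into checks over process-creation telemetry. The events below are constructed for illustration; the cacls/icacls tool name and the exact command-line layouts are assumptions, since the post shows the behaviour but not the literal commands.

```python
import re

# Constructed sample process-creation events modelled on the behaviours described
# in the post (AppData copy, netsh rule, ACL change, regini autorun). Not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"image": r"C:\Users\bob\AppData\Roaming\4819273\svchost.exe", "cmdline": "svchost.exe"},
    {"image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="svchost" dir=in action=allow '
                r'program="C:\Users\bob\AppData\Roaming\4819273\svchost.exe"'},
    {"image": r"C:\Windows\System32\cacls.exe",
     "cmdline": r'cacls "C:\Users\bob\AppData\Roaming\4819273\svchost.exe" /E /P bob:R'},
    {"image": r"C:\Windows\System32\regini.exe",
     "cmdline": r"regini.exe C:\Users\bob\AppData\Local\Temp\per"},
    # Benign-looking control: regini on a file outside the user's %temp%
    {"image": r"C:\Windows\System32\regini.exe",
     "cmdline": r"regini.exe C:\Windows\Temp\setup.ini"},
]

APPDATA = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

def classify(event):
    """Return the list of indicator names that match one process-creation event."""
    image, cmd = event["image"], event["cmdline"]
    hits = []
    # 1. svchost.exe launched from a user-writable AppData directory (figs. 6 and 10)
    if image.lower().endswith("\\svchost.exe") and APPDATA.search(image):
        hits.append("svchost_outside_system32")
    # 2. netsh firewall rule allowing a program that lives under AppData (fig. 7)
    if image.lower().endswith("\\netsh.exe") and "firewall" in cmd.lower() and APPDATA.search(cmd):
        hits.append("netsh_firewall_allow_appdata")
    # 3. ACL change on a binary under AppData (fig. 9); cacls/icacls is an assumed tool
    if re.search(r"\\i?cacls\.exe$", image, re.IGNORECASE) and APPDATA.search(cmd):
        hits.append("acl_change_on_appdata_binary")
    # 4. regini.exe fed a file from the user's %temp% directory (fig. 11)
    if image.lower().endswith("\\regini.exe") and USER_TEMP.search(cmd):
        hits.append("regini_autorun_from_temp")
    return hits

def scan(events):
    """Return (image, indicators) for every event that matched at least one indicator."""
    results = []
    for event in events:
        hits = classify(event)
        if hits:
            results.append((event["image"], hits))
    return results
```

Each indicator alone is weak; the chain of all four on one host within a short window is the signal worth alerting on.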
One notable behaviour of the UPX-packed file component stored in its resource section is that it parses some computer information and sends it to its C&C server, RC4-encrypted with a specific RC4 key.
Some of the sensitive information collected:
- Computername
- ProductVersion
- SystemInfo (Processor)
- Memory Status
Fig. 12: some of the information it tries to steal