
Friday, December 8, 2017

Dridex are using QUANT Loader


Dridex is one of the well-known malware families today. It is among the malware delivered by spam e-mail campaigns to infect users.

The interesting part is that some of its samples are now using the QUANT loader to execute their code. QUANT is a loader used by different malware families to bypass detection, the firewall, and so on.

Let us dig more... :)

At first look the file is heavily packed and needs to be unpacked to see the actual code.

fig. 1 packed code of Dridex

As the file is unpacked using a debugger and reverse engineering, we can see some interesting strings that may give us a hint of what it will try to do and how it was compiled.

Based on fig. 2 below, it looks like the unpacked code was compiled using MINGW32.

fig. 2 MINGW32 string

On fig. 3 we can see that there is a base64-encoded string, some hash values and a string that may be related to a URL, "index.php", so we can initially say that this file can connect to a URL.

fig. 3 some unique string

fig. 3.1 common internet download api


Now let's go deeper into the code, where we will see that Dridex uses the "QUANT" loader to execute its code.

The first interesting thing is how it concatenates all its decrypted strings using the hash value we saw in the string analysis and executes them later.


fig. 4 decryption routine.

fig.5 decrypted string

It will create a copy of itself in %appdata%/randomnumber/svchost.exe.

fig.6 copy of itself


Then you will see the common characteristic of the QUANT loader, where it assembles a netsh command to allow the copy of itself to be executed through the firewall.

fig. 7 netsh command

It will also assemble a URL to connect to.

fig. 8 url link

It will also call "CreateFile" on the copy of itself, "svchost.exe", with the alternate data stream "Zone.Identifier". This ADS is used to record the file's origin and to raise a security flag if the file is untrusted.

fig. 8 Zone.identifier ADS

Next it will get the username of the infected machine by calling GetUserName, then create a command line that will change the user's permission on the copy of itself to read-only. Then it runs the copy of itself, the svchost.exe in %appdata%.

fig. 9 modifying the permission of the infected user


fig. 10 running the copy of itself

The malware checks whether the copy of itself is the one running by comparing the file path of svchost.exe to the module file name. If so, it will create an autorun registry entry by using regini.exe and a file containing the registry run hives, placed in %temp%/per

fig. 11 autorun registry creation
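The persistence and evasion chain above (a svchost.exe copy under %appdata%, the netsh firewall exception, the ACL change, and regini.exe loading a script from %temp%) leaves a distinctive trail in process-creation telemetry. The following is an added detection example, not code from the original post: it runs a few rules over constructed process-creation events; the icacls tool name and the regini script name are assumptions, since the post does not name them.

```python
import re

# Constructed sample process-creation events (image path + command line) that
# model the chain described above; they are not real log lines from the sample.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmd": r"C:\Windows\System32\svchost.exe -k netsvcs"},          # benign
    {"image": r"C:\Windows\System32\netsh.exe",
     "cmd": r'netsh advfirewall firewall add rule name="svchost" dir=in action=allow '
            r'program="C:\Users\bob\AppData\Roaming\83721\svchost.exe"'},
    {"image": r"C:\Windows\System32\icacls.exe",   # tool name is an assumption
     "cmd": r'icacls "C:\Users\bob\AppData\Roaming\83721\svchost.exe" /deny bob:(W)'},
    {"image": r"C:\Users\bob\AppData\Roaming\83721\svchost.exe",
     "cmd": r"C:\Users\bob\AppData\Roaming\83721\svchost.exe"},
    {"image": r"C:\Windows\System32\regini.exe",   # script name is constructed
     "cmd": r"regini.exe C:\Users\bob\AppData\Local\Temp\autorun.ini"},
]

APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
SYSTEM_RE = re.compile(r"\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)

def check_event(ev):
    """Return the names of the rules an event matches (empty list if none)."""
    image, cmd = ev["image"], ev["cmd"]
    name = image.rsplit("\\", 1)[-1].lower()
    low = cmd.lower()
    hits = []
    # 1. The real svchost.exe lives in System32/SysWOW64; a copy under a user profile does not.
    if name == "svchost.exe" and not SYSTEM_RE.search(image):
        hits.append("svchost_outside_system32")
    # 2. netsh adding a firewall allowance for a program under %appdata% (fig. 7).
    if name == "netsh.exe" and "firewall" in low and APPDATA_RE.search(cmd):
        hits.append("netsh_firewall_allow_appdata")
    # 3. ACL change on a binary under %appdata% (fig. 9); icacls is assumed here.
    if name == "icacls.exe" and APPDATA_RE.search(cmd) and ("/deny" in low or ":r" in low):
        hits.append("acl_change_on_appdata_binary")
    # 4. regini.exe importing a registry script from %temp% (fig. 11).
    if name == "regini.exe" and TEMP_RE.search(cmd):
        hits.append("regini_script_from_temp")
    return hits

def scan(events):
    """Map each event index to its rule hits, keeping only events that fired."""
    return {i: check_event(ev) for i, ev in enumerate(events) if check_event(ev)}

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["cmd"], "->", ", ".join(hits))
```

Any one rule fires on legitimate administration now and then; several of them within seconds from the same parent process is the pattern worth alerting on.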


One of the notable behaviors of its UPX-packed file component, placed in its resource section, is that it parses some computer information and sends it to its C&C server, RC4-encrypted with a specific RC4 key.
Some sensitive information:
  • Computername
  • ProductVersion
  • SystemInfo (Processor)
  • Memory Status


fig. 12 some information it tries to steal
