In this case we can see that the next string to be used is the following: Stepping through the code, setting breakpoints, restarting the debug session and repeating this for several times until we find what we are looking for. Then we can use the command line to get the hex values for the botnet ID and IP addresses and convert them using the printf command and the format string “%d.%d.%d.%d:%d”.Īfter this, the approach is the same. We know the file offset where the configuration settings are. Now that we know where this information resides, we can also get the C&C addresses outside of the debugger. Below is a print screen that shows the instructions that perform this operation.Īfter reading the values, the C&C addresses are converted to ASCII and the value is returned by the wvnsprintfA() API using the format string “%d.%d.%d.%d:%d”. Going over this function a couple of times and verifying what it does we can determine that the Botnet ID, number of C&C and the C&C addresses are retrieved from this chunk of data. Stepping through the execution of this function we can see in the stack our string being used and moments after, the first IP address of the C&C appears in the stack view. Essentially, at some point in time, after going back and forth in the debugger, setting breakpoints and restarting the debugging session, we can see that there is a function at virtual address 0x00404408 that is responsible to read a chunk of data stored in virtual address 0x004164e0 (file offset 0x000154E0).
OLLYDBG 2012 DOWNLOAD CODE
Provided with this information we start our analysis and step through the code and try to determine where is used. This string is interesting because it’s a format string that denotes the format of an IP address and port.
In the previous post, one of the strings that we obtained from decoding the chunk at virtual address 0x00411020 was “%d.%d.%d.%d:%d”. Please note that a bit of familiarity with OllyDbg is needed in order to follow the steps described.ĭridex is known to contain an initial configuration which contains the campaign ID and the addresses of the C&C. In this part we will continue the analysis and move into getting the Dridex configuration settings and XML messages that are generated and exchanged with the C&C. This gave us more visibility into its intent and functionality.
OLLYDBG 2012 DOWNLOAD HOW TO
On our last blog post, we performed malware analysis of Dridex and found out how to decode its strings.
0 kommentar(er)
