On our last blog post, we performed malware analysis of Dridex and found out how to decode its strings. This gave us more visibility into its intent and functionality. In this part we will continue the analysis and move into getting the Dridex configuration settings and the XML messages that are generated and exchanged with the C&C. Dridex is known to contain an initial configuration which holds the campaign ID and the addresses of the C&C. Please note that a bit of familiarity with OllyDbg is needed in order to follow the steps described.

In the previous post, one of the strings that we obtained from decoding the chunk at virtual address 0x00411020 was "%d.%d.%d.%d:%d". This string is interesting because it is a format string that denotes the layout of an IP address and port.

Essentially, at some point in time, after going back and forth in the debugger, setting breakpoints and restarting the debugging session, we can see that there is a function at virtual address 0x00404408 that is responsible for reading a chunk of data stored at virtual address 0x004164e0 (file offset 0x000154E0). Provided with this information we start our analysis, step through the code and try to determine where it is used.
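Translating the virtual address 0x004164e0 seen in OllyDbg into the file offset 0x000154E0 (so the same bytes can be located in a hex editor) requires the PE section table. The following Python is an added example, not code from the original post or from any Dridex tooling: it parses PE32 headers to do that mapping, and the section layout it builds is constructed so that it reproduces the post's two addresses; it is not taken from a real sample.

```python
import struct

def parse_sections(pe: bytes):
    """Return (image_base, sections) from PE32 headers; each section is
    (name, virtual_size, virtual_address, raw_size, raw_pointer)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER
    nsections, opt_size = struct.unpack_from("<H12xH", pe, coff + 2)
    opt = coff + 20                            # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    table = opt + opt_size
    raw = [struct.unpack_from("<8sIIII", pe, table + 40 * i) for i in range(nsections)]
    return image_base, [(n.rstrip(b"\0").decode(), *rest) for n, *rest in raw]

def va_to_file_offset(pe: bytes, va: int) -> int:
    """Map a virtual address seen in the debugger to the offset of the same bytes on disk."""
    image_base, sections = parse_sections(pe)
    rva = va - image_base
    for name, vsize, vaddr, rawsize, rawptr in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            delta = rva - vaddr
            if delta >= rawsize:  # memory-only region (.bss style): filled at run time, absent on disk
                raise ValueError(f"{va:#010x} lies in {name} past its raw data; not present in the file")
            return rawptr + delta
    raise ValueError(f"{va:#010x} is not backed by any section")

def build_sample_headers() -> bytes:
    """Constructed PE32 header set (not Dridex) whose layout reproduces the post's mapping."""
    sections = [  # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
        (b".text",  0x0F000, 0x01000, 0x0F000, 0x00400),
        (b".rdata", 0x05C00, 0x10000, 0x05C00, 0x0F400),
        (b".data",  0x03000, 0x16000, 0x01000, 0x15000),  # 0x2000 of .bss beyond raw data
    ]
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 28, 0x00400000)       # ImageBase; assumed default for 32-bit EXEs
    table = b"".join(struct.pack("<8sIIII", *s).ljust(40, b"\0") for s in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

if __name__ == "__main__":
    pe = build_sample_headers()
    print(f"{0x004164E0:#010x} -> file offset {va_to_file_offset(pe, 0x004164E0):#010x}")
```

The ValueError for an address past a section's raw data is the case worth remembering when following a debugger session: a buffer that holds decoded configuration in memory may have no counterpart at all in the file on disk.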