Well, to be honest, I didn’t make a lot progress on this malware and all those decoding process seems very complicated to me. But yeah, I will write down what I did and anyone who is looking this post should know that there is a better analysis here by MalwareAnalysisForHedgehogs. And they also provide a link to a good post to analysis this malware.

Basically, process hollowing create a new legitimate process and replace that process with malicious code. So the code may run as if it is legitimate. The key API should be “CreateProcesS”, “WriteProcessMemory”. What makes me confusing is here, the Dridex starts a child process and uses process hollowing to replace the content of that child process. I simply think this doesn’t make sense. Well, trevlix from this post here told me that in this malware it probably use this to unpack itself. Probably he is right.

MalwareAnalysisForHedgehogs used APImonitor to set the breakpoint but I used Olldbg and it turns out that the blog they provide used Ollybdg too.

At first in Ollydbg, you need to set a breakpoint on WriteProcessMemory with “bp WriteProcessMemory”. Then you run it.

You can check that buffer address here. You will see the start of a PE file. Then you have two choice. I used HxD tp attach to the process and go to the address 0x460000 then copied those thing into a new file. You can also just right click in the Ollydbg and save all those binary data. These will leads to the same file which is like this.

Use the compare button in HxD we can verify that the files we get from two methods are the same.

Ok, this is all I have. Probably I will try to analyze this malware in details when I learn more.

Any questions, contact me at xudong_shao@hotmail.