Despite the recent takedowns of several Dridex CnC servers, we still see a significant number of Dridex samples.
To facilitate triage and the extraction of IOCs, we developed a configuration extractor that obtains the version and the “server list” (CnC addresses) from Dridex versions 120, 220 and 301.
The tool works statically: it enumerates the sections of the binary, tries to deobfuscate each one and finally decompresses the result with aplib (thanks to @angealbertini for the Python implementation of aplib).
To run the script, first clone the GitHub repository and copy the Python aplib implementation (the file is available here: https://corkami.googlecode.com/svn-history/r522/trunk/misc/MakePE/examples/packer/aplib.py) into the same folder. If the sample is packed, you will need to unpack it first (there is no need to reconstruct the imports).
Below is the output on some samples:
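As an added illustration of the pipeline described above (this is example code written for this page, not the Kudelski Security extractor and not @angealbertini's aplib.py), the script below enumerates PE sections with a small hand-written header parser, applies an assumed single-byte XOR layer as a stand-in for whatever obfuscation the real samples use, and decompresses the result with a from-scratch decoder for the raw aPLib bit-stream. The PE image, the XOR key 0x5A, the config layout (a version line followed by ip:port lines) and the RFC 5737 addresses are all constructed for the demo; the real Dridex config format is not described on this page and is not reproduced here.

```python
import re
import struct


class _BitReader:
    """Reads aPLib tag bits (MSB first) and raw bytes from one buffer."""
    def __init__(self, src):
        self.src, self.pos, self.tag, self.bitcount = src, 0, 0, 0

    def byte(self):
        b = self.src[self.pos]              # IndexError past the end = malformed stream
        self.pos += 1
        return b

    def bit(self):
        if self.bitcount == 0:              # start a new 8-bit tag byte
            self.tag, self.bitcount = self.byte(), 8
        self.bitcount -= 1
        bit = (self.tag >> 7) & 1
        self.tag = (self.tag << 1) & 0xFF
        return bit

    def gamma(self):
        """Elias-gamma style code aPLib uses for offsets and lengths."""
        result = 1
        while True:
            result = (result << 1) | self.bit()
            if not self.bit():
                return result


def _copy_match(out, offs, length, max_out):
    """Back-reference copy with sanity limits so garbage input cannot loop forever."""
    if offs <= 0 or offs > len(out) or len(out) + length > max_out:
        raise ValueError("bad match")
    for _ in range(length):
        out.append(out[-offs])


def aplib_depack(src, max_out=1 << 20):
    """Decompress a raw aPLib stream (no 'AP32' header). Raises on malformed input."""
    r = _BitReader(src)
    out = bytearray([r.byte()])             # first byte is always stored verbatim
    r0, lwm = 0, 0                          # last offset, "last was match" flag
    while True:
        if not r.bit():                     # 0      : literal byte
            out.append(r.byte())
            lwm = 0
        elif not r.bit():                   # 10     : gamma-coded offset and length
            offs = r.gamma()
            if lwm == 0 and offs == 2:      # reuse the previous offset
                offs, length = r0, r.gamma()
            else:
                offs -= 3 if lwm == 0 else 2
                offs = (offs << 8) + r.byte()
                length = r.gamma()
                if offs >= 32000:
                    length += 1
                if offs >= 1280:
                    length += 1
                if offs < 128:
                    length += 2
                r0 = offs
            _copy_match(out, offs, length, max_out)
            lwm = 1
        elif not r.bit():                   # 110    : 7-bit offset, length 2 or 3
            offs = r.byte()
            length = 2 + (offs & 1)
            offs >>= 1
            if offs == 0:                   # offset 0 here is the end-of-stream marker
                break
            _copy_match(out, offs, length, max_out)
            r0, lwm = offs, 1
        else:                               # 111    : 4-bit offset, one byte (0 = zero byte)
            offs = 0
            for _ in range(4):
                offs = (offs << 1) | r.bit()
            out.append(out[-offs] if offs else 0)
            lwm = 0
    return bytes(out)


def aplib_pack_literals(data):
    """Emit a valid aPLib stream storing every byte as a literal (fixture only, no matching)."""
    out = bytearray(data[:1])
    pos = n = tag = 0

    def put_bit(b):
        nonlocal pos, n, tag
        if n == 0:
            pos, tag = len(out), 0
            out.append(0)                   # placeholder for the tag byte
        tag, n = (tag << 1) | b, n + 1
        if n == 8:
            out[pos], n = tag, 0

    for b in data[1:]:
        put_bit(0)
        out.append(b)
    for b in (1, 1, 0):                     # end marker: short-match opcode with offset 0
        put_bit(b)
    out.append(0)
    if n:
        out[pos] = tag << (8 - n)
    return bytes(out)


def pe_sections(data):
    """Enumerate (name, raw bytes) from a PE section table without pefile."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    off, result = e_lfanew + 24 + opt_size, []
    for _ in range(nsec):
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        result.append((name, data[raw_ptr:raw_ptr + raw_size]))
        off += 40
    return result


def build_fake_pe(sections):
    """Minimal PE (DOS stub, COFF header, section table, raw data) constructed for the demo."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, body = b"", b""
    data_start = e_lfanew + len(coff) + 40 * len(sections)
    for name, raw in sections:
        table += name.ljust(8, b"\0")[:8] + struct.pack(
            "<IIIIIIHHI", len(raw), 0, len(raw), data_start + len(body), 0, 0, 0, 0, 0x40000040)
        body += raw
    return dos + coff + table + body


SERVER_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}")


def parse_config(blob):
    """Accept only '<version>\\n<ip:port>\\n...' text (constructed layout, not Dridex's real one)."""
    try:
        lines = blob.decode("ascii").strip().split("\n")
    except UnicodeDecodeError:
        return None
    if len(lines) < 2 or not lines[0].isdigit():
        return None
    if not all(SERVER_RE.fullmatch(line) for line in lines[1:]):
        return None
    return {"version": lines[0], "servers": lines[1:]}


def extract_config(pe_bytes):
    """Section enumeration -> assumed single-byte XOR -> aPLib -> config validation."""
    hits = []
    for name, raw in pe_sections(pe_bytes):
        for key in range(256):              # assumed XOR layer: brute-force the key
            try:
                plain = aplib_depack(bytes(b ^ key for b in raw))
            except (IndexError, ValueError):
                continue                    # not a valid stream under this key
            cfg = parse_config(plain)
            if cfg:
                hits.append({"section": name, "key": key, **cfg})
    return hits


# Constructed sample: RFC 5737 documentation addresses and a made-up key.
CONFIG_PLAINTEXT = b"120\n192.0.2.10:443\n198.51.100.7:8443\n"
XOR_KEY = 0x5A


def sample_pe():
    obfuscated = bytes(b ^ XOR_KEY for b in aplib_pack_literals(CONFIG_PLAINTEXT))
    return build_fake_pe([(b".text", b"\x90" * 32), (b".data", obfuscated)])


if __name__ == "__main__":
    for hit in extract_config(sample_pe()):
        print(hit)
```

The decoder follows the four aPLib opcodes (literal, gamma-coded match, short match, 4-bit match), and every copy goes through `_copy_match` so a wrong XOR key turns into an exception rather than a runaway loop; `aplib_pack_literals` exists only to produce a valid stream for the fixture, since no compressor is needed for triage. Against a real sample you would replace `sample_pe()` with the unpacked file's bytes and the XOR stand-in with the sample's actual deobfuscation routine.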
Check out the script here: https://github.com/kudelskisecurity/Dridex-config-extraction
Feel free to contact us for any question.
Happy IOC extraction!