This is a custom program written by the LIFARS Incident Response Team to remove a Dridex infection.
To read more, see these LIFARS blog posts:
- The Emergence of Dridex
- From Dridex to BitPaymer Ransomware to DoppelPaymer... The Evolution
- Analysis of Dridex, BitPaymer and DoppelPaymer campaign
- Create a list of hostnames to be cleaned and save it as `hostnames.txt`
- Download PsExec and save it to the same directory
- Put the Base64-encoded executables of Process Monitor and Process Hacker into `dedri.ps1`:

      $prochack_base64str = "<PUT BASE64-ENCODED PROCESSHACKER.EXE HERE>"
      $procmon_base64str = "<PUT BASE64-ENCODED PROCMON.EXE HERE>"

- Run `.\dedri-automatization.ps1` from a PowerShell console (or, if execution of scripts is blocked, select all lines in PowerShell ISE and click "Run Selection")
On each host the script does the following:
- Find the malicious injected thread in Explorer.exe via Process Monitor; if such a thread exists, DEDRI suspends it.
- Find directories with Dridex artifacts. These directories can be found in `%APPDATA%` of any user and in `%WinDir%\System32`. They have a random-looking name and contain one legitimate Windows executable (identical to its original in `%WinDir%\System32`); they may also contain one .DLL library with a legitimate name (but not legitimate content) that will be hijacked, and they may contain an encrypted file with a random-looking filename and an extension beginning with the character `x`.
- Check every:
  - scheduled task,
  - autorun via the HKLM (Local Machine) and HKCU (Current User) registry entries under `\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` for any user,
  - Windows Start Menu `.lnk` startup file for any user,

  and find items pointing to any of the malicious directories with Dridex artifacts found in the previous step.
- Remove all malicious artifacts found in the previous steps.
- Terminate the malicious injected thread if it exists (see the 1st step).
- (Optionally) prevent future successful Dridex execution by creating a read-only file `C:\Windows ` (including the trailing space); Dridex will then not be able to use a fake directory with the same name for one of its stages.
- (Optionally) prevent future successful BitPaymer ransomware infection by creating the file `C:\aaa_TouchMeNot_.txt`.

Notes:
- If PsExec is blocked in your environment, you can use `Invoke-Command -ComputerName ...` or Group Policy instead.
- The three Base64-encoded blobs in `dedri.ps1` are embedded binary files of:
  - the Process Monitor executable, for finding the malicious thread,
  - the Process Monitor configuration for finding the malicious thread,
  - Process Hacker, as a second method for suspending and terminating the malicious thread; it is used only after the native Win32 API method fails.
- The Base64-encoded blob of Process Monitor and Process Hacker can be obtained with the command:

      $base64string = [Convert]::ToBase64String([IO.File]::ReadAllBytes($FileName))
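As an added example of the autorun check described above (this is not DEDRI's own code), the following PowerShell script lists the Run-key entries of every loaded user hive and the Startup-folder shortcuts of every profile, and flags those whose executable sits in a directory matching the Dridex artifact pattern: a folder directly under a user's Roaming AppData or under System32 that holds a copy of a real System32 executable next to a .DLL. The function names, regexes and directory heuristics are assumptions made for this example.

```powershell
# Added example, not DEDRI's own code: flag Run-key autoruns and Startup-folder
# shortcuts whose executable lives in a directory matching the Dridex artifact
# pattern (random-named folder directly under a user's Roaming AppData or under
# System32, holding a copy of a real System32 .exe plus a .dll).
# Function names, regexes and heuristics are assumptions for illustration.
function Get-AutorunTargets {
    $targets = @()
    # HKLM Run key plus the Run key of every loaded user hive (HKU covers HKCU)
    $runKeys = @('Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    $runKeys += Get-ChildItem Registry::HKEY_USERS |
        ForEach-Object { "Registry::$($_.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" }
    foreach ($key in ($runKeys | Where-Object { Test-Path $_ })) {
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's metadata members
            $targets += [pscustomobject]@{ Source = "$key\$($p.Name)"; Command = [string]$p.Value }
        }
    }
    # Startup-folder .lnk files of every profile and of the all-users Startup folder
    $shell = New-Object -ComObject WScript.Shell
    $dirs = Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object {
        Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }
    $dirs += "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    foreach ($dir in ($dirs | Where-Object { Test-Path $_ })) {
        Get-ChildItem $dir -Filter *.lnk | ForEach-Object {
            $targets += [pscustomobject]@{ Source = $_.FullName; Command = $shell.CreateShortcut($_.FullName).TargetPath }
        }
    }
    return $targets
}
function Test-DridexArtifactDir {
    param([string]$Dir)
    $parent = Split-Path $Dir -Parent
    $inAppData  = $parent -like "$env:SystemDrive\Users\*\AppData\Roaming"
    $inSystem32 = $parent -eq "$env:WinDir\System32"
    if (-not ($inAppData -or $inSystem32)) { return $false }
    # a cloned legitimate executable next to a .dll is the tell-tale combination
    $exes = @(Get-ChildItem $Dir -Filter *.exe -ErrorAction SilentlyContinue |
              Where-Object { Test-Path (Join-Path "$env:WinDir\System32" $_.Name) })
    $dlls = @(Get-ChildItem $Dir -Filter *.dll -ErrorAction SilentlyContinue)
    return ($exes.Count -gt 0 -and $dlls.Count -gt 0)
}
Get-AutorunTargets | ForEach-Object {
    # reduce the command line to its executable path (quoted path, or first token ending in .exe)
    $exe = ($_.Command -replace '^"([^"]+)".*$', '$1') -replace '^([^ ]+\.exe).*$', '$1'
    if ($exe -and (Test-Path $exe) -and (Test-DridexArtifactDir (Split-Path $exe -Parent))) {
        Write-Output "SUSPECT: $($_.Source) -> $exe"
    }
}
```

Run it in an elevated PowerShell session so that all user hives and profile folders are readable; it only reports, it does not remove anything.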
For more information about Dridex detection, reverse-engineering of malware binaries in our forensics laboratory, malware eradication and containment, isolation of compromised hosts, blocking lateral-movement infections, and providing a custom Cyber Vaccine, please contact us at:
- https://lifars.com/contact-us/
- https://lifars.com/ransomware-response-and-cyber-extortion-bitcoin-decryption/
@mwlac @LIFARS