Analysis of the sample "Red October" - Part 2

Published on 2013-01-15 15:00:00.

We wrote an article about the dropper used by Red October available here.

At the end of this article we got a file called svchost.exe and the file . This file was first packed with a custom packer and secondly packed with UPX. Once we unpacked this file, we get a file with the md5: 5f38e180671fe1d86009d730687a0e3e.

This binary is used to decrypt the file

How to get the .dll stored in

To decrypt the .dll file from we must apply this algorithm:

Here the screenshot of the initialisation of the RC4 function KSA (function 0x403930):


For people who do not recognise RCA init, we can found 2 loops with 256 iterations… (comment for jvoisin)

Here the screenshot of the RC4 function PRGA (function 0x4039B0):


Here the usage of the zlib library (function 0x404500):


We can identify zlib with some specific strings available in the function.

We develop a script to get the .dll from the file, for information we need to skip the first 4 bytes, these bytes contain the size of the final binary:

import sys
    from Crypto.Cipher import ARC4
    import hashlib
    import zlib
    key = "dfdedkwe3322oeitodkdjeio3e9ekdjwasddcncmvjdasalwpeoryg7534hvn5wewse"
    data = open(sys.argv[1]).read()
    rc4 =
    decrypted = rc4.encrypt(data)
    decompressed = zlib.decompress(decrypted[4:])

The output:$ python wsdktr.ltp > final.dll$ file final.dll 
final.dll: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed

The .dll md5 is 9b049bcb675377af1ca08fcf3ddad89c.

The unpack .dll md5 is b587fb33613bfbdd2a95e98fc00391d5.

We have (finally) the malware of Red October !!!