Reverse Engineering Redosdru String Decryption

By Andrew Petrus
Published: 2024-06-17 · Archived: 2026-04-05 13:40:07 UTC

Redosdru is malware primarily functioning as a downloader, commonly associated with APT27/Iron Tiger, and reported by Microsoft as early as July 2009. Surprisingly, for its age, I couldn't find much information about it, which made dissecting it even more appealing. I wanted to share the decryption process of the C2 URL, which I found quite interesting.

Figure: Low number of submissions on Malware Bazaar, considering the family's age

Finding the C2 URL

The majority of strings in this binary are either encrypted or refer to APIs/libraries.

Figure: Encrypted strings

After loading the binary into IDA, I came across an intriguing string in Main that was passed to another function.

Within sub_40287F, the encrypted string is passed to strlen and then to sub_401CBC, which serves as the main decryption function.

Delving into sub_401CBC, I've labeled some variables for easier understanding. We have an XOR key of 0x59 and a subtraction key set to 0x86. A couple of other points are worth mentioning. Firstly, there's the function sub_401917, which I've identified as a kind of preamble decryption function. It takes the encrypted string through the initial stage of decryption, returning it in a ready-to-XOR state for subsequent processing in the decryption loop.
Figure: sub_401CBC (main decryption function), part 1

Since sub_401917 is quite complex, explaining it fully would require a dedicated blog post. Therefore, I'll simplify it as much as possible. In the main decryption loop of sub_401917, the function handles the encrypted string in 4-byte parts. It uses another function, sub_401B13, to decode each byte, using bitwise operations to rebuild the original data.

Here's a link to the two main functions that make up sub_401917.

Figure: Encrypted string before the preamble decryption function (sub_401917)
Figure: Encrypted string after the preamble decryption function (sub_401917)

Secondly, I've identified a loop as the main decryption loop, which decrypts the string byte by byte. To summarize the process: it takes each byte of the string returned by sub_401917, starting with the first, subtracts the subtraction key (0x86) from it, and then XORs the result with the XOR key (0x59).

Figure: sub_401CBC (main decryption function), part 2

We can observe the subtraction instruction in our debugger.

Subtracting 0x86 (subtraction key) from 0xB7 (first byte) = 0x31

Here, for instance, 0x31 XOR'd with 0x59 decrypted the first byte to 'h' (as shown in the hex/ASCII dump below).

XOR 0x31 (from the last operation) with 0x59 (XOR key) = 0x68 ('h')

The decryption function compares the current length of the decrypted string with 0x23 (at 0x401CF9), which is 35 in decimal.
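The per-byte transformation described above, written out as an added example (this is not the author's code, nor code from the malware). It implements only the second stage, the subtract-then-XOR loop of sub_401CBC with its 0x23-byte length check; the preamble stage (sub_401917, the 4-byte-group decoding) is not reimplemented, so the function takes the preamble's output bytes as input. The sample URL and the ciphertext derived from it are constructed placeholders, not the real C2 or real sample bytes; the only value taken from the page is the first byte 0xB7, which must decrypt to 'h'.

```python
# Added example, not from the original post: the second (final) stage of
# Redosdru's string decryption as described in the write-up. For each byte
# returned by the preamble function sub_401917: subtract 0x86, then XOR with
# 0x59, for 0x23 (35) bytes. The preamble stage itself is not reimplemented;
# its output is what decrypt_stage2() expects as input.

SUB_KEY = 0x86          # subtraction key labeled in sub_401CBC
XOR_KEY = 0x59          # XOR key labeled in sub_401CBC
EXPECTED_LEN = 0x23     # the loop stops once 35 bytes have been decrypted


def decrypt_byte(c: int) -> int:
    """(c - 0x86) XOR 0x59 on a single byte.

    The `& 0xFF` mirrors the 8-bit wrap of the x86 `sub` on a byte register;
    without it, inputs below 0x86 go negative in Python and the XOR result
    is wrong.
    """
    return ((c - SUB_KEY) & 0xFF) ^ XOR_KEY


def decrypt_stage2(data: bytes, length: int = EXPECTED_LEN) -> str:
    """Decrypt the first `length` bytes of the preamble output (default 35)."""
    if len(data) < length:
        raise ValueError(f"need {length} bytes of preamble output, got {len(data)}")
    return bytes(decrypt_byte(c) for c in data[:length]).decode("latin-1")


def encrypt_stage2(text: str) -> bytes:
    """Inverse transform (XOR first, then add 0x86 mod 256).

    Used here only to build a test vector from a constructed plaintext.
    """
    return bytes(((ord(ch) ^ XOR_KEY) + SUB_KEY) & 0xFF for ch in text)


# Constructed sample: a 35-character placeholder URL (not the real C2). The
# ciphertext is the stage-2 encoding of this string, not bytes from the sample.
SAMPLE_URL = "http://c2.example.invalid/stage.dll"
SAMPLE_CIPHERTEXT = encrypt_stage2(SAMPLE_URL)


def demo() -> dict:
    """Reproduce the write-up's first-byte check and round-trip the sample."""
    return {
        # 0xB7 is the first byte seen in the debugger; it must decrypt to 'h'.
        "first_byte": chr(decrypt_byte(0xB7)),
        # Any plaintext starting with 'h' encrypts to a first byte of 0xB7.
        "first_byte_ciphertext": hex(SAMPLE_CIPHERTEXT[0]),
        "decrypted": decrypt_stage2(SAMPLE_CIPHERTEXT),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

To use this against the real sample, dump the 35 bytes that sub_401917 returns (the buffer the loop reads from, shown in the "after preamble" hex dump) and pass them to decrypt_stage2(); if the first byte is not 0xB7 the dump was taken before the preamble stage ran.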
When the comparison succeeds, the loop ends, revealing our final C2 URL.

Figure: Decrypted C2 URL, which appears to download a malicious DLL file

Oh yeah!

Hash, dynamic analysis, and samples

SHA256: 506c946ecc0877b13de8fb977de24a7b9e14054d44ca547e518084c914334a6b
Dynamic Analysis: https://www.vmray.com/analyses/_vt/506c946ecc08/report/network.html
Samples: https://bazaar.abuse.ch/browse.php?search=tag%3Aredosdru

Thanks for tuning in

So, that wraps up our dive into this decryption method used by Redosdru. Writing this post has been really fun, and I hope you learned something new. Until next time, stay safe out there!

Source: https://medium.com/@andrew.petrus/reverse-engineering-redosdru-string-decryption-595599087dbb