Nytro

Dyre Infection Analysis by Alexander Hanel

2014/11/24

Version 1.0

alexander.hanel@gmail.com

Executive Summary
Introduction
Family Name
Propagation
Sample Analyzed
Installation
Stage 1
Stage 2
Stage 3
Stage 4
Stage 5
Stage 6
Stage 7
General Details and Functionality
Persistence
Registry
Service
Run Key
Dropped Files
Service
Pipes
Mutex
Functionality Overview
Enumerating processes
Process Injection
Host IP Retrieval
VNC
Commands & Configurations
Commands & Configurations
Error Codes
Hooks
FireFox Hooks
Internet Explorer Hooks
Chrome Hooks
AntiDetection Functionality
Disabling RapportGP
Command and Control
Third Party Resources
URLs & IPs
Network Traffic Patterns
Appendix:
Strings
Stage 6 Dyre
Stage 7 Injected Process
Third Party Analysis

Executive Summary

This document is an analysis of the Dyre banking malware. It is intended to aid in understanding how Dyre executes and interacts with the operating system. The target audience is malware analysts, reverse engineers, system administrators, incident responders and forensic investigators. Hopefully an individual investigating an incident could use this document to determine whether or not the infection is Dyre.

Introduction

Dyre is a banking trojan that was first seen in June of 2014. In terms of banking malware the family is rather recent. Most organizations and email providers have been hit with spam campaigns that either link to an exploit kit that drops Dyre or deliver an email with a zip attachment that contains a Dyre executable. This document covers features of Dyre that I found interesting. Due to the size of the code, not all features are covered. The sample I originally started with was an older sample. Newer samples that dropped a service crashed in

Download: https://bytebucket.org/Alexander_Hanel/papers/raw/1c41fd1ed30cdd060d18ceddb2d2e52db5134e45/Dyre-Analysis.pdf
