Win32/Dyzap (Dyre)

Forum for analysis and discussion about malware.

Win32/Dyzap (Dyre)

Postby forty-six » Wed Jul 16, 2014 3:10 am

Last edited by EP_X0FF on Mon Jul 21, 2014 2:22 pm, edited 1 time in total.
Reason: title edit

Re: Win32/Dyzap.A

Postby forty-six » Fri Jul 18, 2014 9:27 pm

Packed and Unpacked attached:

Code:
LdrGetProcedureAddress
NtMapViewOfSection
ZwQueueApcThread
I'm DYRE!
Slava Ukraini!
NtQuerySystemInformation


Code:
Opera/9.80
publickey
vnc32
replace
backconn
%s/%s/0
RtlTimeToSecondsSince1970
Wget/1.9
vRQ>
8STs
LwH'
%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X
%s_W%d%d%d.%s
botid
config
http://icanhazip.com
No NAT
Full Cone NAT
UDP Firewall
Port restricted NAT
Address restricted NAT
Symmetric NAT
unknown NAT
%d.%d.%d.%d
canot get config
start success
start fail
ClientSetModule
VncStartServer
VncStopServer
222289DD-9234-C9CA-94E3-E60D08C77777
VNCModule
AUTOBACKCONN
TRUE
start failed
cannot get VNC

Re: Win32/Dyzap (Dyre)

Postby EX! » Sun Jul 27, 2014 12:38 am

https://www.virustotal.com/es/file/1074 ... /analysis/

00402385 PUSH dump1.00403298 ASCII "I'm DYRE!"
0040238C PUSH dump1.004032A4 ASCII "Shit happens :)"
004023C1 PUSH dump1.004031C0 UNICODE "Roaming"
004023D1 PUSH dump1.004031D0 UNICODE "Local"
004023FE PUSH dump1.004032B4 UNICODE "cmd.exe"
00402486 PUSH dump1.004031E4 UNICODE "Xider78"
0040250F PUSH dump1.00403220 UNICODE "Software\Microsoft\Windows\CurrentVersion\Run"
00402537 PUSH dump1.0040327C UNICODE "GoogleUpdate"

Re: Win32/Dyzap (Dyre)

Postby R136a1 » Thu Mar 26, 2015 3:47 pm

Recent injector and payload from campaign targeting UK users attached.

List of C&C servers extracted from resource:
oguws7cr5xvl5jlrhyxjktcdi2d7k5cqeulu4mdl75xxfwmhgnsq.b32.i2p:443
nhgyzrn2p2gejk57wveao5kxa7b3nhtc4saoonjpsy65mapycaua.b32.i2p:443
195.189.19.156:443
195.32.89.29:443
77.85.204.113:443
91.202.197.178:443
178.253.216.100:4443
194.28.191.217:443
194.28.191.218:443
46.160.125.167:443
46.151.48.114:443
46.151.50.58:443
185.31.53.23:443
89.22.207.223:443
91.225.228.195:443
91.210.148.1:443
92.240.99.70:443
46.29.0.247:4443
188.165.223.61:443
188.165.223.61:4443
188.165.232.226:4443
31.131.142.226:4443
46.151.48.199:443
176.36.160.107:443
91.242.55.58:4443
93.175.224.225:4443
93.99.229.60:443
85.248.157.88:443
188.231.149.4:4443
46.63.97.171:443
46.63.97.224:4443
46.151.49.53:443
109.87.231.180:4443
37.115.203.210:4443
46.63.97.77:4443
46.63.96.198:4443
188.165.213.146:4443
46.63.96.137:443
46.63.96.251:4443
188.165.213.146:443
178.212.244.19:4443
31.131.139.42:4443
62.80.181.148:4443
178.217.49.162:443
176.98.141.2:443
176.98.133.237:443
109.237.0.106:443
83.219.158.40:443
46.151.48.121:443
46.63.98.27:443
212.36.236.132:443
212.36.237.45:443
212.36.229.141:443
176.197.103.78:443
178.253.251.4:443
194.28.191.70:443
194.28.190.26:443
194.28.189.92:443
194.28.191.217:443
194.28.191.218:443
https://188.165.227.12/23.su3
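The C&C list in the post above mixes three entry shapes (I2P base32 hosts, IPv4:port sockets on 443/4443, and one bare URL), and it contains exact duplicates as well as the same host on two ports. The script below is an added example, not code from the post or from any analysis tool mentioned in the thread: it parses that format into deduplicated indicator sets a defender can feed into a blocklist or detection rule, rejecting anything that does not match one of the three shapes so a malformed line is never silently dropped. The sample input is a constructed subset of the list above, chosen to cover every entry shape; the function and variable names are my own.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Constructed sample: a subset of the C&C list in the post, chosen to cover each
# line shape that occurs there (I2P base32 host, IPv4:port on 443 and 4443,
# one exact duplicate, one host listed on two ports, and a bare URL).
SAMPLE = """\
oguws7cr5xvl5jlrhyxjktcdi2d7k5cqeulu4mdl75xxfwmhgnsq.b32.i2p:443
195.189.19.156:443
178.253.216.100:4443
194.28.191.217:443
188.165.223.61:443
188.165.223.61:4443
194.28.191.217:443
https://188.165.227.12/23.su3
"""

# .b32.i2p names are base32 (a-z, 2-7) of the destination hash.
I2P_RE = re.compile(r"^(?P<host>[a-z2-7]+\.b32\.i2p):(?P<port>\d{1,5})$")
SOCKET_RE = re.compile(r"^(?P<host>[0-9.]+):(?P<port>\d{1,5})$")


def classify(line: str) -> Tuple[str, str, int]:
    """Return (kind, host, port) for one list entry; kind is 'i2p', 'ipv4' or
    'url'. Raises ValueError on anything unrecognised or with bad octets/ports."""
    line = line.strip()
    m = I2P_RE.match(line)
    if m:
        return "i2p", m.group("host"), int(m.group("port"))
    m = SOCKET_RE.match(line)
    if m:
        host = str(ipaddress.IPv4Address(m.group("host")))  # validates the octets
        port = int(m.group("port"))
        if not 0 < port < 65536:
            raise ValueError(f"bad port in {line!r}")
        return "ipv4", host, port
    if line.startswith(("http://", "https://")):
        parts = urlsplit(line)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        return "url", parts.hostname or "", port
    raise ValueError(f"unrecognised C&C entry: {line!r}")


def summarise(text: str) -> Dict[str, object]:
    """Parse a whole C&C list into deduplicated indicator sets, plus the hosts
    that were listed on more than one port (worth a host-level block rather
    than a socket-level one)."""
    sockets = set()
    hosts_by_kind = defaultdict(set)
    ports_by_host = defaultdict(set)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        kind, host, port = classify(raw)
        sockets.add((host, port))
        hosts_by_kind[kind].add(host)
        ports_by_host[host].add(port)
    return {
        "sockets": sorted(sockets),
        "ipv4_hosts": sorted(hosts_by_kind["ipv4"]),
        "i2p_hosts": sorted(hosts_by_kind["i2p"]),
        "url_hosts": sorted(hosts_by_kind["url"]),
        "multi_port_hosts": sorted(h for h, p in ports_by_host.items() if len(p) > 1),
        "ports": sorted({p for _, p in sockets}),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it as-is to see the summary of the sample; to process the full list from the post, paste it into SAMPLE or read it from a file and pass the text to summarise(). Keeping I2P names separate from IPv4 sockets matters in practice, because the former are only reachable through an I2P router and will not show up in ordinary DNS or NetFlow data.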

Re: Win32/Dyzap (Dyre)

Postby sysopfb » Thu Apr 09, 2015 12:51 pm

Here's the loader packed and unpacked

Version 1122, looks like the "logkeys" ability is operational now.

Re: Win32/Dyzap (Dyre)

Postby r3shl4k1sh » Fri May 01, 2015 7:36 am

New Dyre Version- Yet Another Malware Evading Sandboxes
...
This version of the Dyre malware is able to evade analysis by sandboxing solutions by checking how many processor cores the machine has.
...

http://www.seculert.com/blog/2015/04/ne ... boxes.html

MD5s of the new Dyre version
999bc5e16312db6abff5f6c9e54c546f
b44634d90a9ff2ed8a9d0304c11bf612
dd207384b31d118745ebc83203a4b04a

attached!

Re: Win32/Dyzap (Dyre)

Postby Xylitol » Sat May 23, 2015 1:45 pm


Re: Win32/Dyzap (Dyre)

Postby patriq » Sun May 31, 2015 5:12 pm

is GetSystemPowerStatus used to test for sandbox/vm?

Re: Win32/Dyzap (Dyre)

Postby Xylitol » Sun May 31, 2015 5:48 pm

No, check the post of Aviv Raff for info about the weak/lame anti-sandbox feature.

Re: Win32/Dyzap (Dyre)

Postby robemtnez » Mon Jun 01, 2015 2:02 am

Upatre was the one checking for CPU numbers and not Dyre, and I understand it was a feature of the packer and not the malware itself.
