A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #23411  by forty-six
 Fri Jul 18, 2014 9:27 pm
Packed and Unpacked attached:
Code: Select all
LdrGetProcedureAddress
NtMapViewOfSection
ZwQueueApcThread
I'm DYRE!
Slava Ukraini!
NtQuerySystemInformation
Code: Select all
Opera/9.80
publickey
vnc32
replace
backconn
%s/%s/0
RtlTimeToSecondsSince1970
Wget/1.9
vRQ>
8STs
LwH'
%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X
%s_W%d%d%d.%s
botid
config
http://icanhazip.com
No NAT
Full Cone NAT
UDP Firewall
Port restricted NAT
Address restricted NAT
Symmetric NAT
unknown NAT
%d.%d.%d.%d
canot get config
start success
start fail
ClientSetModule
VncStartServer
VncStopServer
222289DD-9234-C9CA-94E3-E60D08C77777
VNCModule
AUTOBACKCONN
TRUE
start failed
cannot get VNC
Attachments
(175.51 KiB) Downloaded 125 times
(89 KiB) Downloaded 136 times
 #23451  by EX!
 Sun Jul 27, 2014 12:38 am
https://www.virustotal.com/es/file/1074 ... /analysis/

00402385 PUSH dump1.00403298 ASCII "I'm DYRE!"
0040238C PUSH dump1.004032A4 ASCII "Shit happens :)"
004023C1 PUSH dump1.004031C0 UNICODE "Roaming"
004023D1 PUSH dump1.004031D0 UNICODE "Local"
004023FE PUSH dump1.004032B4 UNICODE "cmd.exe"
00402486 PUSH dump1.004031E4 UNICODE "Xider78"
0040250F PUSH dump1.00403220 UNICODE "Software\Microsoft\Windows\CurrentVersion\Run"
00402537 PUSH dump1.0040327C UNICODE "GoogleUpdate"
Attachments
pwd=infected
(280.25 KiB) Downloaded 112 times
 #25514  by R136a1
 Thu Mar 26, 2015 3:47 pm
Recent injector and payload from campaign targeting UK users attached.

List of C&C servers extracted from resource:
Code: Select all
oguws7cr5xvl5jlrhyxjktcdi2d7k5cqeulu4mdl75xxfwmhgnsq.b32.i2p:443
nhgyzrn2p2gejk57wveao5kxa7b3nhtc4saoonjpsy65mapycaua.b32.i2p:443
195.189.19.156:443
195.32.89.29:443
77.85.204.113:443
91.202.197.178:443
178.253.216.100:4443
194.28.191.217:443
194.28.191.218:443
46.160.125.167:443
46.151.48.114:443
46.151.50.58:443
185.31.53.23:443
89.22.207.223:443
91.225.228.195:443
91.210.148.1:443
92.240.99.70:443
46.29.0.247:4443
188.165.223.61:443
188.165.223.61:4443
188.165.232.226:4443
31.131.142.226:4443
46.151.48.199:443
176.36.160.107:443
91.242.55.58:4443
93.175.224.225:4443
93.99.229.60:443
85.248.157.88:443
188.231.149.4:4443
46.63.97.171:443
46.63.97.224:4443
46.151.49.53:443
109.87.231.180:4443
37.115.203.210:4443
46.63.97.77:4443
46.63.96.198:4443
188.165.213.146:4443
46.63.96.137:443
46.63.96.251:4443
188.165.213.146:443
178.212.244.19:4443
31.131.139.42:4443
62.80.181.148:4443
178.217.49.162:443
176.98.141.2:443
176.98.133.237:443
109.237.0.106:443
83.219.158.40:443
46.151.48.121:443
46.63.98.27:443
212.36.236.132:443
212.36.237.45:443
212.36.229.141:443
176.197.103.78:443
178.253.251.4:443
194.28.191.70:443
194.28.190.26:443
194.28.189.92:443
194.28.191.217:443
194.28.191.218:443
https://188.165.227.12/23.su3
Attachments
PW: infected
(395.79 KiB) Downloaded 94 times
 #25599  by sysopfb
 Thu Apr 09, 2015 12:51 pm
Here's the loader packed and unpacked

Version 1122, looks like the "logkeys" ability is operational now.
Attachments
pw: infected
(710.44 KiB) Downloaded 92 times
 #25765  by r3shl4k1sh
 Fri May 01, 2015 7:36 am
New Dyre Version- Yet Another Malware Evading Sandboxes
...
This version of the Dyre malware is able to evade analysis by sandboxing solutions by checking how many processor cores the machine has.
...
http://www.seculert.com/blog/2015/04/ne ... boxes.html

MD5s of the new Dyre version
999bc5e16312db6abff5f6c9e54c546f
b44634d90a9ff2ed8a9d0304c11bf612
dd207384b31d118745ebc83203a4b04a

attached!
Attachments
pass: infected
(1015.69 KiB) Downloaded 97 times
 #25920  by Xylitol
 Sat May 23, 2015 1:45 pm
Attachments
infected
(289.19 KiB) Downloaded 74 times
 #25968  by robemtnez
 Mon Jun 01, 2015 2:02 am
Upatre was the one checking for CPU numbers and not Dyre, and I understand it was a feature of the packer and not the malware itself.