[forty-six]

aka Dyreza

http://phishme.com/project-dyre-new-rat ... asses-ssl/

[forty-six]

Packed and Unpacked attached:

Code: Select all

LdrGetProcedureAddress
NtMapViewOfSection
ZwQueueApcThread
I'm DYRE!
Slava Ukraini!
NtQuerySystemInformation

Code: Select all

Opera/9.80
publickey
vnc32
replace
backconn
%s/%s/0
RtlTimeToSecondsSince1970
Wget/1.9
vRQ>
8STs
LwH'
%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X
%s_W%d%d%d.%s
botid
config
http://icanhazip.com
No NAT
Full Cone NAT
UDP Firewall
Port restricted NAT
Address restricted NAT
Symmetric NAT
unknown NAT
%d.%d.%d.%d
canot get config
start success
start fail
ClientSetModule
VncStartServer
VncStopServer
222289DD-9234-C9CA-94E3-E60D08C77777
VNCModule
AUTOBACKCONN
TRUE
start failed
cannot get VNC

[EX!]

https://www.virustotal.com/es/file/1074 ... /analysis/

00402385 PUSH dump1.00403298 ASCII "I'm DYRE!"
0040238C PUSH dump1.004032A4 ASCII "Shit happens :)"
004023C1 PUSH dump1.004031C0 UNICODE "Roaming"
004023D1 PUSH dump1.004031D0 UNICODE "Local"
004023FE PUSH dump1.004032B4 UNICODE "cmd.exe"
00402486 PUSH dump1.004031E4 UNICODE "Xider78"
0040250F PUSH dump1.00403220 UNICODE "Software\Microsoft\Windows\CurrentVersion\Run"
00402537 PUSH dump1.0040327C UNICODE "GoogleUpdate"

[R136a1]

Recent injector and payload from campaign targeting UK users attached.

List of C&C servers extracted from resource:

Code: Select all

oguws7cr5xvl5jlrhyxjktcdi2d7k5cqeulu4mdl75xxfwmhgnsq.b32.i2p:443
nhgyzrn2p2gejk57wveao5kxa7b3nhtc4saoonjpsy65mapycaua.b32.i2p:443
195.189.19.156:443
195.32.89.29:443
77.85.204.113:443
91.202.197.178:443
178.253.216.100:4443
194.28.191.217:443
194.28.191.218:443
46.160.125.167:443
46.151.48.114:443
46.151.50.58:443
185.31.53.23:443
89.22.207.223:443
91.225.228.195:443
91.210.148.1:443
92.240.99.70:443
46.29.0.247:4443
188.165.223.61:443
188.165.223.61:4443
188.165.232.226:4443
31.131.142.226:4443
46.151.48.199:443
176.36.160.107:443
91.242.55.58:4443
93.175.224.225:4443
93.99.229.60:443
85.248.157.88:443
188.231.149.4:4443
46.63.97.171:443
46.63.97.224:4443
46.151.49.53:443
109.87.231.180:4443
37.115.203.210:4443
46.63.97.77:4443
46.63.96.198:4443
188.165.213.146:4443
46.63.96.137:443
46.63.96.251:4443
188.165.213.146:443
178.212.244.19:4443
31.131.139.42:4443
62.80.181.148:4443
178.217.49.162:443
176.98.141.2:443
176.98.133.237:443
109.237.0.106:443
83.219.158.40:443
46.151.48.121:443
46.63.98.27:443
212.36.236.132:443
212.36.237.45:443
212.36.229.141:443
176.197.103.78:443
178.253.251.4:443
194.28.191.70:443
194.28.190.26:443
194.28.189.92:443
194.28.191.217:443
194.28.191.218:443
https://188.165.227.12/23.su3

[sysopfb]

Here's the loader packed and unpacked

Version 1122, looks like the "logkeys" ability is operational now.

[r3shl4k1sh]

New Dyre Version- Yet Another Malware Evading Sandboxes
...
This version of the Dyre malware is able to evade analysis by sandboxing solutions by checking how many processor cores the machine has.
...

http://www.seculert.com/blog/2015/04/ne ... boxes.html

MD5s of the new Dyre version
999bc5e16312db6abff5f6c9e54c546f
b44634d90a9ff2ed8a9d0304c11bf612
dd207384b31d118745ebc83203a4b04a

attached!

[Xylitol]

unpack of b44634d90a9ff2ed8a9d0304c11bf612 in attachement.
https://www.virustotal.com/en/file/b02b ... 432388794/
https://www.youtube.com/watch?v=hKkmQ3tGJa0
Sandbox patched: http://www.threatexpert.com/report.aspx ... 650778fc99 - https://malwr.com/analysis/YTJhMzBkNmEx ... diNzAxNWM/

[patriq]

https://www.youtube.com/watch?v=hKkmQ3tGJa0

is GetSystemPowerStatus used to test for sandbox/vm?

[Xylitol]

no, check the post of Aviv Raff for infos about the weak/lame anti sandbox feature.

[robemtnez]

Upatre was the one checking for CPU numbers and not Dyre, and I understand it was a feature of the packer and not the malware itself.