Python script dumps Dyre malware configurations

happygeek 1 511 Views

It's been a year now since the Dyre malware family was first profiled, and there is no sign of infection rates slowing down. In fact, reports would seem to suggest just the opposite with infections up from 4,000 at the end of last year to 9,000 at the start of this. The lion's share being split pretty evenly between European and North American users.

So I was interested to spot this Tweet from Ronnie T @iHeartMalware who is actually Ronnie Tokazowski, a senior researcher at PhishMe, which declares: "I'm tired of dumping #Dyre configurations by hand. So I wrote a python script to do it. Enjoy folks!"

dyredumper.jpg

Ronnie explains "It’s been over a year since Dyre first appeared, and with a rise of infections in 2015, it doesn’t look like the attackers are stopping anytime soon. At PhishMe we’ve been hit with a number of Dyre attacks this week, so to make analysis a little easier, I tossed together a quick python script that folks can use for dumping the configurations for Dyre. To dump the memory, you can use Process Explorer to do a “full dump” on the process they inject into. (Typically the top-most svchost.exe, sometimes explorer.exe)."

Here's the script for all you Python fans to have a look at.

dyredumper2.jpg

Member Avatar for Slavi
Slavi 94 Master Poster

Would be sweet if there was volatility#2, that contains scripts per malware family

Edited by Slavi
Member Avatar for Gribouillis
Gribouillis 1,391 Programming Explorer

Interesting. It can be improved by using the standard modules argparse for command line parsing and subprocess to get output and error from called commands.

Member Avatar for RonnieT
RonnieT 0 Newbie Poster

Hello Davey,

Thanks for picking up the article, and I really appreciate it behing hosted! Hopefully I can answer a few of the questions as they come in.

Slavi,

On the side of Volatility, I do know that there is a plugin for Volitility which can be found here: http://cybermashup.com/2015/02/11/volatility-plugin-for-dyre/

I wanted to go this route as ProcExp is one of the things I typically use, and while Volatility is awesome, it takes a good bit of time to get the dump and process it. However I could see this working very well with a Cuckoo box that's automating Volatility!

Gribouillis,

I agree 100% on using argparse and subprocess, and these are two I normally use. I just wanted to get something quick and dirty out there for folks, so hopefully you forgive me on the hack job! (And lack of PEP8 and poor use of os.system()) ;)

--Ronnie
@iHeartMalware

Member Avatar for Tcll
Tcll 66 Posting Whiz in Training

this is why I moved off windows...

hearing about stuff like this P's me off knowing how easy it is to steal private data, and how far idiots will go to do it mainly just to get a quick buck.

is it possible to detect these attacks and redirect them back on the attacker??
(the bugs-bunny trick where he bends the shotgun around) :P

EDIT:
@Ronnie: I'm talking about the Dyre devs jsyk, not you, please don't take it as such ;)

Edited by Tcll
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Edit Preview