Malware Analysis — Banking Trojan: Dyre

jon
Jan 6, 2022

This is a basic static malware analysis of a banking Trojan named Dyre. The sample can be found at theZoo. We are analyzing Unpacked.DLL, which contains two payloads, one for 32-bit and one for 64-bit architecture.

Phase 1: Static Analysis

PEStudio

Before interacting with the live sample, we first use PEStudio to gain some initial info. PEStudio does a nice job of breaking up the various sections we can explore. Some interesting things we can immediately take away are that:

  • This is a 32-bit executable with a GUI (we can tell it is an executable either from the first bytes being “4D 5A”, i.e. “MZ”, or from PEStudio telling us).

There are a lot of indicators that can help us, but we usually just deal with the level 1 ones. A couple of preliminary indicators give us a sense of what we will examine inside the sample. Some things to take away from this screen include:

  • There are files embedded inside this initial file
  • There is a URL
  • Blacklisted functions and strings

Moving on, we continue inspecting the various parts of the file and land on the view of sections. This file contains 5 sections, with the interesting information highlighted in yellow:

  • In .data the raw-size is 0 bytes but the virtual-size is 56 bytes, meaning this section takes up no space on disk and only exists in memory once the file is loaded and run
  • There are two files in the .rsrc section
  • It is always good to compare raw-size and virtual-size to spot discrepancies like this

In the Libraries section, we can see which libraries the file imports. If you want to find out what each does, you can look them up in the Microsoft docs.

  • shlwapi.dll
  • kernel32.dll
  • user32.dll
  • advapi32.dll
  • shell32.dll

The functions section is already a little suspicious since we have so few functions (49). Looking through the list, we can gain a sense of what the file is doing:

In the Resources section we can see the two files which were referenced in Sections beforehand:

We can use a tool called ResourceHacker to dig further into this, but some basic info we can already gather from here is that:

  • There are 2 files named PAYLOAD32 and PAYLOAD64, which take up most of the file size
  • They are supposedly in English and have a fairly high level of entropy

Moving on to possibly the most important part of static analysis, the strings section:

There are multiple strings that can provide us with info and also act as good indicators of compromise (IOCs), such as:

  • Send wininet.dll (a library not named in the imports before)
  • A user agent with a version in it: Opera/9.80
  • A website: http://icanhazip.com
  • googleupdaterr.exe
  • Slava Ukraini!, which translates to Glory to Ukraine
  • References to explorer.exe and iexplore.exe (the Internet Explorer binary)
  • A registry path: Software\Microsoft\Windows\CurrentVersion\Run (the autorun key)
  • A GUID-formatted string: 222289DD-9234-C9CA-94E3-E60D08C77777
  • A format string in the shape of an IP address: %d.%d.%d.%d
  • I’m DYRE!
  • Strange strings with placeholders: /%s/%s/63/checkfile/%s/%s/
  • A few POSTs
  • A multitude of functions from libraries that were not named before, such as CreateToolhelp32Snapshot, OpenProcess, NtMapViewOfSection, WSASend, InternetReadFile, CryptHashData, etc.
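The strings triage above can be scripted. This is an added example, not code from the original post: it pulls ASCII and UTF-16LE strings out of a byte blob the way a strings view does, then tags the ones that look like the categories found here (URLs, user agents, the Run key, GUIDs, IP format strings, executables, HTTP verbs). The byte blob is constructed from strings quoted in this post and is not real Dyre data.

```python
import re

# Regexes for the kinds of strings called out in the PEStudio strings view above.
PATTERNS = {
    "url": re.compile(r"https?://[\w./-]+|\bstun\.[\w.-]+\.(?:com|org|net)\b"),
    "user_agent": re.compile(r"\b(?:Mozilla|Opera)/\d+\.\d+"),
    "registry_run": re.compile(r"Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
    "guid": re.compile(r"\b[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\b", re.I),
    "ip_format": re.compile(r"%d\.%d\.%d\.%d"),
    "url_template": re.compile(r"/%s/.*%s/"),
    "executable": re.compile(r"\b[\w-]+\.exe\b", re.I),
    "http_verb": re.compile(r"\b(?:POST|GET) "),
}

def extract_strings(data, min_len=5):
    """Printable ASCII runs plus UTF-16LE runs (Windows binaries store many strings wide)."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [s.decode("ascii") for s in ascii_runs] + [s.decode("utf-16le") for s in wide_runs]

def triage(strings):
    """Map each pattern name to the strings that matched it; untagged strings are left out."""
    hits = {}
    for s in strings:
        for tag, rx in PATTERNS.items():
            if rx.search(s):
                hits.setdefault(tag, []).append(s)
    return hits

# Constructed blob: binary noise around strings quoted in this post, one of them stored as UTF-16LE.
SAMPLE = (b"\x00\x01MZ\x90" + b"http://icanhazip.com\x00" + b"\xff" * 4
          + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le") + b"\x00\x00"
          + b"Opera/9.80\x00googleupdaterr.exe\x00%d.%d.%d.%d\x00Slava Ukraini!\x00"
          + b"222289DD-9234-C9CA-94E3-E60D08C77777\x00/%s/%s/63/checkfile/%s/%s/\x00POST \x00I'm DYRE!\x00ab")

if __name__ == "__main__":
    for tag, matched in triage(extract_strings(SAMPLE)).items():
        print(f"{tag:13s} {matched}")
```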

ResourceHacker

Since we determined that the file contains two other files in its resources, we open up ResourceHacker to help us extract them:

PAYLOAD32 and PAYLOAD64 both open with the first bytes “55 89”, which we do not recognize as a file header (0x55 is push ebp and 0x89 starts a mov, the beginning of a typical x86 function prologue). Looking through each file to see if it hides an executable, we find “4D 5A” in both, showing that each contains an embedded executable. We can edit the hex to extract those embedded files and analyze them in PEStudio. My guess is that the initial code before the MZ is the code needed to allocate, load, and run the executable (just a guess).
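The hex edit described here, and the raw-size versus virtual-size check from the sections view earlier, can both be done with a small PE header walker. This is an added example, not code from the original post: it validates every “MZ” candidate in a blob by following e_lfanew to a “PE\0\0” signature, reads the section table, carves the embedded image up to the end of its last raw section, and lists sections that exist only in memory. The inner PE is constructed for the demo and is not real Dyre data.

```python
import struct

def build_fake_pe(sections):
    """Constructed 32-bit PE (not real Dyre bytes): (name, virtual_size, raw_size) per section."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x2102)  # i386, no optional header
    hdrs, raw_ptr = b"", 88 + 40 * len(sections)  # raw data starts after DOS + sig + COFF + section table
    for name, vsize, rawsize in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000, rawsize, raw_ptr, 0, 0, 0, 0, 0x40)
        raw_ptr += rawsize
    return dos + b"PE\0\0" + coff + hdrs + b"\0" * sum(s[2] for s in sections)

def parse_pe(buf, off=0):
    """Return (machine, [(name, vsize, rawsize, rawptr), ...]) for a PE at buf[off:], else None."""
    if off + 0x40 > len(buf) or buf[off:off + 2] != b"MZ":
        return None
    pe = off + struct.unpack_from("<I", buf, off + 0x3C)[0]  # e_lfanew is relative to the MZ
    if pe + 24 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    secs, cur = [], pe + 24 + opt_size  # section table follows the optional header
    for _ in range(nsec):
        if cur + 40 > len(buf):
            return None
        name, vsize, _, rawsize, rawptr = struct.unpack_from("<8sIIII", buf, cur)
        secs.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rawsize, rawptr))
        cur += 40
    return machine, secs

def memory_only_sections(secs):
    """Sections with raw size 0 but non-zero virtual size, like the .data case in the sections view."""
    return [name for name, vsize, rawsize, _ in secs if rawsize == 0 and vsize > 0]

def carve_embedded_pes(blob):
    """Every 'MZ' that leads to a valid PE header, carved up to the end of its last raw section."""
    found, pos = [], blob.find(b"MZ")
    while pos != -1:
        parsed = parse_pe(blob, pos)
        if parsed:
            machine, secs = parsed
            end = pos + max((rawptr + rawsize for _, _, rawsize, rawptr in secs), default=0)
            found.append((pos, machine, blob[pos:end] if end > pos else blob[pos:]))
        pos = blob.find(b"MZ", pos + 1)  # keep scanning: resources may hold more than one image
    return found

# Constructed resource blob: a few prologue-like bytes in front, then the hidden PE.
INNER = build_fake_pe([(b".text", 0x200, 0x200), (b".data", 56, 0), (b".rsrc", 0x100, 0x100)])
BLOB = b"\x55\x89\xe5" + b"\x90" * 13 + INNER
```

Calling `carve_embedded_pes(BLOB)` returns the inner image at offset 16 with machine 0x14C, and `memory_only_sections(parse_pe(INNER)[1])` reports `.data`.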

Back to PEStudio

Running through the same analysis we did for the initial file we find some interesting info for PAYLOAD32:

  • This is a 32-bit DLL
  • The same domain is found
  • An IP with port is found
  • 3 files located inside the current file in the .rsrc section
  • 3 Blacklisted libraries: iphlpapi.dll, ws2_32.dll, and wininet.dll
  • 59 blacklisted functions

Our resources section shows the 3 files that are currently hiding in the .rsrc section.

The strings section closely resembles the initial file, but we also find some more interesting strings:

  • 10+ URL strings starting with stun.*****.com/org/net
  • References to NAT

PAYLOAD64 closely resembles PAYLOAD32, so we’re going to assume they are identical apart from their architecture. The only other difference is that PAYLOAD64 contains PAYLOAD32 in its .rsrc section. A quick extraction of that PAYLOAD32 from PAYLOAD64 shows it is the same file, just without the extra files in its resources. For simplicity, we’re going to continue our analysis with PAYLOAD32.

ResourceHacker

Looking at the files in ResourceHacker, we see we have an RSA public key, a DEFCONFIG file and another PAYLOAD.

  • Don’t know what DEFCONFIG is for now; my guess is it’s just a config file
  • The public key is RSA
  • We perform the same hex edit on the inner PAYLOAD32 and open it in PEStudio

PEStudio

Running through the same analysis process we’ve done before, we find that there is no virtualized data in this one and no hidden files.

Two blacklisted libraries: wininet.dll and ws2_32.dll

Very interesting usage of functions with threads and hashes

Strings are consistent with last two files.

Static analysis gives us a good foundation for an initial analysis of a piece of malware. Steps skipped here include online research on VirusTotal or Google. The next steps after this would be to start some more intense static analysis with disassemblers and debuggers and eventually start some dynamic analysis.

A good resource for more info on Dyre can be found here.
