Note that Dyreza is a complex piece of malware and different samples come with different techniques; however, the main features remain common.
Analyzed samples
- ff3d706015b7b142ee0a8f0ad7ea2911 – Dyreza executable: a persistent botnet agent, carrying the DLLs with the core malicious activities
- 5a0e393031eb2accc914c1c832993d0b – Dyreza DLL (32bit)
- 91b62d1380b73baea53a50d02c88a5c6 – Dyreza DLL (64 bit)
When Dyreza starts to infect the computer, it spreads like fire. Observing it in Process Explorer, we can see many new processes appearing and disappearing: it deploys explorer, svchost and taskeng, and loads a DLL via dllhost. All of this is done to obfuscate the flow of execution, in the hope of confusing the analyst.
Two copies of the malicious file are dropped – in C:\Windows and %APPDATA% – under pseudo-random names matching the regex [a-zA-Z]{15}.exe, e.g. vfHNLkMCYaxBGFy.exe
Persistence is achieved by adding a new task to the Task Scheduler that launches the malicious sample every minute, to ensure that it keeps running.
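The two indicators above (a 15-letter .exe dropped in C:\Windows or %APPDATA%, and a scheduled task that relaunches it every minute) are easy to turn into a triage check. The following Python is an added example written for this article, not code from the original post or from the malware; it runs the check over a constructed file listing and a constructed task list rather than a live system. The Roaming path used for %APPDATA%, the user name, the task names other than the sample file name, and the ScheduledTask record shape are assumptions.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Name pattern from the analysis: exactly 15 ASCII letters followed by ".exe".
DROPPED_NAME_RE = re.compile(r"^[a-zA-Z]{15}\.exe$")

# Drop directories from the analysis. %APPDATA% must be expanded per user;
# the Roaming path for user "alice" below is constructed, not from the page.
APPDATA = r"C:\Users\alice\AppData\Roaming"
DROP_DIRS = (r"C:\Windows", APPDATA)


@dataclass
class ScheduledTask:
    """Minimal view of a scheduled task (assumed shape, not the real schtasks output)."""
    name: str
    action: str          # executable the task runs
    repeat_minutes: int  # repetition interval in minutes; 0 means no repetition


def is_dropped_name(path: str) -> bool:
    """True if the file name (not the directory) matches the Dyreza naming pattern."""
    return DROPPED_NAME_RE.match(ntpath.basename(path)) is not None


def in_drop_dir(path: str, drop_dirs: Iterable[str]) -> bool:
    """True if the file sits directly in one of the known drop directories (case-insensitive)."""
    parent = ntpath.normcase(ntpath.dirname(path)).rstrip("\\")
    return any(parent == ntpath.normcase(d).rstrip("\\") for d in drop_dirs)


def find_suspicious(files: Iterable[str], tasks: Iterable[ScheduledTask],
                    drop_dirs: Iterable[str] = DROP_DIRS) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs for files and tasks matching the described behaviour."""
    hits: List[Tuple[str, str]] = []
    for f in files:
        # Name shape alone is weak evidence; require the known drop location as well.
        if is_dropped_name(f) and in_drop_dir(f, drop_dirs):
            hits.append(("dropped-file", f))
    for t in tasks:
        # A one-minute repetition pointing at a 15-letter .exe is the persistence mechanism.
        if t.repeat_minutes == 1 and is_dropped_name(t.action):
            hits.append(("minute-task", f"{t.name} -> {t.action}"))
    return hits


# Constructed sample data standing in for a directory listing and a task dump.
SAMPLE_FILES = [
    r"C:\Windows\explorer.exe",                               # legitimate, 8 letters
    r"C:\Windows\vfHNLkMCYaxBGFy.exe",                        # sample name quoted in the analysis
    r"C:\Users\alice\AppData\Roaming\qWeRtYuIoPaSdFg.exe",   # constructed, matches pattern
    r"C:\Users\alice\AppData\Roaming\Mozilla\plugin.exe",    # wrong shape and subdirectory
    r"C:\Temp\AbCdEfGhIjKlMnO.exe",                           # right shape, not a drop directory
]
SAMPLE_TASKS = [
    ScheduledTask("VendorUpdater", r"C:\Program Files\Vendor\update.exe", 60),  # constructed, benign
    ScheduledTask("vfHNLkMCYaxBGFy", r"C:\Windows\vfHNLkMCYaxBGFy.exe", 1),     # task name assumed
]

if __name__ == "__main__":
    for indicator, detail in find_suspicious(SAMPLE_FILES, SAMPLE_TASKS):
        print(f"{indicator:13s} {detail}")
```

On a real host the file list would come from enumerating the two drop directories and the task list from the Task Scheduler; the name pattern alone produces false positives, so the location and the one-minute trigger are what make the match worth escalating.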