A Technical Look At Dyreza

November 4, 2015 | BY hasherezade
 
Note that Dyreza is a complex piece of malware and different samples come with different techniques – however, the main features remain common.
 

Analyzed samples

 
Behavioral analysis
 
When Dyreza starts to infect the computer, it spreads like fire. Observing it in Process Explorer, we can see many new processes appearing and disappearing. As we can notice, it deploys explorer, svchost, taskeng, and loads some DLL via dllhost… All this is done in order to obfuscate the flow of execution, in the hope of confusing the analyst.
 
Two copies of the malicious file are dropped – in C:\Windows and %APPDATA% – under pseudo-random names matching the regex `[a-zA-Z]{15}\.exe` (15 ASCII letters followed by `.exe`), for example vfHNLkMCYaxBGFy.exe
 
Persistence is achieved by adding a new task to the Task Scheduler – it launches the malicious sample every minute, to ensure that it keeps running.
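The two behavioural indicators above (15-letter `.exe` drop names in C:\Windows / %APPDATA%, and a scheduled task re-launching such a file every minute) are easy to turn into a triage check. The script below is an added example written for this page, not code from the original article or from the author; the file list and scheduled-task records it inspects are constructed sample data, and the `ScheduledTask` record shape is an assumption standing in for whatever your task export (e.g. `schtasks /query /v /fo csv`) actually produces. A 15-letter name alone is a weak signal, so the task check requires both the naming pattern and the one-minute repeat before it reports a hit.

```python
import ntpath
import os
import re
from dataclasses import dataclass
from typing import Iterable, List

# Drop-name pattern described in the post: exactly 15 ASCII letters + ".exe".
# The dot is escaped so "vfHNLkMCYaxBGFy.exe.txt" or "...BGFyXexe" do not match.
DROP_NAME_RE = re.compile(r"^[a-zA-Z]{15}\.exe$")


def is_dyreza_style_name(path: str) -> bool:
    """True if the file name part of `path` matches the 15-letter .exe pattern.

    ntpath.basename splits on both '\\' and '/', so Windows paths are handled
    correctly even when this runs on a non-Windows analysis box.
    """
    name = ntpath.basename(path.strip().strip('"'))
    return DROP_NAME_RE.match(name) is not None


def find_suspicious_files(paths: Iterable[str]) -> List[str]:
    """Filter a list of full paths (e.g. from a directory listing) by the drop-name pattern."""
    return [p for p in paths if is_dyreza_style_name(p)]


def scan_directory(directory: str) -> List[str]:
    """List top-level files in a real directory that match the pattern; [] if unreadable."""
    try:
        entries = os.listdir(directory)
    except OSError:
        return []
    return [os.path.join(directory, e) for e in entries if is_dyreza_style_name(e)]


@dataclass
class ScheduledTask:
    """Hypothetical flattened view of one scheduled task (assumed shape, not a real API)."""
    name: str
    command: str            # the "Task To Run" value
    repeat_every_min: int   # repetition interval in minutes; 0 = runs once / no repetition


def find_suspicious_tasks(tasks: Iterable[ScheduledTask]) -> List[ScheduledTask]:
    """Report tasks that re-run a Dyreza-style drop name at a one-minute interval.

    Both conditions are required: the per-minute repeat described in the post
    plus the drop-name pattern, which keeps ordinary updaters out of the result.
    """
    return [
        t for t in tasks
        if t.repeat_every_min == 1 and is_dyreza_style_name(t.command)
    ]


# Constructed sample data (not real artefacts from the page).
SAMPLE_FILES = [
    r"C:\Windows\vfHNLkMCYaxBGFy.exe",                      # matches (from the post)
    r"C:\Windows\explorer.exe",                             # legitimate, too short
    r"C:\Users\user\AppData\Roaming\QwErTyUiOpAsDfG.exe",   # matches (15 letters)
    r"C:\Users\user\AppData\Roaming\abc.exe",               # too short
    r"C:\Windows\vfHNLkMCYaxBGFy.exe.txt",                  # wrong extension
    r"C:\Windows\vfHNLkMCYaxBGF1.exe",                      # digit, not a letter
]

SAMPLE_TASKS = [
    ScheduledTask("GoogleUpdateTaskMachine", r"C:\Program Files\Google\Update\GoogleUpdate.exe", 60),
    ScheduledTask("WXpQmLkJhGfDsAzE", r'"C:\Windows\vfHNLkMCYaxBGFy.exe"', 1),   # the persistence task
    ScheduledTask("NightlyBackup", r"C:\Tools\backup.exe", 0),
]


if __name__ == "__main__":
    print("Suspicious files:", find_suspicious_files(SAMPLE_FILES))
    print("Suspicious tasks:", [t.name for t in find_suspicious_tasks(SAMPLE_TASKS)])
    # On a live Windows host, the same check against the real drop directories:
    for d in (os.environ.get("SystemRoot", r"C:\Windows"), os.environ.get("APPDATA", "")):
        if d:
            print(d, "->", scan_directory(d))
```

The directory scan only looks at the top level of each drop directory, which is where the post places the copies; `scan_directory` returns an empty list rather than raising when a directory is missing or unreadable, so the script can be pointed at a mounted disk image as well as a live host.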
 
Full Article
 
 
