Dyre Configuration Dumper

It’s been over a year since Dyre first appeared, and with infections rising in 2015, it doesn’t look like the attackers are stopping anytime soon. At PhishMe we’ve been hit with a number of Dyre attacks this week, so to make analysis a little easier, I tossed together a quick Python script that folks can use to dump Dyre’s configurations from memory.

To dump the memory, use Process Explorer to do a “full dump” of the process Dyre injects into (typically the top-most svchost.exe, sometimes explorer.exe), then point the script at the resulting dump file. Here’s what the output looks like:

Figure 1 — Dyre Configuration Dumper

By adding the “-c” flag to the end of the command, we can get more information about the configs the attackers have in memory. Here’s a quick snapshot:

Figure 2 — More Dyre Config Dumps

You can download the script from here. Happy config dumping!
