TSPY_DYRE.YYYW

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain websites to send and receive information. It deletes itself after execution.

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following copies of itself into the affected system and executes them:

• %Windows%\{random filename}.exe (for Windows XP and lower)
• %AppDataLocal%\{random filename}.exe (for Windows Vista and higher)

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.. %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following files:

• %System%\config\systemprofile\Application Data\f5e83w4ef.dat (for Windows XP and lower)
• %AppDataLocal%\f5e83w4ef.dat (Windows Vista and higher)

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\zx5fwtw4ep

It injects codes into the following process(es):

• svchost.exe
• explorer.exe

Autostart Technique

This spyware registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\googleupdate
ImagePath = "%Windows%\{random filename.exe}" (for Windows XP and lower)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\googleupdate
Display = "Google Update Service" (for Windows XP and lower)

It adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
GoogleUpdate = "%AppDataLocal%\{random filename}.exe" (for Windows Vista and higher)

It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\googleupdate (for Windows XP and lower)

Information Theft

This spyware s configuration file contains the following information:

• List of strings related to banking/bitcoin (if connections to C&C servers are successful)
• Proxy address for Man-in-the-middle attack (if connections to C&C servers are successful)

It gathers the following data:

• Computer Name
• Host Name
• Public IP Address
• OS Version
• User Name
• OS platform
• Installed programs

Other Details

This spyware connects to the following URL(s) to check for an Internet connection:

• google.com
• microsoft.com

It connects to the following URL(s) to get the affected system's IP address:

• http://icanhazip.com

It connects to the following website to send and receive information:

• {BLOCKED}.{BLOCKED}.50.42:443
• {BLOCKED}.{BLOCKED}.223.61:443
• {BLOCKED}.{BLOCKED}.0.247:4443
• {BLOCKED}.{BLOCKED}.20.157:4443
• {BLOCKED}.{BLOCKED}.14.145:443
• {BLOCKED}.{BLOCKED}.123.76:443
• {BLOCKED}.{BLOCKED}.99.67:443
• {BLOCKED}.{BLOCKED}.69.150:443
• {BLOCKED}.{BLOCKED}.3.4:443
• {BLOCKED}.{BLOCKED}.19.156:443
• {BLOCKED}.{BLOCKED}.99.70:443
• {BLOCKED}.{BLOCKED}.74.36:4443
• {BLOCKED}.{BLOCKED}.20.157:4443
• {BLOCKED}.{BLOCKED}.62.169:443
• {BLOCKED}.{BLOCKED}.89.29:443
• {BLOCKED}.{BLOCKED}.109.60:443
• {BLOCKED}.{BLOCKED}.132.136:443
• {BLOCKED}.{BLOCKED}.253.52:443
• {BLOCKED}.{BLOCKED}.190.26:443
• {BLOCKED}.{BLOCKED}.190.178:443
• {BLOCKED}.{BLOCKED}.190.167:443
• {BLOCKED}.{BLOCKED}.0.247:4443
• {BLOCKED}.{BLOCKED}.253.52:4443
• {BLOCKED}.{BLOCKED}.213.146:443
• {BLOCKED}.{BLOCKED}.213.146:4443
• {BLOCKED}.{BLOCKED}.223.61:443
• {BLOCKED}.{BLOCKED}.223.61:4443
• {BLOCKED}.{BLOCKED}.204.113:443
• {BLOCKED}.{BLOCKED}.197.178:443
• {BLOCKED}.{BLOCKED}.232.226:4443
• {BLOCKED}.{BLOCKED}.191.200:443
• {BLOCKED}.{BLOCKED}.216.100:4443
• {BLOCKED}.{BLOCKED}.237.139:443
• {BLOCKED}.{BLOCKED}.189.92:443
• {BLOCKED}.{BLOCKED}.171.213:443
• {BLOCKED}.{BLOCKED}.40.17:443
• {BLOCKED}.{BLOCKED}.191.217:443
• {BLOCKED}.{BLOCKED}.191.218:443
• {BLOCKED}.{BLOCKED}.175.236:443
• {BLOCKED}.{BLOCKED}.139.97:443
• {BLOCKED}.{BLOCKED}.142.226:4443
• {BLOCKED}.{BLOCKED}.125.167:443
• {BLOCKED}.{BLOCKED}.49.21:443
• {BLOCKED}.{BLOCKED}.142.18:443
• {BLOCKED}.{BLOCKED}.119.17:443
• {BLOCKED}.{BLOCKED}.48.199:443
• {BLOCKED}.{BLOCKED}.48.114:443
• {BLOCKED}.{BLOCKED}.49.152:443

It does the following:

• Monitors the following browsers: chrome.exe, firefox.exe, iexplore.exe
• Connects to the following STUN (Session Traversal Utilities for NAT) server in order to determine the public IP address of the compromised computer: stun1.voiceeclipse.net, stun.callwithus.com, stun.sipgate.net, stun.ekiga.net, stun.ideasip.com, stun.internetcalls.com, stun.noc.ams-ix.net, stun.phonepower.com, stun.voip.aebc.com, stun.voipbuster.com, stun.voxgratia.org, stun.ipshka.com, stun.faktortel.com.au, stun.iptel.org, stun.voipstunt.com, stunserver.org, 203.183.172.196:3478, s1.taraba.net, s2.taraba.net, stun.l.google.com:19302, stun1.l.google.com:19302, stun2.l.google.com:19302, stun3.l.google.com:19302, stun4.l.google.com:19302, stun.schlund.de, stun.rixtelecom.se, stun.voiparound.com, numb.viagenie.ca, stun.stunprotocol.org, stun.2talk.co.nz
• Receive configuration(web injects)
• Receive New connections
• Download Module(VNC,TV)
• Browser Snapshot
• Shutdown/restart system

It deletes itself after execution.

NOTES:
It can send and receive information on the following I2P network for secure connection:

• {BLOCKED}cr5xvl5jlrhyxjktcdi2d7k5cqeulu4mdl75xxfwmhgnsq.b32.i2p:443

It sends the following GET request:

• /1102us1/{Computer name}_{OS platform}.{variable}/{number}/{variable request type}/{BLOCKED}.{BLOCKED}.43.38/

If the hardcoded C&C is inaccessible, it may connect to the following DGA URLs to send and receive information:

• {pseudo random alphanumeric characters}.so
• {pseudo random alphanumeric characters}.tk
• {pseudo random alphanumeric characters}.cn
• {pseudo random alphanumeric characters}.hk
• {pseudo random alphanumeric characters}.in
• {pseudo random alphanumeric characters}.to
• {pseudo random alphanumeric characters}.ws
• {pseudo random alphanumeric characters}.cc