Dissecting the Dyre Loader » File Name Generation
by Jason Reaves on December 31, 2015

Next the loader compares its own privilege level with that of the first svchost it finds in the process list; the check is performed by comparing the SIDs from the two processes' respective TOKEN_USER structures (in effect, whether the loader runs under the same user account as that svchost). If the comparison succeeds, the loader checks whether it is running from C:\windows; if it fails, the loader checks whether it is running from %APPDATA%\local. In either case a random 15-character filename is generated using a custom pseudo-random function based on the Microsoft variation of the LCG algorithm (Figure ??).


import binascii

# String obfuscation used by the loader: a repeating 8-byte XOR key.
key = bytearray(binascii.a2b_hex('1622f36a8541ca84'))
encoded = bytearray(binascii.a2b_hex('7d478104e02df9b638469f06'))

def decrypt_string(data, key):
    # XOR each byte with the key byte at the same position modulo the key length.
    # A byte that already equals its key byte is skipped; XORing it would yield
    # 0x00 and cut the decoded C string short.
    for i in range(len(data)):
        if data[i] != key[i % len(key)]:
            data[i] ^= key[i % len(key)]
    return bytes(data)

print(decrypt_string(encoded, key).decode('ascii'))
#>>> kernel32.dll


Breaking this routine down we can see that ultimately it is just generating a random number between 0 and 24; depending on whether the outcome of the first loop is even or odd, that number is used as an index into either the lowercase or the uppercase alphabet of the ASCII character set. A proof of concept of this in Python can be seen in Figure ??.
After copying itself, the loader then executes the copy from the new location, passing its original location as the parameter.
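As an added illustration of the scheme described above (example code written for this page, not the loader's routine and not the author's proof of concept), the following Python pairs a Microsoft CRT style LCG with the case selection and 0..24 index just described, and adds a small matcher for hunting the resulting 15-letter filenames in the two drop directories. The multiplier 214013 and increment 2531011 are the well-known Microsoft CRT rand() constants and stand in for the loader's own variant, which is not reproduced here; the reading that one draw's parity picks the case and a second draw picks the index, and that even means lowercase, is an assumption. The sample paths in the matcher are constructed for the example.

```python
import re
import ntpath

# Microsoft CRT rand() constants (well known); used here as a stand-in for the
# loader's "Microsoft variation" of the LCG, whose exact constants are an
# assumption in this example.
MS_LCG_MUL = 214013
MS_LCG_INC = 2531011

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()


class MsLcg:
    """32-bit LCG in the style of the Microsoft CRT, returning 15-bit outputs."""

    def __init__(self, seed):
        self.state = seed & 0xFFFFFFFF

    def next(self):
        self.state = (self.state * MS_LCG_MUL + MS_LCG_INC) & 0xFFFFFFFF
        return (self.state >> 16) & 0x7FFF


def generate_name(seed, length=15):
    """Build a filename of `length` letters from a seeded LCG.

    Per character: the parity of one draw selects the alphabet (assumed
    mapping: even -> lowercase, odd -> uppercase) and a second draw reduced
    modulo 25 gives an index in [0, 24] into that alphabet.
    """
    rng = MsLcg(seed)
    out = []
    for _ in range(length):
        alphabet = LOWER if rng.next() % 2 == 0 else UPPER
        out.append(alphabet[rng.next() % 25])
    return "".join(out)


# Hunting side: a basename of exactly 15 letters (no digits, no extension)
# sitting directly in C:\Windows or in a directory named "local" (the text's
# %APPDATA%\local) is the shape this routine produces. The directory test is a
# plain case-insensitive string check, which is an assumption of this example.
NAME_RE = re.compile(r"^[A-Za-z]{15}$")


def looks_like_dyre_drop(path):
    directory, name = ntpath.split(path)
    if not NAME_RE.match(name):
        return False
    d = directory.lower().rstrip("\\")
    return d == r"c:\windows" or ntpath.basename(d) == "local"


if __name__ == "__main__":
    for seed in (0, 1, 0x1337):
        print(seed, generate_name(seed))
    # Constructed sample paths, not observations from a real infection.
    for p in (r"C:\Windows\AbCdEfGhIjKlMnO",
              r"C:\Windows\explorer.exe",
              r"C:\Users\bob\AppData\Roaming\local\qwertyuiopasdfg",
              r"C:\Users\bob\Desktop\qwertyuiopasdfg"):
        print(looks_like_dyre_drop(p), p)
```

Because the generator is a plain LCG, the only entropy is the seed; two loaders seeded identically (for example from the same tick count or PID) produce the same filename, which is what makes the 15-letter, all-alphabetic pattern in those two directories a reasonable hunting indicator even without the exact constants.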
