
Dissecting the Dyre Loader » Mutex Generation
by Jason Reaves on December 31, 2015

After starting from either %APPDATA%\local or C:\Windows, the loader goes through the same checks and then checks whether "temp" is in its path. If not, it starts building its mutex value. The mutex is based on the following information:

1. GetComputerNameW
2. RtlGetVersion - Build Number

It passes the computer name, 0x31 and the machine's build number to a wsprintfW call, producing the following unicode string: <computername>49<buildnumber>.

A SHA1 hash is then performed on the unicode string but it only takes the first 16 bytes of the output and then passes it to wsprintfW with the format string "%08x%08x%08x%08x". This string is appended to Global\ and checked using OpenMutexW.
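The derivation above, reproduced as an added example (not code from the original post) so a defender can compute the mutex name to expect on a given host and check for it. It assumes the SHA1 input is the UTF-16LE string without its terminating NUL and that the four %08x values are the 16 hash bytes read as little-endian DWORDs; neither detail is stated in the post.

```python
import hashlib
import struct

GLOBAL_PREFIX = "Global\\"


def mutex_seed_string(computer_name: str, build_number: int) -> str:
    """Rebuild the wsprintfW output: <computername>49<buildnumber>.

    0x31 is printed as decimal 49 between the two values.
    """
    return f"{computer_name}49{build_number}"


def dyre_mutex_name(computer_name: str, build_number: int) -> str:
    """Return the Global\\ mutex name the loader would check with OpenMutexW."""
    seed = mutex_seed_string(computer_name, build_number)
    # Assumption: hashed as the raw UTF-16LE wide string, no NUL terminator.
    digest = hashlib.sha1(seed.encode("utf-16-le")).digest()
    # Only the first 16 bytes of the 20-byte SHA1 output are used.
    first16 = digest[:16]
    # Assumption: "%08x%08x%08x%08x" is fed four little-endian DWORDs.
    words = struct.unpack("<4I", first16)
    return GLOBAL_PREFIX + "".join(f"{w:08x}" for w in words)


if __name__ == "__main__":
    # Constructed sample host values, not taken from any real infection.
    print(dyre_mutex_name("WORKSTATION-01", 7601))
```

On a live host the same inputs come from GetComputerNameW and RtlGetVersion, so the computed name can be compared against the mutexes present in the system to spot an existing infection.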
