It’s been over a year since Dyre first appeared, and with infections rising in 2015, it doesn’t look like the attackers are stopping anytime soon. At PhishMe we’ve been hit with a number of Dyre attacks this week, so to make analysis a little easier, I tossed together a quick Python script that folks can use to dump Dyre’s configuration from memory.
To get the memory, use Process Explorer to take a “full dump” of the process Dyre has injected into (typically the top-most svchost.exe, sometimes explorer.exe), then point the script at the dump file. Here’s what the output looks like:
By adding the “-c” flag to the end of the command, we can get more information about the configs the attackers have in memory. Here’s a quick snapshot:
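The workflow above (dump the injected process, then scan the dump, with a “-c” switch for more detail) as an added Python example; this is not the PhishMe script from this post. The page does not show how that script recognises Dyre’s config, so this example assumes nothing about Dyre’s config layout and instead pulls generic network indicators (URLs and IPv4:port strings) out of both ASCII and UTF-16LE string runs in the dump; the `-c` flag here prints every hit with its offset, encoding and the full containing string. The sample dump bytes are constructed for illustration.

```python
#!/usr/bin/env python3
"""Scan a process memory dump for network indicators (URLs, IPv4[:port]).

Usage: python dump_scan.py <memory.dmp> [-c]

Hypothetical example: generic string carving, not Dyre-specific signatures.
"""
import argparse
import mmap
import re
import sys

# Printable-run extractors. Windows keeps many strings as UTF-16LE, so both
# encodings are searched; the minimum run length of 8 keeps noise down.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# Indicator patterns (assumption: generic, not the original script's logic).
# The IPv4 matcher will also fire on version strings such as 1.0.0.1.
URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]{4,}")
IPV4_RE = re.compile(
    r"(?<![\d.])(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}"
    r"(?:25[0-5]|2[0-4]\d|1?\d?\d)(?::\d{1,5})?(?![\d.])"
)

# Constructed sample "dump": padding, an ASCII URL, junk bytes, a UTF-16LE URL
# with an IP:port host, and a string too short to be carved.
SAMPLE_DUMP = (
    b"\x00" * 8
    + b"https://c2.example.invalid:4443/ping\x00"
    + b"\xff" * 5
    + "http://203.0.113.7:443/".encode("utf-16le")
    + b"\x00\x00"
    + b"short\x00"
)


def extract_strings(data):
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in WIDE_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_indicators(data, verbose=False):
    """Return indicator hits found in a dump (bytes or mmap).

    Default: sorted, de-duplicated list of (kind, value) tuples.
    verbose (-c): every hit as a dict with offset, encoding and the full
    containing string, so the surrounding config text can be read.
    """
    hits = []
    for off, enc, text in extract_strings(data):
        scale = 2 if enc == "utf-16le" else 1  # bytes per character
        for kind, rx in (("url", URL_RE), ("ipv4", IPV4_RE)):
            for m in rx.finditer(text):
                hits.append({
                    "kind": kind,
                    "value": m.group(),
                    "offset": off + scale * m.start(),
                    "encoding": enc,
                    "context": text,
                })
    if verbose:
        return hits
    return sorted({(h["kind"], h["value"]) for h in hits})


def scan_file(path, verbose=False):
    """Memory-map the dump so multi-hundred-MB files are not read into RAM."""
    with open(path, "rb") as f:
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            return find_indicators(mm, verbose)


def main(argv=None):
    ap = argparse.ArgumentParser(description="Carve network indicators from a memory dump")
    ap.add_argument("dump", help="full process dump, e.g. from Process Explorer")
    ap.add_argument("-c", action="store_true", help="show every hit with offset and context")
    args = ap.parse_args(argv)
    for hit in scan_file(args.dump, args.c):
        if args.c:
            print("0x%08x %-8s %-4s %s" % (hit["offset"], hit["encoding"], hit["kind"], hit["context"]))
        else:
            print("%-4s %s" % hit)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Without `-c` the output is a de-duplicated indicator list suitable for blocking; with `-c` each hit is shown at its byte offset together with the whole string it sits in, which is where the surrounding config text (if any) becomes readable. Expect false positives from the IPv4 pattern on version numbers and from any URL-like strings the host process legitimately holds.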
You can download the script from here. Happy config dumping!