Friday, July 18, 2014

Dyre banker aka Win32/Win64 Battdil - Inside a related web panel

What I have learned over the years as a hobby malware analyst is whenever you think you are the first who discovered a new malware family, you can be sure at least a dozen people are already working on the threat. And I am not speaking about what you can later see in public...

As in the case of the recently discovered banker named Dyre this is no exception. While cleaning up my malware collection yesterday, I stumbled upon a malware threat which Anton Cherepanov and I briefly analyzed 3 months ago. After a quick search on the Internet, I realized that this sample which was first discovered by ESET and named Win32/Battdil.A respectively Win64/Battdil.A is the recently publicated threat named Dyre or Dyreza banker. You can read about this malware here:

During our analysis, we found an active C&C server together with an early version of the webpanel (probably a test version). This article just gives you an overview of the webpanel in the form of various screenshots which we (fortunately) made. As the whole webpanel is made in Russian and I only know a handful of Russian words, the translation is left to the reader. You can find the downloaded HTML output (and the sample) at the end of this article.

I added the name CdIL to the caption, because the PDB string inside the payload said so:

But now, sit back, relax and enjoy the short slideshow before you start your weekend...

Figure 1: Login
Figure 2: couriers.php

Figure 3: couriers.php (cont'd)
Figure 4: couriers.php (cont'd)
Figure 5: stuff.php
Figure 6: stuff.php (cont'd)
Figure 7: material.php
Figure 8: tasks.php
Figure 9: shop_orders.php
Figure 10: domains.php
Figure 11: email.php
Figure 12: rules.php
Figure 13: conditions.php
Figure 14: conditions.php (cont'd)
Figure 15: conditions.php (cont'd)
Figure 16: conditions.php (cont'd)
Figure 17: conditions.php (cont'd)
Figure 18: conditions.php (cont'd)
Figure 19: conditions.php (cont'd)
Figure 20: conditions.php (cont'd)
Figure 21: conditions.php (cont'd)
Figure 22: orders.php

PW: "infected" (without "")

That's it

0 Kommentare:

Post a Comment