What I have learned over the years as a hobby malware analyst is that whenever you think you are the first to discover a new malware family, you can be sure at least a dozen people are already working on the threat. And I am not speaking about what you can later see in public...
The recently discovered banker named Dyre is no exception. While cleaning up my malware collection yesterday, I stumbled upon a malware threat which Anton Cherepanov and I briefly analyzed 3 months ago. After a quick search on the Internet, I realized that this sample, which was first discovered by ESET and named Win32/Battdil.A and Win64/Battdil.A, is the recently published threat named Dyre or Dyreza banker. You can read about this malware here:
http://phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/
https://www.csis.dk/en/csis/news/4262/
https://www.csis.dk/en/csis/blog/4318/
http://stopmalvertising.com/malware-reports/introduction-to-dyreza-the-banker-that-bypasses-ssl.html
http://stopmalvertising.com/malware-reports/analysis-of-dyreza-changes-network-traffic.html 
During our analysis, we found an active C&C server together with an early version of the webpanel (probably a test version). This article just gives you an overview of the webpanel in the form of various screenshots which we (fortunately) made. As the whole webpanel is made in Russian and I only know a handful of Russian words, the translation is left to the reader. You can find the downloaded HTML output (and the sample) at the end of this article.
I added the name CdIL to the caption, because the PDB string inside the payload said so:
C:\CPP_PROJECTS_GIT\CdIL\Release\iebattle.pdb 
But now, sit back, relax and enjoy the short slideshow before you start your weekend...
[Screenshots of the webpanel; only the figure captions survive extraction.]
Figure 1: Login
Figure 2: couriers.php
Figure 3: couriers.php (cont'd)
Figure 4: couriers.php (cont'd)
Figure 5: stuff.php
Figure 6: stuff.php (cont'd)
Figure 7: material.php
Figure 8: tasks.php
Figure 9: shop_orders.php
Figure 10: domains.php
Figure 11: email.php
Figure 12: rules.php
Figure 13: conditions.php
Figure 14: conditions.php (cont'd)
Figure 15: conditions.php (cont'd)
Figure 16: conditions.php (cont'd)
Figure 17: conditions.php (cont'd)
Figure 18: conditions.php (cont'd)
Figure 19: conditions.php (cont'd)
Figure 20: conditions.php (cont'd)
Figure 21: conditions.php (cont'd)
Figure 22: orders.php
PW: "infected" (without "")
That's it