Python script dumps Dyre malware configurations


It's been a year now since the Dyre malware family was first profiled, and there is no sign of infection rates slowing down. In fact, reports would seem to suggest just the opposite, with infections up from 4,000 at the end of last year to 9,000 at the start of this one. The lion's share is split pretty evenly between European and North American users.

So I was interested to spot this Tweet from Ronnie T (@iHeartMalware), who is actually Ronnie Tokazowski, a senior researcher at PhishMe, which declares: "I'm tired of dumping #Dyre configurations by hand. So I wrote a python script to do it. Enjoy folks!"


Ronnie explains "It’s been over a year since Dyre first appeared, and with a rise of infections in 2015, it doesn’t look like the attackers are stopping anytime soon. At PhishMe we’ve been hit with a number of Dyre attacks this week, so to make analysis a little easier, I tossed together a quick python script that folks can use for dumping the configurations for Dyre. To dump the memory, you can use Process Explorer to do a “full dump” on the process they inject into. (Typically the top-most svchost.exe, sometimes explorer.exe)."

Here's the script for all you Python fans to have a look at.


About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best selling computer magazines in the UK) for most of them. As well as currently contributing to The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three times winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the ‘Enigma Award’ for a ‘lifetime contribution to information security journalism’ in 2011 despite my life being far from over...

Slavi 94 Master Poster Featured Poster

Would be sweet if there was a volatility#2 that contains scripts per malware family.

Gribouillis 1,391 Programming Explorer Team Colleague

Interesting. It can be improved by using the standard modules argparse for command line parsing and subprocess to get output and error from called commands.

RonnieT 0 Newbie Poster

Hello Davey,

Thanks for picking up the article, and I really appreciate it being hosted! Hopefully I can answer a few of the questions as they come in.


On the side of Volatility, I do know that there is a plugin for Volatility which can be found here:

I wanted to go this route as ProcExp is one of the things I typically use, and while Volatility is awesome, it takes a good bit of time to get the dump and process it. However I could see this working very well with a Cuckoo box that's automating Volatility!


I agree 100% on using argparse and subprocess, and these are two I normally use. I just wanted to get something quick and dirty out there for folks, so hopefully you forgive me on the hack job! (And lack of PEP8 and poor use of os.system()) ;)
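As an added illustration of the argparse/subprocess point raised in the comments above, here is a skeleton for pulling printable strings out of a full process dump. This is example code written for this page, not Ronnie's script (which is not reproduced here) and not a PhishMe tool. Dyre's actual configuration layout is not described on this page, so the default `--pattern` filter is a hypothetical placeholder rather than a real Dyre signature, and `SAMPLE_DUMP` is a constructed byte string standing in for a Process Explorer dump file.

```python
#!/usr/bin/env python3
"""Skeleton for extracting printable strings from a process memory dump.

Added example, not the script from the article. It shows the structure the
comments suggest: argparse for the command line and subprocess (instead of
os.system) so output and errors from any helper tool are captured.
"""
import argparse
import re
import subprocess
import sys

# Constructed sample "dump": printable runs separated by non-printable bytes.
# A real input would be the full dump of the injected process (e.g. svchost.exe).
SAMPLE_DUMP = (
    b"\x00\x01\x02" + b"<config>" + b"\xff\x00" * 3
    + b"https://example.invalid/path" + b"\x00" * 4
    + b"ab" + b"\x90" * 8 + b"</config>" + b"\x00"
)


def extract_strings(data, min_len=4):
    """Return runs of at least min_len printable ASCII bytes, in file order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def filter_strings(strings, pattern):
    """Keep only strings matching regex `pattern` (placeholder, not a Dyre signature)."""
    rx = re.compile(pattern)
    return [s for s in strings if rx.search(s)]


def run_tool(cmd):
    """Run an external command and return (returncode, stdout, stderr).

    This is the subprocess replacement for os.system(): the caller gets the
    exit status and both output streams back instead of seeing them on the
    console only.
    """
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr


def run_python_snippet(code):
    """Demonstrate run_tool() offline by running a Python one-liner."""
    return run_tool([sys.executable, "-c", code])


def build_parser():
    p = argparse.ArgumentParser(
        description="Extract printable strings from a full process dump")
    p.add_argument("dump", help="path to a full process dump file")
    p.add_argument("-n", "--min-len", type=int, default=6,
                   help="minimum string length to report")
    p.add_argument("-p", "--pattern", default=r"^https?://",
                   help="regex filter for reported strings (placeholder default)")
    return p


def scan_file(path, min_len, pattern):
    """Read a dump from disk and return the filtered strings."""
    with open(path, "rb") as fh:
        data = fh.read()
    return filter_strings(extract_strings(data, min_len), pattern)


def main(argv=None):
    args = build_parser().parse_args(argv)
    for s in scan_file(args.dump, args.min_len, args.pattern):
        print(s)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Usage is `python3 dump_strings.py process.dmp -n 6 -p '^https?://'`; the string extraction is deliberately separated from the file and command-line handling so the same functions can be called from a Volatility or Cuckoo-driven workflow.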


Tcll 66 Posting Whiz in Training Featured Poster

this is why I moved off windows...

hearing about stuff like this P's me off knowing how easy it is to steal private data, and how far idiots will go to do it mainly just to get a quick buck.

is it possible to detect these attacks and redirect them back on the attacker??
(the bugs-bunny trick where he bends the shotgun around) :P

@Ronnie: I'm talking about the Dyre devs jsyk, not you, please don't take it as such ;)
