Skip to content

S0024 Dyre

Dyre is a banking Trojan that has been used for financial gain. 12

Item Value
ID S0024
Associated Names Dyzap, Dyreza
Type MALWARE
Version 1.2
Created 31 May 2017
Last Modified 22 June 2020
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Dyzap 3
Dyreza 3

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Dyre uses HTTPS for C2 communications.12
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Dyre registers itself as a service by adding several Registry keys.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Dyre has the ability to create files in a TEMP folder to act as a database to store information.2
enterprise T1140 Deobfuscate/Decode Files or Information Dyre decrypts resources needed for targeting the victim.12
enterprise T1041 Exfiltration Over C2 Channel Dyre has the ability to send information staged on a compromised host externally to C2.2
enterprise T1105 Ingress Tool Transfer Dyre has a command to download and executes additional files.1
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.002 Software Packing Dyre has been delivered with encrypted resources and must be unpacked for execution.2
enterprise T1055 Process Injection Dyre has the ability to directly inject its code into the web browser process.2
enterprise T1055.001 Dynamic-link Library Injection Dyre injects into other processes to load modules.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Dyre has the ability to achieve persistence by adding a new task in the task scheduler to run every minute.2
enterprise T1518 Software Discovery Dyre has the ability to identify installed programs on a compromised host.2
enterprise T1082 System Information Discovery Dyre has the ability to identify the computer name, OS version, and hardware configuration on a compromised host.2
enterprise T1016 System Network Configuration Discovery Dyre has the ability to identify network settings on a compromised host.2
enterprise T1033 System Owner/User Discovery Dyre has the ability to identify the users on a compromised host.2
enterprise T1007 System Service Discovery Dyre has the ability to identify running services on a compromised host.2
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks Dyre can detect sandbox analysis environments by inspecting the process list and Registry.12

Groups That Use This Software

ID Name References
G0102 Wizard Spider 456

References