There are a couple of scripts and programs available on the Internet to extract the configuration of the Dyre banking malware from a memory dump. What I’m showing here is a method using a generic regular expression tool I developed (re-search).
Here is the Dyre configuration extracted from the strings found inside the memory dump:
I want to produce a list of the domains found as first item in an <litem> element. re-search is a bit like grep -o, it doesn’t select lines but it selects matches of the provided regular expression. Here I’m looking for tag <litem>:
By default, re-search will process text files line-by-line, like grep. But since the process memory dump is not a text file but a binary file, it’s best not to try to process it line-by-line, but process it in one go. This is done with option -f (fullread).
Next I’m extending my regular expression to include the newline characters following <litem>:
And now I extend it with the domain (remark that the Dyre configuration supports asterisks (*) in the domain names):
If you include a group () in your regular expression, re-search will only output the matched group, and not the complete regex match. So by surrounding the regex for the domain with parentheses, I extract the domains:
This gives me 1632 domains, but many domains appear more than once in the list. I use option -u (unique) to produce a list of unique domain names (683 domains):
Producing a sorted list of domain names is not simple when they have subdomains:
That’s why I have a tool to sort domains by tld first, then domain, then subdomain, …