VMRay vs. Dyre Malware – Evasion Failed

May 13th 2015

Dyre is an advanced banking trojan family that uses phishing to hijack bank accounts from infected machines. According to estimates by researchers, the authors behind it have already stolen over a million USD using this malware. It has been around for more than a year and is steadily updated to incorporate new tricks – mostly to evade anti-virus detection and malware analyzers.
It is known to employ several interesting anti-sandboxing techniques and recently adopted a new method to detect such environments: it checks the number of CPU cores present on the system it is running on. Real-world machines almost always have more than one core, whereas malware analyzers typically provide only one core for performance and complexity reasons, so a single-core system is treated as a sign of a sandbox.
The following shows an analysis by VMRay in which you can see how our analyzer is resilient to Dyre's anti-sandboxing tricks and is able to reveal Dyre's malicious behavior in great detail.
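From the analyst's side, a core-count probe that is followed almost immediately by process termination is itself a useful signal: a sample that asks the OS about the hardware and then exits without doing anything else has most likely decided it is being watched. The script below is an added example written for this post, not VMRay's detection logic or any Dyre code. It runs a simple heuristic over constructed sandbox API traces (the `pid=… api=… args=…` line format, the lists of probe, exit and idle APIs, and the `max_gap` window are all assumptions of this example) and flags processes that probe the environment and then bail out.

```python
import re
from collections import defaultdict

# Constructed sandbox API traces for this example; they are not real Dyre
# output and not data from the linked VMRay report.
# Line format (assumed): pid=<n> api=<name> [args=<text>]
TRACE_EARLY_EXIT = """\
pid=2000 api=GetSystemInfo
pid=2000 api=Sleep args=1000
pid=2000 api=ExitProcess args=0
"""

TRACE_NORMAL = """\
pid=2001 api=GetSystemInfo
pid=2001 api=CreateFileW args=C:\\Users\\user\\AppData\\Roaming\\svc.exe
pid=2001 api=InternetConnectA args=203.0.113.7:443
pid=2001 api=CreateThread
"""

# Win32/NT APIs through which a process can learn the processor count
# (assumed list for this heuristic).
PROBE_APIS = {"GetSystemInfo", "GetNativeSystemInfo",
              "NtQuerySystemInformation", "GetLogicalProcessorInformation"}
# Calls that end the process.
EXIT_APIS = {"ExitProcess", "TerminateProcess", "NtTerminateProcess"}
# Calls that do not count as real activity between a probe and an exit.
IDLE_APIS = {"Sleep", "NtDelayExecution", "GetTickCount"}

LINE_RE = re.compile(r"^pid=(\d+)\s+api=(\w+)(?:\s+args=(.*))?$")


def parse_trace(text):
    """Parse trace lines into {pid: [(api, args), ...]}, preserving call order."""
    per_pid = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable trace line: {line!r}")
        pid, api, args = m.groups()
        per_pid[int(pid)].append((api, args or ""))
    return dict(per_pid)


def probe_then_exit(calls, max_gap=3):
    """Return True if the process queries the environment and terminates
    within max_gap subsequent calls with nothing but idle calls in between."""
    for i, (api, _) in enumerate(calls):
        if api not in PROBE_APIS:
            continue
        for api2, _ in calls[i + 1:i + 1 + max_gap]:
            if api2 in EXIT_APIS:
                return True
            if api2 not in IDLE_APIS:
                break  # real activity followed the probe; not an early bail-out
    return False


def flag_evasive_processes(text, max_gap=3):
    """Return the sorted PIDs in a trace that match the probe-then-exit pattern."""
    return sorted(pid for pid, calls in parse_trace(text).items()
                  if probe_then_exit(calls, max_gap))


if __name__ == "__main__":
    for name, trace in (("early-exit", TRACE_EARLY_EXIT), ("normal", TRACE_NORMAL)):
        print(f"{name}: flagged PIDs = {flag_evasive_processes(trace)}")
```

The heuristic deliberately tolerates sleeps between the probe and the exit, because delaying before quitting is common in evasive samples; any file, network or thread activity after the probe clears the process. A flag here is a reason to re-run the sample in a VM that exposes more than one core, not a verdict on its own.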

Please note that for security reasons the linked example report lacks a lot of interactivity and functionality.