Upatre - Trojan Downloader
You can get the sample from theZoo.
We can use behavior analysis from hybrid-analysis.
Seems like there is no known protection mechanism.
In the strings, there is nothing important other than this base64 encoded string:
…and the import table is not eloquent, but there is our friend
Let’s open in
sub_403760 is used to get the necessary Win API functions:
sub_403760, the malware decrypts strings and uses GetProcAddress to get the addresses of the functions:
To decrypt strings before a call, Upatre uses the following decryption routine:
sub_402F30 the malware uses this technique to get the addresses of the following Win API functions:
The decryption routine is used heavily by malware in different places to get plain text.
Upatre decodes the base64 encoded string and saves it at
004051B0 (I renamed the variable as
0040386D it creates a new thread:
Main work starts inside the thread at
00403900, where it decrypts and gets addresses for several Win API functions:
Creates itself as a new process in suspended mode and saves
There is one interesting anti-debug trick: at the start, it saves PEB and uses [PEB+2] in the XOR decryption routine. Outside of a debugger this value is 0 and adding 0 doesn't cause any error, but if we try to add 1 (which is the value of [PEB+2] if the executable is inside a debugger) it may cause an error. In this case
The reason for this error is that before calling RtlDecompressBuffer, the malware decrypts (with XOR) the decoded strings using 0x4C+[PEB+2], which is 0x4D inside a debugger instead of 0x4C; because of this, the result is corrupted output.
[eax+2] is the value of
We can use the ScyllaHide plugin for IDA to defeat this anti-debug method.
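To make the corrupted-output effect concrete, here is an added Python emulation of the unpacking path described above (base64 decode, XOR with 0x4C+[PEB+2], decompress). It is example code written for this page, not Upatre's code or the author's script: the key base 0x4C and the use of the BeingDebugged byte at [PEB+2] come from the post, while the payload bytes are constructed and zlib stands in for RtlDecompressBuffer (LZNT1), since the only property that matters here is that a wrong XOR key makes decompression fail. The last function shows the analyst-side consequence: a buffer dumped from a debugged run differs from the clean one only by 0x4C ^ 0x4D = 0x01 per byte, so it can be repaired after the fact instead of re-running under ScyllaHide.

```python
import base64
import zlib
from typing import Optional

# Key base reported in the post; the real key is KEY_BASE + [PEB+2].
KEY_BASE = 0x4C

# Constructed stand-in for the embedded next stage so the example runs offline.
STAGE_PLAINTEXT = b"constructed next-stage stub: fetch http://example.invalid/update" * 4


def build_blob(plaintext: bytes) -> str:
    """Package a stage the way the unpacker expects it: compress, XOR with the
    key a clean process derives (BeingDebugged == 0), then base64-encode."""
    compressed = zlib.compress(plaintext)          # stand-in for LZNT1 data
    encrypted = bytes(b ^ KEY_BASE for b in compressed)
    return base64.b64encode(encrypted).decode("ascii")


def derive_key(being_debugged: int) -> int:
    """0x4C + [PEB+2]: 0x4C outside a debugger, 0x4D inside one."""
    return (KEY_BASE + being_debugged) & 0xFF


def xor_decrypt(blob_b64: str, being_debugged: int) -> bytes:
    """Base64-decode the blob and XOR it with the PEB-dependent key."""
    key = derive_key(being_debugged)
    return bytes(b ^ key for b in base64.b64decode(blob_b64))


def decompress(buf: bytes) -> Optional[bytes]:
    """Stand-in for RtlDecompressBuffer: None when the input is corrupted."""
    try:
        return zlib.decompress(buf)
    except zlib.error:
        return None


def unpack(blob_b64: str, being_debugged: int) -> Optional[bytes]:
    """Full path: decode -> XOR -> decompress. Succeeds only when the
    BeingDebugged byte is 0 (natively, or hidden by a tool like ScyllaHide)."""
    return decompress(xor_decrypt(blob_b64, being_debugged))


def repair_debugger_dump(buf: bytes, being_debugged: int = 1) -> Optional[bytes]:
    """Fix a buffer dumped from a debugged run: the clean and debugged keys
    differ by KEY_BASE ^ (KEY_BASE + flag), here 0x01, so re-XOR with that."""
    fix = KEY_BASE ^ derive_key(being_debugged)
    return decompress(bytes(b ^ fix for b in buf))


if __name__ == "__main__":
    blob = build_blob(STAGE_PLAINTEXT)
    print("clean run   :", unpack(blob, 0) == STAGE_PLAINTEXT)
    print("debugged run:", unpack(blob, 1))
    print("repaired    :", repair_debugger_dump(xor_decrypt(blob, 1)) == STAGE_PLAINTEXT)
```

Under a debugger the flipped low bit breaks the compressed stream's header, which is the same failure the post attributes to RtlDecompressBuffer receiving 0x4D-keyed data.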
Decompresses the decoded and decrypted base64 string using
…and writes it into the suspended process:
After decompression it calls
NtSetContextThread, value of
Resumes thread and exits:
NtResumeProcess call attach
x32dbg to the child process and set
IDA and start analyzing the child process.
Tries to read the uttE047.tmp file from the %TEMP% directory without success:
Creates one and writes the location of the executable into it:
Copies the executable to the %TEMP% directory as
…and creates it as a new process:
This process is exactly the same as the first process: it creates a new process and injects the decoded and decompressed code.
Let's reverse the last part (the injected code) at a slightly higher level.
Now we are here: sample.exe -> sample.exe -> utilview.exe -> utilview.exe
The injected code is also the same as before: it checks for the uttE047.tmp file, but this time there is one in the %TEMP% directory and the malware goes a different direction. It reads the content of uttE047.tmp, which is the location of the executable, and removes that executable:
After this it gets the IP of the victim using
Also, there is a typo in the user-agent string:
and parses the IP from the returned file:
It tries to download http://yumproject.com/wp-content/uploads/2014/11/questd.pdf without success.
GET requests to 220.127.116.11 with client-related information; the last string derives from the victim's IP address,
B is instead of
Upatre’s main function is to download malicious files.
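As an added defender-side example, written for this page and not the author's extraction script or anything from the sample, the following Python walks a constructed process/file event log shaped after the chain described above (sample.exe -> sample.exe -> utilview.exe -> utilview.exe, the uttE047.tmp marker and the utilview.exe copy written to %TEMP%, and the removal of the original executable) and flags the three behaviours worth alerting on: a process starting its own image (the suspended self-spawn used for injection), a parent executing a file it just wrote to %TEMP%, and a descendant deleting an ancestor's image. The event format, PIDs, user name and paths are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed telemetry (not real Sysmon/EDR output): one key=value line per event,
# ordered as the post describes the chain.
CONSTRUCTED_EVENTS = [
    r"type=ProcessCreate pid=100 ppid=1   image=C:\Users\victim\Downloads\sample.exe",
    r"type=ProcessCreate pid=101 ppid=100 image=C:\Users\victim\Downloads\sample.exe",
    r"type=FileCreate    pid=101 target=C:\Users\victim\AppData\Local\Temp\uttE047.tmp",
    r"type=FileCreate    pid=101 target=C:\Users\victim\AppData\Local\Temp\utilview.exe",
    r"type=ProcessCreate pid=102 ppid=101 image=C:\Users\victim\AppData\Local\Temp\utilview.exe",
    r"type=ProcessCreate pid=103 ppid=102 image=C:\Users\victim\AppData\Local\Temp\utilview.exe",
    r"type=FileDelete    pid=103 target=C:\Users\victim\Downloads\sample.exe",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")
# Lower-cased fragment that identifies the per-user %TEMP% directory (assumption).
TEMP_MARKER = "\\appdata\\local\\temp\\"


def parse(lines):
    """Turn each key=value line into a dict; paths here contain no spaces."""
    return [dict(FIELD_RE.findall(line)) for line in lines]


def analyze(lines):
    """Return (kind, pid) findings in event order."""
    image, parent, written, findings = {}, {}, defaultdict(set), []
    for ev in parse(lines):
        kind, pid = ev["type"], ev["pid"]
        if kind == "ProcessCreate":
            img, ppid = ev["image"].lower(), ev["ppid"]
            image[pid], parent[pid] = img, ppid
            # Parent launching a copy of itself (suspended self-spawn for injection).
            if image.get(ppid) == img:
                findings.append(("self-spawn", pid))
            # Parent executing a file it dropped into %TEMP% moments earlier.
            if TEMP_MARKER in img and img in written.get(ppid, ()):
                findings.append(("temp-drop-and-run", pid))
        elif kind == "FileCreate":
            written[pid].add(ev["target"].lower())
        elif kind == "FileDelete":
            # Walk up the ancestry: does this process delete an ancestor's image?
            target, p, seen = ev["target"].lower(), parent.get(pid), set()
            while p is not None and p not in seen:
                seen.add(p)
                if image.get(p) == target:
                    findings.append(("dropper-self-delete", pid))
                    break
                p = parent.get(p)
    return findings


if __name__ == "__main__":
    for kind, pid in analyze(CONSTRUCTED_EVENTS):
        print(f"{kind:20s} pid={pid}")
```

Each rule on its own is noisy (installers also write and run files from %TEMP%); the value is in seeing all three from one process lineage, which is why the analysis keeps the parent map rather than matching single events.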
If you prefer, you can use my script to extract the payload instead of doing it manually:
I know I overlook many things related to
Upatre, due to my limited knowledge; if you find something interesting, please contact me.
I'm new to reversing malware and any kind of feedback is helpful to me.