
Upatre - Trojan Downloader


You can get the sample from theZoo.

SHA-256: 1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7

We can use the behavior analysis report from hybrid-analysis.

image

It seems there is no known protection mechanism.

In the strings, there is nothing important other than this base64-encoded string:

image

…and the import table is not very telling, but there is our friend GetProcAddress:

image

Let’s open it in IDA:

sub_403760 is used to resolve the necessary Win API functions:

image

Inside sub_403760, the malware decrypts strings and uses GetProcAddress to get the addresses of functions:

image

To decrypt the strings before calling GetProcAddress, Upatre uses the following decryption routine:

image

Inside sub_402F30, the malware uses this technique to get the addresses of the following Win API functions:

NtAllocateVirtualMemory, NtUnmapViewOfSection, CreateThread, WaitForSingleObject, LoadLibraryA, HeapAlloc, RtlAllocateHeap, RtlDecompressBuffer, FlushInstructionCache, NtGetContextThread.

The malware uses this decryption routine heavily in several places to recover plain text.

image

At 00403572, Upatre decodes the base64-encoded string and saves it at 004051B0 (I renamed the variable to decrypted_bin):

image

At 0040386D it creates a new thread:

image

The main work starts inside the thread at 00403900, where it decrypts strings and gets the addresses of several Win API functions: CreateProcessW, ExitProcess, NtWriteVirtualMemory, NtSetContextThread, etc.

image

It creates a new process of itself in suspended mode and saves its context:

image

Anti-Debug:

There is one interesting anti-debug trick. At the start, the malware saves the PEB address and uses the BeingDebugged byte at [PEB+2] in its XOR decryption routine. Outside of a debugger this value is 0, and adding 0 changes nothing; but inside a debugger [PEB+2] is 1, and adding 1 corrupts the decryption. In this case RtlDecompressBuffer returns the error 0xC0000242 (STATUS_BAD_COMPRESSION_BUFFER).

The reason for this error is that, before calling RtlDecompressBuffer, the malware XOR-decrypts the base64-decoded data with the key 0x4C + [PEB+2], which is 0x4D inside a debugger instead of 0x4C; the result is corrupted output that fails to decompress.

image

[eax+2] is the value of BeingDebugged:

image

image

We can use the ScyllaHide plugin for IDA to defeat this anti-debug method.

It decompresses the decoded and decrypted base64 data using RtlDecompressBuffer (format COMPRESSION_FORMAT_LZNT1):

image
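As an added example (not the author's extraction script, which is not reproduced on this page), here is a Python reimplementation of the unpacking chain described above: base64 decode, XOR with 0x4C + [PEB+2], then LZNT1 decompression as RtlDecompressBuffer performs it. SAMPLE_B64 is a constructed blob, not data from the sample; calling extract_payload with being_debugged=1 reproduces the corrupted-stream failure that the anti-debug trick relies on.

```python
import base64
import struct

# Constructed demo blob (not bytes from the real sample): the LZNT1 stream for
# b"ABCABCABCABCABC", XOR-ed with 0x4C and then base64-encoded.
SAMPLE_B64 = "SfxEDQ4PRWw="

def lznt1_decompress(data: bytes) -> bytes:
    """Minimal LZNT1 decoder; ValueError stands in for STATUS_BAD_COMPRESSION_BUFFER."""
    out, pos = bytearray(), 0
    while pos + 2 <= len(data):
        header, = struct.unpack_from("<H", data, pos)
        size = (header & 0xFFF) + 1            # chunk bytes following the 2-byte header
        chunk = data[pos + 2:pos + 2 + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk")
        pos += 2 + size
        if not header & 0x8000:                # stored (uncompressed) chunk
            out += chunk
            continue
        start, i = len(out), 0
        while i < len(chunk):
            flags, i = chunk[i], i + 1
            for bit in range(8):
                if i >= len(chunk):
                    break
                if not flags >> bit & 1:       # literal byte
                    out.append(chunk[i])
                    i += 1
                    continue
                if i + 1 >= len(chunk):
                    raise ValueError("truncated back-reference")
                token, = struct.unpack_from("<H", chunk, i)
                i += 2
                # The offset/length bit split depends on the position in the chunk.
                shift, p = 12, len(out) - start - 1
                while p >= 0x10:
                    shift, p = shift - 1, p >> 1
                length = (token & (0xFFF >> (12 - shift))) + 3
                offset = (token >> shift) + 1
                if offset > len(out) - start:
                    raise ValueError("back-reference before chunk start")
                for _ in range(length):        # byte-wise copy handles overlap
                    out.append(out[-offset])
    return bytes(out)

def extract_payload(b64: str, being_debugged: int = 0) -> bytes:
    """base64-decode, XOR with 0x4C + PEB->BeingDebugged, then LZNT1-decompress."""
    key = (0x4C + being_debugged) & 0xFF       # 0x4C outside, 0x4D under a debugger
    return lznt1_decompress(bytes(b ^ key for b in base64.b64decode(b64)))
```

On a real dump, feed the base64 string found at 004051B0 to extract_payload and write the returned bytes to disk for the next stage of analysis.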

…and writes it into the suspended process:

image

After decompression it calls NtSetContextThread; the value of EIP is 401265:

image

It resumes the thread and exits:

image

Before the NtResumeProcess call, attach x32dbg to the child process and set EIP to 401265:

image

Close IDA and start analyzing the child process.

It tries to read the uttE047.tmp file from the %TEMP% directory without success:

image

It creates one and writes the location of the executable into it:

image

The contents of the uttE047.tmp file:

image

It copies the executable to the %TEMP% directory as utilview.exe:

image

…and starts it as a new process:

image

This process behaves exactly like the first one: it creates a new process and injects the decoded and decompressed code.

Let’s reverse the last part (the injected code) at a slightly higher level.

Now we are here: sample.exe -> sample.exe -> utilview.exe -> utilview.exe

The injected code is also the same as before: it checks for the uttE047.tmp file, but this time uttE047.tmp exists in the %TEMP% directory, so the malware takes a different path. It reads the content of uttE047.tmp, which is the location of the original executable, and removes that executable:

image

After this it gets the victim’s public IP using checkip.dyndns.com:

image

Also, there is a typo in the User-Agent string:

image

…and parses the IP from the returned response:

image

It tries to download questd.pdf from http://penangstreetfood.net/wp-content/uploads/questd.pdf and http://yumproject.com/wp-content/uploads/2014/11/questd.pdf without success.

image

It sends GET requests to 95.181.46.38 with client-related information; the last string is derived from the victim’s IP address, with B in place of each dot:

image

That’s all… Upatre’s main function is to download malicious files.

Note

If you prefer, you can use my script to extract the payload instead of doing it manually:

I know I overlooked many things related to Upatre due to my limited knowledge; if you find something interesting, please contact me.

I’m new to reversing malware and any kind of feedback is helpful for me.

Twitter: @_qaz_qaz