You can get the sample from theZoo
We can use behavior analysis from hybrid-analysis.
Seems like there is no known protection mechanism.
In the strings, there is nothing important other than this base64 encoded string:
…and imports is not eloquent but there is our friend
Let’s open in
sub_403760 is used to get necessary Win API functions:
sub_403760, malware decrytes strings and uses
GetProcAddress to get addresses of functions:
To decrypt strings before call
Upatre uses following decryption routine:
sub_402F30 malware uses this teqnique to get addresses for following Win API functions:
The decryption routine is used heavily by malware in different places to get plain text.
Upatre decodes base64 encoded string and saves at
004051B0(I renamed variable as
0040386D it creates a new thread:
Main work starts inside the thread at
00403900, Where it decryptes and gets addresses for several Win API functions:
Creates itself as a new process in suspended mode and saves
Decompresses decoded base64 string using
COMPRESSION_FORMAT_LZNT1): …and writes into suspened process:
There is one interesting anti-debug trick, at the start it saves
PEB and adds
[PEB+2] at different places, outside of a debugger this value is
0 and adding
0don’t causes any error, but if we try to add
1 (which is the value of
[PEB+2] if the executable is inside a debugger) it may cause error. In this case
[eax+2] is the value of
We can use
ScyllaHide plugin for
IDA to defeat this anti-debug method.
Back to our analysis, after decompress it calls
NtSetContextThread, value of
401265: Resumes thread and exits:
NtResumeProcess call attach
x32dbg to child process and set
IDA and start analyzing of the child process.
Tries to read
uttE047.tmp file from
%TEMP% directory without success:
Creates one and writes location of the executable:
Copies executale to
%TEMP% directory as
…and creates as new process:
This process is exactly same as the first process, creates a new process and injects decoded and decompressed code.
Let’s reverse last part (injected code) a little bit higher level.
Now we are here: sample.exe -> sample.exe -> utilview.exe -> utilview.exe
The injected code is also same as before it checks
uttE047.tmpfile, but this time there is
%TEMP% directory and malware goes a different direction, reads the content of
uttE047.tmp, which is the location of the executable and removes that executable:
After this it gets IP of the victim using
Also, there is a typo in user-agent string:
and parses IP from returned file:
It tries to download
http://yumproject.com/wp-content/uploads/2014/11/questd.pdf without success.
GET requests to
220.127.116.11 with client related information, last string derives from victim’s IP address,
Bis instead of
Upatre’s main function is to download malicious files.
I know, I overlook many things related to
Upatre, due to my limited knowledge, if you find something interesting please contact me.