6 minutes read

You can get the sample from theZoo

SHA-256: 1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7

We can use behavior analysis from hybrid-analysis.

Seems like there is no known protection mechanism.

In the strings, there is nothing important other than this base64 encoded string:

…and imports is not eloquent but there is our friend GetProcAddress :

Let’s open in IDA :

sub_403760 is used to get necessary Win API functions:

Inside sub_403760 , malware decrytes strings and uses GetProcAddress to get addresses of functions:

To decrypt strings before call GetProcAddress , Upatre uses following decryption routine:

Inside sub_402F30 malware uses this teqnique to get addresses for following Win API functions:

NtAllocateVirtualMemory , NtUnmapViewOfSection , CreateThread , WaitForSingleObject , LoadLibraryA , HeapAlloc , RtlAllocateHeap , RtlDecompressBuffer , FlushInstructionCache , NtGetContextThread .

The decryption routine is used heavily by malware in different places to get plain text.

At 00403572 , Upatre decodes base64 encoded string and saves at 004051B0 (I renamed variable as decrypted_bin ):

At 0040386D it creates a new thread:

Main work starts inside the thread at 00403900 , Where it decryptes and gets addresses for several Win API functions: CreateProcessW , ExitProcess , NtWriteVirtualMemory , NtSetContextThread , etc.

Creates itself as a new process in suspended mode and saves Context :

Anti-Debug:

There is one interesting anti-debug trick, at the start, it saves PEB and uses BeingDebug value [PEB+2] in XOR decryption routine, outside of a debugger this value is 0 and adding 0 don’t cause any error, but if we try to add 1 (which is the value of [PEB+2] if the executable is inside a debugger) it may cause error. In this case RtlDecompressBuffer returns 0xC0000242 (STATUS_BAD_COMPRESSION_BUFFER) error.

The reason of this error is that before calling RtlDecompressBuffer , malware decrypts(with XOR) decoded strings using 0x4C+[PEB+2] which is 0x4D inside a debugger instead of 0x4C , because of this result is corrupted output.

[eax+2] is the value of BeingDebug :

We can use ScyllaHide plugin for IDA to defeat this anti-debug method.

Decompresses decoded and decrypted base64 string using RtlDecompressBuffer (format COMPRESSION_FORMAT_LZNT1 ):

…and writes into suspened process:

After decompress it calls NtSetContextThread , value of EIP is 401265 :

Resumes thread and exits:

Before NtResumeProcess call attach x32dbg to child process and set EIP to 401265 :

Close IDA and start analyzing of the child process.

Tries to read uttE047.tmp file from %TEMP% directory without success:

Creates one and writes location of the executable:

Inside of uttE047.tmp file:

Copies executale to %TEMP% directory as utilview.exe :

…and creates as new process:

This process is exactly same as the first process, creates a new process and injects decoded and decompressed code.

Let’s reverse last part (injected code) a little bit higher level.

Now we are here: sample.exe -> sample.exe -> utilview.exe -> utilview.exe

The injected code is also same as before it checks uttE047.tmp file, but this time there is uttE047.tmp in %TEMP% directory and malware goes a different direction, reads the content of uttE047.tmp , which is the location of the executable and removes that executable:

After this it gets IP of the victim using checkip.dyndns.com :

Also, there is a typo in user-agent string:

and parses IP from returned file:

It tries to download questd.pdf from http://penangstreetfood.net/wp-content/uploads/questd.pdf and http://yumproject.com/wp-content/uploads/2014/11/questd.pdf without success.

Sends GET requests to 95.181.46.38 with client related information, last string derives from victim’s IP address, B is instead of .

That’s all… Upatre ’s main function is to download malicious files.

Note

If you prefer you can use my script to extract payload instead of doing it manually:

I know, I overlook many things related to Upatre , due to my limited knowledge, if you find something interesting please contact me.

I’m new to reversing malware and any kind of feedback is helpful for me.

Twitter: @_qaz_qaz