# Upatre - Trojan Downloader **secrary.com/ReversingMalware/Upatre/** [cd ../reverse_engineering_malware 6 minutes read](https://secrary.com/ReversingMalware) [You can get the sample from theZoo](https://github.com/ytisf/theZoo/tree/master/malwares/Binaries/Waski.Upatre) SHA-256: `1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7` [We can use behavior analysis from hybrid-analysis.](https://www.hybrid-analysis.com/sample/1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7?environmentId=100) Seems like there is no known protection mechanism. In the strings, there is nothing important other than this base64 encoded string: ----- …and imports is not eloquent but there is our friend `GetProcAddress :` Let’s open in `IDA :` ``` sub_403760 is used to get necessary Win API functions: ``` ----- Inside `sub_403760, malware decrytes strings and uses` `GetProcAddress to get` addresses of functions: To decrypt strings before call `GetProcAddress,` `Upatre uses following decryption routine:` ----- Inside `sub_402F30 malware uses this teqnique to get addresses for following Win API` functions: ``` NtAllocateVirtualMemory, NtUnmapViewOfSection, CreateThread, WaitForSingleObject, LoadLibraryA, HeapAlloc, RtlAllocateHeap, RtlDecompressBuffer, FlushInstructionCache, NtGetContextThread . ``` The decryption routine is used heavily by malware in different places to get plain text. ----- At `00403572,` `Upatre decodes base64 encoded string and saves at` `004051B0 (I` renamed variable as `decrypted_bin ):` At `0040386D it creates a new thread:` ----- Main work starts inside the thread at `00403900, Where it decryptes and gets addresses for` several Win API functions: `CreateProcessW,` `ExitProcess,` `NtWriteVirtualMemory,` ``` NtSetContextThread, etc. ``` Creates itself as a new process in suspended mode and saves `Context :` ## Anti-Debug: ----- There is one interesting anti-debug trick, at the start, it saves `PEB and uses` `BeingDebug` value `[PEB+2] in XOR decryption routine, outside of a debugger this value is` `0 and` adding `0 don’t cause any error, but if we try to add` `1 (which is the value of` `[PEB+2] if` the executable is inside a debugger) it may cause error. In this case ``` RtlDecompressBuffer returns 0xC0000242 (STATUS_BAD_COMPRESSION_BUFFER) ``` error. The reason of this error is that before calling `RtlDecompressBuffer, malware` decrypts(with XOR) decoded strings using `0x4C+[PEB+2] which is` `0x4D inside a` debugger instead of `0x4C, because of this result is corrupted output.` ``` [eax+2] is the value of BeingDebug : ``` ----- We can use `ScyllaHide plugin for` `IDA to defeat this anti-debug method.` Decompresses decoded and decrypted base64 string using `RtlDecompressBuffer (format` ``` COMPRESSION_FORMAT_LZNT1 ): ``` …and writes into suspened process: After decompress it calls `NtSetContextThread, value of` `EIP is` `401265 :` ----- Resumes thread and exits: Before `NtResumeProcess call attach` `x32dbg to child process and set` `EIP to` `401265 :` Close `IDA and start analyzing of the child process.` Tries to read `uttE047.tmp file from` `%TEMP% directory without success:` ----- Creates one and writes location of the executable: Inside of `uttE047.tmp file:` Copies executale to `%TEMP% directory as` `utilview.exe :` ----- …and creates as new process: This process is exactly same as the first process, creates a new process and injects decoded and decompressed code. Let’s reverse last part (injected code) a little bit higher level. Now we are here: sample.exe -> sample.exe -> utilview.exe -> utilview.exe The injected code is also same as before it checks `uttE047.tmp file, but this time there is` ``` uttE047.tmp in %TEMP% directory and malware goes a different direction, reads the ``` content of `uttE047.tmp, which is the location of the executable and removes that` executable: ----- After this it gets IP of the victim using `checkip.dyndns.com :` Also, there is a typo in user-agent string: and parses IP from returned file: ----- It tries to download `questd.pdf from` `http://penangstreetfood.net/wp-` ``` content/uploads/questd.pdf and http://yumproject.com/wpcontent/uploads/2014/11/questd.pdf without success. ``` Sends `GET requests to` `95.181.46.38 with client related information, last string derives` from victim’s IP address, `B is instead of` `.` That’s all… `Upatre ’s main function is to download malicious files.` ## Note If you prefer you can use my script to extract payload instead of doing it manually: I know, I overlook many things related to `Upatre, due to my limited knowledge, if you find` something interesting please contact me. I’m new to reversing malware and any kind of feedback is helpful for me. Twitter: [@_qaz_qaz](https://twitter.com/_qaz_qaz) -----