1/13

Upatre - Trojan Downloader
secrary.com/ReversingMalware/Upatre/

cd ../reverse_engineering_malware 6 minutes read
You can get the sample from theZoo

SHA-256: 1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7

We can use behavior analysis from hybrid-analysis.

Seems like there is no known protection mechanism.

In the strings, there is nothing important other than this base64 encoded string:

https://secrary.com/ReversingMalware/Upatre/
https://secrary.com/ReversingMalware
https://github.com/ytisf/theZoo/tree/master/malwares/Binaries/Waski.Upatre
https://www.hybrid-analysis.com/sample/1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7?environmentId=100


2/13

…and imports is not eloquent but there is our friend GetProcAddress :

Let’s open in IDA :

sub_403760  is used to get necessary Win API functions:



3/13

Inside sub_403760 , malware decrytes strings and uses GetProcAddress  to get
addresses of functions:

To decrypt strings before call GetProcAddress , Upatre  uses following decryption routine:



4/13

Inside sub_402F30  malware uses this teqnique to get addresses for following Win API
functions:

NtAllocateVirtualMemory , NtUnmapViewOfSection , CreateThread ,
WaitForSingleObject , LoadLibraryA , HeapAlloc , RtlAllocateHeap ,
RtlDecompressBuffer , FlushInstructionCache , NtGetContextThread .

The decryption routine is used heavily by malware in different places to get plain text.



5/13

At 00403572 , Upatre  decodes base64 encoded string and saves at 004051B0 (I
renamed variable as decrypted_bin ):

At 0040386D  it creates a new thread:



6/13

Main work starts inside the thread at 00403900 , Where it decryptes and gets addresses for
several Win API functions: CreateProcessW , ExitProcess , NtWriteVirtualMemory ,
NtSetContextThread , etc.

Creates itself as a new process in suspended mode and saves Context :

Anti-Debug:



7/13

There is one interesting anti-debug trick, at the start, it saves PEB  and uses BeingDebug
value [PEB+2]  in XOR decryption routine, outside of a debugger this value is 0  and
adding 0  don’t cause any error, but if we try to add 1  (which is the value of [PEB+2]  if
the executable is inside a debugger) it may cause error. In this case
RtlDecompressBuffer  returns 0xC0000242 (STATUS_BAD_COMPRESSION_BUFFER)

error.

The reason of this error is that before calling RtlDecompressBuffer , malware
decrypts(with XOR) decoded strings using 0x4C+[PEB+2]  which is 0x4D  inside a
debugger instead of 0x4C , because of this result is corrupted output.

[eax+2]  is the value of BeingDebug :



8/13

We can use ScyllaHide  plugin for IDA  to defeat this anti-debug method.

Decompresses decoded and decrypted base64 string using RtlDecompressBuffer  (format
COMPRESSION_FORMAT_LZNT1 ):

…and writes into suspened process:

After decompress it calls NtSetContextThread , value of EIP  is 401265 :



9/13

Resumes thread and exits:

Before NtResumeProcess  call attach x32dbg  to child process and set EIP  to 401265 :

Close IDA  and start analyzing of the child process.

Tries to read uttE047.tmp  file from %TEMP%  directory without success:



10/13

Creates one and writes location of the executable:

Inside of uttE047.tmp  file:

Copies executale to %TEMP%  directory as utilview.exe :



11/13

…and creates as new process:

This process is exactly same as the first process, creates a new process and injects
decoded and decompressed code.

Let’s reverse last part (injected code) a little bit higher level.

Now we are here: sample.exe -> sample.exe -> utilview.exe -> utilview.exe

The injected code is also same as before it checks uttE047.tmp  file, but this time there is
uttE047.tmp  in %TEMP%  directory and malware goes a different direction, reads the

content of uttE047.tmp , which is the location of the executable and removes that
executable:



12/13

After this it gets IP of the victim using checkip.dyndns.com :

Also, there is a typo in user-agent string:

and parses IP from returned file:



13/13

It tries to download questd.pdf  from http://penangstreetfood.net/wp-
content/uploads/questd.pdf  and http://yumproject.com/wp-
content/uploads/2014/11/questd.pdf  without success.

Sends GET  requests to 95.181.46.38  with client related information, last string derives
from victim’s IP address, B  is instead of .  

That’s all… Upatre ’s main function is to download malicious files.

Note

If you prefer you can use my script to extract payload instead of doing it manually:

I know, I overlook many things related to Upatre , due to my limited knowledge, if you find
something interesting please contact me.

I’m new to reversing malware and any kind of feedback is helpful for me.

Twitter: @_qaz_qaz

https://twitter.com/_qaz_qaz