Win32/Upatre (alias Waski)

Forum for analysis and discussion about malware.

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Win32/Upatre

Post by unixfreaxjp » Thu Mar 13, 2014 6:27 am

Upatre campaign (email)
Image

Downloads Gameover/Zbot
Image

VT:
Upatre: https://www.virustotal.com/en/file/3c07 ... 394688935/
Zbot: https://www.virustotal.com/en/file/d2f7 ... 394689196/

Set of samples
Image
You do not have the required permissions to view the files attached to this post.

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Win32/Upatre

Post by unixfreaxjp » Sat Mar 15, 2014 5:40 am

Three malvertisements of Upatre.
Image
Downloading Zbot (GMO) from the URLs below:

Code:

h00p://sienashops.it/image_data/al2602.nub
h00p://theeventroom.co.uk/Images/al2602.nub
h00p://gobemall.com/img/p/1/0/1/1203a.ton
h00p://gobehost.info/images/headers/13003UKp.ton
h00p://creativemindsplanet.com/images/headers/a.ssa
h00p://mpbp.org/images/banners/1203UKp.ssa
Hashes are listed in here: http://pastebin.com/raw.php?i=N6AgVqzt

VT:
https://www.virustotal.com/en/file/539f ... /analysis/
https://www.virustotal.com/en/file/8091 ... /analysis/
https://www.virustotal.com/en/file/130c ... /analysis/

Tip: typical headers used by the malware when downloading Zbots:
Image

I attached all the downloaded files + Zbot (+ drops).

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Win32/Upatre

Post by unixfreaxjp » Tue Mar 18, 2014 11:43 pm

Today's Upatre, attempting to download ZeusP2P Gameover.
Pic:
Image
VT: https://www.virustotal.com/en/file/f5bc ... 395183670/

Spam source: yua.dynamic.so-net.net.tw (61.62.44.173)
Template: (suspected) Cutwail (it looks like a new template is used, so I have no reference for this one)

Download callback URL: 184.172.57.26 (hacked WP sites, USA service)

Code:

Wed Mar 19 08:41:49 JST 2014|184.172.57.26|184.172.57.26-static.reverse.softlayer.com.|36351 | 184.172.0.0/18 | SOFTLAYER | US | SOFTLAYER.COM | THEPLANET.COM INTERNET SERVICES INC.
HTTP download request header:

Code:

GET /blog/wp-content/uploads/2014/03/1803FR.enc HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: kbpark.com
Cache-Control: no-cache

Sample is attached, w/o traffic.
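The request header above carries a fixed User-Agent and Accept line, which is what a network-side detection would key on. The following C is an added example (not code from the post or from any Upatre analysis tool) that parses a raw HTTP request and flags those two headers plus an `.enc` request path; the benign request it compares against is constructed here for contrast.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Indicator bits returned by classify_request(). */
#define IND_UA_UPDATES_DOWNLOADER 0x1  /* User-Agent: Updates downloader  */
#define IND_ACCEPT_WILDCARD       0x2  /* Accept: text/*, application/*   */
#define IND_PATH_ENC              0x4  /* request path ends in .enc       */

/* Case-insensitive test that `line` starts with `prefix` (header names are
 * case-insensitive per HTTP). */
static int starts_with_ci(const char *line, const char *prefix)
{
    return strncasecmp(line, prefix, strlen(prefix)) == 0;
}

/* Walk a raw HTTP request (CRLF or LF separated) and set one indicator bit
 * per field that matches the download request captured in the post. */
unsigned classify_request(const char *request)
{
    unsigned flags = 0;
    const char *p = request;
    int first = 1;

    while (*p) {
        const char *eol = strpbrk(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        if (first) {
            /* Request line: METHOD SP PATH SP VERSION */
            char method[16], path[400];
            if (sscanf(line, "%15s %399s", method, path) == 2) {
                size_t pl = strlen(path);
                if (pl >= 4 && strcmp(path + pl - 4, ".enc") == 0)
                    flags |= IND_PATH_ENC;
            }
            first = 0;
        } else if (starts_with_ci(line, "User-Agent:")) {
            const char *v = line + strlen("User-Agent:");
            while (*v == ' ') v++;
            if (strcmp(v, "Updates downloader") == 0)
                flags |= IND_UA_UPDATES_DOWNLOADER;
        } else if (starts_with_ci(line, "Accept:")) {
            const char *v = line + strlen("Accept:");
            while (*v == ' ') v++;
            if (strcmp(v, "text/*, application/*") == 0)
                flags |= IND_ACCEPT_WILDCARD;
        }

        if (!eol) break;
        p = eol;
        while (*p == '\r' || *p == '\n') p++;   /* skip line terminator(s) */
    }
    return flags;
}

/* The request exactly as captured in the post above. */
const char *UPATRE_REQ =
    "GET /blog/wp-content/uploads/2014/03/1803FR.enc HTTP/1.1\r\n"
    "Accept: text/*, application/*\r\n"
    "User-Agent: Updates downloader\r\n"
    "Host: kbpark.com\r\n"
    "Cache-Control: no-cache\r\n";

/* Constructed benign request for comparison (not from any capture). */
const char *BENIGN_REQ =
    "GET /index.html HTTP/1.1\r\n"
    "Accept: text/html\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Host: example.com\r\n";

int main(void)
{
    printf("upatre request flags: 0x%x\n", classify_request(UPATRE_REQ));
    printf("benign request flags: 0x%x\n", classify_request(BENIGN_REQ));
    return 0;
}
```

The User-Agent alone is the strongest single indicator here; the Accept line and the `.enc` extension are weaker on their own, which is why the function returns separate bits rather than a single verdict and leaves the weighting to the caller.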

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Win32/Upatre

Post by unixfreaxjp » Sat Mar 22, 2014 12:45 pm

Received this Upatre campaign today:
Image
It is downloading another payload, not the usual Gameover or Zbot; I call it "unknown trojan stealer". Does anyone know what it is?

Details I wrote in VT's comments; please bear with looking at those, sorry, I am outside (travelling) now.

Upatre: https://www.virustotal.com/en/file/2842 ... 395479710/
stealer: https://www.virustotal.com/en/file/7056 ... 395480781/

Samples:

Code:

2014/03/22  18:13            11,899 012.eml
2014/03/22  10:14           360,448 2103USa.qta
2014/03/22  10:14               111 40425350.cmd.bat
2014/03/22  10:14            11,264 aplib.dll
2014/03/22  10:14            12,800 aplib64.dll
2014/03/22  10:14           360,448 asmlo.exe
2014/03/22  10:14           228,864 client.dll
2014/03/21  17:14            19,456 FAX-032114.scr
2014/03/22  10:14            19,492 mazon.exe
2014/03/22  10:14            59,904 zlib1.dll

6699f43545f6aff4750584e59878c0ae 012.eml
589d74b40157c23cee00135ed388e554 2103USa.qta
27af77c860b9b3fc234175154d09f643 40425350.cmd.bat
7fe2b0b3fc2078130f20070a05daf8d5 aplib.dll
3f4fe60b6d1e05144f6efa098ac381a8 aplib64.dll
589d74b40157c23cee00135ed388e554 asmlo.exe
f428fca692288a1437df2871ebbcc81f client.dll
6b6d5c012f403999c62145668437e617 FAX-032114.scr
52d32a3da4ac83cec80f8fb9d9d38ee6 mazon.exe
80e41408f6d641dc1c0f5353a0cc8125 zlib1.dll

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Win32/Upatre

Post by unixfreaxjp » Thu Apr 03, 2014 10:24 am

The Upatre Gameover downloader is back with HTTPS.
Sample: https://www.virustotal.com/en/file/7707 ... 396518288/
Some analysis notes: http://blog.malwaremustdie.org/2014/04/ ... o-ssl.html
Sample set with traffic (pic) is attached.
Image
rnd.usr
Posts: 27
Joined: Tue Apr 15, 2014 6:14 pm

Re: Win32/Upatre

Post by rnd.usr » Fri Aug 22, 2014 8:48 pm

http://blogs.cisco.com/security/snowshoe-flurry/

https://www.virustotal.com/en/file/f137 ... /analysis/

Injects into explorer and sets a startup value in Run as softwareprotection.exe in %appdata% with the name dumpsec. Posts data to 108.163.173.26.

Kimberly
Posts: 14
Joined: Sun Dec 01, 2013 12:49 pm

Re: Win32/Upatre

Post by Kimberly » Sun Aug 24, 2014 8:39 am

rnd.usr wrote: Injects into explorer and sets a startup value in Run as softwareprotection.exe in %appdata% with the name dumpsec. Posts data to 108.163.173.26.
Win32/Spy.Tuscas
https://www.virustotal.com/en/file/48bf ... 408726915/

Other tuscas sample
https://www.virustotal.com/en/file/9ef9 ... /analysis/

R136a1
Forum Admin
Posts: 218
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

Re: Win32/Upatre

Post by R136a1 » Thu Mar 26, 2015 3:50 pm

Recent sample of campaign targeting UK users attached.

Downloads the following Dyre/Battdil sample: http://www.kernelmode.info/forum/viewto ... 381#p25514

sysopfb
Posts: 97
Joined: Thu Oct 23, 2014 1:22 am

Re: Win32/Upatre (alias Waski)

Post by sysopfb » Fri Apr 10, 2015 9:11 pm

Stub changed today; they added an XOR loop over the patchable data section. All samples I went through today used a single-byte XOR of 13.

Lots of samples attached, easy to unpack.

Pseudocode C representation of the added XOR loop on the data:

Code:

#include <stddef.h>

/* Walk the patched data blob until the 0x01 terminator, XORing every
 * non-zero byte with the single-byte key (0x13 in today's samples). */
void decode_data_blob(unsigned char *file, size_t data_blob_position_in_file)
{
    size_t i = data_blob_position_in_file;
    while (file[i] != 0x1)
    {
        if (file[i] != 0x0)
            file[i] ^= 0x13;
        i++;
    }
}
Haven't had any time to go over the rest, but the payload appears to be the same: rolling XOR and then shellcode on top of an LZNT-compressed MZ.
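As an added example (my code, not sysopfb's), the loop above is wrapped as a function over a byte buffer, together with a key-recovery routine for when a later stub build changes the constant: it tries every non-zero single-byte key and keeps the one that decodes the blob into the most URL-like bytes. The sample data section, its plaintext string and the assumption that the decoded blob is URL-like text are all constructed here; nothing about the real blob contents beyond the 0x13 key and the 0x00/0x01 handling comes from the post.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same loop as the post's pseudocode, applied to buf[start..]: stop at the
 * 0x01 terminator, leave 0x00 bytes alone, XOR every other byte with key.
 * Returns the number of bytes transformed, or -1 if no terminator is found
 * within len (a truncated or mis-located blob). */
long xor_decode_blob(uint8_t *buf, size_t len, size_t start, uint8_t key)
{
    long n = 0;
    for (size_t i = start; i < len; i++) {
        if (buf[i] == 0x01)
            return n;
        if (buf[i] != 0x00) {
            buf[i] ^= key;
            n++;
        }
    }
    return -1;
}

/* Assumption for key recovery: a decoded blob is URL-like text, so it is
 * made of alphanumerics and a few punctuation characters. */
static int is_expected_byte(uint8_t c)
{
    return c != 0 && (isalnum(c) || strchr("/:.-_", c) != NULL);
}

/* Recover an unknown single-byte key by trying all 255 non-zero keys and
 * keeping the one that yields the most expected bytes up to the 0x01
 * terminator. The correct key is the only one that maps every byte of
 * URL-like text back into that character set. */
uint8_t recover_xor_key(const uint8_t *buf, size_t len, size_t start)
{
    uint8_t best_key = 0;
    long best_score = -1;
    for (int k = 1; k < 256; k++) {
        long score = 0;
        for (size_t i = start; i < len && buf[i] != 0x01; i++) {
            if (buf[i] == 0x00) continue;
            if (is_expected_byte(buf[i] ^ (uint8_t)k)) score++;
        }
        if (score > best_score) { best_score = score; best_key = (uint8_t)k; }
    }
    return best_key;
}

/* Constructed stand-in for a patched data section: 4 header bytes, a
 * URL-like string XORed with `key`, the 0x01 terminator, then filler.
 * The string is a placeholder, not a URL from any real sample. */
#define BLOB_START 4
static const char SAMPLE_PLAIN[] = "h00p://example.invalid/images/1803FR.enc";

size_t build_sample_blob(uint8_t *out, size_t cap, uint8_t key)
{
    size_t plen = strlen(SAMPLE_PLAIN);
    size_t total = BLOB_START + plen + 3;
    if (cap < total) return 0;
    memcpy(out, "\x55\x8B\xEC\x00", BLOB_START);   /* bytes before the blob */
    for (size_t i = 0; i < plen; i++)
        out[BLOB_START + i] = (uint8_t)SAMPLE_PLAIN[i] ^ key;
    out[BLOB_START + plen] = 0x01;       /* terminator the loop stops on */
    out[BLOB_START + plen + 1] = 0xCC;   /* filler after the blob */
    out[BLOB_START + plen + 2] = 0xCC;
    return total;
}

/* Build a blob with `key`, recover the key blind, decode, and report whether
 * the plaintext came back intact. */
int demo_roundtrip(uint8_t key)
{
    uint8_t blob[128];
    size_t len = build_sample_blob(blob, sizeof blob, key);
    uint8_t k = recover_xor_key(blob, len, BLOB_START);
    long n = xor_decode_blob(blob, len, BLOB_START, k);
    return k == key && n == (long)strlen(SAMPLE_PLAIN) &&
           memcmp(blob + BLOB_START, SAMPLE_PLAIN, strlen(SAMPLE_PLAIN)) == 0;
}

int main(void)
{
    printf("key 0x13 round trip: %s\n", demo_roundtrip(0x13) ? "ok" : "FAIL");
    return 0;
}
```

Two quirks of the stub's loop carry over on purpose: a plaintext byte equal to the key encodes to 0x00 and is therefore never restored, and an encoded byte that happens to be 0x01 ends the loop early. Both are worth remembering when a decoded blob looks cut short.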
