UPATRE
Microsoft: Upatre; Symantec: Upatre; Kaspersky: Upatre
Windows
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Spammed via email
UPATRE was first spotted in August 2013, after the fall of the Blackhole Exploit Kit. Its variants usually arrive on systems as malicious files attached to spammed messages, or as links to malicious websites hosting the malware itself.
UPATRE malware, upon installation, downloads and executes additional malware on the affected system. Families observed being downloaded by UPATRE include ZEUS, CRILOCK, DYREZA and ROVNIX variants. Such malware severely compromises the security of the systems it affects and, in CRILOCK's case, renders them unusable through its file-encrypting routine.
New variants of UPATRE are now capable of stealing system information such as the affected system’s computer name and operating system.
TECHNICAL DETAILS
Connects to URLs/IPs, Drops files
Installation
This Trojan drops the following copies of itself into the affected system and executes them:
- %User Temp%\pdfviewer.exe
- %User Temp%\informix.exe
- %User Temp%\ELuXJ36.exe
- %User Temp%\goofit5.exe
- %User Temp%\vybzl.exe
(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
It drops the following files:
- %User Temp%\temp_4662.txt
- %User Temp%\{5letters}{2digits}.exe
- %User Temp%\mix_T17.tmp
- %User Temp%\tep-D366.txt
- %User Temp%\tep-043.txt
- %User Temp%\EXE1.exe
- %User Temp%\utt69B9.tmp
Other System Modifications
This Trojan adds the following registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\ESENT\Process\document81723\DEBUG
Trace Level = null
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
marker_UAC_bypassed = TRUE
Other Details
This Trojan connects to the following possibly malicious URLs:
- http://{BLOCKED}s.com/look2.pdf
- http://{BLOCKED}a.com/mandoc/look2.pdf
- http://{BLOCKED}onidarte.it/mandoc/seo21.pdf
- http://{BLOCKED}drifting.com/news/seo21.pdf
- http://{BLOCKED}eriayahorrodeenergia.com/mandoc/listc.pdf
- http://www.{BLOCKED}rivinglessons.com/mandoc/listc.pdf
- http://{BLOCKED}ab.net/mandoc/instr1.pdf
- http://{BLOCKED}dragovic.com/mandoc/instr1.pdf
- http://{BLOCKED}otelpatong.com/document/wis22.jpa
- http://{BLOCKED}beli.com:80/images/wis22.jpa
- http://202.153.35.133:{random port}/1401_11/{computer name of affected system}/0/{OS version}-{service pack}/0/
- http://{BLOCKED}.153.35.133:{random port}/1401_11/{computer name of affected system}/{value}/{value}/{value}
- http://{BLOCKED}.153.35.133:{random port}/2101us21/{computer name of affected system}/0/{OS version}-{service pack}/0/
- http://{BLOCKED}.153.35.133:{random port}/2101us21/{computer name of affected system}/{value}/{value}/{value}
- http://{BLOCKED}.153.35.133:22446/1401uk21/{computername}/0/{OS Version}-{Service Pack}/0/
- http://{BLOCKED}.153.35.133/22446/{computername}/{value1}/{value2}/{value3}/
- http://{BLOCKED}.153.35.133/0901us2/{computername}/0/{OS Version}-{Service Pack}/0/
- http://{BLOCKED}.153.35.133/0901us2/{computername}/{value1}/{value2}/{value3}/
- http://{BLOCKED}.210.204.149:{random port}/0812us22/{computer name}/0/{os version and service pack}/0
- http://{BLOCKED}.210.204.149:{random port}/0812us22/{computer name}/1/0/0
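The check-in URLs above share one shape: a campaign identifier (four digits plus an optional country code and number, such as 1401uk21 or 0812us22), the affected computer name, and then either 0/{OS version}-{service pack}/0 for the first beacon or three status values afterwards, usually against a bare IP on a random port. The second-stage payloads are fetched under document-looking names (look2.pdf, wis22.jpa, etc.). The following is an added hunting example, not code from the original write-up or from Trend Micro: it runs those indicators, together with the dropped-file names from the Installation section, over a constructed proxy log and a constructed %User Temp% listing. The log format, the 203.0.113.x addresses, the hostnames and the 5.1-3 OS string are all assumptions for illustration.

```python
"""Added example: hunt for the UPATRE indicators listed in this write-up.
Not Trend Micro's code; inputs below are constructed for illustration."""
import re

# Check-in shape: /<campaign>/<computer name>/<v1>/<v2>/<v3>/
#   first beacon:  v1 = 0, v2 = <OS version>-<service pack>, v3 = 0
#   later beacons: three status values (e.g. 1/0/0)
# <campaign> is four digits plus an optional suffix (1401_11, 2101us21, 22446).
CHECKIN_RE = re.compile(
    r"^https?://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?"
    r"/(?P<campaign>\d{4}[A-Za-z0-9_]*)"
    r"/(?P<computer>[A-Za-z0-9_.-]+)"
    r"/(?P<v1>[^/\s]+)/(?P<v2>[^/\s]+)/(?P<v3>[^/\s]+)/?$"
)
BARE_IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Second-stage file names seen in the URL list above.
PAYLOAD_NAMES = {"look2.pdf", "seo21.pdf", "listc.pdf", "instr1.pdf", "wis22.jpa"}

# Fixed dropped-file names from the Installation section, plus the
# {5letters}{2digits}.exe pattern the write-up describes.
FIXED_DROP_NAMES = {"pdfviewer.exe", "informix.exe", "eluxj36.exe",
                    "goofit5.exe", "vybzl.exe", "exe1.exe"}
RANDOM_DROP_RE = re.compile(r"^[A-Za-z]{5}\d{2}\.exe$")


def extract_url(line):
    """Return the first http(s) field of a whitespace-separated log line."""
    for field in line.split():
        if field.startswith(("http://", "https://")):
            return field
    return None


def find_checkins(log_lines):
    """Return one dict per URL matching the UPATRE check-in shape.

    The path shape alone is loose (any /dddd/x/a/b/c/ path matches), so the
    result also records whether the host is a bare IP and which port was
    used; treat those as corroborating signals before escalating."""
    hits = []
    for line in log_lines:
        url = extract_url(line)
        m = CHECKIN_RE.match(url) if url else None
        if not m:
            continue
        info = m.groupdict()
        first_beacon = (info["v1"] == "0" and "-" in info["v2"]
                        and info["v3"] == "0")
        info["kind"] = "initial_beacon" if first_beacon else "status_update"
        info["bare_ip"] = bool(BARE_IP_RE.fullmatch(info["host"]))
        info["url"] = url
        hits.append(info)
    return hits


def find_payload_downloads(log_lines):
    """Return URLs whose final path component is a known UPATRE payload name."""
    hits = []
    for line in log_lines:
        url = extract_url(line)
        if url and url.rsplit("/", 1)[-1].lower() in PAYLOAD_NAMES:
            hits.append(url)
    return hits


def suspicious_temp_names(names):
    """Return %User Temp% entries matching the dropped-file indicators."""
    return [n for n in names
            if n.lower() in FIXED_DROP_NAMES or RANDOM_DROP_RE.match(n)]


# Constructed sample data (format: timestamp client method url status).
SAMPLE_PROXY_LOG = [
    "2014-01-14T10:02:11Z 10.0.0.23 GET http://203.0.113.10:22446/1401uk21/WKS-0042/0/5.1-3/0/ 200",
    "2014-01-14T10:02:13Z 10.0.0.23 GET http://203.0.113.10:22446/1401uk21/WKS-0042/1/0/0/ 200",
    "2014-01-14T10:02:15Z 10.0.0.23 GET http://www.example.net/mandoc/listc.pdf 200",
    "2014-01-14T10:03:00Z 10.0.0.24 GET http://www.example.org/2014/01/14/index.html 200",
]
SAMPLE_TEMP_LISTING = ["desktop.ini", "pdfviewer.exe", "ELuXJ36.exe",
                       "abcde12.exe", "goofit5.exe", "report.docx"]

if __name__ == "__main__":
    for h in find_checkins(SAMPLE_PROXY_LOG):
        print(h["kind"], h["computer"], h["host"], h["port"], "bare_ip=%s" % h["bare_ip"])
    print("payloads:", find_payload_downloads(SAMPLE_PROXY_LOG))
    print("temp drops:", suspicious_temp_names(SAMPLE_TEMP_LISTING))
```

The initial beacon is the most useful record to keep: it carries the campaign identifier, the victim host name and the OS fingerprint in the path, which ties later payload downloads (the {BLOCKED} hosts serving listc.pdf and friends) back to a specific infected machine.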