TROJ_UPATRE.YYSLU

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

It deletes the initially executed copy of itself.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

• %User Temp%\lookwiuce.exe

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• https://{BLOCKED}.{BLOCKED}.226.85./pica12.png
• https://{BLOCKED}.{BLOCKED}.92.193./pica12.png
• https://{BLOCKED}.{BLOCKED}.251.208./pica12.png
• https://{BLOCKED}.{BLOCKED}.240.56./pica12.png
• https://{BLOCKED}.{BLOCKED}.81.211./pica12.png
• https://{BLOCKED}.{BLOCKED}.231.11./pica12.png
• https://{BLOCKED}.{BLOCKED}.131.116./pica12.png
• https://{BLOCKED}.{BLOCKED}.123.66./pica12.png
• https://{BLOCKED}.{BLOCKED}.82.80./pica12.png
• https://{BLOCKED}.{BLOCKED}.121.6./pica12.png
• https://{BLOCKED}.{BLOCKED}.22.227./pica12.png
• https://{BLOCKED}.{BLOCKED}.31.6./pica12.png
• https://{BLOCKED}.{BLOCKED}.255.79./pica12.png
• https://{BLOCKED}.{BLOCKED}.04.114./pica12.png
• https://{BLOCKED}.{BLOCKED}.239.34./pica12.png
• https://{BLOCKED}.{BLOCKED}.64.184./pica12.png
• https://{BLOCKED}.{BLOCKED}.171.44./pica12.png
• https://{BLOCKED}.{BLOCKED}.236.173./pica12.png
• https://{BLOCKED}.{BLOCKED}.63.33./pica12.png
• https://{BLOCKED}.{BLOCKED}.130.24./pica12.png
• https://{BLOCKED}.{BLOCKED}.93.250./pica12.png
• https://{BLOCKED}.{BLOCKED}.61.218./pica12.png
• https://{BLOCKED}.{BLOCKED}.11.253./pica12.png
• https://{BLOCKED}.{BLOCKED}.217.188./pica12.png
• https://{BLOCKED}.{BLOCKED}.75.164./pica12.png
• https://{BLOCKED}.{BLOCKED}.248.137./pica12.png
• https://{BLOCKED}.{BLOCKED}.247.74./pica12.png
• https://{BLOCKED}.{BLOCKED}.30.156./pica12.png
• https://{BLOCKED}.{BLOCKED}.195.68./pica12.png
• https://{BLOCKED}.{BLOCKED}.144.177./pica12.png
• https://{BLOCKED}.{BLOCKED}.59.145./pica12.png
• https://{BLOCKED}.{BLOCKED}.141.50./pica12.png
• https://{BLOCKED}.{BLOCKED}.203.19./pica12.png
• https://{BLOCKED}.{BLOCKED}.142.189./pica12.png
• https://{BLOCKED}.{BLOCKED}.104.170./pica12.png
• https://{BLOCKED}.{BLOCKED}.81.120./pica12.png
• https://{BLOCKED}.{BLOCKED}.161.47./pica12.png
• https://{BLOCKED}.{BLOCKED}.210.122./pica12.png
• https://{BLOCKED}.{BLOCKED}.175.7./pica12.png
• https://{BLOCKED}.{BLOCKED}.205.218./pica12.png
• https://{BLOCKED}.{BLOCKED}.205.251./pica12.png
• https://{BLOCKED}.{BLOCKED}.109.250./pica12.png
• https://{BLOCKED}.{BLOCKED}.103.232./pica12.png
• https://{BLOCKED}.{BLOCKED}.242.203./pica12.png
• https://{BLOCKED}.{BLOCKED}.30.118./pica12.png
• https://{BLOCKED}.{BLOCKED}.99.183./pica12.png
• https://{BLOCKED}.{BLOCKED}.100.49./pica12.png
• https://{BLOCKED}.{BLOCKED}.36.52./pica12.png
• https://{BLOCKED}.{BLOCKED}.147.104./pica12.png
• https://{BLOCKED}.{BLOCKED}.250.35./pica12.png

It saves the files it downloads using the following names:

• %User Temp%\kilkeewo.exe ← detected as TSPY_DYRE.SLU

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Information Theft

This Trojan gathers the following data:

• Computer Name
• OS version
• Service Pack

Other Details

This Trojan connects to the following URL(s) to get the affected system's IP address:

• http://icanhazip.com/

It deletes the initially executed copy of itself

NOTES:
This Trojan connects to the following URLs to report infection of the affected system:

• http://{BLOCKED}.{BLOCKED}.142.12:{port}/PICB/{Host Name}/0/{OS Version}-{Service Pack}/0/{value}
• http://{BLOCKED}.{BLOCKED}.142.12:{port}/PICB/{Host Name}/{data}/{data}/{data}/{value}

It installs authentication certificates to enable access to download sites.