TROJ_UPATRE.YYSLB
TrojanDownloader:Win32/Upatre(Microsoft), Upatre-FACE!8A17C846576C(McAfee), Troj/Upatre-NP(Sophos),
Windows
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It deletes itself after execution.
TECHNICAL DETAILS
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following copies of itself into the affected system and executes them:
- %User Temp%\datevoxdj.exe
(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
It drops the following files:
- %User Temp%\TmpC77A.txt
(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
It drops and executes the following files:
- %User Temp%\fxhnlsqr.exe
(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
Other Details
This Trojan connects to the following possibly malicious URL:
- http://{BLOCKED}8.{BLOCKED}0.194.101
- {BLOCKED}09.{BLOCKED}6.226.85/upd_file3.zip
- {BLOCKED}62.{BLOCKED}55.126.8/upd_file3.zip
- {BLOCKED}73.{BLOCKED}16.240.56/upd_file3.zip
- {BLOCKED}73.{BLOCKED}43.255.79/upd_file3.zip
- {BLOCKED}73.{BLOCKED}48.22.227/upd_file3.zip
- {BLOCKED}73.{BLOCKED}48.27.163/upd_file3.zip
- {BLOCKED}73.{BLOCKED}48.29.43/upd_file3.zip
- {BLOCKED}73.{BLOCKED}48.31.1/upd_file3.zip
- {BLOCKED}73.{BLOCKED}48.31.6/upd_file3.zip
- {BLOCKED}76.{BLOCKED}6.251.208/upd_file3.zip
- {BLOCKED}78.{BLOCKED}14.221.89/upd_file3.zip
- {BLOCKED}88.{BLOCKED}55.165.154/upd_file3.zip
- {BLOCKED}88.{BLOCKED}55.167.4/upd_file3.zip
- {BLOCKED}88.{BLOCKED}55.169.176/upd_file3.zip
- {BLOCKED}88.{BLOCKED}55.236.2/upd_file3.zip
- {BLOCKED}88.{BLOCKED}55.239.34/upd_file3.zip
- {BLOCKED}08.{BLOCKED}23.130.173/upd_file3.zip
- {BLOCKED}16.{BLOCKED}54.231.11/upd_file3.zip
- {BLOCKED}4.2{BLOCKED}0.92.193/upd_file3.zip
- {BLOCKED}4.3{BLOCKED}.131.116/upd_file3.zip
- {BLOCKED}8.1{BLOCKED}9.5.32/upd_file3.zip
- {BLOCKED}8.1{BLOCKED}0.246.142/upd_file3.zip
- {BLOCKED}9.1{BLOCKED}3.81.211/upd_file3.zip
- {BLOCKED}9.9{BLOCKED}204.114/upd_file3.zip
- {BLOCKED}0.1{BLOCKED}1.191.206/upd_file3.zip
- {BLOCKED}1.1{BLOCKED}4.36.73/upd_file3.zip
- {BLOCKED}2.2{BLOCKED}0.82.80/upd_file3.zip
- {BLOCKED}3.1{BLOCKED}5.203.173/upd_file3.zip
- {BLOCKED}5.1{BLOCKED}7.112.81/upd_file3.zip
- {BLOCKED}7.9{BLOCKED}.125.74/upd_file3.zip
- {BLOCKED}8.2{BLOCKED}4.215.92/upd_file3.zip
It deletes itself after execution.