Win32/Upatre.BI - Part TwoConfig

This is the second part of the four part series on "Win32/Upatre.BI". Check out the other parts here:

The first blog post of the series on Upatre showed how to unpack the malware. You can download the unpacked sample from malwr.com if you like to retrace my reversing steps.

This second part focuses on the configuration of Upatre. The first section presents the format of the data structures used to store configuration details, such as

  • the executable name
  • the C2 address, port, and root directory
  • the urls that host the (encrypted) malware downloads
  • the keys to decrypt and validate the downloaded content

The second section then employs a small IDA script to extract and format the configuration information of ten samples (including the unpacked one). All analysed samples use the same configuration format, but they use it in slightly different ways. For example, all Upatre samples decrypt downloaded content with a key from the configuration file, but the key-scheduling algorithm might be different. I list the differences in the overview, but elaborate on the details in the upcoming blog post on Upatre.

Format of Upatre’s Configuration

Introduction

As mentioned in part one, the unpacked code is position independent. All functions and global variable are accessed by a global offset table. This offset table is located at the start of the .text section. Upatre gets the absolute address of the offset table by rounding down the EIP — which it obtains by a fake call — to the page boundary. It then adds the six offsets (stored as WORDs) to the base address to obtain a table of absolute addresses:

.text:0040127A                 call    $+5
.text:0040127F                 pop     eax
.text:00401280                 sub     esp, 64h
.text:00401283                 mov     ebp, esp
.text:00401285                 and     ax, 0F000h
.text:00401289                 add     esp, 0FFFFFF7Ch
.text:0040128F                 push    6
.text:00401291                 pop     ecx
.text:00401292                 push    eax
.text:00401293                 lea     eax, [ebp+64h+global_address_table]
.text:00401296                 pop     esi
.text:00401297                 mov     edi, eax
.text:00401299                 mov     ebx, esi
.text:0040129B
.text:0040129B loc_40129B:                       
.text:0040129B                 xor     eax, eax
.text:0040129D                 lodsw
.text:0040129F                 add     eax, ebx
.text:004012A1                 stosd
.text:004012A2                 loop    loc_40129B

The following table shows the six entries of the offset table. The address column shows the resulting absolute address given the .text section starts at 0x401000:

row offset address type name
0 1380h 0x402380 data config
2 Ch 0x40100C subroutine fetch_and_advance
4 14h 0x401014 subroutine decrypt_strings_and_get_os_infos
6 138h 0x401138 subroutine get_decrypted_string_by_index
8 13Fh 0x40113F subroutine get_field_of_target
10 14Dh 0x40114D subroutine send_user_infos

The first row points to the configuration data. The routines fetch_and_advance, get_decrypted_strings and get_field_of_target are stubs to access the data structures. Half of the decrypt_strings_and_get_os_infos routine, namely the decryption part, is discussed in this post, the remaining half, as well as the routine send_user_infos, follow in the third part.

Upatre uses one large structure as its configuration — referenced by the first entry of the global offset table. The config information is read inside decrypt_strings_and_get_os_infos which reveals most of the format. The following illustration shows an overview of the config data structure with example values from the examined sample:

Port

The first two bytes of the config denote the lowest port address used in C2 communications. Each time the port referenced a random number of up to 3 is added, which results in a port range of four ports:

.text:00401786 FF 93 00 11 00 00       call    [ebx+imports.GetTickCount]
.text:0040178C 83 E0 03                and     eax, 3
.text:0040178F 03 45 C8                add     eax, [ebp+64h+port]

(Encrypted) Strings

Starting at offset 0x2 the config contains a list of strings. Each string is zero-terminated. For example:

36 60 36 60 00 36 60 4F  36 60 00 7C 63 76 7D 00

Some samples store the strings in plaintext; my sample used the XOR key 0x13 to obfuscate the strings. The strings are first decrypted — if necessary — and then stored as Unicode in a newly allocated sections. The above list of encrypted strings, for instance, becomes:

25 00 73 00 25 00 73 00  00 00 25 00 73 00 5C 00  %.s.%.s...%.s.\.
25 00 73 00 00 00 6F 00  70 00 65 00 6E 00 00 00  %.s...o.p.e.n...

which represents the strings “%s%s”, “%s\%s” and “open”. Upatre also stores the pointers to the decrypted string in an array of pointers:

02854FE0 dd offset aSS                           ; *%s%s*
02854FE4 dd offset aSS_0                         ; *%s\\%s*
02854FE8 dd offset aOpen                         ; *open*
...

The list of strings is terminated by byte 0x01, which is neither a printable ASCII character itself, nor decrypts to one. All above steps are performed by the following snippet.

.text:00401034     next_string:                        
.text:00401034     mov     [ebx], edi
.text:00401036     add     ebx, 4
.text:00401039
.text:00401039     next_letter:                       
.text:00401039     lodsb
.text:0040103A     cmp     al, 1
.text:0040103C     jz      short all_strings_done     
.text:0040103E     test    al, al
.text:00401040     jz      short loc_401044
.text:00401042     xor     al, 13h
.text:00401044
.text:00401044     loc_401044:                       
.text:00401044     stosw
.text:00401046     inc     ecx
.text:00401047     test    al, al
.text:00401049     jnz     short next_letter
.text:0040104B     jmp     short next_string
.text:0040104D     ; ----------------------------------------

The following helper subroutine is used to get a decrypted string by an index passed in ecx:

.text:00401138 ; ecx = index
.text:00401138 ; Attributes: bp-based frame
.text:00401138
.text:00401138 get_decrypted_string_by_index proc near
.text:00401138
.text:00401138 decrypted_strings= dword ptr  60h
.text:00401138
.text:00401138 mov     eax, [ebp+decrypted_strings]
.text:0040113B mov     eax, [eax+ecx*4]
.text:0040113E retn
.text:0040113E get_decrypted_string_by_index

Some of the strings have a predefined purpose:

index example meaning
3 text/* first accept-type of the downloads
4 application/* second accept-type of the downloads
6 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0 user-agent
7 wevadez.exe exe name of Upatre
8 LogE83.tmp temp file used to store downloaded content

The remaining strings are dull (like the format string %s%s), or referenced by the targets which are discussed later.

Decryption Keys

Upatre is mainly a downloader for other malware. The downloaded content, as will be shown in the fourth part of this blog series, is encrypted with a four byte key. The keys are stored in a variable sized array, with the number of elements indicated by one byte at the start of the array. For example, my samples stores one key:

.rdata:004025D9 db    1
.rdata:004025DA dd 3CB1A338h

Check Keys

Upatre also validates the decrypted downloads by comparing four bytes of the download to a second key. These keys are again stored in a variable sized array following the decryption keys, for example:

.rdata:004025DE db    1
.rdata:004025DF dd 6B5519C2h

Edit June 17, 2015: Some Upatre samples have no check keys. They use a simplified payload format, see the fourth part of this blog series.

Network Targets

After the two key arrays follows another array which contains information about the network targets. Each network target — except for the C2 server address — is represented by a 7 byte data structure (Edit: older samples use 6 bytes per target). Again a one byte value at the start denotes the size of the array, for example:

.rdata:004025E3  db  11h
.rdata:004025E4  target <2Dh, 0Bh, 0Ch, 0, 0, 0Ah, 0>
.rdata:004025EB  target <2Dh, 0Dh, 0Eh, 0, 0, 0Ah, 0>
.rdata:004025F2  target <2Dh, 0Fh, 10h, 0, 0, 0Ah, 0>
.rdata:004025F9  target <2Dh, 11h, 12h, 0, 0, 0Ah, 0>
.rdata:00402600  target <2Dh, 13h, 14h, 0, 0, 0Ah, 0>

Upatre uses the following slim subroutine to access fields of a specific target:

.text:0040113F get_field_of_target
.text:0040113F
.text:0040113F targets= dword ptr -80h
.text:0040113F var_1C= dword ptr -1Ch
.text:0040113F
.text:0040113F movzx   ecx, ah
.text:00401142 xor     ah, ah
.text:00401144 add     ecx, [ebp+64h+targets]
.text:00401147 mov     eax, [ecx+eax*8]
.text:0040114A xor     ecx, ecx
.text:0040114C retn
.text:0040114C get_field_of_target

The subroutine has two arguments: the target number passed in register al, and the desired field in ah. The subroutine returns four consecutive fields in register eax. Of this return value sometimes al is used, in this case argument ah corresponds to the retrieved field index. In other cases ah is accessed, which means for argument ah the field ah + 1 is accessed. By looking at all calls to the get_field_of_target-subroutine, one can quickly find out the purpose of most fields.

1st Field - C2 root directory

The first field of a target is needed when the target is used as C2 callback, i.e., as a receiver for user information. In those cases the first value of the first field serves as the index into the array of decrypted strings:

.text:00401158 mov     edi, [ebp+64h+path]
.text:0040115B push    '/'
.text:0040115D pop     eax
.text:0040115E stosw
.text:00401160 mov     eax, [ebp+64h+ip_nr]
.text:00401163 call    [ebp+64h+get_field_of_target]
.text:00401166 movzx   ecx, al
.text:00401169 call    [ebp+64h+get_decrypted_strings]
...
(string is copied to path)

The referenced string is used as the root directory of HTTP GET requests to the C2 host (the details follow in the third part of this blog series).

2nd Field - Server Name

Here is an example where a target’s second field is referenced:

.text:0040163B mov     eax, ecx        ; tar_nr
.text:0040163D call    [ebp+64h+get_field_of_target]
.text:00401640 mov     cl, ah
.text:00401642 call    [ebp+64h+get_decrypted_string_by_index]
.text:00401645 push    eax
.text:00401646 push    [ebp+64h+hInternetOpenHandle]
.text:00401649 call    [ebx+imports.InternetConnectW]

The resulting value is used to fetch a decrypted string, which in turn is then used as the server name for the InternetConnectW call. The field can also be -1, in these cases the target is skipped:

.text:004015A4 check_target_index:
.text:004015A4 mov     [ebp+64h+tar_nr], eax
.text:004015A7 call    [ebp+64h+get_field_of_target]
.text:004015AA inc     ah
.text:004015AC jz      short next_ip

3rd Field - Download Path

The following snippet first reads the third field of a target.

.text:0040167E mov     ah, 1
.text:00401680 call    [ebp+64h+get_field_of_target]
.text:00401683 mov     cl, ah
.text:00401685 call    [ebp+64h+get_decrypted_string_by_index]
.text:00401688 push    eax
.text:00401689 push    esi
.text:0040168A push    edi
.text:0040168B call    [ebx+imports.HttpOpenRequestW]

The field value is used to reference a decrypted string, which is used as the target of the HttpOpenRequestW call. The third field denotes the url path for the second stage downloads.

4rd Field - Key Index

The fourth field of a target is read in the following snippet. It is used as index into the download keys array:

.text:0040180B mov     eax, [ebp+64h+tar_nr]
.text:0040180E mov     ah, 2
.text:00401810 call    [ebp+64h+get_field_of_target]
.text:00401813 mov     cl, ah
.text:00401815 shl     ecx, 2
.text:00401818 mov     eax, [ebp+64h+download_keys]

In a similar call, the same field is used to index the check keys:

.text:00401857 mov     eax, [ebp+64h+tar_nr]
.text:0040185A inc     ah
.text:0040185C inc     ah
.text:0040185E call    [ebp+64h+get_field_of_target]
.text:00401861 mov     cl, ah
.text:00401863 shl     ecx, 2
.text:00401866 mov     eax, [ebp+64h+check_keys]

6th Field - Another Exe Filename

The sixth fields points to a decrypted exe filename. This filename is not used in the my samples — maybe the filename is used by the downloaded payload (which I didn’t analyse).

Purpose of Targets

The first entry in the targets list has a special meaning for all except one sample: it is used to determine the IP address of the victim. All samples with client IP detection used the icanhazip.com website. The remaining targets are used to host the second stage malware.

Observed Config Files

Edit: Added three more samples (June 17th, 2015). This section shows the config files of 10 different samples. The config files were read with the following IDA Pro script:

def print_row(a, b, c=""):
    print("{:<15} | {:<40} | {}".format(a, b, c))

def get_keys(ea):
    keys = []
    nr_keys = Byte(ea)
    ea += 1
    for i in range(nr_keys):
        keys.append(Dword(ea)); ea += 4

    return keys, ea

def print_keys(keys, type_):
    keys_str = ", ".join(["{:08x}".format(k) for k in keys])
    s = "s" if len(keys) > 1 else ""
    print_row("{} {} key{}".format(len(keys), type_, s),  keys_str)

def get_target_info(target, strings):
    id_ = strings[target[0]]
    url = "{}{}".format(strings[target[1]], strings[target[2]])
    file_ = strings[target[5]]
    return url, id_, file_

print_row("field", "value", "comment")
print_row("---", "---", "---")

ea = ScreenEA()
enc = AskYN(1, "are the string encrypted?")

# port
port = Word(ea); ea += 2

# strings 
strings = []
s = ""
while Byte(ea) != 1:
    b = Byte(ea)
    if b and enc:
        b ^= 0x13
    if not b:
        strings.append(s)
        s = ""
    else:
        s += chr(b)
    ea += 1


# string infos
print_row("port", port, "range {0}-{1}".format(port, port+3))
print_row("accept-type", "{}, {}".format(strings[3], strings[4]))
print_row("user-agent", strings[6])
print_row("malware name", strings[7],  "in %Temp% folder")
print_row("temp file", strings[8], "in %Temp% folder")

#  keys
ea += 1
dec_keys, ea = get_keys(ea)
print_keys(dec_keys, "decryption")
check_keys, ea = get_keys(ea)
print_keys(check_keys, "check")


# C2 server
print_row("C2 server", strings[9])

# targets
nr_targets = Byte(ea); ea += 1
print_row("nr of targets", "{}".format(nr_targets))
for k in range(nr_targets):
    target = []
    for l in range(7):
        target.append(Byte(ea)); ea += 1
    url, id_, file_= get_target_info(target, strings)
    if k == 0:
        usage = "client ip"
        url = "http://" + url
        extra = ""
    else:
        usage = "download {}".format(k)
        url = "https://" + url
        extra = "id = {}, file = {}".format(id_, file_)

    print_row(usage, url, extra) 

All samples were obtained from malwr.com and are shared by the uploader. I use the first eight letters of the hex representation of the MD5 sum as identifier. For each samples I also list the following:

  • whether or not the strings are encrypted
  • whether the first target is used to determine the client’s IP
  • which key-scheduling instruction is used to decrypt downloads. The decryption algorithm is shown in the fourth and last part of this series.

The values after id = denote the root directory used in C2 callbacks. The value after file = is the executable name presumably used by second stage payloads.

Sample 0x7347d213

(This is the sample from this blog post). Sample information:

MD5 7347d2130ab55eac7d6413ee2b515cf1
string encryption yes
client ip yes
key scheduling dec

Configuration:

field value comment
port 13380 range 13380-13383
accept-type text/*, application/*  
user-agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0  
malware name wevadez.exe in %Temp% folder
temp file LogE83.tmp in %Temp% folder
decryption key 3cb1a338  
check key 6b5519c2  
C2 server 91.211.17.201  
nr of targets 17  
client ip http://icanhazip.com/  
download 1 https://95.143.141.50/picc21.png id = PS21, file = hV.exe
download 2 https://92.38.41.38/picc21.png id = PS21, file = hV.exe
download 3 https://95.143.130.63/picc21.png id = PS21, file = hV.exe
download 4 https://95.143.131.160/picc21.png id = PS21, file = hV.exe
download 5 https://95.143.128.70/picc21.png id = PS21, file = hV.exe
download 6 https://87.249.149.40/picc21.png id = PS21, file = hV.exe
download 7 https://195.146.118.46/picc21.png id = PS21, file = hV.exe
download 8 https://77.48.30.156/picc21.png id = PS21, file = hV.exe
download 9 https://91.221.217.139/picc21.png id = PS21, file = hV.exe
download 10 https://77.95.195.68/picc21.png id = PS21, file = hV.exe
download 11 https://81.90.164.134/picc21.png id = PS21, file = hV.exe
download 12 https://109.75.154.46/picc21.png id = PS21, file = hV.exe
download 13 https://95.143.134.103/picc21.png id = PS21, file = hV.exe
download 14 https://216.245.211.242/picc21.png id = PS21, file = hV.exe
download 15 https://95.143.131.73/picc21.png id = PS21, file = hV.exe
download 16 https://95.143.132.118/picc21.png id = PS21, file = hV.exe

Sample 0xbda3abd2

Sample information:

MD5 bda3abd2f2a632873baee0fb78fd2813
string encryption no
client ip yes
key scheduling rol

Configuration:

field value comment
port 13068 range 13068-13071
accept-type text/*, application/*  
user-agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0  
malware name Pisynika.exe in %Temp% folder
temp file PSC352.tmp in %Temp% folder
decryption key 523ea087  
check key 2b2f8604  
C2 server 188.120.194.101  
nr of targets 21  
client ip http://icanhazip.com/  
download 1 https://69.163.81.211/pictna.png id = NA, file = AW0.exe
download 2 https://216.254.231.11/pictna.png id = NA, file = AW0.exe
download 3 https://24.33.131.116/pictna.png id = NA, file = AW0.exe
download 4 https://68.119.5.32/pictna.png id = NA, file = AW0.exe
download 5 https://71.194.36.73/pictna.png id = NA, file = AW0.exe
download 6 https://97.92.125.74/pictna.png id = NA, file = AW0.exe
download 7 https://98.204.215.92/pictna.png id = NA, file = AW0.exe
download 8 https://70.121.191.206/pictna.png id = NA, file = AW0.exe
download 9 https://72.230.82.80/pictna.png id = NA, file = AW0.exe
download 10 https://178.214.221.89/pictna.png id = NA, file = AW0.exe
download 11 https://173.248.22.227/pictna.png id = NA, file = AW0.exe
download 12 https://173.248.31.1/pictna.png id = NA, file = AW0.exe
download 13 https://173.248.31.6/pictna.png id = NA, file = AW0.exe
download 14 https://188.255.236.2/pictna.png id = NA, file = AW0.exe
download 15 https://188.255.167.4/pictna.png id = NA, file = AW0.exe
download 16 https://173.248.27.163/pictna.png id = NA, file = AW0.exe
download 17 https://173.243.255.79/pictna.png id = NA, file = AW0.exe
download 18 https://69.9.204.114/pictna.png id = NA, file = AW0.exe
download 19 https://73.175.203.173/pictna.png id = NA, file = AW0.exe
download 20 https://188.255.239.34/pictna.png id = NA, file = AW0.exe

Sample 0x95e79d9a

Sample information:

MD5 95e79d9abcc0735d3ce79d75c4cea1ae
string encryption yes
client ip yes
key scheduling dec

Configuration:

field value comment
port 13176 range 13176-13179
accept-type text/, application/  
user-agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0  
malware name nyupodyt.exe in %Temp% folder
temp file ~DR7892.txt in %Temp% folder
decryption key 71a588f1  
check key 4e1a87a9  
C2 server 93.185.4.90  
nr of targets 16  
client ip http://icanhazip.com/ id = KTA12, file = pBQ.exe
download 1 https://178.214.221.89/kisty12.pdf id = KTA12, file = pBQ.exe
download 2 https://188.255.142.250/kisty12.pdf id = KTA12, file = pBQ.exe
download 3 https://37.57.144.177/kisty12.pdf id = KTA12, file = pBQ.exe
download 4 https://173.248.22.227/kisty12.pdf id = KTA12, file = pBQ.exe
download 5 https://173.248.31.1/kisty12.pdf id = KTA12, file = pBQ.exe
download 6 https://173.248.31.6/kisty12.pdf id = KTA12, file = pBQ.exe
download 7 https://173.248.16.79/kisty12.pdf id = KTA12, file = pBQ.exe
download 8 https://24.240.107.12/kisty12.pdf id = KTA12, file = pBQ.exe
download 9 https://173.248.29.213/kisty12.pdf id = KTA12, file = pBQ.exe
download 10 https://173.248.20.145/kisty12.pdf id = KTA12, file = pBQ.exe
download 11 https://173.248.27.163/kisty12.pdf id = KTA12, file = pBQ.exe
download 12 https://173.243.255.79/kisty12.pdf id = KTA12, file = pBQ.exe
download 13 https://69.9.204.114/kisty12.pdf id = KTA12, file = pBQ.exe
download 14 https://73.175.203.173/kisty12.pdf id = KTA12, file = pBQ.exe
download 15 https://38.124.72.224/kisty12.pdf id = KTA12, file = pBQ.exe

Sample 0x457f0283

Sample information:

MD5 457f0283c17b00b29e335829f6a716fd
string encryption no
client ip yes
key scheduling rol

Configuration:

field value comment
port 13068 range 13068-13071
accept-type text/*, application/*  
user-agent Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.36 (KHTML, like Gecko) Chrome/42.0.2357.81 Safari/536.36  
malware name uticopfull.exe in %Temp% folder
temp file UticopSetup.log in %Temp% folder
decryption key 2B415B20  
check key 64FDFF57  
C2 server 188.120.194.101  
nr of targets 16  
client ip http://icanhazip.com/  
download 1 216.51.193.145/taser4.png id = SALE4, file = xD8.exe
download 2 96.46.103.232/taser4.png id = SALE4, file = xD8.exe
download 3 68.70.242.203/taser4.png id = SALE4, file = xD8.exe
download 4 66.215.30.118/taser4.png id = SALE4, file = xD8.exe
download 5 107.161.207.151/taser4.png id = SALE4, file = xD8.exe
download 6 31.131.142.204/taser4.png id = SALE4, file = xD8.exe
download 7 96.46.99.183/taser4.png id = SALE4, file = xD8.exe
download 8 188.255.175.252/taser4.png id = SALE4, file = xD8.exe
download 9 96.46.100.49/taser4.png id = SALE4, file = xD8.exe
download 10 64.111.36.52/taser4.png id = SALE4, file = xD8.exe
download 11 38.124.74.146/taser4.png id = SALE4, file = xD8.exe
download 12 38.124.69.206/taser4.png id = SALE4, file = xD8.exe
download 13 38.124.174.66/taser4.png id = SALE4, file = xD8.exe
download 14 38.124.74.146/taser4.png id = SALE4, file = xD8.exe
download 15 38.124.174.213/taser4.png id = SALE4, file = xD8.exe

Sample 0x105beb32

Sample information:

MD5 105beb3223cbff3641cbe881bc4fbf45
string encryption yes
client ip yes
key scheduling rol

Configuration:

field value comment
port 13100 range 13100-13103
accept-type text/*, application/*  
user-agent Mozilla/5.0 (Windows NT 6.1) AppleWebKit/538.37 (KHTML, like Gecko) Chrome/44.0.2457.82 Safari/538.37  
malware name Mivinad.exe in %Temp% folder
temp file Mivi-738.log in %Temp% folder
decryption key 3e51cf28  
check key 74090789  
C2 server 188.120.194.101  
nr of targets 20  
client ip http://icanhazip.com/  
download 1 https://78.32.124.231/j11.zip id = AMG11, file = lL8.exe
download 2 https://76.105.248.137/j11.zip id = AMG11, file = lL8.exe
download 3 https://75.132.173.27/j11.zip id = AMG11, file = lL8.exe
download 4 https://76.84.81.120/j11.zip id = AMG11, file = lL8.exe
download 5 https://76.28.92.4/j11.zip id = AMG11, file = lL8.exe
download 6 https://65.74.106.143/j11.zip id = AMG11, file = lL8.exe
download 7 https://66.191.25.136/j11.zip id = AMG11, file = lL8.exe
download 8 https://98.222.64.184/j11.zip id = AMG11, file = lL8.exe
download 9 https://69.144.171.44/j11.zip id = AMG11, file = lL8.exe
download 10 https://65.33.236.173/j11.zip id = AMG11, file = lL8.exe
download 11 https://66.227.223.219/j11.zip id = AMG11, file = lL8.exe
download 12 https://96.37.204.12/j11.zip id = AMG11, file = lL8.exe
download 13 https://66.196.63.33/j11.zip id = AMG11, file = lL8.exe
download 14 https://69.142.124.76/j11.zip id = AMG11, file = lL8.exe
download 15 https://216.16.93.250/j11.zip id = AMG11, file = lL8.exe
download 16 https://24.19.25.40/j11.zip id = AMG11, file = lL8.exe
download 17 https://98.246.210.27/j11.zip id = AMG11, file = lL8.exe
download 18 https://66.196.61.218/j11.zip id = AMG11, file = lL8.exe
download 19 https://71.99.130.24/j11.zip id = AMG11, file = lL8.exe

Sample 0x8d00dfdc

Sample information:

MD5 8d00dfdc4d7932b8db5322ce439cd44b
string encryption no
client ip yes
key scheduling rol

Configuration:

field value comment
port 13096 range 13096-13099
accept-type text/*, application/*  
user-agent Mozilla/5.0 (Windows NT 6.1) AppleWebKit/538.37 (KHTML, like Gecko) Chrome/44.0.2457.82 Safari/538.37  
malware name Gycijaba.exe in %Temp% folder
temp file Gyci7EC9.txt in %Temp% folder
decryption key 3e51cf28  
check key 74090789  
C2 server 188.120.194.101  
nr of targets 20  
client ip http://icanhazip.com/  
download 1 https://78.32.124.231/ua.png id = UAM, file = Ner5.exe
download 2 https://76.105.248.137/ua.png id = UAM, file = Ner5.exe
download 3 https://75.132.173.27/ua.png id = UAM, file = Ner5.exe
download 4 https://76.84.81.120/ua.png id = UAM, file = Ner5.exe
download 5 https://76.28.92.4/ua.png id = UAM, file = Ner5.exe
download 6 https://65.74.106.143/ua.png id = UAM, file = Ner5.exe
download 7 https://66.191.25.136/ua.png id = UAM, file = Ner5.exe
download 8 https://98.222.64.184/ua.png id = UAM, file = Ner5.exe
download 9 https://69.144.171.44/ua.png id = UAM, file = Ner5.exe
download 10 https://65.33.236.173/ua.png id = UAM, file = Ner5.exe
download 11 https://66.227.223.219/ua.png id = UAM, file = Ner5.exe
download 12 https://96.37.204.12/ua.png id = UAM, file = Ner5.exe
download 13 https://66.196.63.33/ua.png id = UAM, file = Ner5.exe
download 14 https://69.142.124.76/ua.png id = UAM, file = Ner5.exe
download 15 https://216.16.93.250/ua.png id = UAM, file = Ner5.exe
download 16 https://24.19.25.40/ua.png id = UAM, file = Ner5.exe
download 17 https://98.246.210.27/ua.png id = UAM, file = Ner5.exe
download 18 https://66.196.61.218/ua.png id = UAM, file = Ner5.exe
download 19 https://71.99.130.24/ua.png id = UAM, file = Ner5.exe

Sample 0x98b126f5

Sample information:

MD5 98b126f52ca20fd89eafceed795cee15
string encryption no
client ip no
key scheduling inc

Configuration:

field value comment
port 41300 range 41300-41303
accept-type text/, application/  
user-agent Mazilla/4.0  
malware name mscodecs.exe in %Temp% folder
temp file auat498.tmp in %Temp% folder
decryption key 33c13e3c  
check key 74e7fc60  
C2 server 202.153.35.133  
nr of targets 2  
download 1 http://photolife.ir/logfiles/doc_ku11.pdf id = 2301uk11, file = cOFrcJtt.exe
download 2 https://carrozzeriavolta.com/mandoc/doc_ku11.pdf id = 2301uk11, file = cOFrcJtt.exe

Sample 0x07ea0d7c

Sample information:

MD5 07ea0d7c04af3520da43f38ef8211aa8
string encryption no
client ip yes
key scheduling dec
method this sample uses the simplified payload format without decryption keys and temp file name.

Configuration:

field value comment
port 13164 range 13164-13167
accept-type text/, application/  
user-agent Mozilla/5.0 (Windows NT 6.1) AppleWebKit/538.37 (KHTML, like Gecko) Chrome/44.0.2457.82 Safari/538.37  
malware name razacer.exe in %Temp% folder
decryption key 55c28387  
C2 server 188.120.194.101  
nr of targets 51  
client ip http://icanhazip.com/ id = Img12, file = eprath.exe
download 1 https://173.248.29.43/im12.png id = Img12, file = eprath.exe
download 2 https://109.86.226.85/im12.png id = Img12, file = eprath.exe
download 3 https://24.220.92.193/im12.png id = Img12, file = eprath.exe
download 4 https://176.36.251.208/im12.png id = Img12, file = eprath.exe
download 5 https://188.255.165.154/im12.png id = Img12, file = eprath.exe
download 6 https://173.216.240.56/im12.png id = Img12, file = eprath.exe
download 7 https://68.190.246.142/im12.png id = Img12, file = eprath.exe
download 8 https://188.255.169.176/im12.png id = Img12, file = eprath.exe
download 9 https://75.137.112.81/im12.png id = Img12, file = eprath.exe
download 10 https://69.163.81.211/im12.png id = Img12, file = eprath.exe
download 11 https://216.254.231.11/im12.png id = Img12, file = eprath.exe
download 12 https://24.33.131.116/im12.png id = Img12, file = eprath.exe
download 13 https://68.119.5.32/im12.png id = Img12, file = eprath.exe
download 14 https://97.92.125.74/im12.png id = Img12, file = eprath.exe
download 15 https://98.204.215.92/im12.png id = Img12, file = eprath.exe
download 16 https://72.230.82.80/im12.png id = Img12, file = eprath.exe
download 17 https://208.123.130.173/im12.png id = Img12, file = eprath.exe
download 18 https://178.214.221.89/im12.png id = Img12, file = eprath.exe
download 19 https://173.248.22.227/im12.png id = Img12, file = eprath.exe
download 20 https://173.248.31.1/im12.png id = Img12, file = eprath.exe
download 21 https://173.248.31.6/im12.png id = Img12, file = eprath.exe
download 22 https://173.248.27.163/im12.png id = Img12, file = eprath.exe
download 23 https://173.243.255.79/im12.png id = Img12, file = eprath.exe
download 24 https://69.9.204.114/im12.png id = Img12, file = eprath.exe
download 25 https://73.175.203.173/im12.png id = Img12, file = eprath.exe
download 26 https://188.255.239.34/im12.png id = Img12, file = eprath.exe
download 27 https://75.132.173.27/im12.png id = Img12, file = eprath.exe
download 28 https://76.28.92.4/im12.png id = Img12, file = eprath.exe
download 29 https://71.194.36.73/im12.png id = Img12, file = eprath.exe
download 30 https://98.222.64.184/im12.png id = Img12, file = eprath.exe
download 31 https://69.144.171.44/im12.png id = Img12, file = eprath.exe
download 32 https://65.33.236.173/im12.png id = Img12, file = eprath.exe
download 33 https://66.227.223.219/im12.png id = Img12, file = eprath.exe
download 34 https://96.37.204.12/im12.png id = Img12, file = eprath.exe
download 35 https://66.196.63.33/im12.png id = Img12, file = eprath.exe
download 36 https://71.99.130.24/im12.png id = Img12, file = eprath.exe
download 37 https://216.16.93.250/im12.png id = Img12, file = eprath.exe
download 38 https://24.19.25.40/im12.png id = Img12, file = eprath.exe
download 39 https://98.246.210.27/im12.png id = Img12, file = eprath.exe
download 40 https://66.196.61.218/im12.png id = Img12, file = eprath.exe
download 41 https://69.180.128.71/im12.png id = Img12, file = eprath.exe
download 42 https://98.214.11.253/im12.png id = Img12, file = eprath.exe
download 43 https://24.148.217.188/im12.png id = Img12, file = eprath.exe
download 44 https://98.209.75.164/im12.png id = Img12, file = eprath.exe
download 45 https://76.105.248.137/im12.png id = Img12, file = eprath.exe
download 46 https://67.239.210.131/im12.png id = Img12, file = eprath.exe
download 47 https://173.216.247.74/im12.png id = Img12, file = eprath.exe
download 48 https://64.111.36.35/im12.png id = Img12, file = eprath.exe
download 49 https://69.9.204.16/im12.png id = Img12, file = eprath.exe
download 50 https://77.48.30.156/im12.png id = Img12, file = eprath.exe

Sample 0x7422731b

Sample information:

MD5 7422731bbe817e85dbac70f3f98243b6
string encryption yes
client ip yes
key scheduling dec
method this sample uses the simplified payload format without decryption keys and temp file name.
field value comment
port 13140 range 13140-13143
accept-type text/, application/  
user-agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0  
malware name bijaweed.exe in %Temp% folder
decryption key 27185cd3  
C2 server 188.120.194.101  
nr of targets 53  
client ip http://icanhazip.com/ id = Tos21, file = uxajake.exe
download 1 https://173.248.29.43/tos21.zip id = Tos21, file = uxajake.exe
download 2 https://109.86.226.85/tos21.zip id = Tos21, file = uxajake.exe
download 3 https://24.220.92.193/tos21.zip id = Tos21, file = uxajake.exe
download 4 https://176.36.251.208/tos21.zip id = Tos21, file = uxajake.exe
download 5 https://188.255.165.154/tos21.zip id = Tos21, file = uxajake.exe
download 6 https://173.216.240.56/tos21.zip id = Tos21, file = uxajake.exe
download 7 https://68.190.246.142/tos21.zip id = Tos21, file = uxajake.exe
download 8 https://188.255.169.176/tos21.zip id = Tos21, file = uxajake.exe
download 9 https://162.255.126.8/tos21.zip id = Tos21, file = uxajake.exe
download 10 https://75.137.112.81/tos21.zip id = Tos21, file = uxajake.exe
download 11 https://69.163.81.211/tos21.zip id = Tos21, file = uxajake.exe
download 12 https://216.254.231.11/tos21.zip id = Tos21, file = uxajake.exe
download 13 https://24.33.131.116/tos21.zip id = Tos21, file = uxajake.exe
download 14 https://68.119.5.32/tos21.zip id = Tos21, file = uxajake.exe
download 15 https://71.194.36.73/tos21.zip id = Tos21, file = uxajake.exe
download 16 https://97.92.125.74/tos21.zip id = Tos21, file = uxajake.exe
download 17 https://98.204.215.92/tos21.zip id = Tos21, file = uxajake.exe
download 18 https://72.230.82.80/tos21.zip id = Tos21, file = uxajake.exe
download 19 https://208.123.130.173/tos21.zip id = Tos21, file = uxajake.exe
download 20 https://178.214.221.89/tos21.zip id = Tos21, file = uxajake.exe
download 21 https://173.248.22.227/tos21.zip id = Tos21, file = uxajake.exe
download 22 https://173.248.31.1/tos21.zip id = Tos21, file = uxajake.exe
download 23 https://173.248.31.6/tos21.zip id = Tos21, file = uxajake.exe
download 24 https://173.248.27.163/tos21.zip id = Tos21, file = uxajake.exe
download 25 https://173.243.255.79/tos21.zip id = Tos21, file = uxajake.exe
download 26 https://69.9.204.114/tos21.zip id = Tos21, file = uxajake.exe
download 27 https://73.175.203.173/tos21.zip id = Tos21, file = uxajake.exe
download 28 https://188.255.239.34/tos21.zip id = Tos21, file = uxajake.exe
download 29 https://75.132.173.27/tos21.zip id = Tos21, file = uxajake.exe
download 30 https://76.84.81.120/tos21.zip id = Tos21, file = uxajake.exe
download 31 https://76.28.92.4/tos21.zip id = Tos21, file = uxajake.exe
download 32 https://65.74.106.143/tos21.zip id = Tos21, file = uxajake.exe
download 33 https://98.222.64.184/tos21.zip id = Tos21, file = uxajake.exe
download 34 https://69.144.171.44/tos21.zip id = Tos21, file = uxajake.exe
download 35 https://65.33.236.173/tos21.zip id = Tos21, file = uxajake.exe
download 36 https://66.227.223.219/tos21.zip id = Tos21, file = uxajake.exe
download 37 https://96.37.204.12/tos21.zip id = Tos21, file = uxajake.exe
download 38 https://66.196.63.33/tos21.zip id = Tos21, file = uxajake.exe
download 39 https://71.99.130.24/tos21.zip id = Tos21, file = uxajake.exe
download 40 https://216.16.93.250/tos21.zip id = Tos21, file = uxajake.exe
download 41 https://24.19.25.40/tos21.zip id = Tos21, file = uxajake.exe
download 42 https://98.246.210.27/tos21.zip id = Tos21, file = uxajake.exe
download 43 https://66.196.61.218/tos21.zip id = Tos21, file = uxajake.exe
download 44 https://69.180.128.71/tos21.zip id = Tos21, file = uxajake.exe
download 45 https://98.214.11.253/tos21.zip id = Tos21, file = uxajake.exe
download 46 https://24.148.217.188/tos21.zip id = Tos21, file = uxajake.exe
download 47 https://98.209.75.164/tos21.zip id = Tos21, file = uxajake.exe
download 48 https://76.105.248.137/tos21.zip id = Tos21, file = uxajake.exe
download 49 https://67.239.210.131/tos21.zip id = Tos21, file = uxajake.exe
download 50 https://173.216.247.74/tos21.zip id = Tos21, file = uxajake.exe
download 51 https://64.111.36.35/tos21.zip id = Tos21, file = uxajake.exe
download 52 https://69.9.204.16/tos21.zip id = Tos21, file = uxajake.exe

Sample 0x846cb698

Sample information:

MD5 846cb6984114499978d4fe29b5f5afa7
string encryption no
client ip yes
key scheduling rol
field value comment
port 13152 range 13152-13155
accept-type text/, application/  
user-agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0  
malware name fihatyka.exe in %Temp% folder
temp file FIH_244D.log in %Temp% folder
decryption key 5b244d31  
check key 0250f3d8  
C2 server 188.120.194.101  
nr of targets 51  
client ip http://icanhazip.com/ id = 211, file = QZP1.exe
download 1 https://173.248.29.43/f2011.zip id = 211, file = QZP1.exe
download 2 https://109.86.226.85/f2011.zip id = 211, file = QZP1.exe
download 3 https://24.220.92.193/f2011.zip id = 211, file = QZP1.exe
download 4 https://176.36.251.208/f2011.zip id = 211, file = QZP1.exe
download 5 https://188.255.165.154/f2011.zip id = 211, file = QZP1.exe
download 6 https://173.216.240.56/f2011.zip id = 211, file = QZP1.exe
download 7 https://68.190.246.142/f2011.zip id = 211, file = QZP1.exe
download 8 https://188.255.169.176/f2011.zip id = 211, file = QZP1.exe
download 9 https://75.137.112.81/f2011.zip id = 211, file = QZP1.exe
download 10 https://69.163.81.211/f2011.zip id = 211, file = QZP1.exe
download 11 https://216.254.231.11/f2011.zip id = 211, file = QZP1.exe
download 12 https://24.33.131.116/f2011.zip id = 211, file = QZP1.exe
download 13 https://68.119.5.32/f2011.zip id = 211, file = QZP1.exe
download 14 https://97.92.125.74/f2011.zip id = 211, file = QZP1.exe
download 15 https://98.204.215.92/f2011.zip id = 211, file = QZP1.exe
download 16 https://72.230.82.80/f2011.zip id = 211, file = QZP1.exe
download 17 https://208.123.130.173/f2011.zip id = 211, file = QZP1.exe
download 18 https://178.214.221.89/f2011.zip id = 211, file = QZP1.exe
download 19 https://173.248.22.227/f2011.zip id = 211, file = QZP1.exe
download 20 https://173.248.31.1/f2011.zip id = 211, file = QZP1.exe
download 21 https://173.248.31.6/f2011.zip id = 211, file = QZP1.exe
download 22 https://173.248.27.163/f2011.zip id = 211, file = QZP1.exe
download 23 https://173.243.255.79/f2011.zip id = 211, file = QZP1.exe
download 24 https://69.9.204.114/f2011.zip id = 211, file = QZP1.exe
download 25 https://73.175.203.173/f2011.zip id = 211, file = QZP1.exe
download 26 https://188.255.239.34/f2011.zip id = 211, file = QZP1.exe
download 27 https://75.132.173.27/f2011.zip id = 211, file = QZP1.exe
download 28 https://76.28.92.4/f2011.zip id = 211, file = QZP1.exe
download 29 https://71.194.36.73/f2011.zip id = 211, file = QZP1.exe
download 30 https://98.222.64.184/f2011.zip id = 211, file = QZP1.exe
download 31 https://69.144.171.44/f2011.zip id = 211, file = QZP1.exe
download 32 https://65.33.236.173/f2011.zip id = 211, file = QZP1.exe
download 33 https://66.227.223.219/f2011.zip id = 211, file = QZP1.exe
download 34 https://96.37.204.12/f2011.zip id = 211, file = QZP1.exe
download 35 https://66.196.63.33/f2011.zip id = 211, file = QZP1.exe
download 36 https://71.99.130.24/f2011.zip id = 211, file = QZP1.exe
download 37 https://216.16.93.250/f2011.zip id = 211, file = QZP1.exe
download 38 https://24.19.25.40/f2011.zip id = 211, file = QZP1.exe
download 39 https://98.246.210.27/f2011.zip id = 211, file = QZP1.exe
download 40 https://66.196.61.218/f2011.zip id = 211, file = QZP1.exe
download 41 https://69.180.128.71/f2011.zip id = 211, file = QZP1.exe
download 42 https://98.214.11.253/f2011.zip id = 211, file = QZP1.exe
download 43 https://24.148.217.188/f2011.zip id = 211, file = QZP1.exe
download 44 https://98.209.75.164/f2011.zip id = 211, file = QZP1.exe
download 45 https://76.105.248.137/f2011.zip id = 211, file = QZP1.exe
download 46 https://67.239.210.131/f2011.zip id = 211, file = QZP1.exe
download 47 https://173.216.247.74/f2011.zip id = 211, file = QZP1.exe
download 48 https://64.111.36.35/f2011.zip id = 211, file = QZP1.exe
download 49 https://69.9.204.16/f2011.zip id = 211, file = QZP1.exe
download 50 https://77.48.30.156/f2011.zip id = 211, file = QZP1.exe
comments powered by Disqus