Upatre downloader variant analysis

Overview

Upatre is a downloader first seen in 2013. It has been used to deliver other malware families such as Dyre and GameOver Zeus. Its decoys are often disguised as PDF files to trick users into opening them. Upatre samples are usually small and single-purpose, but the anti-analysis techniques they use are worth analyzing.

Sample information

The sample is a PE file disguised as a PDF file.

SHA1: 377f6a84c823dc9f0fd615040b7abbc2454c0e03

Sample analysis

Before downloading the malware, this sample performs two main operations: an anti-virtual-sandbox check and code obfuscation.

Anti-virtual sandbox

Starting from the entry point, the sample creates a Windows window and registers a window callback function to receive messages. The malicious code continues executing only when the received message is WM_COMMAND and lParam is the handle of the edit window.

The sample does this to defeat virtual sandboxes: if a sandbox does not implement the Windows windowing system and cannot emulate the Windows message mechanism, the subsequent behavior is never triggered inside it.

Code obfuscation

The 16 bytes at the image base plus 0x16AB are XORed byte by byte with the data at address 0x402084 to recover the string "VirtualProtect".

It then obtains the address of the exported function by walking the module's PE structures by offset.

It calls VirtualProtect to make the memory at 0x402280 readable, writable and executable, decrypts the data at that address, and then jumps back to 0x402280 to execute the decrypted code.
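
The XOR string-decoding step above, re-implemented as an analysis helper in Python. This is an added example, not code from the sample or from the original post: the two 16-byte blobs (standing in for the bytes at base+0x16AB and at 0x402084), the dumped buffer they are searched in and the list of API names are all constructed for the example; only the byte-wise XOR and the 16-byte length follow the write-up. It also generalizes the step: once the key blob is known, it scans a dumped buffer for any other window that decodes to a known API name, and it recovers the key from a known plaintext when the key blob itself cannot be located.

```python
# Added analysis helper (not the sample's code). The blobs below are constructed;
# only the scheme (16 bytes, XOR byte by byte) follows the write-up.

# Constructed stand-in for the 16 bytes found at image base + 0x16AB (used as the key).
KEY_AT_BASE_PLUS_16AB = bytes(range(0x10, 0x20))

# Constructed stand-in for the 16 bytes at 0x402084 (the encoded string).
DATA_AT_402084 = bytes.fromhex("4678606761747a476a766e7e7f691e1f")

# Constructed buffer standing in for a dumped section, with the encoded blob
# embedded at offset 0x20 among filler bytes.
DUMPED_SECTION = bytes([0xCC] * 0x20) + DATA_AT_402084 + bytes([0x90] * 0x10)

# Names an analyst would expect a loader to resolve; used to validate decodings.
KNOWN_API_NAMES = ("VirtualProtect", "VirtualAlloc", "LoadLibraryA", "GetProcAddress")


def xor_blobs(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings position by position."""
    if len(a) != len(b):
        raise ValueError("blobs must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def decode_api_name(encoded: bytes, key: bytes) -> str:
    """Decode a NUL-padded ASCII API name; raise if the result is not printable ASCII."""
    raw = xor_blobs(encoded, key).rstrip(b"\x00")
    if not raw or any(c < 0x20 or c > 0x7E for c in raw):
        raise ValueError("decoded bytes are not a printable ASCII string")
    return raw.decode("ascii")


def recover_key(encoded: bytes, known_plaintext: str) -> bytes:
    """Known-plaintext recovery of the XOR key: key = ciphertext XOR plaintext.
    Useful when the key blob was not located but the API name is obvious."""
    plain = known_plaintext.encode("ascii").ljust(len(encoded), b"\x00")
    return xor_blobs(encoded, plain)


def scan_for_encoded_names(buf: bytes, key: bytes, names=KNOWN_API_NAMES):
    """Slide a key-sized window over buf and report offsets that decode to a known API name."""
    hits = []
    n = len(key)
    for off in range(0, len(buf) - n + 1):
        try:
            name = decode_api_name(buf[off:off + n], key)
        except ValueError:
            continue
        if name in names:
            hits.append((off, name))
    return hits


if __name__ == "__main__":
    print(decode_api_name(DATA_AT_402084, KEY_AT_BASE_PLUS_16AB))   # VirtualProtect
    print(recover_key(DATA_AT_402084, "VirtualProtect").hex())
    print(scan_for_encoded_names(DUMPED_SECTION, KEY_AT_BASE_PLUS_16AB))
```

On a real dump, replace the constructed blobs with the bytes read at the two addresses from the write-up; the printable-ASCII check is what keeps the sliding scan from reporting random filler as a hit.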

Shellcode section

The decrypted shellcode uses the call_get_func_addr routine to obtain the addresses of the functions it needs.

It then renames itself, copies the file to the temporary directory and launches that copy.

Finally, it connects to the Internet, downloads the malicious payload and executes it.
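
A defender-side counterpart to the copy-to-temp, connect, and download-and-execute behaviour described above: an added Python example (not from the original post or the sample) that correlates process-creation and network-connection records. The event format, the paths, the PIDs and the 203.0.113.10 destination are assumptions constructed for the example.

```python
# Added detection example (not from the original post). The events below are
# constructed to resemble endpoint telemetry (process creation and network
# connection records); paths, PIDs and the 203.0.113.10 address are made up.
import re
from dataclasses import dataclass

TEMP_DIR_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)


@dataclass
class Event:
    ts: float          # seconds since start of the trace
    kind: str          # "process_create" or "network_connect"
    pid: int
    image: str         # full path of the process image
    ppid: int = 0      # parent PID (process_create only)
    detail: str = ""   # destination "ip:port" (network_connect only)


def is_temp_path(path: str) -> bool:
    """True if the image lives under a user or system temp directory."""
    return bool(TEMP_DIR_RE.search(path))


def correlate(events, window_s: float = 60.0):
    """Flag (1) a process launched from a temp directory that opens a network
    connection within window_s seconds, and (2) any executable that such a
    flagged process then launches (the download-and-execute step)."""
    temp_starts = {}   # pid -> process_create event from a temp directory
    flagged = set()    # pids that already matched rule (1)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process_create":
            if ev.ppid in flagged:
                alerts.append({"rule": "temp_process_spawned_child", "pid": ev.pid,
                               "image": ev.image, "parent_pid": ev.ppid, "ts": ev.ts})
            if is_temp_path(ev.image):
                temp_starts[ev.pid] = ev
        elif ev.kind == "network_connect":
            start = temp_starts.get(ev.pid)
            if start is not None and 0 <= ev.ts - start.ts <= window_s:
                flagged.add(ev.pid)
                alerts.append({"rule": "temp_process_network_connect", "pid": ev.pid,
                               "image": ev.image, "dest": ev.detail, "ts": ev.ts})
    return alerts


# Constructed trace: a decoy launched from Downloads copies itself to %TEMP%,
# the copy connects out and then starts a downloaded executable. A benign
# editor that also connects out must not be flagged.
SAMPLE_EVENTS = [
    Event(0.0, "process_create", 1100, r"C:\Users\alice\Downloads\statement.pdf.exe", ppid=900),
    Event(0.5, "process_create", 1200, r"C:\Users\alice\AppData\Local\Temp\statement.exe", ppid=1100),
    Event(1.0, "process_create", 2000, r"C:\Program Files\Editor\editor.exe", ppid=700),
    Event(2.0, "network_connect", 1200, r"C:\Users\alice\AppData\Local\Temp\statement.exe",
          detail="203.0.113.10:80"),
    Event(3.0, "network_connect", 2000, r"C:\Program Files\Editor\editor.exe",
          detail="198.51.100.5:443"),
    Event(5.0, "process_create", 1300, r"C:\Users\alice\AppData\Local\Temp\payload.exe", ppid=1200),
]


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Rule (1) alone will also fire on legitimate installers that unpack to a temp directory and check for updates, so in practice it is a scoring signal rather than a block; the child-launch rule (2) is what narrows it to the downloader pattern.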

Summary

Although the Upatre downloader is small, it is complete in every detail; in particular, its use of the Windows message mechanism to defeat anti-virus sandboxes is worth studying. Only by continually learning about and understanding such evasion techniques can we detect and remove this malware more effectively.

Source: blog.csdn.net/weixin_44001905/article/details/108728721