Upatre Zbot ameliya@dd-kate.com Alina-FAX lojasdeouro.com

1. Trojan.Downloader.Upatre Email Campaign
2. Reported by neonprimetime security
3. http://neonprimetime.blogspot.com
4.  
5. *****
6. From: [email protected]
7. Subject(s):
8. Alina-FAX pNxXCD_864975
9. Alina-FAX VxBElw_165562
10. Alina-FAX ydkQrc_045052
11. cGKZn7_902344
12. 7wLntD_102365
13. Alina-FAX k6vw9d_163911
14. Alina-FAX Oe9BXH_737904
15. Alina-FAX T9wKzF_930430
16. Alina-FAX TgyhYW_268841
17. Alina-FAX 3E4ymh_658825
18. Alina-FAX 9tcT0i_490824
19. Alina-FAX oW39tV_753875
20. Attachments(s):
21. pNxXCD_864975.zip
22. VxBElw_165562.zip
23. ydkQrc_045052.zip
24. cGKZn7_902344.zip
25. 7wLntD_102365.zip
26. k6vw9d_163911.zip
27. Oe9BXH_737904.zip
28. T9wKzF_930430.zip
29. TgyhYW_268841.zip
30. 3E4ymh_658825.zip
31. 9tcT0i_490824.zip
32. oW39tV_753875.zip
33.  
34. *****
35. Matches:
36.  
37. Trojan.Zbot
38.  
39. Suspicious.JIT.a
40.  
41.  
42. BLACKLIST User-Agent known malicious user-agent string - Mazilla/5.0 - Win.Backdoor.Upatre (1:33207)
43.  
44. alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLACKLIST User-Agent known malicious user-agent string - Mazilla/5.0 - Win.Backdoor.Upatre"; flow:to_server,established; content:"User-Agent: Mazilla/5.0|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:33207; rev:2; )
45. *****
46.  
47. 216.146.43.70
48. GET http://checkip.dyndns.org/
49. User-Agent: Mazilla/5.0::
50.  
51. 141.105.141.87
52. GET http://141.105.141.87:13878/0604uk21/<REDACTED WORKSTATION NAME>/41/1/1/EMLBEMDBFGEBEI
53. User-Agent: Mazilla/5.0
54.  
55. 162.252.57.88
56. GET http://encomiendaexpress.com/es/images/mut103.png
57. User-Agent: Mazilla/5.0
58.  
59. 5.206.231.133
60. GET http://lojasdeouro.com/wp-includes/images/mut103.png
61. User-Agent: Mazilla/5.0
62.  
63. ****
64. Files touched or accessed:
65.  
66. C:\Users\Administrator\AppData\Local\Temp\eisqwp.exe
67. C:\Windows\System32\WOW64LOG.DLL
68. C:\Users\ADMINI~1\AppData\Local\Temp\CRTDLL.DLL
69. C:\Users\ADMINI~1\AppData\Local\Temp\VERSION.DLL
70. C:\Users\ADMINI~1\AppData\Local\Temp\DWMAPI.DLL
71. C:\Users\ADMINI~1\AppData\Local\Temp\RICHED32.DLL
72. C:\Windows\SysWOW64\RPCSS.DLL
73. C:\Users\Administrator\AppData\Local\Temp\dmiB03A.tmp
74. C:\Windows\SysWOW64\cmd.exe
75. C:\Users\ADMINI~1\AppData\Local\Temp\API-MS-WIN-DOWNLEVEL-ADVAPI32-L2-1-0.DLL
76. C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
77. C:\Users\ADMINI~1\AppData\Local\Temp\IPHLPAPI.DLL
78. C:\Users\ADMINI~1\AppData\Local\Temp\WINNSI.DLL
79. C:\Users\ADMINI~1\AppData\Local\Temp\API-MS-WIN-DOWNLEVEL-SHLWAPI-L2-1-0.DLL
80. C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
81. C:\Users\ADMINI~1\AppData\Local\Temp\DHCPCSVC.DLL
82. C:\Users\ADMINI~1\AppData\Local\Temp\CRYPTSP.DLL
83. C:\Users\ADMINI~1\AppData\Local\Temp\RPCRTREMOTE.DLL
84.  
85. ****
86. Assembly utilized:
87.  
88. 71C9FCE1 movzx eax, ax;71C9FCE4 push eax;71C9FCE5 call 0xffffffffffff74a4;71C9FCEA push dword 0x71c9fff0;71C9FCEF mov [ebp-0x8], eax;71C9FCF2 call 0xffffffffffffcf61;71C9FCF7 push 0x11;71C9FCF9 movzx eax, ax;71C9FCFC mov esi, 0x89;71C9FD01 push esi;
89.  
90. ****
91. Registries touched or accessed:
92.  
93. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
94. \REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"ProxyEnable" = 0x00000000
95. \REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"ProxyOverride"
96. \REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"AutoConfigURL"
97. \REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"AutoDetect"
98. \REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\"SavedLegacySettings" = 46 00 00 00 1c 00 00 00 09 00 00 00 0d 00 00 00 31 30 2e 30 2e 30 2e 32 3a 38 30 38 30 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 0a 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
99. \REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"ProxyBypass"
100. \REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"IntranetName"
101. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"IntranetName"
102. \REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"UNCAsIntranet" = 0x00000000
103. \REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"AutoDetect" = 0x00000001
104. \REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"UNCAsIntranet" = 0x00000000
105. \REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\"CachePrefix" = Cookie: