Urelas spy Trojan drops multiple malware families (Aug 22nd, 2014)

The Dell Sonicwall Threats Research team has received reports of a recent variant of the Urelas Trojan. This Trojan is known for its spying capability and has the ability to monitor certain gaming applications. It also sends screenshots and other system information to a remote C&C server. It can also download and install malware from other families.

Infection Cycle:

The Trojan uses the following icon:

The Trojan adds the following files to the filesystem:

  • %USERPROFILE%\Local Settings\Temp\golfinfo.ini
  • %USERPROFILE%\Local Settings\Temp\sanfdr.bat (cleanup script)
  • %USERPROFILE%\Local Settings\Temp\jiokf.exe [Detected as GAV: Packman.0 (Trojan)]
  • %USERPROFILE%\Local Settings\Temp\poetr.exe (copy of original) [Detected as GAV: Urelas.AB_3 (Trojan)]
  • %SYSTEM32%\d3d8caps.dat [Detected as GAV: Urelas.AB_3#enc (Trojan)]
  • %SYSTEM32%\d3d9caps.dat [Detected as GAV: Urelas.AB_3#enc (Trojan)]
  • %SYSTEM32%\pokdre.exe [Detected as GAV: Beaugrit.A_15 (Trojan)]

The Trojan adds the following keys to the Windows registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\poetr\DEBUG\Trace Level ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\pokdre\DEBUG\Trace Level ""
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run "%SYSTEM32%\pokdre.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\TrayKey "jiokf"

The .bat file dropped by pokdre.exe contains the following script to clean up traces of the infection:

      :Repeat
      del "{rundir}\pokdre.exe"
      if exist "{rundir}\pokdre.exe" goto Repeat
      rmdir "{rundir}"
      del "%USERPROFILE%\Local Settings\Temp\sanfdr.bat"

The Trojan was observed engaging in the following encrypted communication with a remote C&C server. All communication is tagged with the AS101 string:

The Trojan was later seen requesting and downloading an additional malicious executable file (pokdre.exe) [Detected as GAV: Beaugrit.A_15 (Trojan)]:

golfinfo.ini contains the following encrypted data:

This data was seen being sent from the C&C server. The .dat files d3d8caps.dat and d3d9caps.dat contain decrypted data that was sent from the C&C server.

During analysis we were able to identify a very basic decryption routine that simply applies the bitwise NOT operator to each byte of the data:

Using the above knowledge we were able to fully decrypt golfinfo.ini, revealing two C&C server IP addresses and the infection filenames:
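As an added example (not code from the SonicWall write-up), the following Python decoder applies the bitwise-NOT routine described above to a blob in the style of golfinfo.ini and pulls out the IP addresses and filenames for triage. The sample content and its INI-like layout are constructed assumptions; the page does not show the real file's internal format, only that NOT recovers it. Because NOT is its own inverse, the same routine produces the encrypted sample from the constructed plaintext.

```python
import re

def not_decrypt(data: bytes) -> bytes:
    """Apply the NOT routine: every byte b becomes (~b) & 0xFF.
    NOT is an involution, so the same call also re-encrypts."""
    return bytes((~b) & 0xFF for b in data)

# Dotted-quad IPs and Windows-style filenames with the extensions seen in this infection.
IP_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FILE_RE = re.compile(rb"[A-Za-z0-9_]+\.(?:exe|dat|bat|ini)\b", re.IGNORECASE)

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace.
    Used as a sanity check that decoding actually produced text."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)

def extract_indicators(plaintext: bytes) -> dict:
    """Collect unique IPs and filenames from decoded text, sorted for stable output."""
    ips = sorted({m.decode() for m in IP_RE.findall(plaintext)})
    files = sorted({m.decode() for m in FILE_RE.findall(plaintext)})
    return {"ips": ips, "files": files}

def decode_golfinfo(blob: bytes) -> dict:
    """Decrypt a golfinfo.ini-style blob with NOT and extract indicators.
    Refuses blobs whose decoded form is not mostly text, so a wrongly
    guessed routine does not yield garbage 'indicators'."""
    decoded = not_decrypt(blob)
    if printable_ratio(decoded) < 0.9:
        raise ValueError("decoded data is not text; NOT is not the routine for this blob")
    return extract_indicators(decoded)

# Constructed sample (assumption: INI-like layout; TEST-NET addresses, not real C&C IPs).
SAMPLE_PLAINTEXT = (b"[server]\nip1=192.0.2.10\nip2=198.51.100.7\n"
                    b"[files]\nname1=pokdre.exe\nname2=jiokf.exe\n")
SAMPLE_ENCRYPTED = not_decrypt(SAMPLE_PLAINTEXT)  # what the file would look like on disk

if __name__ == "__main__":
    print(decode_golfinfo(SAMPLE_ENCRYPTED))
```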

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Packman.0 (Trojan)
  • GAV: Urelas.AB_3 (Trojan)
  • GAV: Virut.Q.gen (Trojan)
  • GAV: Beaugrit.A_15 (Trojan)