Downloader Trojan that can drop multiple malware (Jan 30th, 2015)
The Dell SonicWALL Threats Research team has discovered a downloader Trojan spreading through email. It can drop various kinds of malware on the system; in the sample analyzed here it dropped a ransomware Trojan that remained dormant on the system.
Infection Cycle:
The Trojan uses the following PDF icon:
![](http://software.sonicwall.com/gav/upatre.af_8_6.png)
The Trojan makes the following DNS queries:
- stun4.l.google.com
The Trojan adds the following files to the filesystem:
- %TEMP%\document.exe [Detected as GAV: Upatre.AF_8 (Trojan)]
- %WINDOWS%\VTlrgieTqjTrJGf.exe [Detected as GAV: Ransomer.DYG (Trojan)]
The Trojan reports infection to a C&C server using the User Agent “Mazilla/5.0”:
![](http://software.sonicwall.com/gav/upatre.af_8_3.png)
The Trojan downloads an additional malware executable (kora_k12.pdf) from a remote webserver:
![](http://software.sonicwall.com/gav/upatre.af_8_5.png)
![](http://software.sonicwall.com/gav/upatre.af_8_4.png)
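As an added illustration (not part of the original SonicWALL advisory), the following Python script shows how a defender could sweep proxy access logs for the two network indicators described above: the misspelled User Agent string used for the C&C check-in and the name of the second-stage download. The log layout, the sample lines and the placeholder hostnames are constructed for this example; only the User Agent string and the filename come from the advisory. The stun4.l.google.com query listed earlier resolves to a legitimate Google STUN service, so on its own it is a weak indicator and is not used here.

```python
import re

# Indicators quoted from the advisory above.
SUSPICIOUS_USER_AGENT = "Mazilla/5.0"   # misspelled UA used for the C&C check-in
PAYLOAD_FILENAME = "kora_k12.pdf"       # encrypted second-stage download

# Proxy access-log layout assumed for this example (Squid-like, constructed):
#   <epoch> <client-ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def classify_request(url, user_agent):
    """Return the list of advisory indicators that a single request matches."""
    reasons = []
    if user_agent == SUSPICIOUS_USER_AGENT:
        reasons.append("user-agent")
    # Compare only the final path component so a query string or a
    # different hosting path does not hide the download.
    path = url.split("?", 1)[0]
    if path.rsplit("/", 1)[-1] == PAYLOAD_FILENAME:
        reasons.append("payload-name")
    return reasons


def scan_log(lines):
    """Parse proxy log lines and return one hit per matching request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # skip lines that do not fit the assumed layout
        reasons = classify_request(m.group("url"), m.group("ua"))
        if reasons:
            hits.append({
                "ts": m.group("ts"),
                "src": m.group("src"),
                "url": m.group("url"),
                "reasons": reasons,
            })
    return hits


def infected_hosts(hits):
    """Client addresses that produced at least one hit, for triage."""
    return sorted({h["src"] for h in hits})


# Constructed sample log: hostnames are placeholders, not IoCs from the advisory.
SAMPLE_LOG = [
    '1422604800.123 10.0.0.15 GET http://c2-placeholder.example/report.php 200 "Mazilla/5.0"',
    '1422604801.456 10.0.0.15 GET http://dl-placeholder.example/files/kora_k12.pdf?id=7 200 "Mazilla/5.0"',
    '1422604802.789 10.0.0.22 GET http://www.example.com/index.html 200 "Mozilla/5.0 (Windows NT 6.1; WOW64)"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(hit["ts"], hit["src"], hit["url"], ",".join(hit["reasons"]))
    print("hosts to triage:", infected_hosts(found))
```

The exact-match on the User Agent is deliberate: the value is a typo that no legitimate browser sends, so it carries almost no false-positive cost, whereas matching the filename alone would also fire on any unrelated document with that name.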
The downloaded file is encrypted. During analysis we were able to determine the location of the decryption routine in the executable:
![](http://software.sonicwall.com/gav/upatre.af_8_1.png)
After decryption, the file VTlrgieTqjTrJGf.exe is written to disk. The file appears to be a ransomware Trojan but remains dormant on the filesystem. It uses the following icon:
![](http://software.sonicwall.com/gav/upatre.af_8_2.png)
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Upatre.AF_8 (Trojan)
- GAV: Malagent.H_2691 (Trojan)
- GAV: Ransomer.DYG (Trojan)