Upatre.SMJ: Malware Hidden in an Encrypted PNG Image
The Dell SonicWALL Threats Research team observed reports of a new malware family, detected as GAV: Upatre.SMJ, actively spreading in the wild. In this campaign the attackers use a dropper to download the main malware, which is hidden inside image (encrypted PNG) files to evade detection by firewalls.
![](http://software.sonicwall.com/gav/Upatre.SMJ_files/image001.png)
Infection Cycle:
The Malware uses the following icon:
![](http://software.sonicwall.com/gav/Upatre.SMJ_files/image002.png)
MD5:
- 051e79a2d44a8dba92e98ae9c4be2399 – Major Executable
Dropper:
- 88ff4cfd4154c9b112a963700dfcd560 – Image PNG file
The Malware adds the following files to the system:
- Malware.exe
  - %Temp%\tzojedox.exe
  - %Temp%\TZ9D-23.txt
- Tzojedox.exe
  - %Temp%\kiuwken.exe
  - %Temp%\TZ9D-23.txt
- Kiuwken.exe
  - C:\WINDOWS\enCSuFWrQQsXBxp.exe
The Malware adds the following key to the Windows registry to ensure persistence upon reboot:
![](http://software.sonicwall.com/gav/Upatre.SMJ_files/image003.png)
![](http://software.sonicwall.com/gav/Upatre.SMJ_files/image004.png)
Once the computer is compromised, the malware copies its own executable file to the Temp folder.
![](http://software.sonicwall.com/gav/Upatre.SMJ_files/image005.png)
The file tzojedox.exe is dropped after the malware launches on the target system; the malware then tries to download encrypted PNG files from its own C&C server, using domains such as the following:
![](http://software.sonicwall.com/gav/Upatre.SMJ_files/image006.png)
Here is an example of an encrypted PNG file:
![](http://software.sonicwall.com/gav/Upatre.SMJ_files/image007.png)
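As an added, defender-side example (not part of the advisory and not SonicWALL code), the Python check below parses bytes that were served as a PNG and flags what a payload disguised as an image typically shows: no PNG signature, a chunk with a bad CRC, or data appended after the IEND chunk. The sample inputs are constructed; the advisory does not describe the actual layout of the Upatre.SMJ files, so nothing here reflects it.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def inspect_png(data):
    """Parse bytes served as a PNG and report structural anomalies.

    A payload hidden behind a .png name usually shows up either as bytes that
    are not PNG at all, or as a valid image with extra data after IEND.
    """
    findings = {"valid_signature": data.startswith(PNG_SIGNATURE),
                "chunks": [], "trailing_bytes": 0, "bad_crc": False}
    if not findings["valid_signature"]:
        return findings
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4
        if chunk_end > len(data):
            break  # truncated chunk: stop and count the rest as trailing data
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:chunk_end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            findings["bad_crc"] = True
        findings["chunks"].append(ctype.decode("ascii", "replace"))
        pos = chunk_end
        if ctype == b"IEND":
            break  # a well-formed PNG ends here; anything after is foreign
    findings["trailing_bytes"] = len(data) - pos
    return findings

def is_suspicious(findings):
    """True when the file is not a clean, self-terminating PNG."""
    return (not findings["valid_signature"] or findings["bad_crc"]
            or "IEND" not in findings["chunks"] or findings["trailing_bytes"] > 0)

def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed sample inputs (not from the advisory): a 1x1 grayscale PNG,
# the same image with 256 bytes appended after IEND, and an opaque blob.
_IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
CLEAN_PNG = (PNG_SIGNATURE + _chunk(b"IHDR", _IHDR)
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
PNG_WITH_PAYLOAD = CLEAN_PNG + bytes(range(256))
NOT_A_PNG = bytes((i * 37 + 11) % 256 for i in range(512))
```

Running the check over files fetched with a .png name or image/png content type gives a cheap triage signal; a clean image returns no trailing bytes and ends in IEND, while both constructed bad samples are flagged.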
The malware tries to retrieve your computer name, your Windows version and your IP address, then transfers this information to its own C&C server at IPs such as the following:
![](http://software.sonicwall.com/gav/Upatre.SMJ_files/image008.png)
Command and Control (C&C) Traffic
Upatre.SMJ performs C&C communication over ports 443 and 80. The malware sends your system information to its own C&C server in the following format; here are some examples:
![](http://software.sonicwall.com/gav/Upatre.SMJ_files/image009.png)
![](http://software.sonicwall.com/gav/Upatre.SMJ_files/image010.png)
![](http://software.sonicwall.com/gav/Upatre.SMJ_files/image011.png)
We have been monitoring varying hits over the past few days for the signature that blocks this threat:
![](http://software.sonicwall.com/gav/Upatre.SMJ_files/image012.png)
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
- GAV: Upatre.SMJ (Trojan)