A forum for reverse engineering, OS internals and malware analysis 

 #25728  by sysopfb
 Thu Apr 23, 2015 12:13 pm
The "config" is sitting in the shellcode that gets unxored.

That one has the following data
UserAgent to use: Mozilla/5.0 (Windows NT 6.1)
Run from temp as: installtessa.exe
Download payload to temp as: tessaFEB.tmp
Find host IP from: icnahazip.com
Upatre Checkin: 81.7.109.65
campaign: SATK12
Payload downloads:
217.12.59.234/satk012.png
91.240.97.54/satk012.png
80.87.220.102/satk012.png
91.240.97.38/satk012.png
46.151.130.90/satk012.png
91.240.97.64/satk012.png
91.240.97.66/satk012.png
91.240.97.45/satk012.png

The payloads are the png files in this case, which are an LZNT-compressed dropper with shellcode and some variable data sitting on top of it (after you decode it).

I don't see an exploit being used by that sample
 #25729  by sysopfb
 Thu Apr 23, 2015 3:22 pm
The CVE string you're seeing there appears to be from the loader used by the payload (Dyre). Not sure if it's actually exploiting that or just putting that string in the loader for whatever reason.
 #25730  by EP_X0FF
 Thu Apr 23, 2015 4:12 pm
@sysopfb

Can you attach payload btw? For me it does nothing.
 #25731  by sysopfb
 Thu Apr 23, 2015 4:40 pm
Yup, some pretty interesting strings in the unpacked one. Looks like it has the normal Dyre shim UAC bypass, references to an AV config file and the CVE mentioned earlier.

Not a normal loader for dyre that I'm used to seeing
Attachment (password: infected), 1.32 MiB
 #25732  by sysopfb
 Thu Apr 23, 2015 4:53 pm
And here is the normal Dyre the loader drops in temp, packed and unpacked. It doesn't run properly in my Windows 8 VM, so I had to patch the check in the highlighted section.
[screenshot: the patched check]
Attachment (password: infected), 858.09 KiB
 #26001  by sysopfb
 Thu Jun 04, 2015 9:34 pm
They've been changing up their payload XOR routine quite often lately; today it was a rolling XOR with a ROL (ROLling XOR?) on the XOR value.

[screenshot: the XOR routine]
Attachment (password: infected), 14.62 KiB
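As an added example (not code from this thread or from the Upatre/Dyre samples it discusses), the following Python walks the two layers sysopfb describes: the XOR layer over the downloaded "png" and the LZNT1 compression under it, then locates the dropper under the shellcode/variable data. The thread gives neither the XOR key, the rotation count, nor whether the data byte is folded into the key, so the rolling-XOR-with-ROL schedule, the key 0x5A and the one-bit rotation are assumptions to adjust per sample; the LZNT1 decoder follows the RtlDecompressBuffer chunk format (MS-XCA), and the sample stream is hand-built here, not a real satk012.png.

```python
import struct


def rol8(value, count):
    """Rotate an 8-bit value left by count bits."""
    count &= 7
    return ((value << count) | (value >> (8 - count))) & 0xFF


def rolling_xor(buf, key, rol_bits=1):
    """Rolling XOR with a ROL on the key.

    Assumed layout of the routine described in the thread: each byte is XORed
    with the current 8-bit key and the key is then rotated left by rol_bits.
    Real samples vary the initial key, the rotation count and whether the data
    byte is mixed into the key. XOR is its own inverse, so this both encodes
    and decodes.
    """
    out = bytearray(len(buf))
    for i, c in enumerate(buf):
        out[i] = c ^ key
        key = rol8(key, rol_bits)  # the key "rolls" after every byte
    return bytes(out)


def lznt1_decompress(data):
    """Decompress an LZNT1 stream as produced by RtlCompressBuffer."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header, = struct.unpack_from('<H', data, pos)
        pos += 2
        if header == 0:
            break  # terminating chunk header
        chunk_end = pos + (header & 0x0FFF) + 1
        if not header & 0x8000:
            out += data[pos:chunk_end]  # stored chunk, copied verbatim
            pos = chunk_end
            continue
        chunk = bytearray()  # back-references never cross a chunk boundary
        while pos < chunk_end:
            flags = data[pos]
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not flags & (1 << bit):
                    chunk.append(data[pos])  # literal byte
                    pos += 1
                    continue
                token, = struct.unpack_from('<H', data, pos)
                pos += 2
                # The 16-bit token is split between displacement and length;
                # the further into the chunk, the more bits the displacement gets.
                l_mask, o_shift = 0x0FFF, 12
                i = len(chunk) - 1
                while i >= 0x10:
                    l_mask >>= 1
                    o_shift -= 1
                    i >>= 1
                length = (token & l_mask) + 3
                disp = (token >> o_shift) + 1
                if disp > len(chunk):
                    raise ValueError('back-reference before chunk start')
                for _ in range(length):  # byte-wise so overlapping copies work
                    chunk.append(chunk[-disp])
        out += chunk
    return bytes(out)


def find_embedded_pe(buf):
    """Offset of the first MZ header whose e_lfanew points at 'PE\\0\\0', or -1.
    Used to skip the shellcode/variable data sitting on top of the dropper."""
    off = buf.find(b'MZ')
    while off != -1:
        if off + 0x40 <= len(buf):
            e_lfanew, = struct.unpack_from('<I', buf, off + 0x3C)
            pe = off + e_lfanew
            if buf[pe:pe + 4] == b'PE\x00\x00':
                return off
        off = buf.find(b'MZ', off + 1)
    return -1


def decode_payload(blob, key, rol_bits=1):
    """Undo the XOR layer, then the LZNT1 layer; return (plaintext, pe_offset)."""
    plain = lznt1_decompress(rolling_xor(blob, key, rol_bits))
    return plain, find_embedded_pe(plain)


def build_sample(key=0x5A, rol_bits=1):
    """Constructed test stream, not a real payload: a compressed chunk holding
    the 'variable data' followed by a stored chunk holding a minimal PE stub."""
    fake_pe = bytearray(b'MZ').ljust(0x3C, b'\x00') + struct.pack('<I', 0x40)
    fake_pe = bytes(fake_pe) + b'PE\x00\x00'
    # header 0xB006: compressed, 7 bytes; flags 0x10: four literals then a
    # token 0x3005 = copy 8 bytes from 4 bytes back -> 'ABCDABCDABCD'
    chunk1 = bytes([0x06, 0xB0, 0x10]) + b'ABCD' + struct.pack('<H', 0x3005)
    chunk2 = struct.pack('<H', 0x3000 | (len(fake_pe) - 1)) + fake_pe
    stream = chunk1 + chunk2 + b'\x00\x00'
    return rolling_xor(stream, key, rol_bits), b'ABCDABCDABCD' + fake_pe


if __name__ == '__main__':
    blob, expected = build_sample()
    plain, pe_off = decode_payload(blob, 0x5A)
    print(plain == expected, pe_off)
```

On a real download, replace the constructed blob with the file contents and the assumed key/rotation with the values recovered from the loader's XOR loop; if the LZNT1 decoder raises on a back-reference, the XOR layer is almost certainly wrong, which makes it a cheap sanity check for candidate keys.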
 #26224  by Mosh
 Wed Jul 01, 2015 10:37 pm
Hi All

Looks like Upatre (cancelation_invoice_information.zip) continues dropping Dyre malware from these IP addresses:

62.204.250.26 (Czech Republic)
87.229.109.250 (Hungary)
217.168.210.122 (Czech Republic)
80.87.220.102 (Slovakia)
93.185.4.90 (Czech Republic)
Attachment, 878.57 KiB