Upatre: Sample Set Analysis


Hi. I recently wrapped up an analysis of Upatre. My original intention was to write a generic C2 decoder/extractor for the executables. After analyzing ten samples I realized it was not feasible due to the different encoding algorithms and obfuscation. After analyzing those ten samples I became interested in how Upatre obfuscates/encodes its executables. My analysis is based on 94 unique Upatre samples. My sample set might be a little skewed because I grabbed the first 100 files sorted by file size with a type of zip. Having the files in their original zip file allowed me to have their original file names. I would like to thank VirusTotal for access to the samples and Glenn Edwards for feedback.

Google Docs (HTML)
Git Repo (PDF)

3 comments:

  1. Hi,

    Could you please provide the sample file? Thank you very much,

    Best Regards,

    1. Sorry, I cannot distribute the samples. The hashes are included at the end of the document. If you don't have a source for looking up samples by hashes I would recommend signing up for KernelMode.info. Some samples can be downloaded from the following thread http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3019

  2. Impressive stuff Alex! :)
