Urelas spy Trojan drops multiple malware families

August 22, 2014

The Dell Sonicwall Threats Research team has received reports of a recent variant of the Urelas Trojan. This Trojan is known for its spying capability and has the ability to monitor certain gaming applications. It also sends screenshots and other system information to a remote C&C server. It can also download and install malware from other families.

Infection Cycle:

The Trojan uses the following icon:

The Trojan adds the following files to the filesystem:

  • %USERPROFILE%\Local Settings\Temp\golfinfo.ini
  • %USERPROFILE%\Local Settings\Temp\sanfdr.bat (cleanup script)
  • %USERPROFILE%\Local Settings\Temp\jiokf.exe [Detected as GAV: Packman.0 (Trojan)]
  • %USERPROFILE%\Local Settings\Temp\poetr.exe (copy of original) [Detected as GAV: Urelas.AB_3 (Trojan)]
  • %SYSTEM32%\d3d8caps.dat [Detected as GAV: Urelas.AB_3#enc (Trojan)]
  • %SYSTEM32%\d3d9caps.dat [Detected as GAV: Urelas.AB_3#enc (Trojan)]
  • %SYSTEM32%\pokdre.exe [Detected as GAV: Beaugrit.A_15 (Trojan)]

The Trojan adds the following keys to the Windows registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\poetr\DEBUG Trace Level ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\pokdre\DEBUG Trace Level ""
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Run "%SYSTEM32%\pokdre.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows TrayKey "jiokf"

The .bat file dropped by pokdre.exe contains the following script to clean up traces of the infection:

      :Repeat
      rem retry the delete until the running executable is no longer locked
      del "{rundir}\pokdre.exe"
      if exist "{rundir}\pokdre.exe" goto Repeat
      rmdir "{rundir}"
      rem finally remove the cleanup script itself
      del "%USERPROFILE%\Local Settings\Temp\sanfdr.bat"

The Trojan was observed engaging in the following encrypted communication with a remote C&C server. All communication is tagged with the AS101 string:

The Trojan was later seen requesting and downloading an additional malicious executable file (pokdre.exe) [Detected as GAV: Beaugrit.A_15 (Trojan)]:

golfinfo.ini contains the following encrypted data:

This data was seen being sent from the C&C server. The .dat files d3d8caps.dat and d3d9caps.dat contain decrypted data that was sent from the C&C server.

During analysis we were able to identify a very basic decryption routine which simply uses the NOT operator for decryption:

Using the above knowledge we were able to fully decrypt golfinfo.ini, revealing two C&C server IP addresses and the infection filenames:
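The following is an added analyst helper, not code from the advisory or from the malware: it applies the bitwise-NOT decryption described above to a buffer and then pulls out IPv4 addresses and filenames from the result, the same kind of triage that produced the golfinfo.ini findings. The sample buffer is constructed here (RFC 5737 documentation addresses and the filenames named on this page), so the decrypted output is illustrative rather than the real configuration; the printable-ratio heuristic is a generalization that lets the same tool flag which of several unknown blobs actually decode under NOT.

```python
import re

def not_decrypt(data: bytes) -> bytes:
    """Invert every bit of each byte (bitwise NOT), as the advisory describes.
    NOT is an involution, so the same call encrypts and decrypts."""
    return bytes((~b) & 0xFF for b in data)

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or line whitespace.
    Used as a cheap signal that a candidate decoding yielded text."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in b"\r\n\t")
    return ok / len(data)

# Indicator patterns over the decrypted bytes: dotted-quad IPv4 and
# simple filenames with the extensions seen in this infection.
IPV4 = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FILENAME = re.compile(rb"\b[\w-]+\.(?:exe|bat|dat|ini)\b")

def extract_indicators(blob: bytes):
    """Decrypt with NOT and return (ip_addresses, filenames) found in the result."""
    plain = not_decrypt(blob)
    ips = [m.decode() for m in IPV4.findall(plain)]
    files = [m.decode() for m in FILENAME.findall(plain)]
    return ips, files

def decodes_as_text(blob: bytes, threshold: float = 0.9) -> bool:
    """True when NOT-decoding raises the printable ratio above the threshold,
    i.e. the blob is plausibly a NOT-obfuscated text file like golfinfo.ini."""
    return printable_ratio(not_decrypt(blob)) >= threshold > printable_ratio(blob)

# Constructed sample (not the real golfinfo.ini): two placeholder C&C
# addresses from the RFC 5737 documentation range plus the dropped filenames.
SAMPLE_PLAINTEXT = b"192.0.2.10\r\n192.0.2.20\r\njiokf.exe\r\npokdre.exe\r\n"
SAMPLE_ENCRYPTED = not_decrypt(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    if decodes_as_text(SAMPLE_ENCRYPTED):
        ips, files = extract_indicators(SAMPLE_ENCRYPTED)
        print("C&C addresses:", ips)
        print("filenames:    ", files)
```

On a real sample, read the .ini or .dat file in binary mode and pass its bytes to `decodes_as_text` before `extract_indicators`; the NOT transform maps every printable ASCII byte into the 0x81 to 0xDF range, which is why the raw file shows a printable ratio near zero and the decoded one near one.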

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Packman.0 (Trojan)
  • GAV: Urelas.AB_3 (Trojan)
  • GAV: Virut.Q.gen (Trojan)
  • GAV: Beaugrit.A_15 (Trojan)