Back to overview

Threat intelligence

Urelas spy Trojan drops multiple malware families (Aug 22nd, 2014)

by Security News

The Dell Sonicwall Threats Research team has received reports of a recent variant of the Urelas Trojan. This Trojan is known for its spying capability and has the ability to monitor certain gaming applications. It also sends screenshots and other system information to a remote C&C server. It can also download and install malware from other families.

Infection Cycle:

The Trojan uses the following icon:

The Trojan adds the following files to the filesystem:

  • %USERPROFILE%Local SettingsTempgolfinfo.ini
  • %USERPROFILE%Local SettingsTempsanfdr.bat (cleanup script)
  • %USERPROFILE%Local SettingsTempjiokf.exe
  • %USERPROFILE%Local SettingsTemppoetr.exe (copy of original)
  • %SYSTEM32%d3d8caps.dat
  • %SYSTEM32%d3d9caps.dat
  • %SYSTEM32%pokdre.exe

The Trojan adds the following keys to the Windows registry:

  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftESENTProcesspoetrDEBUG Trace Level ""
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftESENTProcesspokdreDEBUG Trace Level ""
  • HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindows Run "%SYSTEM32%pokdre.exe"
  • HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindows TrayKey "jiokf"

The .bat file dropped by pokdre.exe contains the following script to clean up traces of the infection:

      :Repeat
      del "{rundir}pokdre.exe"
      if exist "{rundir}pokdre.exe" goto Repeat
      rmdir "{rundir}"
      del "%USERPROFILE%Local SettingsTempsanfdr.bat"

The Trojan was observed engaging in the following encrypted communication with a remote C&C server. All communication is tagged with the AS101 string:

The Trojan was later seen requesting and downloading an additional malicious executable file (pokdre.exe) :

golfinfo.ini contains the following encrypted data:

This data was seen being sent from the C&C server. The .dat files d3d8caps.dat and d3d9caps.dat contain decrypted data that was sent from the C&C server.

During analysis we were able to identify a very basic decryption routine which simply uses the NOT operator for decryption:

Using the above knowledge we were able to fully decrypt golfinfo.ini thus revealing 2 C&C server ip addresses and infection filenames:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Packman.0 (Trojan)
  • GAV: Urelas.AB_3 (Trojan)
  • GAV: Virut.Q.gen (Trojan)
  • GAV: Beaugrit.A_15 (Trojan)

Share This Article

An Article By

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.