W2KM_UPATRE.A
PLATFORM:
Windows
OVERALL RISK RATING:
DAMAGE POTENTIAL:
DISTRIBUTION POTENTIAL:
REPORTED INFECTION:
INFORMATION EXPOSURE:
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
File Size: 95,744 bytes
File Type: DOC
Initial Samples Received Date: 09 Oct 2015
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops a copy of itself in the following folders using different file names:
- %Temp%\287.rtf
- %Temp%\288.rtf
- %Temp%\w12.exe
(Note: %Temp% is the Windows temporary folder, where it usually is C:\Windows\Temp on all Windows operating system versions.)
Other Details
This Trojan connects to the following URL(s) to get the affected system's IP address:
- http://icanhazip.com
It connects to the following possibly malicious URL:
- http://{BLOCKED}.{BLOCKED}.11.51:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.203.43:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.49.11:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.247.74:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.31.6:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.117.66:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.64.160:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.203.154:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.93.231:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.122.150:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.163.46:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.164.10:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.199.21:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.51.92:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.56.83:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.89.57:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.57.155:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.197.50:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.68.78:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.123.130:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.138.154:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.217.188:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.131.116:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.20.53:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.144.177:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.159.18:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.13.21:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.252.207:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.135.178:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.201.105:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.201.61:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.242.203:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.171.44:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.204.114:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.82.80:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.101.67:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.233.105:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.76.211:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.64.45:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.144.37:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.65.67:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.168.205:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.236.122:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.236.148:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.20.189:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.172.232:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.155.22:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.82.239:443/limto1.tar
- http://{BLOCKED}.{BLOCKED}.82.66:443/limto1.tar