search

TrojanSpy.Win32.EMOTET.YJCCY

March 26, 2022
 Analysis by: Maria Emreen Viray
 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan Spy

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes the initially executed copy of itself.

  TECHNICAL DETAILS

File Size:

679,936 bytes

File Type:

DLL

Memory Resident:

Yes

Initial Samples Received Date:

25 Mar 2022

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy adds the following folders:

  • %System%\{random}
  • %AppDataLocal%\{random}

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops and executes the following files:

  • %System%\{random}\{random characters}.{3 random characters}
  • %AppDataLocal%\{random}\{random characters}.{3 random characters}

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

  • %System%\regsvr32.exe /s "%System%\{random}\{random characters}.{3 random characters}"
  • %System%\regsvr32.exe /s "%AppDataLocal%\{random}\{random characters}.{3 random characters}"

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other System Modifications

This Trojan Spy adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\{File name of dropped file}
ImagePath = %System%\regsvr32.exe /s "%System%\{random}\{random characters}.{3 random characters}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{File name of dropped file} = %System%\regsvr32.exe /s "%AppDataLocal%\{random}\{random characters}.{3 random characters}"

Other Details

This Trojan Spy connects to the following possibly malicious URL:

  • http://{BLOCKED}.{BLOCKED}.40.183:80
  • http://{BLOCKED}.{BLOCKED}.218.63:8080
  • http://{BLOCKED}.{BLOCKED}.25.250:8080
  • http://{BLOCKED}.{BLOCKED}.124.41:7080
  • http://{BLOCKED}.{BLOCKED}.201.2:443
  • http://{BLOCKED}.{BLOCKED}.151.129:8080
  • http://{BLOCKED}.{BLOCKED}.24.231:80
  • http://{BLOCKED}.{BLOCKED}.88.10:8080
  • http://{BLOCKED}.{BLOCKED}.21.73:7080
  • http://{BLOCKED}.{BLOCKED}.116.246:8080
  • http://{BLOCKED}.{BLOCKED}.201.4:443
  • http://{BLOCKED}.{BLOCKED}.106.96:8080
  • http://{BLOCKED}.{BLOCKED}.72.26:8080
  • http://{BLOCKED}.{BLOCKED}.17.99:8080
  • http://{BLOCKED}.{BLOCKED}.201.15:8080
  • http://{BLOCKED}.{BLOCKED}.46.182:443
  • http://{BLOCKED}.{BLOCKED}.84.195:8080
  • http://{BLOCKED}.{BLOCKED}.222.11:443
  • http://{BLOCKED}.{BLOCKED}.2.232:8080
  • http://{BLOCKED}.{BLOCKED}.0.91:8080
  • http://{BLOCKED}.{BLOCKED}.42.236:80
  • http://{BLOCKED}.{BLOCKED}.188.93:443
  • http://{BLOCKED}.{BLOCKED}.98.99:8080
  • http://{BLOCKED}.{BLOCKED}.222.101:443
  • http://{BLOCKED}.{BLOCKED}.140.238:7080
  • http://{BLOCKED}.{BLOCKED}.115.35:8080
  • http://{BLOCKED}.{BLOCKED}.150.244:8080
  • http://{BLOCKED}.{BLOCKED}.135.203:7080
  • http://{BLOCKED}.{BLOCKED}.40.196:8080
  • http://{BLOCKED}.{BLOCKED}.152.127:8080
  • http://{BLOCKED}.{BLOCKED}.221.247:8080
  • http://{BLOCKED}.{BLOCKED}.54.215:443
  • http://{BLOCKED}.{BLOCKED}.133.20:443
  • http://{BLOCKED}.{BLOCKED}.82.211:8080
  • http://{BLOCKED}.{BLOCKED}.232.124:443
  • http://{BLOCKED}.{BLOCKED}.128.118:443
  • http://{BLOCKED}.{BLOCKED}.225.142:8080
  • http://{BLOCKED}.{BLOCKED}.212.92:8080
  • http://{BLOCKED}.{BLOCKED}.114.231:8080
  • http://{BLOCKED}.{BLOCKED}.193.249:8080
  • http://{BLOCKED}.{BLOCKED}.146.25:7080
  • http://{BLOCKED}.{BLOCKED}.59.82:8080
  • http://{BLOCKED}.{BLOCKED}.158.56:8080
  • http://{BLOCKED}.{BLOCKED}.7.5:8080
  • http://{BLOCKED}.{BLOCKED}.99.3:8080
  • http://{BLOCKED}.{BLOCKED}.251.50:443
  • http://{BLOCKED}.{BLOCKED}.147.66:8080
  • http://{BLOCKED}.{BLOCKED}.117.186:8080
  • http://{BLOCKED}.{BLOCKED}.98.206:8080
  • http://{BLOCKED}.{BLOCKED}.20.25:443
  • http://{BLOCKED}.{BLOCKED}.226.206:443
  • http://{BLOCKED}.{BLOCKED}.226.45:443
  • http://{BLOCKED}.{BLOCKED}.115.99:8080
  • http://{BLOCKED}.{BLOCKED}.112.196:8080
  • http://{BLOCKED}.{BLOCKED}.212.216:8080
  • http://{BLOCKED}.{BLOCKED}.109.124:443
  • http://{BLOCKED}.{BLOCKED}.30.83:443
  • http://{BLOCKED}.{BLOCKED}.212.130:7080
  • http://{BLOCKED}.{BLOCKED}.111.200:7080
  • http://{BLOCKED}.{BLOCKED}.246.206:443
  • http://{BLOCKED}.{BLOCKED}.128.192:443

It deletes the initially executed copy of itself.