TrojanSpy.Win32.EMOTET.BTNSY

Verbindet sich mit einer bestimmten Website, um Daten zu versenden und zu empfangen.

Installation

Schleust die folgenden Eigenkopien in das betroffene System ein und führt sie aus:

• %System%\{string1}{string2}.exe - if run with admin privilages
• %AppDataLocal%\{string1}{string2}\{string1}{string2}.exe - if run without admin privileges
  {string1} and {string2} are randomly chosen from the following strings:
  
  • adam  
  • admin  
  • alaska  
  • ar
  • avat
  • avatar
  • avg      
  • based   
  • cbs  
  • culture
  • daf     
  • dasmrc  
  • define
  • detect
  • dev     
  • diag    
  • eap    
  • earcon
  • enroll  
  • form   
  • guids  
  • idl     
  • indexer
  • iprop    
  • iss     
  • jersey   
  • lime  
  • mapi    
  • mdmmcd   
  • menus  
  • metagen  
  • mfidl   
  • mini   
  • mouse    
  • neutral
  • not
  • panes  
  • pnp  
  • polic  
  • radar    
  • repl  
  • resw    
  • right   
  • ripple
  • sat     
  • serv   
  • shader
  • single
  • slide  
  • source  
  • started  
  • subs  
  • svcs   
  • thunk    
  • tmpl   
  • tuip   
  • turned  
  • uuidgen
  • vsc     
  • wab    
  • wcs    
  • wfp     
  • wgx  
  • without
  • wordpad  
  • zip    

(Hinweis: %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows XP und Server 2003.)

Erstellt die folgenden Ordner:

• %AppDataLocal%\{string1}{string2}

Fügt die folgenden Mutexe hinzu, damit nur jeweils eine ihrer Kopien ausgeführt wird:

• PEM{Hash of full file path}
• Global\I{Volume Serial Number}
• Global\M{Volume Serial Number}

Autostart-Technik

Registriert sich als Systemdienst, damit die Ausführung bei jedem Systemstart automatisch erfolgt, indem die folgenden Registrierungsschlüssel hinzufügt werden:

HKEY_LOCAL_MACHINE\System\ControlSet001\
services\{string1}{string2}
Type = 16

HKEY_LOCAL_MACHINE\System\ControlSet001\
services\{string1}{string2}
Start = 2

HKEY_LOCAL_MACHINE\System\ControlSet001\
services\{string1}{string2}
ErrorControl = 0

HKEY_LOCAL_MACHINE\System\ControlSet001\
services\{string1}{string2}
ImagePath = %System%\{string1}{string2}.exe

HKEY_LOCAL_MACHINE\System\ControlSet001\
services\{string1}{string2}
DisplayName = {string1]{string2}

HKEY_LOCAL_MACHINE\System\ControlSet001\
services\{string1}{string2}
ObjectName = LocalSystem

Datendiebstahl

Folgende Daten werden gesammelt:

• Machine Name
• OS Version
• Current Running processes and the process ID of each process

Andere Details

Verbindet sich mit der folgenden Website, um Daten zu versenden und zu empfangen:

• {BLOCKED}.{BLOCKED}.199.76
• {BLOCKED}.{BLOCKED}.143.96
• {BLOCKED}.{BLOCKED}.82.225
• {BLOCKED}.{BLOCKED}.243.126
• {BLOCKED}.{BLOCKED}.61.163
• {BLOCKED}.{BLOCKED}.228.7
• {BLOCKED}.{BLOCKED}.203.51
• {BLOCKED}.{BLOCKED}.254.93
• {BLOCKED}.{BLOCKED}.31.68
• {BLOCKED}.{BLOCKED}.241.251
• {BLOCKED}.{BLOCKED}.168.2
• {BLOCKED}.{BLOCKED}.117.247
• {BLOCKED}.{BLOCKED}.31.206
• {BLOCKED}.{BLOCKED}.208.183
• {BLOCKED}.{BLOCKED}.151.102
• {BLOCKED}.{BLOCKED}.239.130
• {BLOCKED}.{BLOCKED}.213.173
• {BLOCKED}.{BLOCKED}.18.45
• {BLOCKED}.{BLOCKED}.163.11
• {BLOCKED}.{BLOCKED}.54.74
• {BLOCKED}.{BLOCKED}.118.27
• {BLOCKED}.{BLOCKED}.79.48
• {BLOCKED}.{BLOCKED}.162.36
• {BLOCKED}.{BLOCKED}.100.185
• {BLOCKED}.{BLOCKED}.33.82
• {BLOCKED}.{BLOCKED}.84.70
• {BLOCKED}.{BLOCKED}.231.96
• {BLOCKED}.{BLOCKED}.128.163
• {BLOCKED}.{BLOCKED}.32.17
• {BLOCKED}.{BLOCKED}.76.245
• {BLOCKED}.{BLOCKED}.150.93
• {BLOCKED}.{BLOCKED}.52.70
• {BLOCKED}.{BLOCKED}.248.48
• {BLOCKED}.{BLOCKED}.217.39
• {BLOCKED}.{BLOCKED}.214.53
• {BLOCKED}.{BLOCKED}.230.228
• {BLOCKED}.{BLOCKED}.66.29
• {BLOCKED}.{BLOCKED}.19.67
• {BLOCKED}.{BLOCKED}.239.130
• {BLOCKED}.{BLOCKED}.147.203
• {BLOCKED}.{BLOCKED}.30.28
• {BLOCKED}.{BLOCKED}.193.16
• {BLOCKED}.{BLOCKED}.189.46
• {BLOCKED}.{BLOCKED}.139.199
• {BLOCKED}.{BLOCKED}.67.107
• {BLOCKED}.{BLOCKED}.86.72
• {BLOCKED}.{BLOCKED}.90.90
• {BLOCKED}.{BLOCKED}.148.222
• {BLOCKED}.{BLOCKED}.153.46
• {BLOCKED}.{BLOCKED}.66.50