arrow_back
search
close

TROJ_EMOTET.XXRW

June 26, 2015
 Analysis by: Cris Nowell Pantanilla
 ALIASES:

Trojan:Win32/Emotet.G (Microsoft); Backdoor.Win32.Androm.hfkr (Fortinet)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW


This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

However, as of this writing, the said sites are inaccessible.

  TECHNICAL DETAILS

File Size:

151,552 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

10 Jun 2015

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following copies of itself into the affected system:

  • %AppDataLocal%\{random}.exe

(Note: %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It injects threads into the following normal process(es):

  • explorer.exe

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random} = = "%AppDataLocal%\{random}.exe"

Other System Modifications

This spyware adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
GlobalUserOffline = "0"

Other Details

This spyware connects to the following possibly malicious URL:

  • http://{BLOCKED}.{BLOCKED}.148.38:8080/{random}/{random}.php
  • http://{BLOCKED}.{BLOCKED}.38.36:8080/{random}/{random}.php
  • http://{BLOCKED}.{BLOCKED}.17.211:8080/{random}/{random}.php
  • http://{BLOCKED}.{BLOCKED}.133.96:8080/{random}/{random}.php
  • http://{BLOCKED}.{BLOCKED}.201.56:8080/{random}/{random}.php
  • http://{BLOCKED}.{BLOCKED}.209.150:8080/{random}/{random}.php
  • http://{BLOCKED}.{BLOCKED}.244.17:8080/{random}/{random}.php
  • http://{BLOCKED}.{BLOCKED}.96:8080/{random}/{random}.php

However, as of this writing, the said sites are inaccessible.