TROJ_INJECT.XXTWZ
Trojan:Win32/Emotet.G (Microsoft); Trojan-Dropper.Win32.Injector.lmaq (Kaspersky); Gen:Variant.Zusy.131675 (Bitdefender)
Windows
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It deletes the initially executed copy of itself.
TECHNICAL DETAILS
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following copies of itself into the affected system:
- %AppDataLocal%\{random name}\{random name}.exe
(Note: %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
{random name} = "%AppDataLocal%\{random name}\{random name}.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
{random name} = "%AppDataLocal%\{random name}\{random name}.exe"
Other System Modifications
This Trojan adds the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS
HKEY_LOCAL_MACHINE\Software\{8 random values}
HKEY_CURRENT_USER\Software\{8 random values}
It adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR = "1"
HKEY_LOCAL_MACHINE\SYSTEM\{Current Control Set}\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings
ProxyEnable = "1"
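The persistence and policy changes listed in the Installation, Autostart Technique and Other System Modifications sections can be checked on a suspect host with the following read-only triage script. It is an added example, not part of the Trend Micro entry and not code from the malware, and it makes two assumptions: the "{Current Control Set}" placeholder is read through the CurrentControlSet link, and the dropped-copy location is matched generically as any Run entry pointing at <Local AppData>\<one directory>\<name>.exe, which also covers the Local Settings\Application Data layout on older Windows versions.

```powershell
# Added triage example: reports host artifacts matching this entry's
# persistence and policy changes. Read-only; run from an elevated prompt.

function Get-InjectXxtwzIndicators {
    $findings = @()

    # 1. Autostart: Run entries whose target sits one directory below Local AppData.
    #    Assumption: generic path pattern covering both the Vista+ and the XP layout.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    )
    $dropPattern = '\\(AppData\\Local|Local Settings\\Application Data)\\[^\\]+\\[^\\]+\.exe"?\s*$'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # skip PowerShell metadata properties
            if ("$($p.Value)" -match $dropPattern) {
                $findings += [pscustomobject]@{
                    Check    = 'Autostart entry under Local AppData'
                    Location = "$key\$($p.Name)"
                    Value    = $p.Value
                }
            }
        }
    }

    # 2. System Restore disabled by policy (DisableSR / DisableConfig = 1).
    $srKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
    if (Test-Path $srKey) {
        $sr = Get-ItemProperty -Path $srKey
        foreach ($name in 'DisableSR', 'DisableConfig') {
            if ($sr.$name -eq 1) {
                $findings += [pscustomobject]@{
                    Check = 'System Restore policy'; Location = "$srKey\$name"; Value = $sr.$name
                }
            }
        }
    }

    # 3. ProxyEnable set under the hardware-profile Internet Settings key.
    #    Assumption: {Current Control Set} resolved via the CurrentControlSet link.
    $proxyKey = 'HKLM:\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings'
    if (Test-Path $proxyKey) {
        $proxy = Get-ItemProperty -Path $proxyKey
        if ($proxy.ProxyEnable -eq 1) {
            $findings += [pscustomobject]@{
                Check = 'Hardware profile proxy'; Location = "$proxyKey\ProxyEnable"; Value = 1
            }
        }
    }

    # 4. Internet Explorer FeatureControl keys named in the entry (informational:
    #    legitimate software creates these too, so treat presence as context only).
    $featureKeys = @(
        'HKCU:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION',
        'HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION',
        'HKCU:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS'
    )
    foreach ($key in $featureKeys) {
        if (Test-Path $key) {
            $findings += [pscustomobject]@{
                Check = 'FeatureControl key present (informational)'; Location = $key; Value = ''
            }
        }
    }

    return $findings
}

$results = Get-InjectXxtwzIndicators
if ($results.Count -eq 0) {
    Write-Output 'No indicators from this entry were found on this host.'
} else {
    $results | Format-Table -AutoSize -Wrap
}
```

The autostart check is the one worth acting on: an HKLM Run value pointing into a user's Local AppData is unusual for software installed system-wide, and combined with DisableSR = 1 it matches the behaviour this entry describes. The FeatureControl keys and a single ProxyEnable value are weak on their own, which is why the script labels them informational rather than treating their presence as a detection.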
Other Details
This Trojan connects to the following possibly malicious URLs:
- {BLOCKED}.{BLOCKED}9.21.250:8080
- {BLOCKED}.{BLOCKED}3.161.177:80
- {BLOCKED}.{BLOCKED}7.194.46:80
- {BLOCKED}.{BLOCKED}5.142.131:80
- {BLOCKED}.{BLOCKED}1.47.22:443
- {BLOCKED}.{BLOCKED}.241.186:80
- {BLOCKED}.{BLOCKED}.83.74:443
- {BLOCKED}.{BLOCKED}6.139.156:443
- {BLOCKED}.{BLOCKED}.99.3:443
- {BLOCKED}.{BLOCKED}5.72.92:80
- {BLOCKED}.{BLOCKED}4.7.148:8080
- {BLOCKED}.{BLOCKED}86.112.134:80
- {BLOCKED}.{BLOCKED}97.99.69:8080
- {BLOCKED}.{BLOCKED}.15.45:80
- {BLOCKED}.{BLOCKED}.57.87:8080
- {BLOCKED}.{BLOCKED}.153.101:8080
- {BLOCKED}.{BLOCKED}.18.146:80
- {BLOCKED}.{BLOCKED}.7.120:80
- {BLOCKED}.{BLOCKED}09.235.201:8080
- {BLOCKED}.{BLOCKED}.16.193:443
- {BLOCKED}.{BLOCKED}2.242.48:80
- {BLOCKED}.{BLOCKED}.13.32:80
- {BLOCKED}.{BLOCKED}2.88.253:28758
- {BLOCKED}.{BLOCKED}.105.47:80
- {BLOCKED}.{BLOCKED}.92.78:443
- {BLOCKED}.{BLOCKED}76.236.241:80
- {BLOCKED}.{BLOCKED}11.205.134:80
- {BLOCKED}.{BLOCKED}.228.133:80
- {BLOCKED}.{BLOCKED}2.124.140:443
- {BLOCKED}.{BLOCKED}9.183.148:8080
- {BLOCKED}.{BLOCKED}73.195.66:80
- {BLOCKED}.{BLOCKED}9.52.195:80
- {BLOCKED}.{BLOCKED}3.249.187:80
- {BLOCKED}.{BLOCKED}.229.173:80
- {BLOCKED}.{BLOCKED}4.210.77:80
- {BLOCKED}.{BLOCKED}4.237.242:80
- {BLOCKED}.{BLOCKED}13.15.115:80
- {BLOCKED}.{BLOCKED}7.23.211:80
- {BLOCKED}.{BLOCKED}48.136.24:80
- {BLOCKED}.{BLOCKED}1.167.241:80
- {BLOCKED}.{BLOCKED}15.130.227:80
- {BLOCKED}.{BLOCKED}19.70.89:80
- {BLOCKED}.{BLOCKED}41.170.166:80
- {BLOCKED}.{BLOCKED}9.4.66:80
- {BLOCKED}.{BLOCKED}1.70.219:80
- {BLOCKED}.{BLOCKED}7.137.72:80
- {BLOCKED}.{BLOCKED}2.209.162:80
- {BLOCKED}.{BLOCKED}3.73.246:443
- {BLOCKED}.{BLOCKED}82.124.121:80
- {BLOCKED}.{BLOCKED}5.239.176:56513
- {BLOCKED}.{BLOCKED}2.250.142:8080
- {BLOCKED}.{BLOCKED}.122.224:80
- {BLOCKED}.{BLOCKED}90.214.11:31106
- {BLOCKED}.{BLOCKED}85.79.12:28215
- {BLOCKED}.{BLOCKED}9.110.47:443
- {BLOCKED}.{BLOCKED}.165.134:80
- {BLOCKED}.{BLOCKED}22.242.28:80
- {BLOCKED}.{BLOCKED}8.47.115:443
- {BLOCKED}.{BLOCKED}43.58.77:48021
- {BLOCKED}.{BLOCKED}9.37.119:80
- {BLOCKED}.{BLOCKED}6.146.143:443
- {BLOCKED}.{BLOCKED}9.34.104:443
- {BLOCKED}.{BLOCKED}123.41:8080
- {BLOCKED}.{BLOCKED}6.192.138:80
- {BLOCKED}.{BLOCKED}0.23.91:80
- {BLOCKED}.{BLOCKED}41.123.198:80
- {BLOCKED}.{BLOCKED}79.129.139:80
- {BLOCKED}.{BLOCKED}2.103.176:80
- {BLOCKED}.{BLOCKED}51.106.144:80
- {BLOCKED}.{BLOCKED}2.144.135:80
- {BLOCKED}.{BLOCKED}8.26.189:80
- {BLOCKED}.{BLOCKED}26.46.131:443
- {BLOCKED}.{BLOCKED}64.73.157:80
- {BLOCKED}.{BLOCKED}43.134.222:80
- {BLOCKED}.{BLOCKED}18.3.73:80
- {BLOCKED}.{BLOCKED}8.103.182:80
- {BLOCKED}.{BLOCKED}30.239.63:29803
- {BLOCKED}.{BLOCKED}.65.126:443
- {BLOCKED}.{BLOCKED}.105.104:80
- {BLOCKED}.{BLOCKED}06.168.143:80
- {BLOCKED}.{BLOCKED}31.95.99:80
- {BLOCKED}.{BLOCKED}2.224.246:55024
- {BLOCKED}.{BLOCKED}37.141.244:51488
- {BLOCKED}.{BLOCKED}.229.163:59478
- {BLOCKED}.{BLOCKED}0.231.98:443
- {BLOCKED}.{BLOCKED}3.120.44:8080
- {BLOCKED}.{BLOCKED}7.65.188:80
- {BLOCKED}.{BLOCKED}8.31.23:443
- {BLOCKED}.{BLOCKED}6.27.38:443
- {BLOCKED}.{BLOCKED}67.202.220:80
- {BLOCKED}.{BLOCKED}.55.198:80
- {BLOCKED}.{BLOCKED}.174.240:80
- {BLOCKED}.{BLOCKED}3.236.137:43325
- {BLOCKED}.{BLOCKED}03.102.35:443
- {BLOCKED}.{BLOCKED}09.121.223:80
- {BLOCKED}.{BLOCKED}0.151.54:53258
- {BLOCKED}.{BLOCKED}6.96.117:20426
- {BLOCKED}.{BLOCKED}.45.65:80
- {BLOCKED}.{BLOCKED}.165.143:80
- {BLOCKED}.{BLOCKED}01.95.202:21376
- {BLOCKED}.{BLOCKED}.19.154:30088
- {BLOCKED}.{BLOCKED}35.201.215:80
- {BLOCKED}.{BLOCKED}5.87.179:8080
- {BLOCKED}.{BLOCKED}03.73.88:80
- {BLOCKED}.{BLOCKED}41.63.165:80
- {BLOCKED}.{BLOCKED}1.36.45:80
- {BLOCKED}.{BLOCKED}94.240.184:8080
- {BLOCKED}.{BLOCKED}40.243.106:8080
- {BLOCKED}.{BLOCKED}4.90.70:443
- {BLOCKED}.{BLOCKED}9.80.200:29501
- {BLOCKED}.{BLOCKED}5.160.78:8080
- {BLOCKED}.{BLOCKED}6.172.42:80
- {BLOCKED}.{BLOCKED}47.46.81:443
- {BLOCKED}.{BLOCKED}.186.37:8080
- {BLOCKED}.{BLOCKED}3.236.236:80
- {BLOCKED}.{BLOCKED}2.119.158:80
- {BLOCKED}.{BLOCKED}.222.105:443
- {BLOCKED}.{BLOCKED}9.202.239:443
- {BLOCKED}.{BLOCKED}.135.138:80
- {BLOCKED}.{BLOCKED}6.22.209:8080
- {BLOCKED}.{BLOCKED}11.172.92:80
- {BLOCKED}.{BLOCKED}1.138.11:80
- {BLOCKED}.{BLOCKED}8.241.223:80
- {BLOCKED}.{BLOCKED}7.248.2:443
- {BLOCKED}.{BLOCKED}//b14-mini.ru/upload.php
It deletes the initially executed copy of itself.