Analysis by: Arvin Roi Macaraeg

ALIASES:

Trojan-Banker.Win32.Emotet.bunn(KASPERSKY)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan Spy

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 111,535 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 12 Dec 2018

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy drops the following copies of itself into the affected system and executes them:

  • %System%\{random file name}.exe -> Drop when file is run with admin rights
  • %AppDataLocal%\{Random Filename}\{random file name}.exe -> Drop when file is run without admin rights

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista, 7, and 8.)

It adds the following processes:

  • %AppDataLocal%\{Random Filename}\{random file name}.exe
  • %System%\{random file name}.exe

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista, 7, and 8.. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Autostart Technique

This Trojan Spy adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
CurrentVersion\Run
{random file name} = %AppDataLocal%\{Random Filename}\{random file name}.exe

It starts the following services:

    • Service Name: {random file name}
    • Image Path: %System%\{Random Filename}.exe
    • DisplayName: {Random Filename}
    • Description: Manages audio devices for the Windows Audio service. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Other Details

This Trojan Spy connects to the following possibly malicious URL:

  • {BLOCKED}.{BLOCKED}.27.238
  • {BLOCKED}.{BLOCKED}.219.114
  • {BLOCKED}.{BLOCKED}.241.2
  • {BLOCKED}.{BLOCKED}.153.90
  • {BLOCKED}.{BLOCKED}.64.181
  • {BLOCKED}.{BLOCKED}.45.201
  • {BLOCKED}.{BLOCKED}.209.106
  • {BLOCKED}.{BLOCKED}.1.15
  • {BLOCKED}.{BLOCKED}.19.5
  • {BLOCKED}.{BLOCKED}.185.25
  • {BLOCKED}.{BLOCKED}.212.150
  • {BLOCKED}.{BLOCKED}.254.93;
  • {BLOCKED}.{BLOCKED}.117.247
  • {BLOCKED}.{BLOCKED}.143.148
  • {BLOCKED}.{BLOCKED}.213.173
  • {BLOCKED}.{BLOCKED}.79.48
  • {BLOCKED}.{BLOCKED}.145.106
  • {BLOCKED}.{BLOCKED}.90.90
  • {BLOCKED}.{BLOCKED}.139.199
  • {BLOCKED}.{BLOCKED}.134.60
  • {BLOCKED}.{BLOCKED}.86.72
  • {BLOCKED}.{BLOCKED}.73.135
  • {BLOCKED}.{BLOCKED}.128.163