TROJANSPY.WIN32.EMOTET.THABAAAH
Trojan-Banker.Win32.Emotet.bunn(KASPERSKY)
Windows
Threat Type: Trojan Spy
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan Spy drops the following copies of itself into the affected system and executes them:
- %System%\{random file name}.exe -> Drop when file is run with admin rights
- %AppDataLocal%\{Random Filename}\{random file name}.exe -> Drop when file is run without admin rights
(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista, 7, and 8.)
It adds the following processes:
- %AppDataLocal%\{Random Filename}\{random file name}.exe
- %System%\{random file name}.exe
(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista, 7, and 8.. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)
Autostart Technique
This Trojan Spy adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
CurrentVersion\Run
{random file name} = %AppDataLocal%\{Random Filename}\{random file name}.exe
It starts the following services:
- Service Name: {random file name}
- Image Path: %System%\{Random Filename}.exe
- DisplayName: {Random Filename}
- Description: Manages audio devices for the Windows Audio service. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start
(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)
Other Details
This Trojan Spy connects to the following possibly malicious URL:
- {BLOCKED}.{BLOCKED}.27.238
- {BLOCKED}.{BLOCKED}.219.114
- {BLOCKED}.{BLOCKED}.241.2
- {BLOCKED}.{BLOCKED}.153.90
- {BLOCKED}.{BLOCKED}.64.181
- {BLOCKED}.{BLOCKED}.45.201
- {BLOCKED}.{BLOCKED}.209.106
- {BLOCKED}.{BLOCKED}.1.15
- {BLOCKED}.{BLOCKED}.19.5
- {BLOCKED}.{BLOCKED}.185.25
- {BLOCKED}.{BLOCKED}.212.150
- {BLOCKED}.{BLOCKED}.254.93;
- {BLOCKED}.{BLOCKED}.117.247
- {BLOCKED}.{BLOCKED}.143.148
- {BLOCKED}.{BLOCKED}.213.173
- {BLOCKED}.{BLOCKED}.79.48
- {BLOCKED}.{BLOCKED}.145.106
- {BLOCKED}.{BLOCKED}.90.90
- {BLOCKED}.{BLOCKED}.139.199
- {BLOCKED}.{BLOCKED}.134.60
- {BLOCKED}.{BLOCKED}.86.72
- {BLOCKED}.{BLOCKED}.73.135
- {BLOCKED}.{BLOCKED}.128.163