Analysis by: Mohammed Malubay
ALIASES:

W97m.Downloader.IWZ (Bitdefender); TrojanDownloader:O97M/Emotet.FSK!MTB (Microsoft); a variant of VBA/TrojanDownloader.Agent.TYN trojan (NOD32)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Canal de infección Downloaded from the Internet, Dropped by other malware

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

Tamaño del archivo 172,717 bytes
Fecha de recepción de las muestras iniciales 30 Jul 2020

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan adds the following folders:

  • %System%\dxmasf

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It drops the following files:

  • %User Temp%\cjzlcrgf.v41.ps1
  • %User Temp%\cbrjodtp.rqu.psm1
  • %User Profile%\74.exe
  • %System%\dxmasf\mswsock.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It adds the following processes:

  • powersheLL -e {base 64-encoded}
  • %User Profile%\74.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Autostart Technique

This Trojan adds and runs the following services:

  • mswsock
    • Start Type: SERVICE_AUTO_START
    • Binary Pathname: "%System%\dxmasf\mswsock.exe"

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Other System Modifications

This Trojan deletes the following files:

  • %User Temp%\cjzlcrgf.v41.ps1
  • %User Temp%\cbrjodtp.rqu.psm1
  • %User Profile%\74.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other Details

This Trojan connects to the following possibly malicious URL:

  • http://{BLOCKED}.uk/loges/v7yi_9z9l1_evrg/
  • http://{BLOCKED}.pl/4995371c/1_m_1dau4ki6f/
  • http://{BLOCKED}.pk/wp-admin/yu7d_oh2g_zmwbfmqo/
  • http://{BLOCKED}.cz/a_b3rvy_ua/
  • http://www.{BLOCKED}.pt/modules/2eyu_76wd_82/