Analysis by: Miguel Carlo Ang
ALIASES:

Trojan:Win32/Emotet.G(Microsoft);Trojan-Dropper.Win32.Injector.lmaq (Kaspersky);Gen:Variant.Zusy.131675(Bitdefender)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes the initially executed copy of itself.

  TECHNICAL DETAILS

File Size: 270,336 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 13 Mar 2015

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

  • %Application Data%\Microsoft\msdb327ac70.exe

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
msdb327ac70.exe = ""%Application Data%\Microsoft\msdb327ac70.exe""

Other System Modifications

This Trojan adds the following registry keys:

HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications

HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\
7_1

HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\
7_1\Recent File List

HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\
7_1\Settings

HKEY_CURRENT_USER\Software\Microsoft\
Multimedia\Audio\Box

HKEY_CURRENT_USER\Software\Microsoft\
Multimedia\Audio\Box\
d256a9206

HKEY_CURRENT_USER\Software\Microsoft\
Multimedia\Audio\Box\
d256a9207

HKEY_CURRENT_USER\Software\Microsoft\
Multimedia\Audio\Box\
d256a9208

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
GlobalUserOffline = 0

Other Details

This Trojan deletes the initially executed copy of itself

Mobile Malware Routine

This Trojan accesses the following possibly malicious URL(s):

  • http://{BLOCKED}.{BLOCKED}.138.90:8080/d256a920/95252f74/
  • http://{BLOCKED}.{BLOCKED}.254.29:8080/d256a920/95252f74/
  • http://{BLOCKED}.{BLOCKED}.85.224:8080/d256a920/95252f74/
  • http://{BLOCKED}.{BLOCKED}.129.13:8080/d256a920/95252f74/
  • http://{BLOCKED}.{BLOCKED}.151.38:8080/d256a920/95252f74/
  • http://{BLOCKED}.{BLOCKED}.207.58:8080/d256a920/95252f74/
  • http://{BLOCKED}.{BLOCKED}.17.67:8080/d256a920/95252f74/
  • http://{BLOCKED}.{BLOCKED}.6.134:8080/d256a920/95252f74/
  • http://{BLOCKED}.{BLOCKED}.189.24:8080/d256a920/95252f74/
  • http://{BLOCKED}.{BLOCKED}.213.41:8080/d256a920/95252f74/
  • http://{BLOCKED}.{BLOCKED}.225.91:8080/d256a920/95252f74/
  • http://{BLOCKED}.{BLOCKED}.160.196:8080/d256a920/95252f74/
  • http://{BLOCKED}.{BLOCKED}.193.123:8080/d256a920/95252f74/
  • http://{BLOCKED}.{BLOCKED}.135.44:8080/d256a920/95252f74/
  • http://{BLOCKED}.{BLOCKED}.3.194:8080/d256a920/95252f74/
  • http://{BLOCKED}.{BLOCKED}.17.144:8080/d256a920/95252f74/
  • http://{BLOCKED}.{BLOCKED}.105.107:8080/d256a920/95252f74/
  • http://{BLOCKED}.{BLOCKED}.224.231:8080/d256a920/95252f74/