Win32/Emotet [Threat Name]

Win32/Emotet.AW [Threat Variant Name]

Category trojan
Size 201216 B
Detection created Jul 26, 2017
Detection database version 15809
Aliases Trojan.Win32.Agent.nfapjt (Kaspersky)
  Ransom.Kovter (Symantec)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan may create copies of itself using the following filenames:

  • %system%\%variable1%%variable2%.exe
  • %localappdata%\Microsoft\Windows\%variable1%%variable2%.exe
  • %temp%\%variable3%.TMP

%variable1% and %variable2% are each one of the following strings (the filename is their concatenation):

  • agent
  • app
  • audio
  • bio
  • bits
  • cache
  • card
  • cart
  • cert
  • com
  • crypt
  • dcom
  • defrag
  • device
  • dhcp
  • dns
  • event
  • evt
  • flt
  • gdi
  • group
  • help
  • home
  • host
  • info
  • iso
  • launch
  • log
  • logon
  • lookup
  • man
  • math
  • mgmt
  • msi
  • ncb
  • net
  • nv
  • nvidia
  • proc
  • prop
  • prov
  • provider
  • reg
  • rpc
  • screen
  • search
  • sec
  • server
  • service
  • shed
  • shedule
  • spec
  • srv
  • storage
  • svc
  • sys
  • system
  • task
  • time
  • video
  • view
  • win
  • window
  • wlan
  • wmi

A string with variable content is used instead of %variable3%.


In order to be executed on every system start, the trojan sets one of the following Registry entries, depending on where its copy was dropped:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%variable1%%variable2%" = "%system%\%variable1%%variable2%.exe"
    • "%variable1%%variable2%" = "%localappdata%\Microsoft\Windows\%variable1%%variable2%.exe"

The trojan registers itself as a system service using the following name:

  • %variable1%%variable2%

This causes the trojan to be executed on every system start.

Information stealing

The trojan collects the following information:

  • computer name
  • volume serial number
  • CPU information
  • operating system version
  • list of running processes

The trojan attempts to send gathered information to a remote machine.


Payload information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a hard-coded list of 8 IP addresses. HTTP and HTTPS are used for the communication.


It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files

Other information

The trojan may attempt to download files from the Internet.


The files are stored in the following locations:

  • %system%\%variable4%.exe
  • %localappdata%\Microsoft\Windows\%variable4%.exe
  • %commonappdata%\%variable4%.exe

A string with variable content is used instead of %variable4%.


The files are then executed.


The trojan may delete the following NTFS alternate data streams (the Zone.Identifier stream, i.e. the Mark-of-the-Web, on its own dropped copies, so the copies are no longer treated as downloaded from the Internet):

  • %system%\%variable1%%variable2%.exe:Zone.Identifier
  • %localappdata%\Microsoft\Windows\%variable1%%variable2%.exe:Zone.Identifier
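The naming scheme in the Installation section and the Zone.Identifier deletion above are both huntable from the same word list. The following Python is an added example, not ESET's code: it enumerates every <word1><word2>.exe stem the page describes, then applies it to constructed sample data standing in for exported HKCU\...\Run values, service ImagePaths and file-deletion telemetry that records stream names. The function names and the samples are this example's own; the inclusion of SysWOW64 as a possible %system% (file-system redirection for a 32-bit process on 64-bit Windows) is an assumption that goes beyond the page.

```python
"""Hunt for the Win32/Emotet.AW persistence artifacts described on this page.

Added example (not ESET's code). Nothing here touches a live registry or
file system; the inputs are constructed samples.
"""
import itertools
import re

# Word list from the page; a dropped copy is named <word1><word2>.exe.
WORDS = [
    "agent", "app", "audio", "bio", "bits", "cache", "card", "cart", "cert",
    "com", "crypt", "dcom", "defrag", "device", "dhcp", "dns", "event", "evt",
    "flt", "gdi", "group", "help", "home", "host", "info", "iso", "launch",
    "log", "logon", "lookup", "man", "math", "mgmt", "msi", "ncb", "net", "nv",
    "nvidia", "proc", "prop", "prov", "provider", "reg", "rpc", "screen",
    "search", "sec", "server", "service", "shed", "shedule", "spec", "srv",
    "storage", "svc", "sys", "system", "task", "time", "video", "view", "win",
    "window", "wlan", "wmi",
]
# Every stem the trojan can produce (at most 65 * 65 = 4225 combinations).
CANDIDATE_STEMS = {a + b for a, b in itertools.product(WORDS, repeat=2)}

# Drop directories from the page: %system% (System32; SysWOW64 is an added
# assumption for a 32-bit process on 64-bit Windows) and
# %localappdata%\Microsoft\Windows.
DROP_PATH_RE = re.compile(
    r"^[a-z]:\\(?:windows\\(?:system32|syswow64)"
    r"|users\\[^\\]+\\appdata\\local\\microsoft\\windows)\\([a-z]+)\.exe$",
    re.IGNORECASE,
)
STREAM_RE = re.compile(r"^(.*\.exe):zone\.identifier$", re.IGNORECASE)


def candidate_stem(path):
    """Lowercase stem if `path` is <drop dir>\\<word1><word2>.exe, else None.
    On its own this is weak evidence: the legitimate System32\\svchost.exe
    also matches ("svc" + "host"), so callers tie it to a Run value or a
    service whose name equals the stem."""
    m = DROP_PATH_RE.match(path.strip().strip('"'))
    if not m:
        return None
    stem = m.group(1).lower()
    return stem if stem in CANDIDATE_STEMS else None


def hunt_run_values(values):
    """`values`: {value_name: data} from HKCU\\...\\CurrentVersion\\Run.
    Flags values whose name equals the two-word stem of the .exe they launch."""
    hits = []
    for name, data in values.items():
        stem = candidate_stem(data)
        if stem and name.lower() == stem:
            hits.append((name, data))
    return hits


def hunt_services(services):
    """`services`: {service_name: ImagePath}. Same rule as the Run key. A real
    Windows service such as Dnscache runs inside svchost.exe with -k
    arguments, so its ImagePath never takes the bare <drop dir>\\dnscache.exe
    form and is not flagged."""
    hits = []
    for name, image in services.items():
        stem = candidate_stem(image)
        if stem and name.lower() == stem:
            hits.append((name, image))
    return hits


def hunt_stream_deletions(deleted_paths):
    """`deleted_paths`: paths from deletion telemetry that records the stream
    name. Flags removal of the Zone.Identifier (Mark-of-the-Web) stream from
    a two-word .exe in a drop directory, as the page describes."""
    hits = []
    for path in deleted_paths:
        m = STREAM_RE.match(path.strip())
        if m and candidate_stem(m.group(1)):
            hits.append(path)
    return hits


# Constructed sample data (not taken from a real host).
SAMPLE_RUN = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "dnscache": r"C:\Windows\System32\dnscache.exe",
    "wlanprov": r"C:\Users\alice\AppData\Local\Microsoft\Windows\wlanprov.exe",
}
SAMPLE_SERVICES = {
    "Dnscache": r"C:\Windows\System32\svchost.exe -k NetworkService -p",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "wmiprov": r"C:\Windows\System32\wmiprov.exe",
}
SAMPLE_DELETIONS = [
    r"C:\Users\alice\Downloads\setup.exe:Zone.Identifier",
    r"C:\Windows\System32\dnscache.exe:Zone.Identifier",
]

if __name__ == "__main__":
    print("Run values:", hunt_run_values(SAMPLE_RUN))
    print("Services:", hunt_services(SAMPLE_SERVICES))
    print("Stream deletions:", hunt_stream_deletions(SAMPLE_DELETIONS))
```

The point of pairing the stem with the Run value or service name is precision: "dnscache" and "svchost" are both valid two-word stems, and Dnscache is a real Windows service name, so a name-only rule would page on every host. The stem check is only meaningful when the entry itself launches a standalone <stem>.exe from one of the drop directories.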
