Win32/Emotet [Threat Name]
Win32/Emotet.AW [Threat Variant Name]
Category | trojan
Size | 201216 B
Aliases | Trojan.Win32.Agent.nfapjt (Kaspersky); Ransom.Kovter (Symantec)
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan may create copies of itself using the following filenames:
- %system%\%variable1%%variable2%.exe
- %localappdata%\Microsoft\Windows\%variable1%%variable2%.exe
- %temp%\%variable3%.TMP
Each of %variable1% and %variable2% is one of the following strings (the file name is the two strings concatenated):
- agent
- app
- audio
- bio
- bits
- cache
- card
- cart
- cert
- com
- crypt
- dcom
- defrag
- device
- dhcp
- dns
- event
- evt
- flt
- gdi
- group
- help
- home
- host
- info
- iso
- launch
- log
- logon
- lookup
- man
- math
- mgmt
- msi
- ncb
- net
- nv
- nvidia
- proc
- prop
- prov
- provider
- reg
- rpc
- screen
- search
- sec
- server
- service
- shed
- shedule
- spec
- srv
- storage
- svc
- sys
- system
- task
- time
- video
- view
- win
- window
- wlan
- wmi
A string with variable content is used instead of %variable3%.
In order to be executed on every system start, the trojan sets one of the following Registry entries (the value data points at the copy it created):
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "%variable1%%variable2%" = "%system%\%variable1%%variable2%.exe"
- "%variable1%%variable2%" = "%localappdata%\Microsoft\Windows\%variable1%%variable2%.exe"
The trojan registers itself as a system service using the following name:
- %variable1%%variable2%
This causes the trojan to be executed on every system start.
Information stealing
The trojan collects the following information:
- computer name
- volume serial number
- CPU information
- operating system version
- list of running processes
The trojan attempts to send gathered information to a remote machine.
Payload information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 8 IP addresses. The HTTP and HTTPS protocols are used in the communication.
It may perform the following actions:
- download files from a remote computer and/or the Internet
- run executable files
Other information
The trojan may attempt to download files from the Internet.
The files are stored in the following locations:
- %system%\%variable4%.exe
- %localappdata%\Microsoft\Windows\%variable4%.exe
- %commonappdata%\%variable4%.exe
A string with variable content is used instead of %variable4%.
The files are then executed.
The trojan may delete the following alternate data streams (the Zone.Identifier stream carries the Mark of the Web; removing it from its own copies avoids the "downloaded file" security prompt):
- %system%\%variable1%%variable2%.exe:Zone.Identifier
- %localappdata%\Microsoft\Windows\%variable1%%variable2%.exe:Zone.Identifier
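As an added example, not part of the ESET description, the following Python script turns the naming scheme and copy locations from the Installation section, and the Zone.Identifier deletion from the Other information section, into a hunting check over collected triage artifacts (Run values, service names, file paths, stream deletions). It assumes Windows on drive C: with profiles under C:\Users; the artifact record schema (the `kind` field and its keys) and the `SAMPLE` data are constructed for illustration and are not real telemetry.

```python
import re
from itertools import product

# Word list copied from the Installation section of this page; the trojan
# picks two of these and concatenates them (%variable1%%variable2%).
WORDS = """agent app audio bio bits cache card cart cert com crypt dcom defrag
device dhcp dns event evt flt gdi group help home host info iso launch log
logon lookup man math mgmt msi ncb net nv nvidia proc prop prov provider reg
rpc screen search sec server service shed shedule spec srv storage svc sys
system task time video view win window wlan wmi""".split()

# Every concatenation of two list words, e.g. "wlanlogon", "nvidiatask".
# Both halves may be the same word, so product() rather than permutations().
NAMES = {a + b for a, b in product(WORDS, repeat=2)}

# The two copy locations from the Installation section with the variables
# expanded. Assumption: Windows on C: and profiles under C:\Users.
COPY_DIR_RE = (
    r"(?:c:\\windows\\system32"
    r"|c:\\users\\[^\\]+\\appdata\\local\\microsoft\\windows)"
)
COPY_PATH_RE = re.compile(
    r"^" + COPY_DIR_RE + r"\\(?P<stem>[a-z]+)\.exe(?P<ads>:zone\.identifier)?$",
    re.IGNORECASE,
)


def is_emotet_name(stem):
    """True when `stem` is a two-word concatenation from the page's list."""
    return stem.lower() in NAMES


def classify_path(path):
    """Return the lower-cased name stem if `path` is one of the documented
    copy paths (optionally with its Zone.Identifier stream) and the stem
    follows the naming scheme; otherwise None."""
    m = COPY_PATH_RE.match(path.replace("/", "\\"))
    if m and is_emotet_name(m.group("stem")):
        return m.group("stem").lower()
    return None


def check_artifact(rec):
    """Score one collected artifact (hypothetical record schema).
    `kind` is 'run' (HKCU Run value), 'service', 'file' or 'stream_delete'.
    Returns a (severity, reason) tuple, or None if nothing matched."""
    kind = rec["kind"]
    if kind == "run":
        # Run value name equals the file stem and the data is a copy path.
        stem = classify_path(rec["data"].strip('"'))
        if stem and rec["name"].lower() == stem:
            return ("high", f"Run value {rec['name']} -> {rec['data']}")
        return None
    if kind == "service":
        if not is_emotet_name(rec["name"]):
            return None
        # Real Windows services are also two list words joined (dnscache,
        # wlansvc, svchost), so the name alone is a weak signal; the
        # binary path decides.
        if classify_path(rec["binary"]) and "appdata" in rec["binary"].lower():
            return ("high", f"service {rec['name']} runs from the user profile")
        return ("low", f"service name {rec['name']} matches scheme; verify binary")
    if kind == "file":
        stem = classify_path(rec["path"])
        return ("medium", f"copy candidate {rec['path']}") if stem else None
    if kind == "stream_delete":
        # Deleting <copy>.exe:Zone.Identifier strips the Mark of the Web
        # from the dropped copy (Other information section).
        m = COPY_PATH_RE.match(rec["path"])
        if m and m.group("ads") and is_emotet_name(m.group("stem")):
            return ("high", f"Mark of the Web stripped from {rec['path']}")
        return None
    raise ValueError(f"unknown artifact kind {kind!r}")


# Constructed sample triage data, not real telemetry.
SAMPLE = [
    {"kind": "run", "name": "wlanlogon",
     "data": r"C:\Windows\System32\wlanlogon.exe"},
    {"kind": "run", "name": "OneDrive",
     "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"kind": "service", "name": "dnscache",
     "binary": r"C:\Windows\System32\svchost.exe -k NetworkService"},
    {"kind": "service", "name": "nvidiatask",
     "binary": r"C:\Users\alice\AppData\Local\Microsoft\Windows\nvidiatask.exe"},
    {"kind": "file", "path": r"C:\Windows\System32\rpcprov.exe"},
    {"kind": "file", "path": r"C:\Windows\System32\rpcss.dll"},
    {"kind": "stream_delete",
     "path": r"C:\Users\alice\AppData\Local\Microsoft\Windows\nvidiatask.exe:Zone.Identifier"},
]


def hunt(records):
    """Return the list of (severity, reason) hits for a set of artifacts."""
    return [hit for rec in records if (hit := check_artifact(rec))]


if __name__ == "__main__":
    for severity, reason in hunt(SAMPLE):
        print(f"[{severity}] {reason}")
```

The word list is chosen to blend in with legitimate Windows names, and several genuine service and binary names (dnscache, wlansvc, svchost) are themselves two list words joined, so a name match by itself should only raise a low-severity lead; the combination of a scheme-matching name with a copy in %localappdata%\Microsoft\Windows, an HKCU Run value pointing at such a copy, or a Zone.Identifier deletion on that copy is what the script treats as a strong indicator.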