
Trojan.W97M.EMOTET.SMI
2023-04-25
Aliases: HEUR:Trojan.Script.Generic (KASPERSKY); TrojanDownloader:O97M/Emotet.S!MTB (MICROSOFT)
Platform: Windows
Risk rating:
Damage potential:
Distribution potential:
Reported infections:
Published:

- Malware type: Trojan
- Destructive: No
- Encrypted: Yes
- In the wild: Yes
Overview
Infection channel: Downloaded from the Internet, Dropped by other malware
Trend Micro classifies this malware as one requiring attention.
This is Trend Micro's generic detection for all components of this malware family.
This malware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Details
File size: 549,777,920 bytes
File type: DOC
Memory resident: No
Date discovered: 2023-03-08
Payload: Displays message boxes, Connects to URLs/IPs, Downloads files, Executes files
Arrival Details
This malware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This malware creates the following folders:
- {Malware Path}\{Time} deleted afterwards
It drops the following files:
- {Malware Path}\{Time}\(unknown) from downloaded zipped file
- {Malware Path}\{Time}.tmp renamed and moved copy of (unknown)
It adds the following processes:
- "%System%\regsvr32.exe" /s "{Malware File Path}\{Time}.tmp" if download is successful
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32 on all operating system (OS) versions.)
Download Routine
It accesses the following websites to download and execute a file:
- http://www.{BLOCKED}k.com/wp-includes/UmAJjAP/?{Time}&c={Country ID}
- https://{BLOCKED}t.lv/wp-admin/S8jHW33QU77gLz/?{Time}&c={Country ID}
- http://beyond.{BLOCKED}eyou.co.za/dR05Bvq90dvlsVBzn/?{Time}&c={Country ID}
- http://{BLOCKED}sky.com/advice/ZRSaP7QA5yTv1fZs/?{Time}&c={Country ID}
- http://{BLOCKED}uang.com/images/48onjwxGImMdiUx/?{Time}&c={Country ID}
- http://{BLOCKED}v.com/ki7xh/QpSQfw9CPTFtNs4/?{Time}&c={Country ID}
- https://{BLOCKED}p.com/ncsA/g7zWosP/?{Time}&c={Country ID}
- https://{BLOCKED}o.su/eshop_app/HH2j9SH/?{Time}
- http://{BLOCKED}x.su/services/WSxJ50NpOv7W/?{Time}
- https://{BLOCKED}ster.net/bitrix/FLx/?{Time}
- http://www.{BLOCKED}t.kz/faq/OneqxLnCFRgtiOXoo/?{Time}
- http://{BLOCKED}x.by/personal/i2l4DLYTQAhh1ZuQof/?{Time}
- http://{BLOCKED}in.su/personal/OzsyCyDFCfANBPNvH/?{Time}
- https://{BLOCKED}s.rent/ebcc974e24/AGN/?{Time}
- https://{BLOCKED}ity.by/bitrix/Bov/?{Time}
- https://{BLOCKED}-gourmet.kz/404/EDt0f/?{Time}&c={Country ID}
- https://{BLOCKED}stsupplies.com.au/configNQS/Es2oE4GEH7fbZ/?{Time}&c={Country ID}
- https://a{BLOCKED}isbane.org.au/ARCHIVE/Cen7LJ4iXlpWfb0/?{Time}&c={Country ID}
- http://{BLOCKED}un.cn/8uhjvgd/nhAOl4DRmdOKz/?{Time}&c={Country ID}
- http://{BLOCKED}.{BLOCKED}.{BLOCKED}.77/wp-content/yxQWf/?{Time}&c={Country ID}
- https://www.s{BLOCKED}t.com/wp-includes/aM4Cz6wp2K4sfQ/?{Time}&c={Country ID}
- https://t{BLOCKED}ka.com:443/pub/WJPrHm5OtTt/?{Time}&c={Country ID}
- http://b{BLOCKED}rio.com.tr/wp-admin/Boo3JTROHh7/?{Time}&c={Country ID}
It saves the downloaded file as the following:
- {Malware Path}\{Time}.zip deleted afterwards
Solution
Engine: 9.800
VSAPI pattern version: 18.332.06
VSAPI pattern release date: 2023-03-21
VSAPI OPR pattern version: 18.333.00
VSAPI OPR pattern release date: 2023-03-22
Step 1
Windows 7, Windows 8, Windows 8.1 and Windows 10 users must disable System Restore before running a virus scan so that the malware or adware can be completely removed from the computer.
Step 2
Note that not all of the files, folders, and registry keys and values created when this malware or adware runs are necessarily present on the computer; the installation may be incomplete, or the operating system may have prevented it. If you cannot find the files, folders, or registry information listed below, the deletion steps for them are not needed, so proceed to the next step.
Step 3
Delete the following files.
(Note: Some component files may have the hidden attribute. Check the "Search hidden files and folders" option in the advanced search options so that hidden files and folders are included in the search results.)
- {Malware Path}\{Time}.zip
- {Malware Path}\{Time}\(unknown)
- {Malware Path}\{Time}.tmp
Step 4
Delete the following folders.
(Note: This folder may be set as hidden. Check the "Search hidden files and folders" option in the advanced search options so that hidden files and folders are included in the search results.)
- {Malware Path}\{Time}
Step 5
Run a virus scan with an antivirus product that uses the listed pattern file version or later, and delete all files detected as Trojan.W97M.EMOTET.SMI. If the detected files have already been cleaned, quarantined, or deleted by your Trend Micro product, the malware has been handled and no further steps are required.