
TrojanDownloader:Win32/Eterock.A


First posted on 20 July 2019.
Source: Microsoft

Aliases:

TrojanDownloader:Win32/Eterock.A is also known as W32.Eternalrocks, MicroBotMassiveNet.

Explanation:

Installation

This malware consists of several files. It will first download and install the .Net framework and the Tor browser. It will then drop or download two main programs masquerading as svchost.exe and taskhost.exe. The svchost.exe creates persistent scheduled tasks to run itself and taskhost.exe. It also adds Windows Firewall rules to allow the malicious processes and Tor browser to listen or connect through TCP and UDP. It also communicates with its command and control (C&C) server on the Tor network to download files or retrieve further instructions. Taskhost.exe is the exploit component of the malware and attempts to spread itself by exploiting remote machines using known SMB exploits from the Shadow Brokers exploit dump (ArchiTouch, DoublePulsar, EternalBlue, EternalChampion, EternalRomance, EternalSynergy, and SMBTouch).

If your organization has not yet applied the security update from Microsoft Security Bulletin MS17-010, we suggest you deploy it immediately.

The malware will attempt to download and install the following files from the following locations:

hxxp://download.microsoft.com/download/5/6/7/567758a3-759e-473e-bf8f-52154438565a/dotnetfx.exe
hxxp://download.microsoft.com/download/a/3/f/a3f1bf98-18f3-4036-9b68-8e6de530ce0a/NetFx64.exe
hxxp://archive.torproject.org/tor-package-archive/torbrowser/4.0.1/tor-win32-tor-0.2.5.10.zip
hxxp://api.nuget.org/packages/taskscheduler.2.5.23.nupkg
hxxp://api.nuget.org/packages/sharpziplib.0.86.0.nupk

It drops and writes files to the following locations:

C:\Program Files\Microsoft Updates\bin
C:\Program Files\Microsoft Updates\configs
C:\Program Files\Microsoft Updates\payloads
C:\Program Files\Microsoft Updates\shawdowbrokers.zip
C:\Program Files\Microsoft Updates\svchost.exe
C:\Program Files\Microsoft Updates\taskhost.exe
C:\Program Files\Microsoft Updates\Temp\tor.zip
C:\Program Files\Microsoft Updates\Tor\tor.exe
C:\Program Files\Microsoft Updates\torunzip.exe

It communicates with the C&C server on the Tor network:

hxxp://ubgdgno5eswkhmpy.onion/updates/info?id=
hxxp://ubgdgno5eswkhmpy.onion/updates/download?id=

It can configure and listen on a Tor hidden service, including:

HiddenServicePort 57480 127.0.0.1:41375

It adds the following Firewall rules for its files and open ports:

Microsoft Update Helper
Microsoft Update Installer
Microsoft Update Service
Open TCP Port
Open UDP Port

It can add a firewall rule named "Malware SMB Block" to block incoming TCP on port 445. 
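As an added example (not part of the Microsoft description), the following Python triage function checks a host inventory against the indicators listed above: the firewall rule names, the drop directory under Program Files, svchost.exe or taskhost.exe running from outside the system directories, and a local listener on the port the hidden service forwards to. The inventory structure and the sample data are constructed assumptions; populate it from your own collection tooling.

```python
"""Triage a host inventory against the Eterock.A indicators from the description above."""
from dataclasses import dataclass

# Indicators taken from the description above (normalised to lower case).
DROP_DIR = r"c:\program files\microsoft updates"
RULE_NAMES = {"microsoft update helper", "microsoft update installer",
              "microsoft update service", "open tcp port", "open udp port",
              "malware smb block"}
HIDDEN_SERVICE_TARGET = ("127.0.0.1", 41375)   # HiddenServicePort 57480 127.0.0.1:41375
MASQUERADE_NAMES = {"svchost.exe", "taskhost.exe"}
LEGIT_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass
class HostInventory:
    """Assumed collection format: plain lists gathered by whatever tooling you use."""
    firewall_rules: list          # firewall rule display names
    files: list                   # full paths of files found on disk
    listeners: list               # (ip, port) tuples of listening sockets
    scheduled_task_images: list   # image paths launched by scheduled tasks


def triage(inv: HostInventory) -> list:
    """Return (severity, finding) tuples; an empty list means no indicator matched."""
    findings = []
    for rule in inv.firewall_rules:
        if rule.strip().lower() in RULE_NAMES:
            findings.append(("high", f"firewall rule matches Eterock name: {rule}"))
    # Files and scheduled-task images share the same path checks; dedupe, keep order.
    for path in dict.fromkeys(inv.files + inv.scheduled_task_images):
        p = path.lower()
        if p.startswith(DROP_DIR):
            findings.append(("high", f"file under Eterock drop directory: {path}"))
        name = p.rsplit("\\", 1)[-1]
        if name in MASQUERADE_NAMES and not p.startswith(LEGIT_DIRS):
            findings.append(("medium", f"{name} outside a system directory: {path}"))
    if HIDDEN_SERVICE_TARGET in inv.listeners:
        findings.append(("medium", "listener on 127.0.0.1:41375 (Tor hidden service target)"))
    return findings


SAMPLE = HostInventory(  # constructed sample, not real telemetry
    firewall_rules=["Core Networking - DNS (UDP-Out)", "Microsoft Update Helper", "Malware SMB Block"],
    files=[r"C:\Windows\System32\svchost.exe",
           r"C:\Program Files\Microsoft Updates\taskhost.exe",
           r"C:\Program Files\Microsoft Updates\shawdowbrokers.zip"],
    listeners=[("0.0.0.0", 445), ("127.0.0.1", 41375)],
    scheduled_task_images=[r"C:\Program Files\Microsoft Updates\svchost.exe"],
)

if __name__ == "__main__":
    for severity, message in triage(SAMPLE):
        print(f"[{severity}] {message}")
```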

Payload

Downloads malware

This threat can download other malware onto your PC. It downloads two main programs masquerading as svchost.exe and taskhost.exe.

Taskhost.exe is the exploit component of the malware and attempts to spread itself by exploiting remote machines using known SMB exploits from the Shadow Brokers exploit dump (ArchiTouch, DoublePulsar, EternalBlue, EternalChampion, EternalRomance, EternalSynergy, and SMBTouch). 

Connects to a remote host

We have seen this threat connect to a remote host, including:

hxxp://ubgdgno5eswkhmpy.onion/updates/info?id=
hxxp://ubgdgno5eswkhmpy.onion/updates/download?id=

Malware can connect to a remote host to do any of the following:

Download and run files (including updates or other malware)
Receive instructions from a malicious hacker

This malware description was published using the analysis of the following files:

SHA1 b05f2d07d0af1184066f766bc78d1b680236c1b3 TrojanDownloader:Win32/Eterock.A
SHA1 7ffc0e123e6111e558fb99844d3b317694e419b2 Trojan:Win32/Eterock.A
SHA1 8a2cfe220eebde096c17266f1ba597a1065211ab TrojanDropper:MSIL/Eterock.A

Analysis by Jody Koo

Last update 20 July 2019
