While tracking Emotet activity, Binary Defense’s analysts found that Emotet dropped a Wi-Fi spreader that used brute-force password guessing, contained inside a self-extracting RAR file. Inside the RAR file were two files, worm.exe and service.exe, which were used to spread Emotet over Wi-Fi.
Using an internal password list, worm.exe attempts to brute-force access to any nearby Wi-Fi network. If the attempt is successful, worm.exe sends the network name and password to a hard-coded Command and Control (C2) server and then attempts to brute-force access to any computers on that network. On any computer it successfully accesses, worm.exe installs a service and drops service.exe to be executed by the newly created service. The service.exe binary contains an embedded Emotet binary, which is dropped and executed, installing Emotet on the remote system.
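The lateral-movement step described above leaves a recognisable host-side trace: a burst of failed network logons from one source, followed shortly by a new service being installed on the target. The following correlation check is an added example, not code from the Binary Defense report; it uses the real Windows event IDs 4625 (failed logon) and 7045 (new service installed), while the event records, hostnames, addresses and thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). HOST-A receives five failed
# logons from 192.0.2.77, then a successful one, then a new service whose
# binary is service.exe. HOST-B sees only two failures and no service install.
SAMPLE_EVENTS = [
    {"time": "2020-02-10T09:00:05", "host": "HOST-A", "id": 4625, "src_ip": "192.0.2.77", "user": "admin"},
    {"time": "2020-02-10T09:00:06", "host": "HOST-A", "id": 4625, "src_ip": "192.0.2.77", "user": "admin"},
    {"time": "2020-02-10T09:00:07", "host": "HOST-A", "id": 4625, "src_ip": "192.0.2.77", "user": "administrator"},
    {"time": "2020-02-10T09:00:08", "host": "HOST-A", "id": 4625, "src_ip": "192.0.2.77", "user": "user"},
    {"time": "2020-02-10T09:00:09", "host": "HOST-A", "id": 4625, "src_ip": "192.0.2.77", "user": "guest"},
    {"time": "2020-02-10T09:00:31", "host": "HOST-A", "id": 4624, "src_ip": "192.0.2.77", "user": "admin"},
    {"time": "2020-02-10T09:01:02", "host": "HOST-A", "id": 7045, "service": "WinSvc", "image": r"C:\Windows\service.exe"},
    {"time": "2020-02-10T09:03:00", "host": "HOST-B", "id": 4625, "src_ip": "192.0.2.77", "user": "admin"},
    {"time": "2020-02-10T09:03:01", "host": "HOST-B", "id": 4625, "src_ip": "192.0.2.77", "user": "admin"},
]


def parse_time(ts):
    return datetime.fromisoformat(ts)


def find_spreader_pattern(events, min_failures=5, window=timedelta(minutes=10)):
    """Return one alert per (host, source) where at least `min_failures`
    failed logons (4625) from that source occur in the `window` before a
    new service install (7045) on the same host."""
    alerts = []
    by_host = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        for svc in (e for e in evs if e["id"] == 7045):
            t_svc = parse_time(svc["time"])
            # Count failed logons per source address inside the look-back window.
            failures = {}
            for e in evs:
                if e["id"] == 4625 and t_svc - window <= parse_time(e["time"]) < t_svc:
                    failures[e["src_ip"]] = failures.get(e["src_ip"], 0) + 1
            for src, n in failures.items():
                if n >= min_failures:
                    alerts.append({"host": host, "src_ip": src, "failures": n,
                                   "service": svc["service"], "image": svc["image"]})
    return alerts


if __name__ == "__main__":
    for alert in find_spreader_pattern(SAMPLE_EVENTS):
        print(alert)
```

Tune `min_failures` and `window` to the environment; a service binary dropped directly under the Windows directory, as in the sample, is an additional point worth weighting in a real rule.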