Trojan:Win32/Fauppod!ml is a detection that is based on machine learning and is assigned to an unspecified threat type. Usually such threats are identified by behavior rather than signatures. Nonetheless, this exact malware detection poses a serious hazard, as it appears to flag the activity of a targeted infostealer trojan.
Trojan:Win32/Fauppod!ml Overview
Trojan:Win32/Fauppod!ml is a generic detection name that Microsoft Defender assigns to malware detected by its AI detection system. Typically, this detection points at the activity of an infostealer that primarily targets banking data. The “ml” in the detection name exactly indicates the use of a machine learning system, rather than traditional signature-based detection methods. Usually, over time, as more information about its behavior is analyzed, this detection gets a more specific detection name.
As mentioned at the beginning, the main goal of Fauppod is to steal the credentials of online accounts. One thing it goes for in particular is login credentials for online banking accounts.
Main spreading ways of this malware are malicious email attachments (attached Word or Excel files) in emails, or via sketchy game mods or other files from sketchy sources. Despite targeting specifically banking information, it is not picky about its victims, stealing info from all categories of users.
Fauppod Analysis
Let’s take a closer look at the technical part of how Fauppod!ml behaves on the system. The first thing the malware does after launching is to check if it is the only copy of malware running on the device. It achieves this by creating and accessing mutexes:
\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex.
\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex.
Since our example is a DLL file, it needs a legitimate Rundll32.exe process to run. The malware copies the legitimate Rundll32.exe file to the temporary folder C:\Users\User\AppData\Local\Temp\rundll32.exe and utilizing process hijacking techniques.
Next, the malware checks the UAC status and the presence of anti-malware on the system. It checks these registry keys to disable system defenses and ensure persistence:
HKEY_LOCAL_MACHINE\SOFTWARE
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER/Software/Microsoft/Internet Explorer/Security
HKEY_CURRENT_USER\Software\Microsoft/Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft/Windows\CurrentVersion\Uninstall
Fauppod Execution
The malware executes shell commands that allow it to perform its main function:
C:\Users\User\AppData\Local\Temp\rundll32.exe rpl909.zip.dll
“C:\Windows\System32\rundll32.exe” C:\Users\A4148~1.MON\AppData\Local\Temp\b81d42902b581dd9fea37c4b6a8ff180.19772.dll,DllMain
After that, the malware deploys payloads and injects itself into legitimate processes, allowing it to function without raising suspicions from security software. It also manipulates processes such as wmiadap.exe, svchost.exe and cmd.exe, which are legitimate processes. The malware executes the following processes:
wmiadap.exe /F /T /R
%windir%\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
%windir%\system32\wbem\wmiprvse.exe.
%windir%\System32\svchost.exe -k WerSvcGroup
13f43b565119f43f7155f96cafa8b05d.exe
C:Windows/System32 loaddll32.exe loaddll32.exe “C:\Users\user\Desktop\init.dll”.
C:Windows / Windows / SysWOW64 / cmd.exe cmd.exe /C rundll32.exe “C:\Users / User / Desktop /init.dll”,#1.
C:Windows/sysWOW64/rundll32.exe rundll32.exe “C:\Users/User/Desktop/init.dll”,#1.
C:\Windows/SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\init.dll,_Clockcould@8.
C:\Windows/SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\init.dll,_DllRegisterServer@0
C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\User\Desktop\init.dll,_Representfinish@4.
So, we can conclude that the malware is also abusing the svchost.exe process in WerSvcGroup, which is related to the Windows Error Reporting Service. This is a common practice of malware that uses this process to mask its actions by injecting code into system services. The 13f43b565119f43f7155f96cafa8b05d.exe executable also appears to be part of the payload.
Fauppod Connections
The malware uses both standard addresses and ports as well as non-standard ones. Among the standard ones:
GET watson.microsoft.comhttp://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637/StackHash_1abe/0_0_0_0/00000000/c0000005/fd8b3a80.htm?LCID=1040&OS=6.1.7601.2.00010100.1.0.48.17514&SM=LENOVO&SPN=64755N2&BV=7UET92WW%20(3.22%20)&MID=F2EC8DC6-EB4A-4B44-95EF-9B81DC7C287B
Using standard ports that belong to Microsoft allows you to hide your actions. On the other hand, using suspicious addresses and non-standard ports indicates communication with the C2 server. In our case, these addresses are:
97.107.127.161:443
45.33.94.33:5037
159.89.91.92:5037
158.69.118.130:1443
Some of the IP addresses in the list (and quite a few others that I’ve excluded for the sake of readability) correspond to compromised websites. This is a oftenly used tactic: attackers use a hacked website as an intermediary command server, while the request looks legitimate for anyone who tries to find the traces.
Is Trojan:Win32/Fauppod!ml False Detection?
As I have mentioned several times already, Trojan:Win32/Fauppod!ml is a heuristic detection based on machine learning. This means it can sometimes result in false positives. That is, Heuristic methods analyze file patterns, behaviors, and structural elements rather than relying on pre-defined signatures. As a result, legitimate software with uncommon characteristics or behaviors may be flagged as suspicious. In such cases, after some time, the anti-malware software stops flagging the file as a threat.
How to Remove Trojan Fauppod?
If you encounter Trojan:Win32/Fauppod!ml and are unsure whether it’s a false detection or a real threat, an effective solution is to use a third-party anti-malware solution. GridinSoft Anti-Malware would be a great option that can both confirm the threat and disprove it. Use the instructions below to scan your device for threats.