Emotet

Tactical report for the Emotet malware



Identification

Vendor        Detection
TrendMicro    Trojan.W97M.EMOTET.AFKW
Microsoft     TrojanDownloader:O97M/Emotet.OA!MTB
Ikarus        Trojan-Downloader.VBA.Emotet

The following table lists the artifacts analyzed in this document.

PE timestamp                  MD5                               Size in bytes            File name    Description
2019-10-11 Sat 12:46:00 UTC   0643324FA7F74A3C5288CDE9D26C19A8  281.5 KB (288256 bytes)  Index.html   downloader





Summary

Emotet was originally designed as banking malware that attempted to sneak onto your computer and steal sensitive and private information. The infection may arrive via a malicious script, a macro-enabled document, or a malicious link. Emotet emails may carry familiar branding designed to look like legitimate mail. Emotet also uses C&C servers to receive updates and install newer versions of itself, to install additional malware such as other banking Trojans, or to act as a dumping ground for stolen information such as financial credentials, usernames and passwords, and email addresses.

Technical analysis of the malicious Word document
As shown in figure (0), this is the first view of Emotet: once we open the Word document and enable macros, the malicious macro code executes.



Figure (0)

As shown in figures (1) and (2), the obfuscation of the malware is heavy. It performs some calculations to build the specific URLs it connects to.

Figure (1)


Figure (2)

Command and control server

It opens PowerShell and executes a command, as shown in figure (3), which is encoded with base64.

Figure (3)

After decoding it from base64, the result contains embedded URLs, as shown in figure (4).



Figure (4)

Then, after processing the decoded script and extracting the URLs, we get the result shown in figure (5).


Figure (5)
So Emotet connects to these domains and downloads an executable file.


Domains


  1. https://thesilverant[.]com/test/dvr9/.
  2. http://firstmnd[.]com/wp/wp-content/3k960/.
  3. http://citylandgovap[.]net/8dqs5fv/6J/.
  4. http://deredia[.]com/cgi-bin/cbas/.
  5. http://fattoriaiponti[.]com/wp-admin/o1wiEqPfN/.
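To reproduce the decoding step described above without a sandbox, here is an added Python helper; it is my own example, not code from the original report or from the sample. It takes a powershell.exe command line, finds the base64 -EncodedCommand blob, decodes it as UTF-16LE (which is what -EncodedCommand expects), pulls out every URL and defangs it in the same style as the list above. The command-line switches and the script body are constructed stand-ins; only the URL list mirrors the domains of this sample.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructed stand-in for the script the macro hands to powershell.exe. Only
# the URL list is modelled (it mirrors the domains listed above); the rest of
# the real script is not reproduced here.
SAMPLE_SCRIPT = (
    "$list = 'https://thesilverant.com/test/dvr9/',"
    "'http://firstmnd.com/wp/wp-content/3k960/',"
    "'http://citylandgovap.net/8dqs5fv/6J/',"
    "'http://deredia.com/cgi-bin/cbas/',"
    "'http://fattoriaiponti.com/wp-admin/o1wiEqPfN/';"
    "foreach ($u in $list) { <# downloader body omitted #> }"
)


def encode_for_powershell(script: str) -> str:
    """-EncodedCommand carries base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command line in the shape figure (3) shows (switches assumed).
SAMPLE_COMMAND_LINE = "powershell -NoP -w hidden -enc " + encode_for_powershell(SAMPLE_SCRIPT)

# A long run of base64 alphabet characters with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_encoded_command(command_line: str) -> str:
    """Return the first long base64 token that decodes cleanly as UTF-16LE text."""
    for token in B64_TOKEN.findall(command_line):
        try:
            return base64.b64decode(token, validate=True).decode("utf-16-le")
        except ValueError:  # bad padding or not UTF-16: try the next token
            continue
    raise ValueError("no decodable -EncodedCommand payload found")


URL_RE = re.compile(r"https?://[^\s'\"<>()]+")


def extract_urls(script: str) -> list:
    """Pull every http(s) URL out of the decoded script, in order of appearance."""
    return [u.rstrip(".,;") for u in URL_RE.findall(script)]


def defang(url: str) -> str:
    """Rewrite the host part with [.] so the IoC cannot be clicked by accident."""
    netloc = urlsplit(url).netloc
    return url.replace(netloc, netloc.replace(".", "[.]"), 1)


if __name__ == "__main__":
    decoded = decode_encoded_command(SAMPLE_COMMAND_LINE)
    for url in extract_urls(decoded):
        print(defang(url))
```

Run it as a script to print the defanged URL list; pointing decode_encoded_command at a real command line captured from process-creation logging works the same way, because it scans every long base64-looking token rather than trusting the switch name.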

HTTP Requests
These are the full HTTP requests to each domain, as shown in figures (6), (7), and (8).

Figure (6)

Figure (7)
Figure (8)
Figure (9)
Figure (10)
Figure (11)
It drops a file called 3k960.exe, as shown in figure (8). This file is an executable, so let's see what it does.
When we execute 3k960.exe, it drops a file called reswnop.exe under the path C:\Users\UserName\AppData\Local\reswnop, creates a new process from reswnop.exe, and finally deletes the 3k960.exe file, as shown in figures (12), (13), and (14).

Figure (12)
 
Figure (13)

Figure (14)

So let's see what reswnop.exe does.

PE timestamp                 MD5                               Size in bytes            File name     Description
2019-9-30 Mon 18:18:17 UTC   D09A466039FFE16E231A202BD6259DB8  57.5 KB (58,880 bytes)   reswnop.exe   Infection + downloader

Technical analysis

Obfuscation
The import address table and the strings of Emotet are encrypted inside the code, as shown in figure (15), which means they are resolved at run time inside specific functions.

Figure (15)

In short, it resolves APIs by hash value, assigns each resolved API to a global variable, and finally calls through that global variable. The two subroutines below are responsible for resolving the APIs and strings (not all of them), as shown in figure (16).
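As an added example (not from the report), the usual analyst answer to hashed imports is to precompute the hash of every export name of the DLLs the sample loads and look the constants seen in the disassembly up in that table. The hash function below is an assumed djb2-style routine standing in for whatever the resolver in figure (16) actually implements; swap in the real algorithm once it has been read out of the subroutine and the rest stays the same. The export list is a hand-picked subset of real Windows exports, not a dump of the DLLs.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed export list for DLLs named in this report. The names are real
# Windows exports, but this is a small illustrative subset; in practice the
# analyst dumps the full export tables from the DLLs on disk.
SAMPLE_EXPORTS: Dict[str, List[str]] = {
    "kernel32.dll": ["CreateMutexW", "CreateEventW", "GetVolumeInformationW",
                     "GetComputerNameW", "GetNativeSystemInfo", "DeleteFileW"],
    "ntdll.dll": ["RtlGetVersion"],
    "advapi32.dll": ["OpenSCManagerW", "CreateServiceW", "StartServiceW",
                     "RegCreateKeyExW", "RegSetValueExW"],
    "wininet.dll": ["InternetOpenW", "InternetConnectW", "HttpOpenRequestW",
                    "HttpSendRequestW"],
}


def hash_api_name(name: str, seed: int = 5381) -> int:
    """Assumed hash (djb2-style, truncated to 32 bits): h = h * 33 + byte.

    This stands in for Emotet's real routine, which has to be transcribed
    from the resolver subroutine in figure (16).
    """
    h = seed
    for b in name.encode("ascii"):
        h = (h * 33 + b) & 0xFFFFFFFF
    return h


def build_hash_table(exports: Dict[str, List[str]]) -> Dict[int, Tuple[str, str]]:
    """Map hash constant -> (dll, export name); refuse silent collisions."""
    table: Dict[int, Tuple[str, str]] = {}
    for dll, names in exports.items():
        for name in names:
            h = hash_api_name(name)
            if h in table and table[h] != (dll, name):
                raise ValueError(f"hash collision at {h:#010x}: {table[h]} vs {(dll, name)}")
            table[h] = (dll, name)
    return table


def resolve_hashes(constants: Iterable[int],
                   table: Dict[int, Tuple[str, str]]) -> List[Tuple[int, Optional[str], Optional[str]]]:
    """Annotate each constant from the disassembly; unknown hashes keep (None, None)."""
    return [(c, *table.get(c, (None, None))) for c in constants]


if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    # Constants an analyst might have copied out of the resolver's call sites.
    seen = [hash_api_name("CreateServiceW"), hash_api_name("CreateMutexW"), 0xFFFFFFFF]
    for const, dll, name in resolve_hashes(seen, table):
        print(f"{const:#010x}  {dll or '?'}  {name or '<unresolved>'}")
```

Unresolved constants after running this usually mean either a DLL that is not in the export list yet or a hash routine that was transcribed wrongly, so checking a single known pair (for example the constant passed just before a call that clearly creates a mutex) is the quickest way to validate the algorithm.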

Figure (16)


Persistence
It resolves a string, --8c4f2ffd, and uses it as the command line to create a new process from its own executable file name, as shown in figures (17) and (18).

Figure (17)

Figure (18)


If the process was already created with that parameter, the malware continues its execution.
It gets the volume serial number, then creates two new mutexes and an event, as shown in figures (19), (20), and (21).


Figure (19)

Figure (20)

Figure (21)


It checks whether a debugger is present; if one is, or if it could not create the mutex, it terminates, as shown in figure (22).


Figure (22)

The main functionality of the malware is divided into four switch cases selected by a global variable.

Default case
It resolves APIs from the library advapi32.dll, as shown in figure (23).

Figure (23)

It resolves APIs from the library shell32.dll, as shown in figure (24).

Figure (24)

It gets the computer name and appends 8 digits to it, as shown in figure (25).

Figure (25)
It deletes a file called chunkbased.exe in the Windows system directory, as shown in figure (26).

Figure (26)

It deletes the zone identifier of its own running file to prevent tracing, as shown in figure (27).


Figure (27)

It creates a service called reswnop, as shown in figure (28), with the parameters listed in the table below, and then starts it.

Figure (28)

Parameter      Value
ServiceName    reswnop <current file name>
DisplayName    reswnop
DesiredAccess  SERVICE_CHANGE_CONFIG|SERVICE_START
ServiceType    SERVICE_WIN32_OWN_PROCESS
StartType      SERVICE_AUTO_START
ErrorControl   SERVICE_ERROR_IGNORE

It sets the global variable to 1 to move on to the next execution case.

It checks whether a debugger is present using a timing technique, as shown in figure (29).


Figure (29)

Case (1)
It resolves APIs from the libraries crypt32.dll, urlmon.dll, userenv.dll, wininet.dll, and wtsapi32.dll, as shown in figures (30) to (34).


Figure (30)

Figure (31)

Figure (32)

Figure (33)

Figure (34)


It lists the Windows crypto APIs and generates a new key, as shown in figure (35); this key may be used to decrypt downloaded content.

Figure (35)

It moves (computer name + <8 digits of the volume serial>) into a global variable.
It sets the global variable to 2 to move on to case 2, as shown in figure (36).


Figure (36)

Case 2
It gets the PC name, calls RtlGetVersion and GetNativeSystemInfo, as shown in figure (37), and collects other information, as shown in figure (38), preparing it all to send to the attacker's server.


Figure (37)

Figure (38)

Command and control server
It decodes an IP address and prints it, as shown in figure (39).

Figure (40)

It decodes strings to use them in the POST URL, as shown in figures (41) and (42).


Figure (41)

Figure (42)

It decodes the full URL request, as shown in figure (43).

Figure (43)
Full URL
  • "Referer: http://<ip>/cookies/devices/prep/merge/Content-Type: application/x-www-form-ur"

It generates a long string, as shown in figure (44).

Figure (44)

It builds the user agent and connects to the internet, as shown in figure (45).

Figure (45)

User-Agent
  • "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.307".

It connects to the attacker's IP using port 443, as shown in figure (46).



Figure (47)

POST request

Figure (48)

Then it downloads a file. The usual behaviour is that Emotet tries to connect to a large number of IPs and installs other malware files for more persistence, as shown in figure (49).

Figure (49)

Here is a list of IP addresses that Emotet connects to.

  • 93.184.221.240
  • 23.50.187.167
  • 204.79.197.203
  • 213.158.179.25
  • 151.101.241.108
  • 93.184.220.29
  • 172.217.18.227
  • 52.142.114.2
  • 204.79.197.200
  • 151.193.128.14
  • 213.158.179.25
  • 104.18.25.243
  • 37.252.172.100
  • 107.23.115.104
  • 172.217.19.34
  • 37.252.172.250
  • 151.101.241.108
  • 172.217.18.227
  • 23.57.84.236
  • 23.57.85.127
  • 185.63.144.5
  • 151.101.242.2
  • 52.77.178.234
  • 40.90.23.208
  • 37.252.172.250
  • 104.18.21.226
  • 23.50.156.242
  • 23.50.156.242
  • 151.139.128.14
  • 52.85.22.70
  • 204.13.202.71
  • 204.79.197.200
  • 182.50.136.239
  • 37.252.172.250
  • 212.82.100.176
  • 192.35.177.64
  • 52.85.22.74
  • 79.140.95.97
  • 52.85.22.138
  • 213.158.179.161
  • 2.19.27.190
  • 2.20.231.146
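The request shown in figures (43) to (48) gives a few network-level indicators to look for: an HTTP POST to a bare IP address, the MSIE 7.0 user agent string, the /cookies/devices/prep/merge/ path, and cleartext HTTP on port 443. The Python below is an added example (not part of this report) that tags constructed proxy-log lines with those indicators and scores them. The tab-separated log format, the 203.0.113.10 placeholder for the C2 address and the four-entry watchlist subset are assumptions. Many of the addresses in the list above sit in shared CDN and cloud ranges, so a watchlist hit on its own is only scored low; the behavioural tags are what raise the severity.

```python
import ipaddress
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Indicators taken from the decoded request and user agent shown in this report.
EMOTET_UA_PREFIX = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/7.0;"
C2_PATH_HINT = "/cookies/devices/prep/merge/"
# Constructed subset of the IP list above; treated as low confidence on its own.
WATCHLIST = {"93.184.221.240", "23.50.187.167", "185.63.144.5", "79.140.95.97"}

# Constructed proxy log: ts, src, dst, dst_port, method, url, user_agent (tab-separated).
# 203.0.113.10 is a documentation-range placeholder for the real C2 address.
SAMPLE_LOG = (
    "2019-10-12T10:01:03Z\t10.0.0.5\t203.0.113.10\t443\tPOST\t"
    "http://203.0.113.10/cookies/devices/prep/merge/\t"
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.307\n"
    "2019-10-12T10:01:05Z\t10.0.0.5\t93.184.216.34\t443\tGET\t"
    "https://www.example.com/\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/77.0\n"
    "2019-10-12T10:01:09Z\t10.0.0.5\t93.184.221.240\t80\tGET\t"
    "http://93.184.221.240/\t"
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.307\n"
)


def parse_line(line: str) -> Dict[str, object]:
    ts, src, dst, port, method, url, ua = line.split("\t", 6)
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "method": method, "url": url, "ua": ua}


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def tag_request(rec: Dict[str, object]) -> List[str]:
    """Return every indicator the record matches, in a fixed order."""
    parts = urlsplit(str(rec["url"]))
    tags = []
    if rec["method"] == "POST" and is_ip_literal(parts.hostname or ""):
        tags.append("post_to_bare_ip")
    if str(rec["ua"]).startswith(EMOTET_UA_PREFIX):
        tags.append("emotet_ua")
    if parts.scheme == "http" and rec["port"] == 443:
        tags.append("cleartext_http_on_443")
    if C2_PATH_HINT in str(rec["url"]):
        tags.append("c2_path_pattern")
    if rec["dst"] in WATCHLIST:
        tags.append("watchlist_ip")
    return tags


def scan_log(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Yield (ts, dst, severity, tags) for every line that matched something."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        tags = tag_request(rec)
        behavioural = [t for t in tags if t != "watchlist_ip"]
        if len(behavioural) >= 2:
            severity = "high"
        elif tags:
            severity = "low"
        else:
            continue
        findings.append((str(rec["ts"]), str(rec["dst"]), severity, tags))
    return findings


if __name__ == "__main__":
    for ts, dst, severity, tags in scan_log(SAMPLE_LOG):
        print(f"{ts} {dst:<16} {severity:<4} {','.join(tags)}")
```

The first line scores high on four behavioural tags, the second line is clean, and the third scores low because the user agent alone plus a watchlist address is not enough to act on; that split is the point of keeping the IP list separate from the request-shape checks.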

It creates another registry key for persistence on the infected machine, as shown in figure (50), with the parameters listed in the table below.

Figure (50)

Parameter   Value
ValueName   reswnop <current malware name>
hKey        HKEY_CURRENT_USER
Subkey      SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Options     REG_OPTION_NON_VOLATILE
Access      KEY_SET_VALUE
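Pulling the host-based behaviour of this sample together (the drop into AppData\Local\reswnop in figures (12) to (14), the --8c4f2ffd relaunch switch in figures (17) and (18), the auto-start service in figure (28) and the Run key in figure (50)), here is an added Python detector, not part of the original report, that runs four rules over constructed Sysmon-style events. It generalises the drop path to any AppData\Local\<name>\<name>.exe, which goes beyond the single sample in the text; the event field names and the event records themselves are assumptions.

```python
import re
from typing import Dict, List

# Constructed events loosely shaped like Sysmon / System-log records (assumption).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create",
     "image": r"C:\Users\UserName\AppData\Local\reswnop\reswnop.exe",
     "command_line": r'"C:\Users\UserName\AppData\Local\reswnop\reswnop.exe" --8c4f2ffd'},
    {"id": 2, "type": "file_create",
     "target": r"C:\Users\UserName\AppData\Local\reswnop\reswnop.exe"},
    {"id": 3, "type": "service_install",
     "service_name": "reswnop", "start_type": "auto start",
     "image_path": r"C:\Users\UserName\AppData\Local\reswnop\reswnop.exe"},
    {"id": 4, "type": "registry_set",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "reswnop",
     "data": r"C:\Users\UserName\AppData\Local\reswnop\reswnop.exe"},
    # Benign noise that must not fire.
    {"id": 5, "type": "process_create",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe report.txt"},
    {"id": 6, "type": "file_create",
     "target": r"C:\Users\UserName\AppData\Local\Temp\setup.log"},
]

# Directory under AppData\Local whose name equals the executable's base name,
# as in ...\AppData\Local\reswnop\reswnop.exe (generalised from this sample).
SELF_NAMED_LOCALAPPDATA_EXE = re.compile(
    r"\\AppData\\Local\\([^\\]+)\\\1\.exe$", re.IGNORECASE)
RELAUNCH_SWITCH = "--8c4f2ffd"   # argument seen in figures (17) and (18)


def check_event(ev: Dict[str, object]) -> List[str]:
    """Return the names of every rule the event matches."""
    hits: List[str] = []
    kind = ev["type"]
    if kind == "process_create":
        if RELAUNCH_SWITCH in str(ev.get("command_line", "")):
            hits.append("emotet_relaunch_switch")
        if SELF_NAMED_LOCALAPPDATA_EXE.search(str(ev.get("image", ""))):
            hits.append("exec_from_selfnamed_localappdata_dir")
    elif kind == "file_create":
        if SELF_NAMED_LOCALAPPDATA_EXE.search(str(ev.get("target", ""))):
            hits.append("drop_selfnamed_localappdata_exe")
    elif kind == "service_install":
        image = str(ev.get("image_path", "")).lower()
        start = str(ev.get("start_type", "")).lower()
        if "appdata\\local" in image and start.startswith("auto"):
            hits.append("autostart_service_from_localappdata")
    elif kind == "registry_set":
        key = str(ev.get("key", "")).lower()
        data = str(ev.get("data", "")).lower()
        if key.endswith(r"\currentversion\run") and "appdata\\local" in data:
            hits.append("run_key_to_localappdata")
    return hits


def scan(events) -> Dict[int, List[str]]:
    """Map event id -> matched rules, keeping only events that matched."""
    findings: Dict[int, List[str]] = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            findings[int(ev["id"])] = hits
    return findings


if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(hits)}")
```

The relaunch-switch rule is specific to this sample and will rot with the next build; the other three describe the persistence shape (self-named drop directory under AppData\Local, auto-start service and Run key pointing into it) and are the ones worth keeping in a detection set.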


Case 3
It terminates the process after setting a new event, then exits, as shown in figure (50).

Figure (50)





If you want to learn malware analysis, you can check my YouTube channel; I'm trying to publish analyses of malware and some methods for analyzing malware.
Please don't forget to subscribe to my channel. Thank you ♥
YouTube channel 
https://www.youtube.com/channel/UCParXHaBXBmqRdHuVUg21pA


 







Malware analyst: Mahmoud El Menshawy.
Contact me: mahmoudmorsy372@gmail.com.













