Malware Analysis Spotlight: The Return of Emotet
July 22, 2020 | Malware Analysis
Figure 0: VMRay Analyzer Report showing verdict and process graph of a sample from Emotet campaign July 2020.
After a long time of being inactive, the infamous malware delivery framework Emotet is back – the three Emotet botnets started pushing malicious spam on Friday, July 17. In this Malware Analysis Spotlight, we will take a look at one of the Microsoft Word documents used in the campaign (Figure 1).
View the VMRay Analyzer Report for Emotet (July 2020)
Figure 1: Document template used by Emotet.
The document uses a highly obfuscated macro (Figure 2) which upon the opening starts executing.
Figure 2: Obfuscated macro function
The macro starts a Powershell instance with encoded commands (Figure 3) as a program argument. These commands (Figure 3) then try to download Emotet from five hardcoded hosts and save it with a fixed name specified in the command itself (later moved to %AppData%\msvcr100\).
On success, a new process of Emotet is launched. (View the Full List of hosts)
Figure 3: Decoded Powershell program argument.
To achieve persistence, Emotet uses the common registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Figure 4: VMRay Analyzer detects the achieved persistence of Emotet.
Emotet still uses third-party software by NirSoft to steal credentials and gather information. These modules are injected into newly created processes of their own (Figure 5).
Figure 5: Injection Information of process #16 that has NirSoft’s WebBrowserPassView injected.
In addition to the injection information, the modules are visible in VMRay’s extracted function strings file (Figure 6).
Figure 6: Excerpts of VMRay’s extracted function strings files.
The spyware behavior of Emotet is well recognized by VMRay Analyzer (Figure 7).
Compared to previous Emotet campaigns, the ongoing campaign uses a new template for the Word document attached in the spam emails. Nonetheless, the behavior of Emotet and of the downloaded modules within this analysis remains the same compared to previous campaigns.
Figure 7: Detection of the spyware behavior of Emotet.
List of IOCs
| hxxp://www[.]20190607[.]com/wp-admin/ixyjozs/ |
| hxxps://lovely-lollies[.]com/wp-admin/fgvid/ |
| hxxps://www[.]angage[.]com/wp-content/mtincvc/ |
| hxxps://connect-plus[.]co[.]uk/aspnet_client/3yey3rr/ |
| hxxp://mapas[.]hoonicorns[.]pt/comp3/ly8cmti/ |
| 212[.]51[.]142[.]238 |
| 109[.]117[.]53[.]230 |
| 198[.]144[.]158[.]120 |
| cc4e6e42f73500c72d0d0820b4a3c131e2f8fce4d7d730eb8f9fc1b5cc3e882e |
| 8aee4d46b90f06e10635a7584d506d1dc1cd1b81adb6d7cca04a472af44881bd |
| 4110a2697e0ed0e8990847f3828f9b0e4078cff2e423500f69ea0e35228afb28 |
