Malware Analysis: Rech-49415128555.doc (Emotet)

On August 21st quite a few people across organizations received this document in what looks like a large phishing campaign. I wanted to understand what this malware does, since it had very low detection on VirusTotal at the time. Here is my effort to understand the malware and to record indicators for further hunting and investigation.

Step 1:

Identifying the malicious document

MD5: 2f8222f053940fcf6436759762967f45
SHA-1: bcd6f936d1195c265dab3b559a132e08f7a7052f

VirusTotal Link

[image: history.JPG]

Looks like some kind of dropper. It was interesting that VT first saw this file in 2010 and the first submission was on August 21st. Where was it hiding for 7 years?

Step 2:

Detonating the malware

I run a couple of custom sandboxes (Windows 7 and Windows 10) with Sysmon from Sysinternals. All web traffic is intercepted with a web proxy, and the network traffic is analyzed with all metadata extracted and stored.

What did I learn? (End users are the weakest link)

The first thing the document does is trick the user into thinking that it is locked / protected.

[image: doc.JPG]

Enabling the macro executes PowerShell

[image: stage 1.JPG]
[image: image_2017-08-24_11-26-50.png]

This seems to download a binary with MD5 C2FCFB112BB4824FC542D7AB8DFDB627. Searching on VT I realized this is Emotet malware. Not surprisingly, this one has an over 50% detection rate.

[image: emotet_dl.JPG]
[image: drop1.JPG]

Once this executes, it sets up persistence and moves itself from %TEMP% to %USERPROFILE%\AppData\Local\Microsoft\Windows\shedulesystem.exe.

C2 IP: 104.236.252.178 (Digital Ocean)

[image: C2_comms.JPG]
[image: _c2_.JPG]

Persistence:

[image: persist.JPG]

Now that I know this is Emotet I didn't want to waste too much time on it, but I wanted to make sure I got all the IOCs out. Decoding the Base64-encoded PowerShell command gives me this:

[image: decoded ps.JPG]

Slightly modifying the code to print the "URL" instead of invoking it gave me all 5 download domains:

[image: stage domains.JPG]
[image: dns.JPG]
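The two steps above (decode the Base64 command, then get the URLs out without running anything) can be done statically, which avoids letting the downloader run at all. The following is an added example and is not code from the original post: it decodes a `powershell -EncodedCommand` payload (Base64 over UTF-16LE, with a UTF-8 fallback for loaders that encode a plain script), pulls every URL out with a regex, and defangs them for a report. The encoded sample is constructed here, carries only `.invalid` placeholder hosts in the '@'-separated layout the post describes, and does nothing but print them; the real stage domains from the post are not reproduced.

```python
import base64
import re
from typing import List

# Constructed sample (not the real dropper): a '@'-separated URL list in the
# shape the post describes, using reserved .invalid hosts, followed by a harmless
# Write-Output. It is encoded the way -EncodedCommand expects: UTF-16LE, Base64.
SAMPLE_SCRIPT = (
    "$list = 'http://stage1.example.invalid/a/@http://stage2.example.invalid/b/"
    "@http://stage3.example.invalid/c/'.Split('@');"
    "foreach ($u in $list) { Write-Output $u }"
)
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

# Scheme, host, optional port, optional path; the path stops at quotes, '@',
# angle brackets or whitespace so a '@'-joined list splits into separate URLs.
URL_RE = re.compile(r"""https?://[a-z0-9.\-]+(?::\d+)?(?:/[^\s'"@<>)]*)?""", re.IGNORECASE)


def decode_encoded_command(b64: str) -> str:
    """Decode a -EncodedCommand payload. PowerShell expects UTF-16LE text; some
    loaders Base64 a plain UTF-8 script instead, so fall back when the UTF-16
    decode fails or produces mostly non-ASCII code points (ASCII text read as
    UTF-16 pairs turns into CJK-range garbage)."""
    raw = base64.b64decode(b64)
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:  # odd byte count: cannot be UTF-16
        return raw.decode("utf-8", errors="replace")
    ascii_ratio = sum(ord(c) < 128 for c in text) / max(len(text), 1)
    if ascii_ratio < 0.9:
        return raw.decode("utf-8", errors="replace")
    return text


def extract_urls(script: str) -> List[str]:
    """Static extraction: list the URLs in order, de-duplicated, never executing."""
    found: List[str] = []
    for m in URL_RE.finditer(script):
        url = m.group(0).rstrip(".,;)")
        if url not in found:
            found.append(url)
    return found


def defang(url: str) -> str:
    """Make a URL safe to paste into a ticket or report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def triage(b64: str) -> List[str]:
    """Decode an encoded command and return the URLs it references."""
    return extract_urls(decode_encoded_command(b64))


if __name__ == "__main__":
    for url in triage(SAMPLE_ENCODED):
        print(defang(url))
```

Feeding the script the Base64 blob copied from the Sysmon `CommandLine` field gives the same domain list the post obtained by editing and re-running the script, without executing the downloader.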

Step 3:

Back to basics

[image: soc-dfir.jpg]

Take all the IOCs and build a use case for the SIEM / SOC. #DFIR FTW! I hope you enjoyed reading this as much as I enjoyed doing it.
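As an added example (not part of the original post), here is what that SIEM use case looks like as rules run over Sysmon events: the atomic indicators from the post (the C2 IP, the dropped path under %USERPROFILE%\AppData\Local\Microsoft\Windows\, the two MD5 hashes) plus the behaviours that survive an indicator change, namely Word spawning a script host, PowerShell with an encoded command, and execution from the dropped path. The sample log is constructed JSON lines with Sysmon field names, not the sandbox's own logs; the Run-key rule is an assumption, since the post's persistence screenshot is not reproduced here and does not state which mechanism was used.

```python
import json
from typing import List

# Indicators taken from the post.
C2_IPS = {"104.236.252.178"}
DROPPED_PATH = r"\appdata\local\microsoft\windows\shedulesystem.exe"
KNOWN_MD5 = {"2f8222f053940fcf6436759762967f45",   # the .doc
             "c2fcfb112bb4824fc542d7ab8dfdb627"}   # the Emotet binary

# Behavioural rule inputs (generic, not from the post).
SCRIPT_HOSTS = ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
ENC_FLAGS = {"-e", "-ec", "-en", "-enc", "-encodedcommand"}  # accepted prefixes

# Constructed Sysmon-style events, one JSON object per line (EventID 1 = process
# create, 3 = network connection, 11 = file create, 13 = registry value set).
# The Base64 blob is the UTF-16LE word "Placeholder", the user and temp name are made up.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "WINWORD.EXE /n Rech-49415128555.doc", "Hashes": "MD5=11111111111111111111111111111111"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE", "CommandLine": "powershell.exe -nop -w hidden -enc UABsAGEAYwBlAGgAbwBsAGQAZQByAA==", "Hashes": "MD5=22222222222222222222222222222222"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\123.exe"}
{"EventID": 11, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\123.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\shedulesystem.exe"}
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\shedulesystem.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\123.exe", "CommandLine": "shedulesystem.exe", "Hashes": "MD5=C2FCFB112BB4824FC542D7AB8DFDB627"}
{"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\shedulesystem.exe", "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\shedulesystem"}
{"EventID": 3, "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\shedulesystem.exe", "DestinationIp": "104.236.252.178"}
{"EventID": 3, "Image": "C:\\Windows\\explorer.exe", "DestinationIp": "198.51.100.7"}
"""


def md5_from_hashes(field: str) -> str:
    """Sysmon writes 'MD5=..,SHA256=..'; return the MD5 lower-cased, or ''."""
    for part in field.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "MD5":
            return value.strip().lower()
    return ""


def _hit(rule: str, ev: dict) -> dict:
    return {"rule": rule, "EventID": ev.get("EventID"), "Image": ev.get("Image")}


def hunt(log_text: str) -> List[dict]:
    """Apply the indicator and behaviour rules to JSON-lines Sysmon events."""
    hits: List[dict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")
        image = ev.get("Image", "").lower()
        parent = ev.get("ParentImage", "").lower()
        tokens = ev.get("CommandLine", "").lower().split()
        if eid == 1:
            if parent.endswith("winword.exe") and image.endswith(SCRIPT_HOSTS):
                hits.append(_hit("office-spawned-script-host", ev))
            if image.endswith("powershell.exe") and any(t in ENC_FLAGS for t in tokens):
                hits.append(_hit("powershell-encoded-command", ev))
            if image.endswith(DROPPED_PATH):
                hits.append(_hit("execution-from-dropped-path", ev))
            if md5_from_hashes(ev.get("Hashes", "")) in KNOWN_MD5:
                hits.append(_hit("known-bad-hash", ev))
        elif eid == 3 and ev.get("DestinationIp") in C2_IPS:
            hits.append(_hit("c2-connection", ev))
        elif eid == 11 and ev.get("TargetFilename", "").lower().endswith(DROPPED_PATH):
            hits.append(_hit("dropped-binary-written", ev))
        elif eid == 13 and "\\currentversion\\run\\" in ev.get("TargetObject", "").lower():
            hits.append(_hit("run-key-persistence", ev))  # assumed mechanism
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"{h['rule']:<30} EventID={h['EventID']} {h['Image']}")
```

The hash and IP rules will go stale as soon as the actors rotate infrastructure; the Word-to-PowerShell and encoded-command rules are the ones worth keeping as standing detections, with the indicator rules layered on top for the current campaign.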