The latest version of Emotet downloader has a few new updates. In this post we'll have a look at these updates.
These are the new updates:
- Obfuscation pattern is different to that in the past (3942 lines of VBS code)
- Powershell.exe is copied over to Temp and executed from there (evasion technique)
- Only one payload URI - this is a major change
Let's take a look at the malware and analyse it.
Infection vector is the usual phishing email with a Word document attachment.
Once you open the document, it asks you to enable the macros. Once enabled, the code executes.
Here's a look at a part of the code:
Now, let's start analysing the code. We start by inserting breaks at main code sections, and starting with the function AutoOpen().
There's a fair bit going on here but we focus on the interesting parts of the code. The first function we analyse is the one that creates a new folder in the Temp directory and then copies over the contents of the Powershell folder into it.
Have a look at the animation below - you can clearly see the new folder 'ie_u_nd_iua_m' being created.
The contents of the WindowsPowerShell\v1.0 folder are then copied into this folder, as you can see in the images below:
The images above show us the function that copies the files over to the new folder, with the variables and their values (loaded) highlighted. Now, take a look at the animation below to see the content from WindowsPowerShell\v1.0 being copied over to the new folder in Temp.
After the files have been copied over, the Powershell executable is copied to a new file, in this case, wznwtyeizh.exe, look at the animation and images below.
This new executable (which is Powershell.exe) is then launched to execute the rest of the code, which downloads and executes the final payload.
There could be a few reasons for this added process. It could be effectively used for bypassing security controls, for example, basic default-type Application Whitelisting, that rely on process names or paths to block network traffic for a specific application.
It definitely bypasses the Windows Firewall, if you're using it for blocking PowerShell from downloading files off the internet (which, by the way, was a great way of thwarting a lot of malware, at least up until now).
And finally, here's the heavily obfuscated code (new pattern in this version) that is executed via this newly created PS executable.
Complete code to be executed in PowerShell:
To decode the final commands that are run to download, save and execute the final payload, we follow the same technique I explained previously in this post.
Since it doesn't use AES encryption for encrypting the code, the decoding part is faster. Follow the steps in the image below to decode the commands and extract the IOC (Download URI).
This is the first major version change after the authors dropped AES encryption for the encrypting the commands.
Sample Reference and IoCs
URI IoC: hxxp://sportfingers[.]org/hmlopfgosu.exe
VBS code for this downloader
Script for decoding the commands