Summary
A Carbon Black IR partner submitted the following file for additional analysis. We plan on putting out a TAU-TIN on this variant, but I wanted to get the information out to this community first, for those who may be dealing with this in the field.
File Name : 651bfd311a3cf9d49e3593bb6397b739c8fe34301167e74ddbd45883e1f7887f
File Size : 136,704 bytes
MD5 : 83e62d4a75135be4b1c1f4dda936d5cd
SHA256 : 651bfd311a3cf9d49e3593bb6397b739c8fe34301167e74ddbd45883e1f7887f
Fuzzy : 3072:QeDQw3tj8JshF6Cc86iNSnX662Yzs3UFAYxPxTqf7p1+14o:QeDQw3tj8JshF6Cr6WSnqAs3URPxTqf
Magic : CDF V2 Document, Little Endian,
Os: Windows, Version 6.1
Code page: 1252
Author: Gust Johnson
Template: Normal.dotm
Revision Number: 1
Name of Creating Application: Microsoft Office Word
Create Time/Date: Mon Sep 23 07:15:00 2019
Last Saved Time/Date: Mon Sep 23 07:15:00 2019
Number of Pages: 1; Number of Words: 86
Number of Characters: 492; Security: 0
Table 1: Submitted sample metadata
The sample itself is part of a recent Emotet campaign that leveraged phishing as the initial vector. Numerous phishing emails were located in public repositories such as VirusTotal. These emails targeted organizations and individuals based in the Middle East, Europe, and the US. Many of the emails contained Spanish text in the body, but all of them had an attached document.

Figure 1: Sample Phishing Emails
The documents contained VB macros that run once the user enables macros in Word. These macros ultimately invoke PowerShell, which in turn downloads a payload from one of several compromised sites. That payload is executed, decrypts several stages of secondary code, and ultimately copies itself to a final location, where it runs as a service. The final directory varied between two locations, and the final payload name also differed between samples. The image below is a high-level overview of the process.
Figure 2: Sample overview
Technical Analysis
Word Dropper
The dropper itself was a recently created Word document containing three separate macro sections. The images below highlight the document-specific metadata and the various streams located in this sample.

Figure 3: Sample metadata and streams
The images below depict the streams once decompressed from the OLE structure. All of the streams used in the attack (streams 8, 9, and 10) contained additional obfuscation and junk code.


Figure 4: Streams 8, 9, and 10 respectively
The primary stream of interest removes junk code and characters and then combines the contents of text boxes embedded in the Word document itself. The image below depicts the same code once the junk code was removed and the variables were renamed to reflect their function.
Figure 5: Stream 10 beautified for analysis
The contents of one of the text boxes are displayed in the image below, which shows the base64 encoded data. Note that this data, as displayed, contained junk characters that were removed by the replc_func shown in the image above. Note also that this first stage of code uses winmgmts:Win32_Process to run the PowerShell command. This causes the PowerShell command to be invoked through WMI, via wmiprvse.exe, which severs the parent-child relationship between the PowerShell process and the original dropper document.

Figure 6: Base64 encoded PowerShell command
First Stage PowerShell
Once base64 decoded, the command above results in the PowerShell command depicted below; the same command, cleaned up and with variables renamed for analysis, directly follows. The command iterates through a list of compromised sites and saves the response as 475.exe in the $env:userprofile directory (C:\Users\[current logged in user]\475.exe). If the response is larger than ~22 KB, it then executes that payload.


Figure 7: Second stage PowerShell command
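The decoding step an analyst performs on the text-box data above (strip the junk characters that replc_func removes, base64 decode, read the result as the UTF-16LE string that PowerShell's encoded-command form carries, then pull out the URL list and drop path as IOCs) is shown here as an added example. This is not code from the page or from the sample: the junk character set, the encoded-command assumption, and the placeholder hosts and command text are all constructed for the example, since the real text-box content is only shown as an image.

```python
import base64
import re

# Characters the dropper's replace routine strips before decoding. The real set
# is not reproduced on the page; this set is an assumption for the example
# (none of these appear in the base64 alphabet, so removing them is safe).
JUNK_CHARS = "!#@^"

# Constructed decoded command: placeholder hosts (RFC 6761 .invalid TLD) and the
# drop filename the write-up names. Not the sample's real command or C2 list.
SAMPLE_COMMAND = (
    "$urls = 'http://one.example.invalid/wp-content/', "
    "'http://two.example.invalid/img/'; "
    "$path = $env:userprofile + '\\475.exe'"
)


def build_textbox_blob(command: str, junk: str = JUNK_CHARS) -> str:
    """Construct text-box content the way the sample stores it: UTF-16LE
    (what powershell -EncodedCommand expects), base64 encoded, then sprinkled
    with junk characters. Used only to build the constructed sample."""
    b64 = base64.b64encode(command.encode("utf-16le")).decode("ascii")
    out = []
    for i, ch in enumerate(b64):
        out.append(ch)
        if i % 7 == 3:  # insert junk at a fixed cadence
            out.append(junk[i % len(junk)])
    return "".join(out)


def decode_textbox_blob(blob: str, junk: str = JUNK_CHARS) -> str:
    """Analyst side: drop the junk characters (the role of replc_func in
    Figure 5), base64 decode with strict validation so any junk left behind
    raises instead of silently corrupting, then decode UTF-16LE."""
    cleaned = blob.translate({ord(c): None for c in junk})
    raw = base64.b64decode(cleaned, validate=True)
    return raw.decode("utf-16le")


URL_RE = re.compile(r"https?://[^\s'\";,)]+", re.IGNORECASE)
DROP_RE = re.compile(r"\$env:userprofile\s*\+\s*'([^']+)'", re.IGNORECASE)


def defang(url: str) -> str:
    """Render a URL so it cannot be clicked or auto-linked in a report."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def extract_iocs(command: str) -> dict:
    """Pull the download URL list and the drop path out of a decoded
    first-stage command, in report-ready (defanged) form."""
    urls = [defang(u) for u in URL_RE.findall(command)]
    m = DROP_RE.search(command)
    drop_path = "%USERPROFILE%" + m.group(1) if m else None
    return {"urls": urls, "drop_path": drop_path}


if __name__ == "__main__":
    blob = build_textbox_blob(SAMPLE_COMMAND)
    command = decode_textbox_blob(blob)
    print(command)
    print(extract_iocs(command))
```

The strict `validate=True` decode is the useful check here: if the junk set is wrong or incomplete, decoding fails loudly rather than producing a plausible-looking but wrong command.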
Second Stage Emotet
At the time of testing, of the five C2s listed, only two unique payloads were being served in responses. The metadata for each of those files is listed in the table below.
File Name : index.html
File Size : 169,984 bytes
MD5 : 692b5738f923a8b6ed55f3ad76daf5d4
SHA256 : 7b19d210d01ac6cccebd6e472f71f775c8f2daf2418017d4cbe96fc70529c0be
Fuzzy : 3072:gFQkkM+s5MOYydjlMTlsrnY3hAMf6xE7jXC1LgRY1kHvz4bEVSbpL5Pn2ovUwU:61MOb8szY3hARE7mhg8kHPovb
Compiled Time : Tue Sep 24 19:21:05 2019 UTC
PE Sections (5) :
  Name      Size      MD5
  .text     47,104    0859a5fdee16cf69b322d1aacc27bd10
  .rdata    9,728     793d14b9ff7392d94c6420b1871f6463
  .data     512       41e51248dddb1b60d7db8ca6db979a8a
  .idata    4,608     541e55814c21fe7d585915d6554567f9
  .rsrc     107,008   6a8ec956ab20550b8f051f2b9b899020
Magic : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
File Name : index.html
File Size : 307,204 bytes
MD5 : 0f80dc57270ad210a4bd8ebfcbe7dca7
SHA256 : 6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48
Fuzzy : 6144:FWAg+sr2J9xoWZcb0lI3yTNwGCrWOH8mVmsYzI:FxJEqcIlMtqH8mrzI
Compiled Time : Wed Sep 25 18:29:12 2019 UTC
PE Sections (4) :
  Name        Size      MD5
  .text       143,360   ba4dc09013fa6359139fec5c6dd656c4
  .rdata      40,960    f856720c152598d04acc5fd839a13e2f
  .data       12,288    45cee536e79e71e2ae176473d8e73fed
  .rsrc       106,496   72bb16a8148396113a44592dbb007db4
  + 0x4b000   4         4a7d1ed414474e4033ac29ccb8653d9b   None
Magic : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Table 2: Emotet Sample metadata
The samples are not identical, but their functionality is almost the same. Both samples were recently compiled and are related to numerous other samples observed in the wild recently (these hashes are listed in the IOC section of this document). The primary difference between these samples and the Emotet samples documented as part of a campaign in June 2019 is that the current samples use RC4 encryption to conceal secondary shellcode. The images below show the function responsible for resolving the additional APIs needed for execution (which works off a common CRC32 API hash lookup), as well as for decrypting additional code with the RC4 algorithm. Note that both samples hard-code two RC4 keys: the secondary shellcode is first decrypted with the first key, control is passed to the decrypted payload, and that payload then decrypts additional shellcode with the second key.

Figure 8: Emotet Sample decryption function
As you can see from the image above and the one depicted below, the functionality of the samples is identical.

Figure 9: Emotet Sample decryption function
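To make the two mechanisms in the decryption function concrete, here is an added analyst-side example (not code from the page or from the samples) covering both: an RC4 routine applied in the two-key order described above, and a CRC32 hash table used to annotate the hashed API names the resolver consumes. The keys, the stage-1 stub, the inner payload, and the offset at which the second ciphertext sits inside stage 1 are constructed placeholders; the hash is assumed to be plain CRC32 of the ASCII export name, since the write-up says only that the lookup is a common CRC32 scheme and does not state any post-processing of the hash.

```python
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def unwrap_two_layer(blob: bytes, key1: bytes, key2: bytes, inner_offset: int) -> tuple:
    """Apply the two hard-coded keys in the order the samples use them:
    key1 recovers stage 1; stage 1 carries the second ciphertext, which key2
    recovers. inner_offset (where that ciphertext starts inside stage 1) is
    an assumption for this example; in a real sample it comes from the
    stage-1 code itself."""
    stage1 = rc4(key1, blob)
    stage2 = rc4(key2, stage1[inner_offset:])
    return stage1[:inner_offset], stage2


# Constructed sample: none of these bytes come from the real samples.
KEY1 = b"constructed-key-one"
KEY2 = b"constructed-key-two"
STAGE1_STUB = b"STAGE1-STUB:"
INNER_PAYLOAD = b"inner stage placeholder"


def build_sample_blob() -> bytes:
    """Build the layered ciphertext the way the sample lays it out."""
    inner_ct = rc4(KEY2, INNER_PAYLOAD)
    return rc4(KEY1, STAGE1_STUB + inner_ct)


def api_hash(name: str) -> int:
    """CRC32 of the ASCII export name (assumed: no XOR/rotate post-processing)."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


# Export names a loader/decryptor of this kind plausibly needs; the table is
# built from names, so widening this list widens what can be resolved.
CANDIDATE_APIS = [
    "VirtualAlloc", "VirtualProtect", "VirtualFree", "LoadLibraryA",
    "GetProcAddress", "CreateFileW", "WriteFile", "CryptDecrypt",
    "CryptImportKey", "CreateServiceW", "StartServiceW",
]


def build_hash_table(names) -> dict:
    """Precompute hash -> name so disassembly constants can be annotated."""
    return {api_hash(n): n for n in names}


def resolve_hashes(hashes, table) -> list:
    """Annotate 32-bit constants lifted from the resolver's call sites."""
    return [table.get(h, f"UNRESOLVED_{h:08x}") for h in hashes]


if __name__ == "__main__":
    stub, inner = unwrap_two_layer(build_sample_blob(), KEY1, KEY2, len(STAGE1_STUB))
    print(stub, inner)
    table = build_hash_table(CANDIDATE_APIS)
    print(resolve_hashes([api_hash("VirtualAlloc"), api_hash("CryptDecrypt"), 0x12345678], table))
```

Any constant that comes back UNRESOLVED_ is a prompt to extend the candidate list (or to revisit the assumption that the hash is unmodified CRC32), which is how the hashing variant in a new sample is usually pinned down.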
Detection
The native analytics engine generates numerous alerts based on the behaviors exhibited across the overall process of this campaign (from the Word document through the final payload).
Figure 10: Alerts based off of behavioral analytics engine
Detection - Defense
Detecting PowerShell processes that create executables on disk can be accomplished by searching for processes named powershell.exe combined with the TTP:CODE_DROP argument. Additionally, creating policies that terminate known malware (known_malware), and that terminate or deny suspected malware, unknown applications or processes, or not-listed applications that attempt to communicate over the network, can help limit spread during a suspected incident or outbreak. Note that such policies can also severely affect normal, legitimate applications and thus directly impact business needs.
Figure 11: Code Drop detections
Suggested Investigation queries for Defense are listed in the table below.
all.app name:powershell.exe AND TTP:CODE_DROP
TTP:SUSPICIOUS_BEHAVIOR OR TTP:PACKED_CALL
Table 3: Emotet Defense queries
Detection - ThreatHunter
The following images highlight some approaches to hunting for Emotet samples that are part of this larger family. These techniques may need to be tweaked, or specific processes excluded from the results, depending on the environment they are used in.



Figure 12: ThreatHunter detections
Some of the most effective searches for ThreatHunter are listed in the table below.
crossproc_name:explorer.exe filemod_name:*.exe filemod_count:[2 TO *] process_publisher_state:FILE_SIGNATURE_STATE_NOT_SIGNED modload_name:cryptbase.dll
process_name:powershell.exe netconn_count:[1 TO *] filemod_name:*.exe
(process_name:system32\\* OR process_name:appdata\local\**\*) filemod_name:*.exe netconn_count:[1 TO *] childproc_count:[1 TO *] process_publisher_state:FILE_SIGNATURE_STATE_NOT_SIGNED
Table 4: Emotet ThreatHunter queries
Detection - Response
Additionally the corresponding queries for Response are listed in the table below.
digsig_result:"Unsigned" crossproc_name:explorer.exe filemod:*.exe filemod_count:[2 TO *] modload:cryptbase.dll crossproc_name:explorer.exe
process_name:powershell.exe filemod:*.exe netconn_count:[1 TO *]
(path:c:\windows\system32\*.exe OR path:appdata\local\*\*) filemod:*.exe netconn_count:[1 TO *] childproc_count:[1 TO *] digsig_result:"Unsigned"
Table 5: Emotet Response queries
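The queries in Tables 3 to 5 encode four behavioral conditions: PowerShell writing an .exe and then talking on the network, an unsigned binary in system32 or AppData\Local that drops an .exe, connects out and spawns a child, an unsigned process that touches explorer.exe after dropping two or more executables while loading cryptbase.dll, and (from the dropper analysis) PowerShell whose parent is wmiprvse.exe rather than Word. The following is an added example, not Carbon Black code or a Carbon Black schema, that expresses the same conditions as plain functions over constructed process records, so the logic can be unit-tested or ported to another telemetry source. All paths, names and counts in the sample events are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ProcEvent:
    """One process record with the fields the Table 3-5 queries key on.
    Field names are this example's, not a Carbon Black schema."""
    process_path: str
    parent_path: str
    signed: bool
    filemods: List[str] = field(default_factory=list)
    netconn_count: int = 0
    childproc_count: int = 0
    modloads: List[str] = field(default_factory=list)
    crossproc_targets: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def _exe_drops(ev: ProcEvent) -> List[str]:
    return [f for f in ev.filemods if f.lower().endswith(".exe")]


def rule_powershell_code_drop(ev: ProcEvent) -> bool:
    # process_name:powershell.exe filemod:*.exe netconn_count:[1 TO *]
    return (_basename(ev.process_path) == "powershell.exe"
            and bool(_exe_drops(ev))
            and ev.netconn_count >= 1)


def rule_wmi_spawned_powershell(ev: ProcEvent) -> bool:
    # The dropper launches PowerShell via Win32_Process, so the observed
    # parent is wmiprvse.exe, not winword.exe.
    return (_basename(ev.process_path) == "powershell.exe"
            and _basename(ev.parent_path) == "wmiprvse.exe")


# path:c:\windows\system32\*.exe OR path:appdata\local\*\*
SUSPECT_LOCATION = re.compile(r"(\\windows\\system32\\[^\\]+\.exe$)|(\\appdata\\local\\)",
                              re.IGNORECASE)


def rule_unsigned_payload(ev: ProcEvent) -> bool:
    return (not ev.signed
            and SUSPECT_LOCATION.search(ev.process_path) is not None
            and bool(_exe_drops(ev))
            and ev.netconn_count >= 1
            and ev.childproc_count >= 1)


def rule_explorer_crossproc(ev: ProcEvent) -> bool:
    # digsig_result:"Unsigned" crossproc_name:explorer.exe filemod:*.exe
    # filemod_count:[2 TO *] modload:cryptbase.dll
    return (not ev.signed
            and any(_basename(t) == "explorer.exe" for t in ev.crossproc_targets)
            and len(_exe_drops(ev)) >= 2
            and any(_basename(m) == "cryptbase.dll" for m in ev.modloads))


RULES = {
    "powershell_code_drop": rule_powershell_code_drop,
    "wmi_spawned_powershell": rule_wmi_spawned_powershell,
    "unsigned_payload_in_system32_or_appdata": rule_unsigned_payload,
    "unsigned_explorer_crossproc": rule_explorer_crossproc,
}


def evaluate(events: List[ProcEvent]) -> Dict[str, List[int]]:
    """Return, per rule, the indices of the events that match it."""
    return {name: [i for i, ev in enumerate(events) if fn(ev)]
            for name, fn in RULES.items()}


# Constructed telemetry: a benign signed service, the WMI-spawned PowerShell
# stage writing 475.exe, and an unsigned payload copy running from AppData.
SAMPLE_EVENTS = [
    ProcEvent(r"c:\windows\system32\svchost.exe", r"c:\windows\system32\services.exe",
              signed=True, netconn_count=3),
    ProcEvent(r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
              r"c:\windows\system32\wbem\wmiprvse.exe", signed=True,
              filemods=[r"c:\users\alice\475.exe"], netconn_count=2, childproc_count=1),
    ProcEvent(r"c:\users\alice\appdata\local\placeholder\payload.exe",
              r"c:\windows\system32\services.exe", signed=False,
              filemods=[r"c:\windows\system32\placeholder1.exe",
                        r"c:\users\alice\appdata\local\placeholder2\copy.exe"],
              netconn_count=1, childproc_count=1,
              modloads=[r"c:\windows\system32\cryptbase.dll"],
              crossproc_targets=[r"c:\windows\explorer.exe"]),
]


if __name__ == "__main__":
    for rule, hits in evaluate(SAMPLE_EVENTS).items():
        print(f"{rule}: {hits}")
```

Keeping each condition as its own function mirrors the write-up's advice to tune per environment: an exclusion for a known installer or management agent is added to one rule without loosening the others.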
IOCs
Yara
rule trojan_emotet_2019_Q3 : TAU commodity
{
    meta:
        author = "CarbonBlack Threat Research" // jmyers
        date = "2019-Oct-4"
        Validity = 8
        severity = 8
        description = "Emotet Variants from October 2019 campaign"
        rule_version = 1
        yara_version = "3.10.0"
        Confidence = "Prod"
        Priority = "Medium"
        TLP = "White"
        exemplar_hashes = "7b19d210d01ac6cccebd6e472f71f775c8f2daf2418017d4cbe96fc70529c0be, 6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48"
    strings:
        $s1 = "kernel32.dll" wide
        $s2 = "crypt32.dll" wide
        $s3 = "advapi32.dll" wide
        $s4 = "VirtualAlloc"
        $s5 = "Decrypt Key Fail"
        $b1 = {6A 40 68 00 30 00 00}
        $b2 = {68 E8 00 00 00}
        $b3 = {3D 00 01 00 00}
        $b4 = {8? ?? 00 01 00 00}
    condition:
        uint16(0) == 0x5a4d and
        filesize < 500KB and
        all of ($s*) and
        all of ($b*)
}
Hashes
SHA256                                                            Type
6a5576a1676ad0bb219b18eafb74e669165ac4f7037525e57c87d8d7ec7452fc  Emotet Variant
6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48  Emotet Variant
da41364ff28e692d756c7f9d638b095c4c1e092c757dacc2d7d335351905ae4a  Emotet Variant
f9048a361e80d54f65586bab3905427b18cb654542cf1cc90660ea5952b11948  Emotet Variant
d05f96192822022c2618b31b4db9e2485db5903fbe12d96e0a7ed9440e3ff805  Emotet Variant
6cb7fe3e990cf66426a509c156629d9ae887b2af4cc843dc1c920f84fb5be001  Emotet Variant
7b19d210d01ac6cccebd6e472f71f775c8f2daf2418017d4cbe96fc70529c0be  Emotet Variant
28ef8575f1752b85357a17303893cdfcdfa3556981e2c540b3442903d347e6a9  Emotet Variant
d9e8e1dccf3a652114fd7a8f22aa38404487498f235f2d20beffc5585f75ab35  Emotet Variant
468899958462e77f4baf93b123b6c37dd8b3b4374a5111feed459a277e12ee62  Dropper Variant
821d138f7e5dd4d5bdd4b0ba947beb69e58e7892986b9cf3cc81fc320947539f  Dropper Variant
5265e77a224b83e6000cad62703b258534f1b0fd6c48388216f810ec6100b7c8  Dropper Variant
47c874592bad09492afa84bee0d0e459f36128a3647fb7428e9307e370ed161d  Dropper Variant
28546c1f49513142d43966d75eeb7c75a6cdb8446776ca73037643cc78d8be0d  Dropper Variant
a601b2cf342a86dcb41cf224eba94f275893cf613a2d3242887902fda17c57a2  Dropper Variant
15f2e31392e42bdd3c29d187edf9e4211bc36d856514439014b3b4ae13b81f30  Dropper Variant
fef7cb962db325b065c7161c34150af74eeb858b17f8ad1f5a473abbfc5b1dcc  Dropper Variant
ac51e554bc2ad368b643dc90006d656592db56bda610b4ec326bd9203f633b59  Dropper Variant
1da5734277160a96810320a8abcf58a038dad57e75c43256686692ca91c2d9a5  Dropper Variant
b757710fb19a487125d66369f09aa034466ace522d5c415875435d63d63efac0  Dropper Variant
54d159010665c2f92145fde70050eb97d4d7cf33c99f025f2a76890f1e5e6777  Dropper Variant
38fcabe55c4f929103244191d0185295904fa805cff0f6b0ffcaa4d99ae36330  Dropper Variant
788a3827a553afc2e9e39bee9da5cdb999d185543d8241447125d92fda8f9209  Dropper Variant
2a2698b18609cf6be29cb75365fe2504e3e5c82b840f660002dff00adc6fe4c4  Dropper Variant
651bfd311a3cf9d49e3593bb6397b739c8fe34301167e74ddbd45883e1f7887f  Dropper Variant
0d3cc36561abe65205b031e01d8dde731a15218115ce52922a289a50cb29b753  Dropper Variant
db5bccfb026fae128334c292d2829343b18dcea95c44186919f93a36dafe38cf  Dropper Variant
24a120bf46fe78bd3731dafb7def77f2ad312c58c985b26c82df2502cde2fb95  Dropper Variant
7ff20c61ed51df88164c7ecfab0775caf6bc234aac528b6f1bcf6861dd2a9913  Dropper Variant
c907c668dd361e21422ede2af0ed68fdf6875793aa891d66173aca3d0431556a  Dropper Variant
06c0667be2c51f19db87e929e9d94d6a03cd44de0c79c7e38796a55745be6b59  Dropper Variant
4bff7c03bbe3a2672257d0507a9ddb1df9a820cf99b5f8b15df1417c58c344a9  Dropper Variant
7feed412ef14e5ea64f30cbecac21be3c78b52ac573be3c8f694ab51b944affb  Dropper Variant
de74dc4992a463232ee673433679d174115c12b9fe4ffb8de13506dcbf20247d  Dropper Variant
2f3061a59cb2d8268dc4e058bda57bd1c34e5ac0bd8a94e04d2cc44411b7660f  Dropper Variant
50f97a815218f1cd3328590367b61af59fd5066160f15736560a83355b47adb9  Dropper Variant
5ebc0bfb460f0d51d2b9f9193d4c6d7cce3b98356e6a936a3e5daada3b54fe90  Dropper Variant
93c0861660fd85be3a63673218ce1656b0280565840d224e3453f08b6d369737  Dropper Variant
531407af1b7d2881d09d341cb92421bfdb19d8b09a6604d75f5a78f3fc45d37f  Dropper Variant
57103821b25d1861eaf2c21a4135eee1306c2879efbb37a6efb856dbb2ab6b30  Dropper Variant
a0e1aebcae4f57f066551847f5c7dfc80c9d831e366ff92ff46ea342ef95b5fe  Dropper Variant
02476c938dec77d1d98aefa352be45f7548b14ba771a650be2ab88a11006533b  Dropper Variant
6662a02c49987bdf964efcbd90af519a2ec20cf9e08a2fd3a1e0b153eb6b21ed  Dropper Variant
a72bc3a50dc1c94f85a4f9c38d2fe7900017979abcac6d0f1cc0e903d82b7163  Dropper Variant
53cad9f095328fab0119fc57738a09355adca40a1f78cb893e98c0aa5f116256  Dropper Variant
3cf0c8bceb3f3e3f5d94a480b66bb8cfbb10dc970cd05f7b4466bd28caa5f71d  Dropper Variant
de5ff0e075b2d0e9131185ce1972bd6e8c481b90cdd59cf7e1440d28931d140e  Dropper Variant
540ef14d06cd6b683bb4300f5db8bdb0512addaac3a28389c9cb7b8769011c78  Dropper Variant
2c9a01fadff238bd62c7724b97460bfcf72d6da0e8bc6c8d5c4f434305f4e86b  Dropper Variant
e7ddbde520177588d438af12d1455ef026fe4007883913397aa24ebb98339722  Dropper Variant
856a4a2e937a3fc54864c3b84d4d730b614fb0050ae54f361ffdf58e9d7cda46  Dropper Variant
89139a273ec96a6e369c6bc6f09ee37efe5949c02478bae846d123219b20ecd6  Dropper Variant
bb2529c9923cc702c9ba8550e3fa9eb2794ed51f68ee59070750bb350ceab874  Dropper Variant
c536262f721cf39942b0e949a38f67f242e6809053219840377a17badd197ef5  Dropper Variant
55b1c8e09a96b77c8f988cd45b0e6c3372a54069cb1da770c2d16179b68c3fbd  Dropper Variant
6eb189621ee6a5bba057be1e5651a6bb0ab6ffa3b2d55d5b32fd1b0aaca9dd1d  Dropper Variant
d2aa1a1667507a26139b9350e3f010717f16ec204be0347f9d9b6ffd03eaf343  Dropper Variant
396ecaec84c3ca6b9be7c2941565e28ad7e5f589e4ac27f8a9c2907f4b9d63a6  Dropper Variant
dd7c18a027eb4b5ede578558d4519a7080645a5b9e7b086a5d04092b7b427146  Dropper Variant
05c405b6abef047e397e1ee5fbbebd01594e42152d42e73d94516a5ec4b03f60  Dropper Variant
08d5e350028dffaa0a9af85c486fbff521d7dc8c39cb16ad30e432e7425b2ad9  Dropper Variant
8e4bd2229a332c4df1954401548f510e3f4c6644098c32dee4b1978e885fb245  Dropper Variant
afeaba456de6de93e2c7958665425dae39507114a24bafe15f4a32132664afbf  Dropper Variant
9e5247ee20e53332b4c0845a66a99396d88d3dbbccf5e20f8b2f1ca1c939d6c0  Dropper Variant
a927d9e2058f3e77c4ab2853cffe6ebf7424e8cfb0ce052eae4ba59ee28ae1d5  Dropper Variant
54eba1120f583d15bd0063dd875e946c3a7416f4d378aeacd388ec07bdb9a78b  Dropper Variant
7d6b50f3d7cfa557c68a3c1db3da4a86fef50a91b88994a4b8e7932723cb1a5f  Dropper Variant
1571c7d3c470bd9f45532b2a0a9ee21dd345bc486c182f4b67a85202af93d8c6  Dropper Variant
2e993de110555b14a5bc91fb87479a6cf0725e0eb675c461434c45083c6b5048  Dropper Variant
9d53b16bfef22fa00b897796f1f3ba751228d4e77c2f64c1d0d9b503851b80a0  Dropper Variant
9ec7bb86bd1322b05069c3bc176239f539ec3366da717a50374286ac4bec6c0b  Dropper Variant
5646000db0f970572677f0f4836802dec08dde3fddc23747a706af94f93a6d64  Dropper Variant
9378de2014527574c78f65d4c1ab313dbcefdfe363f5d9bfbb6c71e5b8dbf1de  Dropper Variant
62b5f3a95a9581064b56bea53c80c68db505ac40974b80983979b8e0a3e67855  Dropper Variant
|