{"id":12398,"date":"2018-05-25T08:10:06","date_gmt":"2018-05-25T16:10:06","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2018\/05\/25\/news-6167\/"},"modified":"2018-05-25T08:10:06","modified_gmt":"2018-05-25T16:10:06","slug":"news-6167","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/05\/25\/news-6167\/","title":{"rendered":"Malware analysis: decoding Emotet, part 1"},"content":{"rendered":"

Credit to Author: Vishal Thakur| Date: Fri, 25 May 2018 15:00:00 +0000<\/strong><\/p>\n

Emotet Banking Trojan malware has been around for quite some time now. As such, infosec researchers have made several attempts to develop tools to de-obfuscate and even decrypt the AES-encrypted code belonging to this malware.<\/p>\n

The problem with these tools is that they target active versions of the malware. They run into problems when the authors of the malware change the code. The change could be anything from slight variations to the code structure to drastic changes such as moving from a VBA project to PowerShell scripting.\u00a0Usually, even a minor code variation breaks the tools.<\/p>\n

The main goal of this article is to help readers understand the structure and flow of Emotet in detail, so that code variations do not pose challenges to analysts who are trying to decode it in the future. We will also take a deep dive into some important parts of the code itself in order to understand the execution in a detailed, step-by-step process.<\/p>\n

In the first part of this two-part analysis, we look at the VBA code, where you’ll learn how to recognize and discard “dead” code thrown in to complicate the analysis process. We also look at techniques that can be used to extract the obfuscated commands, and how the code executes.<\/p>\n

Emotet overview<\/h3>\n

For the purpose of our analysis, we’re taking a look at this sample<\/a>:<\/p>\n

File: PAYMENT 225EWF.doc<\/p>\n

MD5: e8e468710c0a4f0906305c435a761902<\/p>\n

SHA-256: 707fedfeadbfa4248cfc6711b5a0b98e1684cd37a6e0544e9b7bde4b86096963<\/p>\n

The current version of the Emotet downloader uses PowerShell to execute final commands.\u00a0The infection vector is a traditional email phishing campaign. The phish would contain a link that the victim is supposed to click on, which in turn would start the download of the malware. The malware is usually a Word document, which prompts the victim to enable macros. Once the macros are enabled, the VBA executes in the background, and the payload is downloaded and executed on the victim\u2019s computer.<\/p>\n

VBA code<\/h3>\n

Let\u2019s take a quick look at how we can access the VBA code from the infected Microsoft Word document. In order to enable the Developer view in Word, go to File and select “Options.” In Options, click on “Customize Ribbon.” Enable the “Developer” option and hit OK.<\/p>\n

This should now get you a “Developer” item in the top menu bar. Once you click on “Developer,” you\u2019ll see the option “Visual Basic.”<\/p>\n

Click on Visual Basic and you\u2019ll be presented with the entire project in a separate window. We can now start analyzing the code.<\/p>\n

Alternatively, we can use an automated way of extracting this Powershell script by running the document in a VM and checking the parameters with which the Powershell was deployed, i.e. with the help of ProcessExplorer. Also, sandboxes such as Hybrid Analysis<\/a> extract it automatically.\u00a0<\/span><\/p>\n

Code execution<\/h4>\n

Once the “content” is enabled (macros)<\/a>, the execution starts.<\/p>\n

\"\"<\/p>\n

The VBA code comes as part of the malicious MS Office document. As soon as the macros are enabled, the code executes in the background.<\/p>\n

As an attempt at obfuscating the code, the developers have included a lot of text that is not used. Only part of the entire code is usable, and it is quite well hidden.<\/p>\n

A faster way to get straight into the code is to start at the macro code that is called for execution of the initial commands. In the case of the sample analyzed here, it is the Sub AutoOpen(). We start by following this sub procedure.<\/p>\n

\"\"<\/p>\n

We will now discard all the useless code that has been included in the sub to complicate analysis.<\/p>\n

\"\"<\/p>\n

We can see at the end of the sub procedure, the Application.run method is called:<\/p>\n

\"\"<\/p>\n

To execute the method shown above, we can see that the method calls on a sub and a function.<\/p>\n

First, we take a look at sub ndUzTzJ<\/strong>.<\/p>\n

This sub again has some useless text that is just there to add complexity for the purposes of analysis. We will focus on usable code only.<\/p>\n

This is what the sub should look like after we\u2019ve discarded the useless code:<\/p>\n

\"\"<\/p>\n

vbHide will be assigned a value of 0, which means the window is hidden and focus is passed to the hidden window.<\/p>\n

DsPBkKtzcIwF – generates the command.<\/p>\n

ndUzTzJ – calls WScript.Shell to execute the command.<\/p>\n

Let\u2019s take a look at a section of the Function DsPBkKtzcIwF():<\/p>\n

\"\"<\/p>\n

\"\"<\/p>\n

\"\"<\/p>\n

In the code snippet above, we can see a few notable things:<\/p>\n

Variables are being used to store assigned values. The values will then be passed to a different function, yy222222222222222y(), for processing. Once processed, the values are then assigned to different variables again and these variables will be used to construct the encrypted code that will be passed onto the system for decryption using PowerShell.<\/p>\n

Deep dive<\/h3>\n

Let\u2019s take a deep dive here and closely analyze the code:<\/p>\n

JMArl = “zahajUZomiAjVADEAMAA4ADMdpokrTZ”<\/p>\n

Variable JMArl is assigned the value of \u201czahajUZomiAjVADEAMAA4ADMdpokrTZ\u201d<\/p>\n

szFqp = sRWNiPRldXLv = 21790 + 2115454 * PhcMjZjwl – CLng(8712932) \/ (zunFnTXk – Sqr(1328634 * Oct(7463260) – 1977628 – 4976151) * (294265 \/ XiFEWH))<\/p>\n

vLkhkiRclJ = GcDcX = 3122978 + 1398811 * JTkURPW – CLng(9593915) \/ (krXPEiFIa – Sqr(1266549 * Oct(1775652) – 8314095 – 5625841) * (8872696 \/ mNsSkdPD))<\/p>\n

This code is not usable\u2014we will discard it.<\/p>\n

sEVQo = IjKrpJC + yy222222222222222y(JMArl, 14, 11)<\/p>\n

This is where most of the action takes place. The variable sEVQo is assigned the value of the output of \u201cIjKrpJC + yy222222222222222y(JMArl, 14, 11)\u201d<\/p>\n

\u201cIjKrpJC\u201d doesnt serve any purpose, we will discard it.<\/p>\n

yy222222222222222y() is the function being called. Let\u2019s take a look at the function itself:<\/p>\n

\"\"<\/p>\n

Now, let\u2019s get rid of all the garbage code from the function and then have another look at it:<\/p>\n

\"\"<\/p>\n

The function calls on the Mid function, which processes the data for further use.<\/p>\n

Mid function<\/h4>\n

hPoMiTjfoDT is the TEXT; twOYMDvfbGk is the START_POSITION; VSTcawBYGW is the NUMBER_OF_CHARACTERS<\/p>\n

Now that we understand how the code flow has been structured, let\u2019s take a look at how the program executes.<\/p>\n

Here\u2019s the variable sEVQo\u00a0 before it has been assigned any value:<\/p>\n

\"\"<\/p>\n

sEVQo now calls on yy222222222222222y(). We can see that the value \u201c14\u201d has been passed on to the function variable \u201ctwOYMDvfbGk\u201d:<\/p>\n

sEVQo = IjKrpJC + yy222222222222222y(JMArl, 14, 11)<\/p>\n

\"\"<\/p>\n

Moving on, we can see the value \u201c11\u201d has been passed on to the function variable \u201cVSTcawBYGW\u201d:<\/p>\n

sEVQo = IjKrpJC + yy222222222222222y(JMArl, 14, 11)<\/p>\n

\"\"<\/p>\n

Finally, the text string will be passed on to the variable mbPRLWAjZ, which is EMPTY at first:<\/p>\n

\"\"<\/p>\n

\"\"<\/p>\n

Now, this data will be processed using the Mid function, as described above.<\/p>\n

Let\u2019s take a look at how that unfolds:<\/p>\n

mbPRLWAjZ= zahajUZomiAjVADEAMAA4ADMdpokrTZ<\/p>\n

twOYMDvfbGk= 14<\/p>\n

VSTcawBYGW= 11<\/p>\n

Mid(hPoMiTjfoDT, twOYMDvfbGk, VSTcawBYGW):<\/p>\n

Mid(\u201czahajUZomiAjVADEAMAA4ADMdpokrTZ\u201d, 14, 11)<\/p>\n

It should translate to:<\/p>\n

ADEAMAA4AD <\/strong><\/p>\n

\"\"<\/p>\n

\u00a0<\/strong>Now let\u2019s take a look at the function in execution again:<\/p>\n

\"\"<\/p>\n

And it will be passed back to the calling variable:<\/p>\n

\"\"<\/p>\n

And now the value for the variable sEVQo has been assigned to ADEAMAA4AD.\u00a0<\/strong>That was a look at one of the many variables that were used in this function.<\/p>\n

To see how it all flows into the end result for this value, we can take a look at the final assignment of the variable:<\/p>\n

\"\"<\/p>\n

The value assigned to DsPBkKtzcIwF after the above line of code is executed is the command that will be executed by sub ndUzTzJ:<\/p>\n

\"\"<\/p>\n

We can now print the output to screen (using MsgBox) to have a quick look or to the immediate window (using Debug.Print) for a complete result.<\/p>\n

\"\"<\/p>\n

\"\"<\/p>\n

Here\u2019s the part of the command from above that invokes PowerShell:<\/p>\n

\"\"<\/p>\n

Which should translate (look at the highlighted text) to:<\/p>\n

\"\"<\/p>\n

That was a look at how to get the final command with the encrypted data out of the VBA code. In part two of this series, we’ll decrypt this data to extract the stage two payload URLs from it.<\/p>\n

The post Malware analysis: decoding Emotet, part 1<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n

https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: Vishal Thakur| Date: Fri, 25 May 2018 15:00:00 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
In the first part of this two-part analysis of Emotet, we look at the VBA code, where you’ll learn how to recognize and discard “dead” code thrown in to complicate the analysis process.<\/p>\n

Categories: <\/p>\n