EMOTET malware is one of the prevalent banking Trojans nowadays. It is known as a loader for other malware: delivered through spam e-mail, it can download and execute other malicious modules to spread in the network.

So out of curiosity I did some analysis of the said malware. The sample was packed to hide its code. When the malware is executed it allocates memory space for two .exe files. The first one is the anti-sandbox module and the other .exe contains the actual malware payload.
Anti-sandbox tricks:

As explained by other malware blogs, it has the capability to detect a sandbox by checking the username, the computer name and the existence of some test files from a test machine. The strings it checks are listed below.

USERNAME & COMPUTERNAME:
TEQUILABOOMBOOM
Wilbert
admin
SystemIT
KLONE_X64-PC
BEA-CHI
John Doe

The running module filename must not contain any of the following strings:
sample
mlwr_smpl
artifact.exe

It checks for the existence of the following files to detect a sandbox/test machine:
C:\email.doc
C:\email.htm
C:\123\email.doc
C:\123\email.docx
C:\a\foobar.bmp
C:\a\foobar.doc
C:\a\foobar.gif
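The three checks above are exactly what an analysis VM should fail to trip, otherwise the sample exits before doing anything worth observing. The following self-check script is an added example, not code from the original post: it takes the username, computer name, module path and marker-file list as plain arguments so the logic can be tested offline, and collect_host_facts() (my own helper) gathers the live values when the script is run on the analysis machine. The name lists are the ones given above, nothing else is assumed about the sample.

```python
import os
import sys
import socket

# Indicators reproduced from the write-up: usernames / computer names,
# substrings the running module's path must not contain, and marker files.
SANDBOX_NAMES = {
    "TEQUILABOOMBOOM", "Wilbert", "admin", "SystemIT",
    "KLONE_X64-PC", "BEA-CHI", "John Doe",
}
SANDBOX_MODULE_SUBSTRINGS = ("sample", "mlwr_smpl", "artifact.exe")
SANDBOX_MARKER_FILES = (
    r"C:\email.doc", r"C:\email.htm", r"C:\123\email.doc", r"C:\123\email.docx",
    r"C:\a\foobar.bmp", r"C:\a\foobar.doc", r"C:\a\foobar.gif",
)


def sandbox_indicators(username, computername, module_path, existing_files):
    """Return the checks from the write-up that this host would trip.

    All inputs are passed explicitly so the function can run offline;
    collect_host_facts() gathers them from the live machine.
    """
    hits = []
    names_upper = {n.upper() for n in SANDBOX_NAMES}
    for label, value in (("USERNAME", username), ("COMPUTERNAME", computername)):
        # Windows treats these names case-insensitively, so compare upper-cased.
        if value.upper() in names_upper:
            hits.append(f"{label} matches sandbox name list: {value!r}")
    # The whole path is checked, so a directory called "samples" counts too.
    path_lower = module_path.lower()
    for needle in SANDBOX_MODULE_SUBSTRINGS:
        if needle.lower() in path_lower:
            hits.append(f"module path contains {needle!r}: {module_path!r}")
    present = {p.lower() for p in existing_files}
    for marker in SANDBOX_MARKER_FILES:
        if marker.lower() in present:
            hits.append(f"marker file present: {marker}")
    return hits


def collect_host_facts():
    """Gather the same facts from the machine this script runs on (assumed helper)."""
    return {
        "username": os.environ.get("USERNAME") or os.environ.get("USER", ""),
        "computername": os.environ.get("COMPUTERNAME") or socket.gethostname(),
        "module_path": os.path.abspath(sys.argv[0]),
        "existing_files": [p for p in SANDBOX_MARKER_FILES if os.path.exists(p)],
    }


if __name__ == "__main__":
    for hit in sandbox_indicators(**collect_host_facts()) or ["no indicators found"]:
        print(hit)
```

Run it once on the freshly built VM; every line it prints is a reason the sample would refuse to run there, so rename the account, the host, the dropped sample or remove the marker file before detonating.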
IOC and malware behavior:

This sample still uses the callback capability of CreateTimerQueueTimer. The callback function is executed every 1000 milliseconds (0x3E8).

Fig 2. Emotet payload callback function.

The callback function contains several functions that are executed on a timed basis, based on the generated tick count, once the callback function is triggered again. Those functions are responsible for creating the malware service as an autostart registry entry, creating a crypt hash key (CryptHashKey) for encrypting some data, enumerating all running processes on the infected machine together with some system info like the OS version, and lastly connecting to its C&C server and sending the encrypted data it parsed from the machine.

Fig 3. Creating a service of itself.
Fig 3. Generating the hash key.
Fig 4. Gathered information.
Fig 5. Running processes on the infected machine.
It will also drop a copy of itself. During normal execution it drops a copy of itself in:
%appdata%\Local\Microsoft\Windows\<randomname>.exe

With admin privilege it drops it in either of the 2 paths:
c:\windows\system32\<randomname>.exe
c:\windows\syswow64\<randomname>.exe
And the known C&C server <IP address, port> table of the EMOTET malware.

Fig 7. The C&C server table.

C&C servers with their ports:
69[.]43[.]168[.]196[.]443
217[.]13[.]106[.]246[.]8080
194[.]88[.]246[.]242[.]443
217[.]13[.]106[.]249[.]8080
60[.]32[.]214[.]242[.]8080
167[.]114[.]98[.]61[.]8080
77[.]220[.]64[.]48[.]8080
41[.]72[.]140[.]141[.]8080
190[.]3[.]183[.]19[.]443
45[.]73[.]17[.]164[.]8080
124[.]109[.]2[.]75[.]8080
195[.]16[.]207[.]220[.]8080
217[.]13[.]106[.]16[.]8080
217[.]13[.]106[.]231[.]8080

Fig. Simple python script to convert the IP addresses.
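The screenshot of the conversion script did not survive extraction, so here is an added example of the same job, not the author's script: decode a packed IP/port table into readable, defanged indicators and turn them back into address/port pairs for a blocklist. The record layout (4 bytes of IPv4 in network order followed by a 16-bit big-endian port, terminated by an all-zero record) is an assumption about how such a table is stored, not something the post states; change ENTRY_FMT if the sample at hand packs the port little-endian or uses a different record size. The sample table is constructed from the first three entries in the list above.

```python
import ipaddress
import struct

# Assumed record layout (the write-up only shows the table as a screenshot):
# IPv4 as 4 raw bytes in network order, then a 16-bit big-endian port.
ENTRY_FMT = ">4sH"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 6 bytes per record


def parse_c2_table(blob):
    """Decode a packed IP/port table into a list of (ip, port) tuples.

    Parsing stops at the first all-zero record, taken here as the table
    terminator (assumption; adapt to the sample being analysed).
    """
    usable = blob[: len(blob) - len(blob) % ENTRY_SIZE]  # drop a trailing partial record
    entries = []
    for raw_ip, port in struct.iter_unpack(ENTRY_FMT, usable):
        if raw_ip == b"\x00\x00\x00\x00" and port == 0:
            break
        entries.append((str(ipaddress.IPv4Address(raw_ip)), port))
    return entries


def defang(ip, port):
    """Render an indicator so it is not clickable, e.g. 69[.]43[.]168[.]196:443."""
    return ip.replace(".", "[.]") + f":{port}"


def refang(text):
    """Undo defang() so the value can feed a firewall rule or blocklist."""
    ip, _, port = text.replace("[.]", ".").rpartition(":")
    return ip, int(port)


# Constructed sample table: the first three entries from the list above,
# packed with the assumed layout, followed by a zero terminator.
SAMPLE_TABLE = (
    ipaddress.IPv4Address("69.43.168.196").packed + struct.pack(">H", 443)
    + ipaddress.IPv4Address("217.13.106.246").packed + struct.pack(">H", 8080)
    + ipaddress.IPv4Address("194.88.246.242").packed + struct.pack(">H", 443)
    + b"\x00" * ENTRY_SIZE
)

if __name__ == "__main__":
    for ip, port in parse_c2_table(SAMPLE_TABLE):
        print(defang(ip, port))
```

In practice the blob is read straight out of the unpacked payload at the offset shown in the table screenshot; keeping the layout in one format string makes it a one-line change when a later build of the loader shuffles the fields.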
OTHER IOC:

Aside from its C&C server table, EMOTET malware also has an encrypted string look-up table that it uses to generate the random file name of the dropped copy of itself.

Fig 8. The encrypted string table.
Fig 9. Decryption routine of the string table.
Fig 10. Decrypted string look-up table.
It disables the tracing records for each routing protocol that are common in Remote Access Service (RAS) by adding the following registry:

Aside from creating a service, it also adds a regrun as an autorun registry entry upon boot-up of the machine.
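The drop locations listed earlier are the most stable detection hook in this write-up: the file name is random, but the directories are fixed. The following is an added example of detection logic (not code from the post) run over constructed, pipe-separated file-creation events; real telemetry would come from Sysmon or an EDR, and the field order, the reading of "%appdata%\Local" as the per-user AppData\Local folder, and the TrustedInstaller allowlist are all my assumptions.

```python
import re

# Drop directories from the write-up. "%appdata%\Local\..." is read as the
# per-user AppData\Local folder (assumption). Only an .exe placed directly in
# one of these directories is matched, which is what the sample does.
DROP_DIR_RE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\appdata\\local\\microsoft\\windows"
    r"|[a-z]:\\windows\\(?:system32|syswow64))\\([^\\]+\.exe)$",
    re.IGNORECASE,
)

# Writers that legitimately place executables in the system directories.
# An assumed allowlist; tune it to the environment being monitored.
ALLOWED_WRITERS = {r"c:\windows\servicing\trustedinstaller.exe"}


def parse_event(line):
    """Constructed format: time|event|writing process|target path. None if malformed."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 4:
        return None
    return dict(zip(("time", "event", "image", "target"), fields))


def find_drop_events(lines):
    """Return FileCreate events that land an .exe in one of the drop directories."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["event"] != "FileCreate":
            continue
        m = DROP_DIR_RE.match(ev["target"])
        if not m or ev["image"].lower() in ALLOWED_WRITERS:
            continue
        ev["dropped_name"] = m.group(1)
        hits.append(ev)
    return hits


# Constructed sample events (not real telemetry): a user-run attachment
# dropping into AppData, an unrelated temp file, a Windows servicing write,
# and the elevated copy dropping a second executable into SysWOW64.
SAMPLE_EVENTS = [
    "10:01:02|FileCreate|C:\\Users\\bob\\Downloads\\invoice.exe|"
    "C:\\Users\\bob\\AppData\\Local\\Microsoft\\Windows\\kbqtrzp.exe",
    "10:01:03|FileCreate|C:\\Users\\bob\\Downloads\\invoice.exe|"
    "C:\\Users\\bob\\AppData\\Local\\Temp\\tmp1.dat",
    "10:05:40|FileCreate|C:\\Windows\\servicing\\TrustedInstaller.exe|"
    "C:\\Windows\\System32\\wuauclt.exe",
    "10:07:11|FileCreate|C:\\Windows\\SysWOW64\\kbqtrzp.exe|"
    "C:\\Windows\\SysWOW64\\gvmxneq.exe",
    "10:07:12|ProcessCreate|C:\\Windows\\SysWOW64\\gvmxneq.exe|",
]

if __name__ == "__main__":
    for ev in find_drop_events(SAMPLE_EVENTS):
        print(ev["time"], ev["image"], "->", ev["target"])
```

The rule deliberately keys on the directory rather than on the random name, and an allowlist keyed on the writing process is the weak point: anything that can run as that process bypasses it, so pair this with the service-creation and autorun registry events the post describes rather than relying on it alone.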