An Anatomy of Emotet Malware: A Live Sample Demonstration
Malware Analysis
Monday, March 11, 2019
Emotet has been all over the news lately, so let's first understand what it is and how it behaves in detail.
Emotet is one of the most advanced and highly modular banking Trojan droppers. It can act as a downloader for other banking Trojans and, in some cases, for ransomware.
According to US-CERT, Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments and the private and public sectors, and Emotet infections have cost SLTT governments up to $1 million per incident to remediate.
So we decided to run a sample in our lab and see whether Forensic State Analysis (FSA) based threat hunting can detect it.
Live Malware Sample Testing Process
We created a clean Windows 7 system in our lab and ran a scan with the Infocyte threat hunting platform. The system shows as clean: no threat is detected by the Infocyte Forensic State Analysis (FSA) tool.
Now let's run a live Emotet sample (a macro-enabled Word document) on the system.
As usual, it asks the user to enable macros (and, as usual, users fall for it every single time, don't they? :-))
Once we enable the macro we can quickly see winword.exe start cmd.exe, which in turn launches powershell.exe.
Looking at the powershell.exe process arguments, we can see it runs an obfuscated script. The script tries to contact a few domains one by one to download the payload from the internet. We have extracted all the domains for this variant below.
Once the file is downloaded, the script saves it as 477.exe in the temp folder ($env:temp) and runs it from there.
We can confirm this in Procmon: as soon as we enable the macro, winword.exe starts cmd.exe.
In the next step cmd.exe starts powershell.exe.
At this point powershell.exe opens a network connection to http://kids-education-support.com to download the payload, writes it to the temp folder as 477.exe and runs 477.exe from there.
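The process chain observed above (an Office application spawning cmd.exe, which spawns an obfuscated powershell.exe, which drops and runs a binary from the temp folder) is exactly what a process-creation detection should key on. The following is an added example for this post, not the author's or Infocyte's code: it walks a set of process-creation events, rebuilds each process's ancestry and tags the chain. The events are constructed to resemble Sysmon-style records; the pids, paths and the base64 string are placeholders, not values from the lab run.

```python
"""Flag the Office -> cmd.exe -> powershell.exe -> %TEMP% execution chain
using process-creation events as input (constructed example)."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # its command line


# Finding tags returned by detect()
OFFICE_LINEAGE = "office-lineage"                # a LOLBin or temp binary descends from an Office app
OBFUSCATED_POWERSHELL = "obfuscated-powershell"  # command line hides what it does
RUNS_FROM_TEMP = "runs-from-temp"                # image sits in a temp directory

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe"}
TEMP_DIR_RE = re.compile(r"\\(?:Windows\\Temp|AppData\\Local\\Temp)\\", re.IGNORECASE)
# Traits of a script trying to hide itself: a long base64 -EncodedCommand,
# a hidden window, [char] arithmetic or -join string assembly
OBFUSCATION_RE = re.compile(
    r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{40,}"
    r"|-w(?:indowstyle)?\s+hidden"
    r"|\[char\]\s*\d+"
    r"|-join\b",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(event: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Return the image names of event's ancestors, nearest parent first."""
    chain, seen, ppid = [], {event.pid}, event.ppid
    while ppid in by_pid and ppid not in seen:   # stop at an unknown pid or a pid-reuse loop
        seen.add(ppid)
        parent = by_pid[ppid]
        chain.append(basename(parent.image))
        ppid = parent.ppid
    return chain


def detect(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map each suspicious pid to the finding tags that apply to it."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, List[str]] = {}
    for e in events:
        name = basename(e.image)
        from_temp = bool(TEMP_DIR_RE.search(e.image))
        tags = []
        if (name in LOLBINS or from_temp) and OFFICE_IMAGES & set(ancestry(e, by_pid)):
            tags.append(OFFICE_LINEAGE)
        if name == "powershell.exe" and OBFUSCATION_RE.search(e.cmdline):
            tags.append(OBFUSCATED_POWERSHELL)
        if from_temp:
            tags.append(RUNS_FROM_TEMP)
        if tags:
            findings[e.pid] = tags
    return findings


# Constructed sample: one malicious chain plus one benign PowerShell run from explorer.
FAKE_B64 = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0NTY3ODkw"  # placeholder, decodes to plain text
SAMPLE_EVENTS = [
    ProcEvent(100, 4,   r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE", '"WINWORD.EXE" invoice.doc'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe", f'cmd /c "powershell -w hidden -e {FAKE_B64}"'),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", f"powershell -w hidden -e {FAKE_B64}"),
    ProcEvent(500, 400, r"C:\Users\analyst\AppData\Local\Temp\477.exe", "477.exe"),
    ProcEvent(600, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
]

if __name__ == "__main__":
    by_pid = {e.pid: e for e in SAMPLE_EVENTS}
    for pid, tags in sorted(detect(SAMPLE_EVENTS).items()):
        chain = list(reversed(ancestry(by_pid[pid], by_pid))) + [basename(by_pid[pid].image)]
        print(f"{pid}: {' -> '.join(chain)}  [{', '.join(tags)}]")
```

The benign backup script (pid 600) is left alone because its parent is explorer.exe and its command line carries none of the obfuscation traits, while cmd.exe, powershell.exe and 477.exe all inherit the Office lineage. Feeding real Sysmon event ID 1 data into `ProcEvent` needs only the four fields shown.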
477.exe then creates subsculture.exe and drops it in C:\windows\system32.
It then creates a service (Name: subsculture, Startup mode: Auto, Account: System) and exits.
services.exe starts the service and launches subsculture.exe, which connects to the command and control server (190.55.123.250).
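The persistence described above is a new auto-start service running as SYSTEM, and the cleanest way to spot it is the one this walkthrough itself uses: record the service list on the clean system first, then compare after the sample has run. The following is an added example for this post, not the author's or Infocyte's code. Both snapshots are constructed for illustration; the field names follow the Win32_Service class (Name, PathName, StartMode, StartName), which is what an export from Get-CimInstance Win32_Service would contain.

```python
"""Diff a clean-system service baseline against a later snapshot and rank the
auto-start services that appeared or changed (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Service:
    name: str
    path_name: str    # binary path plus arguments
    start_mode: str   # Boot, System, Auto, Manual or Disabled
    start_name: str   # account the service runs as


SYSTEM_ACCOUNTS = {"localsystem", "nt authority\\system"}


def assess(svc: Service, previous: Optional[Service] = None) -> dict:
    """Describe one new or modified service and assign a severity."""
    reasons: List[str] = []
    if previous is None:
        reasons.append("service not present in clean baseline")
    else:
        for field in ("path_name", "start_mode", "start_name"):
            if getattr(previous, field) != getattr(svc, field):
                reasons.append(f"{field} changed: {getattr(previous, field)!r} -> {getattr(svc, field)!r}")
    auto = svc.start_mode.lower() == "auto"
    as_system = svc.start_name.lower() in SYSTEM_ACCOUNTS
    if auto:
        reasons.append("starts automatically at boot")
    if as_system:
        reasons.append("runs as SYSTEM")
    # A new auto-start service running as SYSTEM is the textbook persistence shape
    if previous is None and auto and as_system:
        severity = "high"
    elif previous is None or previous.path_name != svc.path_name:
        severity = "medium"
    else:
        severity = "low"
    return {"name": svc.name, "change": "new" if previous is None else "modified",
            "severity": severity, "reasons": reasons}


def diff_services(baseline: List[Service], current: List[Service]) -> Dict[str, dict]:
    """Return findings keyed by service name for services that are new or changed."""
    base = {s.name.lower(): s for s in baseline}
    findings: Dict[str, dict] = {}
    for svc in current:
        prev = base.get(svc.name.lower())
        if prev is None or prev != svc:
            findings[svc.name] = assess(svc, prev)
    return findings


# Constructed snapshots: a few services from the clean machine, then the same
# machine after the sample ran (plus one harmless admin change for contrast).
BASELINE = [
    Service("Dnscache", r"C:\Windows\system32\svchost.exe -k NetworkService", "Auto", r"NT AUTHORITY\NetworkService"),
    Service("Spooler",  r"C:\Windows\System32\spoolsv.exe", "Auto", "LocalSystem"),
    Service("VSS",      r"C:\Windows\system32\vssvc.exe", "Manual", "LocalSystem"),
]
AFTER_INFECTION = [
    BASELINE[0],
    Service("Spooler", r"C:\Windows\System32\spoolsv.exe", "Manual", "LocalSystem"),      # admin turned printing off
    BASELINE[2],
    Service("subsculture", r"C:\Windows\system32\subsculture.exe", "Auto", "LocalSystem"),  # the dropped service
]

if __name__ == "__main__":
    for name, f in sorted(diff_services(BASELINE, AFTER_INFECTION).items()):
        print(f"[{f['severity'].upper()}] {name} ({f['change']}): " + "; ".join(f["reasons"]))
```

The Spooler change surfaces as a low-severity modification, while subsculture comes out as a high-severity new service for the same three reasons the post lists: it is not in the baseline, it starts automatically and it runs as SYSTEM. In practice the baseline would be captured with `Get-CimInstance Win32_Service | Select-Object Name, PathName, StartMode, StartName | Export-Csv` on the clean build and loaded into `Service` objects.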
We stop the analysis at this point and move on to Infocyte. The malware has now run completely and installed a persistence mechanism using a Windows service. On the endpoint we have the subsculture.exe process running in memory and a service created for persistence. Let's run an Infocyte scan and see the results.
Infocyte immediately flags the endpoint as compromised and reports 3 compromised objects: 1 process, 1 memory object and 1 autostart object. Under the Process tab, Infocyte detects subsculture.exe as BAD with a score of 10.
Under the Memory tab, Infocyte unmaps a memory injection in subsculture.exe and marks it as BAD.
Under Accounts, Infocyte gives a threat score of COMPROMISED for the SYSTEM account (since the service runs as SYSTEM).
And under Autostarts, Infocyte detects the malware's auto-start service as BAD.
If you would like to know more or need assistance with this malware, please feel free to reach out to us.
Contributed by: Raeez Abdullah, Principal Consulting Engineer, CodeGreen Systems