Skip to main content

Emotet C2 Network IOC August 2018 Week 4 Campaign

Article by Vishal Thakur



IPPortCOUNTRYREGIONCITYTIME ZONE
50.33.142.65United StatesTexasDallasCST
173.63.125.138United StatesNew JerseyEST
67.175.118.157United StatesSouth CarolinaTamasseeEST
47.186.71.56CanadaOntarioOttawaEST
71.12.111.50443United StatesGeorgiaMoultrieEST
100.16.243.115443United StatesVirginiaAshburnEST
80.89.191.118United Arab EmiratesDubaiGMT+4
104.219.132.28United StatesOklahomaOklahoma CityCST
23.25.247.205443United StatesMassachusettsCambridgeEST
118.244.214.210443Korea, Republic OfSeoulGMT+9
212.129.56.179443Russian FederationMoscowGMT+3
47.16.187.1968090CanadaOntarioOttawaEST
97.68.6.1558090United StatesNew JerseyBedminsterEST
71.174.9.241United StatesFloridaBrandonEST
14.1.39.3443ChinaGuangzhouGMT+8
199.119.78.38443United StatesMissouriSpringfieldCST
71.8.233.2467080United StatesDelawareSeafordEST
108.191.59.73United StatesDistrict Of ColumbiaWashingtonEST
75.134.186.4150000United StatesTexasPlanoCST
194.150.118.8443HungaryBudapestGMT+1
146.185.170.2228080United StatesWisconsinRacineCST
76.184.189.139United StatesVirginiaHerndonEST
174.22.174.8990United StatesNew MexicoFarmingtonMST
47.49.12.988090ChinaHangzhouGMT+8
46.105.131.87SpainPontevedraVigoGMT+1
46.105.131.698080SpainPontevedraVigoGMT+1
95.141.175.240443NetherlandsDiemenGMT+1
216.162.104.12350000United StatesMassachusettsBurlingtonEST
94.205.172.987080RomaniaPloiestiGMT+2
222.214.218.1924143ChinaBeijingGMT+8
205.144.212.191United StatesVirginiaAshburnEST
211.115.111.19443AustraliaNew South WalesSydneyGMT+10
78.47.182.428080FranceSaint-denisGMT+1
121.221.143.348080ChinaBaotouGMT+8
157.7.164.238080ThailandGMT+7
86.98.19.67443FranceRennesGMT+1
70.184.197.174United StatesNew JerseyCedar KnollsEST
199.119.78.9443United StatesMissouriSpringfieldCST
187.250.146.185990BrazilGMT-3
71.42.101.146United StatesCaliforniaSeal BeachPST
174.113.155.237United StatesNew MexicoRio RanchoMST
189.194.251.1148080BrazilGMT-3
108.170.54.1718080United StatesCaliforniaIndioPST
149.62.173.247United StatesConnecticutBloomfieldEST
174.106.101.588080United StatesIdahoNampaMST
70.182.9.95443United StatesSouth CarolinaGreenvilleEST
173.175.154.68United StatesNevadaHendersonPST
70.124.45.152443CanadaOntarioBrockvilleEST
216.21.168.27United StatesFloridaOrlandoEST
67.53.103.202United StatesColoradoDenverMST
172.114.12.1868080
72.46.213.222443United StatesNew JerseyBedminsterEST
199.0.205.131443United States
209.182.122.217United StatesOhioColumbusEST
27.50.89.2098080ChinaHebeiGMT+8
50.244.180.57990United StatesArizonaScottsdaleMST
194.88.246.242443Iran, Islamic Republic OfTehranGMT+3.50
70.31.145.050000CanadaBritish ColumbiaVancouverPST
68.97.124.748090United StatesTexasRichardsonCST
71.244.60.2314143United StatesVirginiaStaffordEST
105.226.22.180KenyaGMT+3
71.222.28.66United StatesColoradoAuroraMST
68.132.248.98443United StatesMarylandFrederickEST
142.255.116.2158090United StatesNew YorkNew YorkEST
92.99.75.41443JordanGMT+2
50.27.155.347080CanadaBritish ColumbiaVancouverPST
201.229.10.109BrazilGMT-3
38.29.209.76United StatesDistrict Of ColumbiaWashingtonEST
72.64.155.122United StatesCaliforniaSan JosePST
209.89.46.153United StatesNew JerseyParsippanyEST

Comments

Popular posts from this blog

Major update: Emotet C2i Apr 2019

Emotet has updated the C2 comms in the latest release, going for URIs instead of IPs (root). Here’s a complete list of the current campaign: Emotet C2i: http://51.255.50.164:8080/window/child/ringin/ http://109.104.79.48:8080/cookies/tlb/ http://92.48.118.27:8080/rtm/pnp/ http://197.248.67.226:8080/enabled/forced/ http://181.170.93.38:8080/teapot/balloon/ http://69.163.33.82:8080/glitch/scripts/arizona/ http://192.155.90.90:7080/prov/odbc/arizona/ http://43.229.62.186:8080/teapot/ http://72.47.248.48:8080/sess/cone/ http://209.159.244.240:443/publish/vermont/tlb/ http://197.248.67.226:8080/codec/between/tlb/ http://176.58.93.123:8080/splash/ http://72.47.248.48:8080/sess/glitch/entries/ http://181.170.93.38:8080/schema/free/ http://69.163.33.82:8080/badge/symbols/results/ http://109.73.52.242:8080/results/prov/ http://68.191.37.107/iplk/vermont/sym/merge/ http://154.120.228.126:8080/xian/enabled/sym/merge/ http://136.49.87.106/usbccid/taskbar/enabled/ http://5.9.128.163:8080/json

Grinju Downloader: Anti-analysis (on steroids) | Part 2

  This malware takes anti-analysis and stealth techniques to a new level We took a look at this malware in the Part 1 of this publication. Now let’s carry on with the analysis and dig deeper into the various anti-analysis and stealth-exec features of this malware in Part2. Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju Secondary Macro Code First of all, here’s the entire code that is dumped in the sheet once all the macro functions have been completed. Take a look at these lines and try to figure out what they are meant to do. Then we’ll take a look at the most important of these briefly before moving on to the next section. =CLOSE(FALSE) =FORMULA(LEN(APP.MAXIMIZE())+-459,Sheet1!R18690C129) =FORMULA(LEN(GET.WINDOW(7))+-131,Sheet1!R18691C129) =FORMULA(LEN(GET.WINDOW(20))+-893,Sheet1!R18692C129) =FORMULA(LEN(GET.WINDOW(23)=3)+433,Sheet1!R18693C129) =FORMULA(LEN(GET.WORKSPACE(31))+864,Sheet1!R18694C129) =FORMULA(LEN(GET.WORKSPACE(13)>770)+707,Sheet1!R18

Grinju Downloader: Anti-analysis (on steroids) | Part 1

  This malware takes anti-analysis and stealth techniques to a new level Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju I’ve come across some great anti-analysis code in malware over the years. This one takes the top spot. On that note, let’s get into it, this is a long one! Since this malware employs a very complex structure, I’ve decided to divide the analysis into different sections. I’ll try to keep it as simple as possible but having said that, it really is a very complicated project. Hence, publishing in parts. TLDR: This is a very well-thought and equally well-written malware. There’s no VBA that you can analyse. The values and formulas that are used are spread across the worksheets to thousands of rows. The functions, among other things, are used to close the file, corrupt it and also delete the dropped scripts to make analysis extremely hard. In fact, you cannot analyse this malware without altering the code it self. Along the way, you’ll also