Skip to main content

Emotet C2 Network IOC September 2018 Week 1 Campaign


IPPortCountryStateCity
184.191.59.24United StatesTexasPadre Island Ntl Seashor
98.5.202.134United StatesWashingtonBainbridge Island
174.64.65.21United StatesKansasPark
62.75.143.128SwitzerlandGeneve
199.119.78.38443United StatesMissouriSpringfield
95.141.175.240443NetherlandsDiemen
130.180.10.18United StatesVirginiaVirginia Beach
85.100.125.179443GermanyNordrhein-westfalenHuerth
118.244.214.210Korea, Republic OfSeoul
63.141.2.1168443United StatesVirginiaAshburn
157.7.164.23Thailand
81.151.15.1098443SpainBarcelonaBarcelona
199.119.78.23United StatesMissouriSpringfield
216.74.200.97United StatesSouth CarolinaRock Hill
190.86.177.1577080ArgentinaBuenos Aires
85.246.79.84SpainMadridMadrid
211.115.111.19443AustraliaNew South WalesSydney
106.187.52.135ChinaTianjin
105.184.68.1108080Egypt
84.200.106.1208080TurkeyIstanbul
199.119.78.9443United StatesMissouriSpringfield
69.198.17.7CanadaBritish ColumbiaSurrey
78.47.182.428080FranceSaint-denis
104.220.90.107United States
207.112.18.150United StatesIowaAgency
85.104.57.45Russian FederationMoscow
106.68.9.337080JapanTokyo-toTokyo
138.201.197.13CanadaOntarioToronto
222.214.218.1924143ChinaBeijing
81.215.200.158FranceCesson
98.5.202.134United StatesWashingtonBainbridge Island
146.185.170.222United StatesWisconsinRacine
70.168.211.61United StatesSouth CarolinaGreenville
98.5.202.134United StatesWashingtonBainbridge Island
64.68.15.56990United StatesCalifornia
148.74.143.194United StatesConnecticutRidgefield
108.52.190.19United StatesGeorgiaAtlanta
75.76.172.226United StatesNew JerseyBedminster

Comments

Popular posts from this blog

Major update: Emotet C2i Apr 2019

Emotet has updated the C2 comms in the latest release, going for URIs instead of IPs (root). Here’s a complete list of the current campaign: Emotet C2i: http://51.255.50.164:8080/window/child/ringin/ http://109.104.79.48:8080/cookies/tlb/ http://92.48.118.27:8080/rtm/pnp/ http://197.248.67.226:8080/enabled/forced/ http://181.170.93.38:8080/teapot/balloon/ http://69.163.33.82:8080/glitch/scripts/arizona/ http://192.155.90.90:7080/prov/odbc/arizona/ http://43.229.62.186:8080/teapot/ http://72.47.248.48:8080/sess/cone/ http://209.159.244.240:443/publish/vermont/tlb/ http://197.248.67.226:8080/codec/between/tlb/ http://176.58.93.123:8080/splash/ http://72.47.248.48:8080/sess/glitch/entries/ http://181.170.93.38:8080/schema/free/ http://69.163.33.82:8080/badge/symbols/results/ http://109.73.52.242:8080/results/prov/ http://68.191.37.107/iplk/vermont/sym/merge/ http://154.120.228.126:8080/xian/enabled/sym/merge/ http://136.49.87.106/usbccid/taskbar/enabled/ http://5.9.128.163:8080/json

Grinju Downloader: Anti-analysis (on steroids) | Part 2

  This malware takes anti-analysis and stealth techniques to a new level We took a look at this malware in the Part 1 of this publication. Now let’s carry on with the analysis and dig deeper into the various anti-analysis and stealth-exec features of this malware in Part2. Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju Secondary Macro Code First of all, here’s the entire code that is dumped in the sheet once all the macro functions have been completed. Take a look at these lines and try to figure out what they are meant to do. Then we’ll take a look at the most important of these briefly before moving on to the next section. =CLOSE(FALSE) =FORMULA(LEN(APP.MAXIMIZE())+-459,Sheet1!R18690C129) =FORMULA(LEN(GET.WINDOW(7))+-131,Sheet1!R18691C129) =FORMULA(LEN(GET.WINDOW(20))+-893,Sheet1!R18692C129) =FORMULA(LEN(GET.WINDOW(23)=3)+433,Sheet1!R18693C129) =FORMULA(LEN(GET.WORKSPACE(31))+864,Sheet1!R18694C129) =FORMULA(LEN(GET.WORKSPACE(13)>770)+707,Sheet1!R18

Grinju Downloader: Anti-analysis (on steroids) | Part 1

  This malware takes anti-analysis and stealth techniques to a new level Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju I’ve come across some great anti-analysis code in malware over the years. This one takes the top spot. On that note, let’s get into it, this is a long one! Since this malware employs a very complex structure, I’ve decided to divide the analysis into different sections. I’ll try to keep it as simple as possible but having said that, it really is a very complicated project. Hence, publishing in parts. TLDR: This is a very well-thought and equally well-written malware. There’s no VBA that you can analyse. The values and formulas that are used are spread across the worksheets to thousands of rows. The functions, among other things, are used to close the file, corrupt it and also delete the dropped scripts to make analysis extremely hard. In fact, you cannot analyse this malware without altering the code it self. Along the way, you’ll also