Skip to main content

Emotet: What the hell is it?

If you are into malware/malware analysis, I bet you come across this particular one more than anything else. The thing is, most people don’t necessarily know what Emotet actually is. Or at least the details, as to what type of malware it is and what it actually does.
Some of us in the industry have been known to get a bit riled up occasionally when this malware is being publicly discussed, in regards to the technical details of it.
So I’m going to put down a few thoughts (and I anticipate backlash from those who’ve spent more time on this than me :) for obvious reasons) and hopefully that’ll help us keep the emphasis on the more important tasks (fighting malware).
Emotet is a downloader (I can literally feel temperatures rising in the cyberverse already) — ie. it executes on the victim machine and then connects back to a server somewhere in the cloud (literally) and downloads another malicious executable and then executes it. At this point, its job is pretty much done. Seriously, that’s it for old mate Emotet — from this point on, things become murky.
Now….
Traditionally, or historically, whatever you prefer, Emotet has been downloading a malicious payload that goes by the name of Feodo. It also goes by several other names (eg. Geodo) but let’s not get into that just yet. Feodo is what you could call a ‘final’ payload, which executes on the victim machine and then does bad things to it. Let’s leave it there.
Now what has happened in the past is that we have been calling the entire package as ‘Emotet’ — so basically, the downloader and the final payload. Which is ok… It has mostly been the case, so it doesn’t really matters that much if you only really care about defending against the entire malicious package.
The only problem is, what happens when Emotet starts downloading a different malware for final execution? For example, it has very recently been downloading Trickbot. That changes everything. Or the very least, half of the Emotet story. I’ll let you decide at this point what to do with this love triangle when one the main characters decides to ‘diversify’.
Hope I’ve made things clear. Or not.
Basically, it’s a malware that downloads and executes more malware and we’ve been calling the whole package by the same name. For the most part it has worked, it’s not the end of the world.
Also, the downloader bit is the macro-based VBS code, the final payload is a PE.

Comments

Popular posts from this blog

Major update: Emotet C2i Apr 2019

Emotet has updated the C2 comms in the latest release, going for URIs instead of IPs (root). Here’s a complete list of the current campaign: Emotet C2i: http://51.255.50.164:8080/window/child/ringin/ http://109.104.79.48:8080/cookies/tlb/ http://92.48.118.27:8080/rtm/pnp/ http://197.248.67.226:8080/enabled/forced/ http://181.170.93.38:8080/teapot/balloon/ http://69.163.33.82:8080/glitch/scripts/arizona/ http://192.155.90.90:7080/prov/odbc/arizona/ http://43.229.62.186:8080/teapot/ http://72.47.248.48:8080/sess/cone/ http://209.159.244.240:443/publish/vermont/tlb/ http://197.248.67.226:8080/codec/between/tlb/ http://176.58.93.123:8080/splash/ http://72.47.248.48:8080/sess/glitch/entries/ http://181.170.93.38:8080/schema/free/ http://69.163.33.82:8080/badge/symbols/results/ http://109.73.52.242:8080/results/prov/ http://68.191.37.107/iplk/vermont/sym/merge/ http://154.120.228.126:8080/xian/enabled/sym/merge/ http://136.49.87.106/usbccid/taskbar/enabled/ http://5.9.128.163:8080/json

Grinju Downloader: Anti-analysis (on steroids) | Part 2

  This malware takes anti-analysis and stealth techniques to a new level We took a look at this malware in the Part 1 of this publication. Now let’s carry on with the analysis and dig deeper into the various anti-analysis and stealth-exec features of this malware in Part2. Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju Secondary Macro Code First of all, here’s the entire code that is dumped in the sheet once all the macro functions have been completed. Take a look at these lines and try to figure out what they are meant to do. Then we’ll take a look at the most important of these briefly before moving on to the next section. =CLOSE(FALSE) =FORMULA(LEN(APP.MAXIMIZE())+-459,Sheet1!R18690C129) =FORMULA(LEN(GET.WINDOW(7))+-131,Sheet1!R18691C129) =FORMULA(LEN(GET.WINDOW(20))+-893,Sheet1!R18692C129) =FORMULA(LEN(GET.WINDOW(23)=3)+433,Sheet1!R18693C129) =FORMULA(LEN(GET.WORKSPACE(31))+864,Sheet1!R18694C129) =FORMULA(LEN(GET.WORKSPACE(13)>770)+707,Sheet1!R18

Emotet C2 Network IOC August 2018 Week 4 Campaign

Article by  Vishal Thakur IP Port COUNTRY REGION CITY TIME ZONE 50.33.142.65 United States Texas Dallas CST 173.63.125.138 United States New Jersey EST 67.175.118.157 United States South Carolina Tamassee EST 47.186.71.56 Canada Ontario Ottawa EST 71.12.111.50 443 United States Georgia Moultrie EST 100.16.243.115 443 United States Virginia Ashburn EST 80.89.191.118 United Arab Emirates Dubai GMT+4 104.219.132.28 United States Oklahoma Oklahoma City CST 23.25.247.205 443 United States Massachusetts Cambridge EST 118.244.214.210 443 Korea, Republic Of Seoul GMT+9 212.129.56.179 443 Russian Federation Moscow GMT+3 47.16.187.196 8090 Canada Ontario Ottawa EST 97.68.6.155 8090 United States New Jersey Bedminster EST 71.174.9.241 United States Florida Brandon EST 14.1.39.3 443 China Guangzhou GMT+8 199.119.78.38 443 United States Missouri Springfield CST 71.8.233.246 7080 United States Delaware Seaford EST 108.191.59.73 United States District Of Columbia Washingt