A few days ago, this tweet by @w3ndige came across my feed:
FINALLY. Something that isn’t Emotet! Thought I’d take a look at it and see what it looks like under the hood. It did not disappoint.
If you’d like to play along, the document can be found here.
After extracting the macros, I noticed that there were more of them than in a typical Emotet document. And two of them were rather large.
A cursory look at the files shows them to be heavily obfuscated. There’s just garbage all over the place.
However, some of those strings kind of look like they are base64 encoded. This means it is worth paying attention to them and seeing how they’re being used. We can do this by following the variables and seeing where they lead us.
And it ends up in a line with a ‘ShellExecute’? Looks like we definitely want to pay attention to that.
At this point we can go one of two ways. We could open Process Hacker and use that to monitor what happens when we open the document and ‘enable content’. Some new process should start up. Emotet uses WmiPrvSE.exe so I’d be surprised if this one did, too. It could also be a child process of WINWORD.EXE. PowerShell, perhaps? CMD.EXE? Once something pops up we could double-click on that process to see what command line is being run with it.
Or we could open the document and inspect the macros using Microsoft Visual Basic for Applications. We could then set a breakpoint on the line with “Document.Application.ShellExecute”, run the macro and wait for it to stop at the breakpoint. This will allow us to inspect the variables and see how this command is being run. Doing so gives us the output below.
And what do we see? Looks like some base64 encoded fun to me.
lpZlNxkkO.Document.Application.ShellExecute powershell.exe -enco JAB4A...
However, that’s not the whole line of base64. It seems to me that the rest of that line (with all of the StrReverse, nested functions, and a ton of 3’s) will create the remainder of it. Feel free to step through the rest of those nested functions by pressing F8 a couple hundred times.
As I mentioned earlier, you can just enable macros and wait for something to pop up. In this case it is PowerShell. Just double-click on it and you’ll see the full command line.
The first thing I noticed about that string is that it is about twice as long as your typical encoded Emotet string.
But a little CyberChef later (‘From Base64’ + ‘Remove null bytes’) and you get this output. As usual, there are a bunch of extra lines of garbage. But we can see that the URL pops out.
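The decoding step above, as a worked example added here (not code from the original post): it reproduces ‘From Base64’ + ‘Remove null bytes’ in Python by treating the -enco argument as UTF-16LE, which is also why the blob is about twice as long as an ASCII one, and then pulls the URLs out of the result. The encoded command and its URL are constructed placeholders, not the indicator from the document.

```python
import base64
import re

# Constructed sample (not from the document): a harmless PowerShell one-liner encoded
# the way the -enco (-EncodedCommand) switch expects, UTF-16LE text then base64.
# The URL is a placeholder, not an indicator from the analysed sample.
SAMPLE_COMMAND = '$u = "http://example.invalid/placeholder.bin"; Write-Output $u'
SAMPLE_ENCODED = base64.b64encode(SAMPLE_COMMAND.encode("utf-16le")).decode("ascii")
SAMPLE_CMDLINE = f"powershell.exe -nop -w hidden -enco {SAMPLE_ENCODED}"

URL_RE = re.compile(r"https?://[^\s'\"<>;)]+")


def extract_encoded_argument(cmdline: str) -> str:
    """Return the base64 blob that follows the -EncodedCommand switch.

    PowerShell accepts any unambiguous prefix of the switch name (-e, -enc, -enco, ...),
    so every switch token that is a prefix of 'encodedcommand' is accepted here.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok[1:].lower()
        if tok[0] in "-/" and name and "encodedcommand".startswith(name):
            return tokens[i + 1]
    raise ValueError("no -EncodedCommand switch found")


def decode_encoded_command(blob: str) -> str:
    """Decode a -EncodedCommand blob to text (CyberChef 'From Base64' + 'Remove null bytes')."""
    # A blob copied out of a debugger may be cut short (like the 'JAB4A...' above);
    # drop the incomplete trailing base64 group so the rest still decodes.
    blob = blob[: len(blob) // 4 * 4]
    raw = base64.b64decode(blob, validate=True)
    # The text is UTF-16LE, which is why every other byte is null and the encoded
    # string is roughly twice the length of a plain-ASCII base64 blob.
    if len(raw) % 2:
        raw = raw[:-1]
    return raw.decode("utf-16le", errors="replace")


def find_urls(text: str) -> list:
    """Pull URLs out of the decoded script text, the part an analyst looks for first."""
    return URL_RE.findall(text)


def analyze_cmdline(cmdline: str) -> dict:
    """Decode an encoded PowerShell command line and report the URLs it contains."""
    decoded = decode_encoded_command(extract_encoded_argument(cmdline))
    return {"decoded": decoded, "urls": find_urls(decoded)}


if __name__ == "__main__":
    print(analyze_cmdline(SAMPLE_CMDLINE))
```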
The rest of the code isn’t overly complicated. But it is beneficial to go through it so we can see how the downloaded executable gets renamed, where it lands, and how it gets executed. Here’s the code all cleaned up. I found the use of regsvr32.exe to be unusual.
Here’s the downloaded executable being run in Any.run (please excuse my lame typing). Any.run calls it Ursnif/Gozi, but @W3ndige believes that it is Dreambot as the configuration uses TOR DLL entries. For a more thorough write-up of Dreambot, I’ll direct you to @W3ndige’s blog where he looks at a sample from 11.13.2019. In my opinion, it is a very well done write-up.
Thanks for reading!