Malicious Document Analysis: Emotet Case II

We continue to investigate the Emotet case file and implement our DFIR capabilities on other file formats.

It is recommended that you read the previous one before continuing with this article:

Malicious Document Analysis: Emotet Case I

So let’s continue examining the evidence we have.

Our target proof and file is a .bin this time: 3537ad7979bdcd294c534ed3fa174b34_Uwp2XxU2yzt21weDcM2.bin

Let’s take a brief look at the file scope. Identify file.

output

We have PE32 executable (DLL) (GUI) Intel 80386, for MS Windows.

Extract detailed metadata: exiftool 3537ad7979bdcd294c534ed3fa174b34_Uwp2XxU2yzt21weDcM2.bin

output

We started to explore the working mechanism of this .bin file.

The target MD hash value of the file is 3537ad7979bdcd294c534ed3fa174b34

Let’s check how this is signed by the community: malwoverview.py -b 1 -B 3537ad7979bdcd294c534ed3fa174b34

output

We couldn’t get any results on Shell. Let’s search online.

output

As you guessed, it is a file signed as malicious by many vendors.

We obtained another hash value 1b65600b49360f09e49fc647946e0155c9c033d8fdd5d3f5b5ba6a0df9ddcafa

Note this.

Now we will use capa tool: capa 3537ad7979bdcd294c534ed3fa174b34_Uwp2XxU2yzt21weDcM2.bin

output

output

output

output

Here we have obtained some characteristic approaches of the mechanism.

General Information:

• MD5: 3537ad7979bdcd294c534ed3fa174b34
• SHA1: 81fc323066208c9ef00b09016495c668a33b0e95
• SHA256: 1b65600b49360f09e49fc647946e0155c9c033d8fdd5d3f5b5ba6a0df9ddcafa
• Operating System: Windows
• Format: Portable Executable (PE)
• Architecture: i386 (32-bit)

There are also ATT&CK Techniques points.

• Defense Evasion:Obfuscated Files or Information (T1027): Indicates the file uses some form of obfuscation to evade detection.
• Execution:Shared Modules (T1129): The file may utilize shared modules to execute code.

In this way, you can find out how this malicious file infiltrates systems.

Look at MBC (Malware Behavior Catalog) behaviors:

Anti-Behavioral Analysis:

• Debugger Detection::Software Breakpoints (B0001.025): The file checks for the presence of debuggers, likely to thwart analysis efforts.

Data:

• Compression Library (C0060): Indicates the use of a compression library (such as ZLIB).
• Encode Data::XOR (C0026.002): The file uses XOR encoding, which is a common technique to obfuscate data.

Defense Evasion:

• Hijack Execution Flow::Import Address Table (IAT) Hooking (F0015.003): The file manipulates the IAT to redirect execution flow.
• Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02): Uses standard encoding algorithms for obfuscation.

Memory:

• Allocate Memory (C0007): The file allocates memory dynamically, potentially for code injection.

It also has a wide range of capabilities.

Debugger Detection:

• Check for Software Breakpoints: Indicates anti-debugging techniques to detect if the code is being debugged.

Data Manipulation:

• Encode Data Using XOR: Three matches suggest extensive use of XOR encoding to obfuscate data.

Memory Manipulation:

• Allocate RWX Memory: Two matches indicate the allocation of memory with read, write, and execute permissions, often used for code injection.

Runtime Linking:

• Link Function at Runtime on Windows: The file dynamically links functions at runtime, which can help evade static analysis.
• Rebuild Import Table: Reconstructs the IAT, another technique for evading detection and analysis.

Static Linking:

• Linked Against ZLIB: Indicates the use of the ZLIB compression library.

PE Parsing:

• Parse PE Header: Two matches suggest the file reads its own PE header, which can be part of obfuscation or anti-analysis techniques.

Now extracts readable strings from the binary to identify any URLs, IP addresses, file paths, or other indicators: strings 3537ad7979bdcd294c534ed3fa174b34_Uwp2XxU2yzt21weDcM2.bin > strings_bin_file.txt

output

Let’s see what we have.

output

output

output

output

output

output

We have shared some of the outputs, this produces a rather long result. There are many questionable points.

Let’s get a detailed and clean result with the peframe tool: peframe 3537ad7979bdcd294c534ed3fa174b34_Uwp2XxU2yzt21weDcM2.bin

output

output

output

output

As you can see, this attack mechanism has been planned in detail in many contexts.

• IsDebuggerPresent, GetLastError, RaiseException, TerminateProcess, UnhandledExceptionFilter, IsProcessorFeaturePresent: These functions are often used to detect and evade debuggers.
• The use of XOR and file operations suggests the malware may attempt to obfuscate data and interact with the filesystem.
• CRC32: Indicates the use of CRC32 checksums, likely for integrity checks.
• .text and .reloc sections show high entropy, which suggests obfuscation or packing.
• Imports from KERNEL32.dll: Common Windows API calls for process and memory management.
• Export Function: DllRegisterServer indicates this binary might be a DLL.

Let’s use the pecheck tool and obtain information with another method: pecheck 3537ad7979bdcd294c534ed3fa174b34_Uwp2XxU2yzt21weDcM2.bin

This tool can provide slightly more in-depth details. We have shared some outputs below.

output

output

output

output

output

You should analyze in detail every information you obtain here.

Let’s take a look at the GUI using Cutter: cutter 3537ad7979bdcd294c534ed3fa174b34_Uwp2XxU2yzt21weDcM2.bin

output

You see the information we have captured on the shell so far more clearly.

output

output

output

output

output

We won’t go into disassembly analysis in this article, it also requires assembly language knowledge. This is the subject of another article.

We have seen many obfuscation approaches on the strings part.

Let’s look at how to focus on these.

Use: xxd 3537ad7979bdcd294c534ed3fa174b34_Uwp2XxU2yzt21weDcM2.bin

output

Scan the file for embedded files and executable code: binwalk 3537ad7979bdcd294c534ed3fa174b34_Uwp2XxU2yzt21weDcM2.bin

output

Navigate it: _d67193e7b4806640105a117a020ab6b0.xlsm.bin.extracted/

output

Output

When we identified the files here, we captured the EXCEL file.

Now we use xorsearch tool: xorsearch 3537ad7979bdcd294c534ed3fa174b34_Uwp2XxU2yzt21weDcM2.bin http

XOR encoding is a simple method used to obfuscate strings. Typically, XOR decryption involves XORing each byte of the encoded string with a specific key or byte pattern to retrieve the original plaintext. You can decode this XOR encoded string using a script or tool that XORs each byte of the string with a specific key or byte sequence.

With this query we are looking for sections containing “http”.

output

Now search for “cmd”: xorsearch 3537ad7979bdcd294c534ed3fa174b34_Uwp2XxU2yzt21weDcM2.bin cmd

output

Have you seen how much evidence we have?

You can also use this XOR python code:

encoded_string = b'http.wd}httd.wd~htth.wdnhtt\\.wdOhtt4.wduTtt$.wd}Tt'
xor_key = 0x74  # Replace with the XOR key found (in hexadecimal)

decoded_string = ''.join(chr(byte ^ xor_key) for byte in encoded_string)
print(decoded_string)

We’ve identified various XOR, ROT (Rotation), and ADD patterns within the binary file. These patterns can indicate different forms of obfuscation or encoding used in the binary, potentially to hide strings or commands.

• XOR Encoding: XOR (exclusive OR) encoding is a basic form of encryption where each byte of the plaintext is XORed with a specific key value. The key value can vary, and finding these patterns (Found XOR) suggests areas where XOR decoding might reveal meaningful strings or commands.
• ROT (Rotation) Encoding: ROT encoding involves shifting each letter in the plaintext by a certain number of positions down the alphabet. For example, ROT 01 shifts each letter one position forward (‘a’ becomes ‘b’, ‘b’ becomes ‘c’, etc.). Your findings (Found ROT) indicate areas where such rotations might be applied.
• ADD Encoding: ADD encoding typically involves adding a constant value to each byte of the plaintext. This can also be used for obfuscation purposes. Your findings (Found ADD) suggest locations where such additions are detected.

You can also use this XOR python code in decoding operations. Remember, you need a key to decode them.

# Example XOR decoding script
encoded_string = b'cmd&...awcu`cmd&...awb`mm&.auxqdng&....amnb`m!ru`u'
xor_key = 0x01  # Replace with the XOR key found (in hexadecimal)

decoded_string = ''.join(chr(byte ^ xor_key) for byte in encoded_string)
print(decoded_string)

This stage carries some risks, you should make sure that you perform these tests and analyzes in a safe laboratory environment.

First, let’s authorize this malicious .bin file: chmod +x 3537ad7979bdcd294c534ed3fa174b34_Uwp2XxU2yzt21weDcM2.bin

Trace system calls made by the binary: strace ./3537ad7979bdcd294c534ed3fa174b34_Uwp2XxU2yzt21weDcM2.bin

output

The strace output indicates that the binary file 3537ad7979bdcd294c534ed3fa174b34_Uwp2XxU2yzt21weDcM2.bin attempts to perform several actions. Don’t forget to install the requirements here.

• The binary attempts to load several libraries (libpipeline.so.1, libc.so.6) and accesses the dynamic linker cache (/etc/ld.so.cache).
• The binary uses anti-debugging techniques by calling functions like IsDebuggerPresent and UnhandledExceptionFilter.
• The binary accesses several files in the /var/lib/binfmts directory, which is related to the registration of binary format handlers.

Don’t give up on hacking.

Code for good.

^-^