A DEEP DIVE INTO NEW 64 BIT EMOTET MODULES: Emotet increases activity, moves to 64 Bit! | Ping Tech



Emotet is usually delivered through spam campaigns that contain document files. This self-propagating Trojan is a downloader that usually downloads and executes additional payloads. Around January 2021, Emotet operations were reportedly shut down. However, it showed its face again in late 2021. In recent months, Emotet appears to have switched to 64-bit. This blog will focus on the new variant and its differences from previous versions.

ANALYSIS (Latest variant) and differences with previous versions:

Let's discuss the latest variant of Emotet, which has MD5 da045fce83afdcb9920a0a38b279d33d. Here, we can easily see that the first export function is being used.

Fig: 1 DLL export functions (64 bit latest)

The following image shows a compiled Delphi file with high entropy in the resource section, which holds encrypted data.

Fig: 2 Encrypted resource data

Below is an image showing data stored in variables. These values are copied onto the stack.

Fig: 3 Encrypted data stored as variables

This data is decrypted into shellcode in virtually mapped memory, as shown in the image below:

Fig: 4 Decryption loop

Decrypted shellcode

Fig: 5 Decrypted shellcode

This shellcode loads the DLL and resolves the APIs for later use.

Fig: 6 Shellcode loads the DLL and APIs

The encrypted data in the resource section is now decrypted and forms a PE file. Below is the decryption loop for it.

Fig: 7 Decryption loop

Below is the decrypted internal file.

Fig: 8 Internal file decrypted

This decrypted internal file is moved to another virtually mapped memory region without its PE header. This memory is then virtually protected.

Fig: 9 File without PE header

Let's now explore the internal DLL. It has only one export function.

Fig: 10 Internal DLL

This DLL is executed by calling the loader DLL's 1st export, which indirectly calls the internal DLL's 1st export function.

Fig: 11 DLL's 1st export function

Here we see that the highlighted statement [rsp+20] points to the first export of the internal DLL, shown in the figure above (the function RVA as displayed by CFF Explorer).

This DLL uses Control Flow Flattening (CFF) and API hashing to make reverse engineering difficult.

In this technique, the code is flattened: multiple statements are placed inside a loop containing a single switch statement, and that switch controls the flow of the program.

Fig: 12 Control Flow Flattening technique
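As an added illustration (not code from the analysed sample), the same small routine is shown written plainly and then in control-flow-flattened form, which is what the dispatcher loop in the Emotet DLL looks like to an analyst; the checksum function and the state constants are constructed for this example.

```python
# Straight-line version: the control flow reads top to bottom and a
# decompiler shows the loop and the if/else as a normal graph.
def checksum_plain(data: bytes) -> int:
    acc = 0
    for b in data:
        if b & 1:
            acc = (acc + b) & 0xFFFFFFFF
        else:
            acc = (acc ^ (b << 3)) & 0xFFFFFFFF
    return acc


# Flattened version: every basic block becomes one case of a single switch
# inside one loop, and a state variable (not the program structure) decides
# which block runs next. The graph collapses into a single dispatcher hub.
def checksum_flattened(data: bytes) -> int:
    # Dispatcher states; real obfuscators use large opaque constants so that
    # nothing in the switch reveals the original block order. Values constructed.
    HEAD, LOAD, ODD, EVEN, NEXT, DONE = 0x3A1F, 0x5C02, 0x1188, 0x7E43, 0x2B97, 0x0D6E
    state, i, acc, b = HEAD, 0, 0, 0
    while state != DONE:          # the single loop...
        if state == HEAD:         # ...with one switch choosing the next block
            state = LOAD if i < len(data) else DONE
        elif state == LOAD:       # load byte, pick the odd/even branch
            b = data[i]
            state = ODD if b & 1 else EVEN
        elif state == ODD:
            acc = (acc + b) & 0xFFFFFFFF
            state = NEXT
        elif state == EVEN:
            acc = (acc ^ (b << 3)) & 0xFFFFFFFF
            state = NEXT
        elif state == NEXT:       # loop increment, back to the header
            i += 1
            state = HEAD
    return acc
```

Both functions compute the same value for any input; only the shape of the control flow differs, which is the point of the obfuscation.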

It creates a copy of the loader DLL (MD5: da045fce83afdcb9920a0a38b279d33d) with a random name in a randomly named folder under %Appdata% and then runs from that location.

By setting a breakpoint on jmp rax we can obtain all the C2s and the APIs used in the communication; they are stored encoded inside the file and decrypted at runtime.

These new Emotet samples use the Bcrypt crypto functions, which are part of bcrypt.dll. Earlier variants used the advapi32.dll crypt functions.

The malware collects information such as computer name, volume ID, version information, execution path, etc., and sends it to the C2. This transmitted data is encrypted using ECC (Elliptic Curve Cryptography). In the earlier samples, RSA was used.

By looking at the key, we identify that this sample belongs to Epoch5, which has a common encryption key across all samples. Let us now look at the encryption process and C2 communication:

  1. BCryptFinalizeKeyPair: the ECC key pair is finalized
  2. BCryptExportKey: the generated key is exported to a memory blob
  3. BCryptSecretAgreement: the AES key is generated based on the secret agreement between the malware and the C2
  4. BCryptDeriveKey: derives a key from the secret agreement value using SHA256 as the KDF
  5. BCryptGetProperty: retrieves a property of a CNG object
  6. BCryptImportKey: imports the memory blob key
  7. BCryptCloseAlgorithmProvider: closes the algorithm provider handle
  8. BCryptDestroySecret: destroys the secret generated by BCryptSecretAgreement

Fig: 13 ECDH Public Key

Summarizing the steps:

  1. The ECDH public key (ECK1 curve) is decrypted and used to encrypt the data sent, and ECDSA (ECS1 curve) is used for data verification
  2. A secret agreement is generated between the malware and the C2. This agreement value is created from the public and private keys of ECDH
  3. The AES key is derived from the secret agreement value using SHA256 as the KDF
  4. The message to be sent is constructed and a hash value is generated.
  5. The hash value, together with the message, is encrypted using AES256
  6. Data consisting of the ECK1 public key, the AES data, and random bytes is base64 encoded and sent.

Fig: 14
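The ECK1/ECS1 tags in the BCrypt step list and the summary above are the magic values of the CNG BCRYPT_ECCKEY_BLOB that BCryptExportKey produces and that an analyst carves from memory to identify the epoch key. The following parser is an added example, not code from the page or the sample: it decodes such a blob, rejects carving false positives by checking that the point lies on P-256, and fingerprints the key for comparison across samples. The blob fed to it is constructed from the public P-256 base point; the real Epoch5 key is not reproduced here.

```python
import hashlib
import struct

# BCRYPT_ECCKEY_BLOB layout (bcrypt.h): ULONG dwMagic, ULONG cbKey, then the
# big-endian X and Y coordinates, cbKey bytes each. The magic is the ASCII tag
# read as a little-endian DWORD; ECK1/ECS1 from the page are the P-256 pair.
ECC_MAGIC = {
    0x314B4345: ("ECDH", "P-256"),   # 'ECK1'
    0x334B4345: ("ECDH", "P-384"),   # 'ECK3'
    0x354B4345: ("ECDH", "P-521"),   # 'ECK5'
    0x31534345: ("ECDSA", "P-256"),  # 'ECS1'
    0x33534345: ("ECDSA", "P-384"),  # 'ECS3'
    0x35534345: ("ECDSA", "P-521"),  # 'ECS5'
}
# NIST P-256 field prime, coefficient b and base point G (FIPS 186-4).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

def parse_ecc_blob(blob: bytes) -> dict:
    """Parse a CNG ECC public key blob carved from a memory dump."""
    if len(blob) < 8:
        raise ValueError("too short for a BCRYPT_ECCKEY_BLOB header")
    magic, cb_key = struct.unpack_from("<II", blob, 0)
    if magic not in ECC_MAGIC:
        raise ValueError(f"unknown ECC blob magic 0x{magic:08x}")
    if len(blob) != 8 + 2 * cb_key:
        raise ValueError("blob length does not match cbKey")
    alg, curve = ECC_MAGIC[magic]
    return {"tag": blob[:4].decode("ascii"), "alg": alg, "curve": curve, "size": cb_key,
            "x": int.from_bytes(blob[8:8 + cb_key], "big"),
            "y": int.from_bytes(blob[8 + cb_key:], "big")}

def on_p256_curve(x: int, y: int) -> bool:
    """Reject carving false positives: a real point satisfies y^2 = x^3 - 3x + b (mod p)."""
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0

def key_fingerprint(key: dict) -> str:
    """SHA-256 over X||Y: a stable id for matching the embedded key across samples."""
    raw = key["x"].to_bytes(key["size"], "big") + key["y"].to_bytes(key["size"], "big")
    return hashlib.sha256(raw).hexdigest()

def make_blob(tag: bytes, x: int, y: int, size: int = 32) -> bytes:
    """Build a constructed sample blob (used here instead of a real Epoch5 key)."""
    return tag + struct.pack("<I", size) + x.to_bytes(size, "big") + y.to_bytes(size, "big")
```

Because the fingerprint covers only the coordinates, an ECK1 and an ECS1 blob carrying the same point produce the same id, which makes it easy to spot a key reused across epochs or between the ECDH and ECDSA roles.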

List of decrypted C2s:


IOC

da045fce83afdcb9920a0a38b279d33d

Detections

Trojan.Emotet.S28135758

Conclusion:

Emotet has evolved and become more powerful since its return. Among other things, it changed from 32-bit to 64-bit, used CFF in conjunction with API hashing, and changed its encryption mechanism from RSA to ECC. It also uses the crypt APIs from bcrypt.dll, whereas previously it used ADVAPI.DLL. It remains among the top malware families that lead to further malware infections.

Tejaswini Sandapolla
