Month: May 2017

• SHA256:  d58e284f53366f2545816878942dafc3a0a14a1ab5d7abaeaf028d3ac80acfd8
• File Size:  384,070 bytes
• Config Source: GitHub

05-30-2017 – Kovter config (defanged):

• cp1::115[.]141[.]144[.]155:80>196[.]18[.]220[.]197:80>111[.]181[.]22[.]130:80>241[.]191[.]106[.]196:80>101[.]232[.]174[.]116:80>27[.]165[.]58[.]104:80>115218[.]212[.]4:80>23[.]199[.]135[.]243:80>171[.]98[.]66[.]193:80>87[.]179[.]163[.]192:8080>246[.]38[.]96[.]164:80>188[.]191[.]63[.]246:80>134[.]105[.]3[.]91:80>120[.]114[.]52[.]254:80>192[.]170[.]199[.]3:80>171[.]89[.]31[.]78:80>150[.]68[.]63[.]246:80>178[.]168[.]24[.]168:53856>158[.]18[.]210[.]249:8080>74[.]107[.]177[.]73:80>114[.]242[.]151[.]116:8080>66[.]205[.]125[.]144:80>19[.]212[.]37[.]10:8080>253[.]187[.]101[.]22:443>53[.]180[.]117[.]7:80>243[.]81[.]24[.]164:443>231[.]23[.]140[.]126:80>234[.]192[.]88[.]104:80>62[.]123[.]36[.]99:80>224[.]97[.]64[.]69:80>163[.]121[.]42[.]25:80>214[.]12[.]208[.]238:80>106[.]213[.]198[.]246:443>81[.]225[.]20[.]169:80>100[.]230[.]196[.]136:80>72[.]105[.]170[.]136:80>32[.]43[.]40[.]74:443>167[.]32[.]78[.]120:80>253[.]226[.]227[.]196:80>55[.]22[.]186[.]75:8080>4[.]175[.]165[.]200:443>238[.]16[.]160[.]152:80>78[.]184[.]194[.]117:80>6[.]29[.]34[.]83:80>47[.]81[.]119[.]19:80>89[.]42[.]251[.]164:443>190[.]147[.]231[.]186:20631>190[.]14[.]254[.]34:80>59[.]180[.]151[.]107:443>191[.]242[.]204[.]19:80>78[.]135[.]99[.]179:8080>108[.]83[.]139[.]121:50409>96[.]86[.]187[.]121:8080>191[.]102[.]111[.]166:80>190[.]183[.]222[.]157:443>80[.]82[.]69[.]181:443>80[.]74[.]43[.]10:80>233[.]14[.]68[.]142:80>123[.]125[.]229[.]28:8080>125[.]106[.]204[.]63:80>206[.]68[.]251[.]239:8080>144[.]31[.]232[.]8:80>253[.]87[.]122[.]41:80>16[.]18[.]110[.]83:80>68[.]206[.]29[.]41:443>166[.]84[.]253[.]228:27645>203[.]41[.]47[.]186:80>190[.]216[.]168[.]197:443>166[.]29[.]132[.]206:80>147[.]223[.]235[.]230:80>47[.]181[.]156[.]88:80>204[.]53[.]242[.]202:443>38[.]149[.]12[.]84:8080>203[.]19[.]41[.]116:80>50[.]27[.]244[.]182:8080>73[.]200[.]93[.]47:37764>140[.]228[.]227[.]227:80>176[.]225[.]118[.]123:80>155[.]17[.]207[.]239:443>155[.]2[.]137[.]15:80>186[.]41[.]206[.]113:8080>65[.]185[.]217[.]157:80>42[.]204[.]6[.]14:25257>182[.]238[.]197[.]49:80>97[.]65[.]129[.]80:443>28[.]82[.]42[.]43:443>228[.]84[.]250[.]85:80>59[.]15[.]63[.]216:80>2[.]195[.]102[.]15:35099>28[.]253[.]215[.]77:80>56[.]141[.]49[.]136:443>77[.]217[.]88[.]119:80>61[.]202[.]1[.]145:80>60[.]159[.]111[.]21:80>207[.]23[.]89[.]54:80>107[.]82[.]35[.]66:80>210[.]122[.]43[.]3:443>89[.]79[.]219[.]177:80>225[.]237[.]145[.]225:443>193[.]30[.]31[.]48:80>180[.]255[.]73[.]13:80>111[.]119[.]134[.]146:80>36[.]100[.]51[.]79:443>52[.]168[.]182[.]15:80>125[.]240[.]72[.]14:80>198[.]206[.]239[.]228:8080>152[.]253[.]107[.]165:25334>218[.]28[.]185[.]108:80>221[.]208[.]7[.]44:8080>59[.]212[.]237[.]74:80>107[.]58[.]118[.]121:80>60[.]72[.]251[.]33:80>30[.]184[.]68[.]137:80>119[.]99[.]121[.]48:80>78[.]13[.]158[.]85:8080>213[.]143[.]14[.]195:80>60[.]46[.]19[.]177:8080>31[.]236[.]237[.]26:443>52[.]56[.]197119:80>35[.]238[.]35[.]156:443>240[.]233[.]42[.]143:80>99[.]101[.]205[.]112:80>167[.]171[.]86[.]185:80>251[.]216[.]73[.]233:80>29[.]42[.]27[.]148:33314>130[.]13[.]216[.]160:29549>202[.]140[.]1[.]45:50350>156[.]25[.]117[.]71:52187>47[.]163[.]106[.]7:80>248[.]65[.]112[.]35:32961>5[.]12[.]152[.]135:80>113[.]39[.]21[.]52:80>52[.]29[.]146[.]2:45167>170[.]118[.]255[.]24:443>163[.]129[.]171[.]142:443>164[.]206[.]68[.]198:8080>73[.]210[.]194[.]207:80>245[.]254[.]102[.]229:27968>154[.]2[.]50[.]155:443>219[.]18[.]186[.]243:443>93[.]116[.]98[.]235:443>7[.]186[.]140[.]204:80>212[.]158[.]166[.]163:8080
• ::cp1cptm::30
• ::cptmkey::a7887cc809cf0d4df17fc5dafd03e4e7
• ::keypass::65537::14406956202432696895736687188870795120627810060521362506850484529030787594235120234766403835925237875846638182799042644968600828041687576473785309015583662674951850437472487005879034960457006816565767874695988027974576743932237265685020252660393389625334454679973629213573098262335995899485490056715516541958306441081242373821925283273321477043778370261979951264345823069930049370001653689660526979663070957005463434715672722806350258573076246621922111133674162280380209038690713958217862705956100034284655680232375254753873913420277723177446168453669813713305530603681181107716902002186628301583597468419118033906489
• ::passdebug::0
• ::debugelg::1
• ::elgdl_sl::0
• ::dl_slb_dll::0
• ::b_dllnonul::hxxp://185[.]117[.]72[.]90/upload2[.]php
• ::nonuldnet32::hxxp://download[.]microsoft[.]com/download/0/8/c/08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86[.]exe
• ::dnet32dnet64::hxxp://download.microsoft.com/download/9/8/6/98610406-c2b7-45a4-bdc3-9db1b1c5f7e2/NetFx20SP1_x64[.]exe
• ::dnet64pshellxp::hxxp://download[.]microsoft[.]com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG[.]exe
• ::pshellxppshellvistax32::hxxp://download[.]microsoft[.]com/download/A/7/5/A75BC017-63CE-47D6-8FA4-AFB5C21BAC54/Windows6[.]0-KB968930x86[.]msu
• ::pshellvistax32pshellvistax64::hxxp://download[.]microsoft[.]com/download/3/C/8/3C8CF51E-1D9D-4DAAAAEA-5C48D1CD055C/Windows6[.]0-KB968930-x64[.]msu
• ::pshellvistax64pshell2k3x32::hxxp://download[.]microsoft[.]com/download/1/1/7/117FB25C-BB2D-41E1-B01E-0FEB0BC72C30/WindowsServer2003-KB968930-x86-ENG[.]exe
• ::pshell2k3x32pshell2k3x64:hxxp://download[.]microsoft[.]com/download/B/D/9/BD9BB1FF-6609-4B10-9334-6D0C58066AA7/WindowsServer2003-KB968930-x64-ENG[.]exe
• ::pshell2k3x64cl_fv::24
• ::cl_fvfl_fu::hxxps://fpdownload[.]macromedia[.]com/get/flashplayer/current/licensing/win/install_flash_player_24_active_x[.]exe
• ::fl_fumainanti::DD1D:1:DD1DDD2D:1:DD2DDD3D:1:DD3DDD4D:1:DD4DDD5D:0:DD5DDD6D:1:DD6DDD7D:1:DD7DDD8D:1:DD8DDD9D:1:DD9DDD10D:1:DD10DDD11D:0:DD11DDD12D:1:DD12DDD13D:1:DD13DDD14D:1:DD14DDD15D:1:DD15DDD16D:1:DD16DDD17D:0:DD17Dal:hxxp://185[.]117[.]72[.]90/upload[.]php:al::mainanti

• 9bb033dc2815798cd2c8b1a496c319a190a29ca59ea1053ab0b6fcf809630036
• 33441312c20fbeccffceb522e626aa47366a966c48be537d82d4ecc60858d14c
• 3d41a652e368875bdf55653dc4c43237f4b0eb70c028fe43454be02309cfc11b
• ff25f74c91530371232bb7f5350d14252499de9a748a5e76d4b40959e64cfd30
• 8102bda902667eabb34ebaf84f6ff15fb01804811c4b5bc4d6ac1a3871ea985a
• ae8ef4600413adc25b32d202a8e2a4042650c234cde969251861b9ea2b2391f9
• f5b8507645d9a2b672515bc990d149566e6272802c339219c2bd9e0ee19a1b88
• 38a7f6b64f72c9202489b7e028a65f19cf0ff7008de7330e9f6154223e7dda78
• df277353e4ec5d69a24b570f31fbc2376f35e6e18457d1985f556efee633456c

Emotet creates an identical process as “CREATE_SUSPENDED,” injects itself into it via WriteProcessMemory, launches the new ResumeThread and kills the main process.

Dynamic Analysis: Emotet Trojan
+ Utilizes dynamic API loading via GetProcAddress
+ Implements self-kill routine via CreateThread with WriteProcessMemory
+ Creates multiple suspended threads and writes malware into them using WriteProcessMemory
+ Creates persistency as a QuotaSms[.]exe lnk file in Startup directory
+ Copies itself into %APPDATA%
+ Queries SSL :443 server and get assigned a peer at :8080

0027s > AnalyzeProcess pid:5600 C:\Documents and Settings\Administrator\Desktop\emotet[.]exe
0059s >  WriteProcessMemory
File: emotet[.]exe
Size: 216576 Bytes
MD5: BCCF2BBA9CD34B2FFFA13BFAA9DD73D0

Type: Ransomware
Variant: Cerber
Malware Source: 521089667da9de525381eb23c780ad8b3d6e64d9c95a71f10d8f6d4f2af1f561
Config Source: GitHub

p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px} p.p2 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica} p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px} p.p2 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica}