{
"Event" : {
"analysis" : "2" ,
"date" : "2017-05-26" ,
"extends_uuid" : "" ,
"info" : "OSINT - Analysis of Emotet v4" ,
"publish_timestamp" : "1495804482" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1495804476" ,
"uuid" : "59282239-845c-495d-b3db-4ebb950d210f" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#ffffff" ,
"local" : false ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#500064" ,
"local" : false ,
"name" : "ms-caro-malware:malware-type=\"Trojan\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:tool=\"Emotet\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802964" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "59282258-d130-4a21-864e-4712950d210f" ,
"value" : "https://www.cert.pl/en/news/single/analysis-of-emotet-v4/" ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : false ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802965" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "59282381-e64c-46c9-88a9-40ff950d210f" ,
"value" : "Emotet is a modular Trojan horse, which was firstly noticed in June 2014 by Trend Micro. This malware is related to other types like Geodo, Bugat or Dridex, which are attributed by researches to the same family.\r\n\r\nEmotet was discovered as an advanced banker \u2013 it\u2019s first campaign targeted clients of German and Austrian banks. Victims\u2019 bank accounts were infiltrated by a web browser infection which intercept communication between webpage and bank servers. In such scenario, malware hooks specific routines to sniff network activity and steal information. This technique is typical for modern banking malware and is widely known as Man-in-the-Browser attack.\r\n\r\nNext, modified release of Emotet banker (v2) has taken advantage of another technique \u2013 automation of stealing money from hijacked bank accounts using ATSs (Automated Transfer Systems, more informations on page 20 of CERT Polska Report 2013). This technology is also used in other bankers. Good examples are ISFB (Gozi) or Tinba.\r\n\r\nAt the beginning of April 2017, we observed wide malspam campaign in Poland, distributing fraudulent mails. E-mails were imitating delivery notifications from DHL logistics company and contained malicious link, which referred to brand-new, unknown variant of Emotet.\r\n\r\n\r\n\r\nMalware distributed in this campaign differed from previously known versions. Behavior and communication methods were similar, but malware used different encryption and we noticed significant changes in its code. Thus we called this modification version 4." ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : false ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "C&C public key" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802933" ,
"to_ids" : false ,
"type" : "other" ,
"uuid" : "592823a0-1400-4721-8b31-4276950d210f" ,
"value" : "-----BEGIN PUBLIC KEY-----\r\nMHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAJ16QBv5Csq0eruFy4BvTcXmmIyeqUb3\r\nvCCc8K/zOYOpL/Ww6FCdUpvPfs+RR/sLBalwtKmT14iRUaNmJdygnAKUIRWR1HNt\r\n0rQRir0pD4QlkXlnZ9lZazTfyMV8BLCatwIDAQAB\r\n-----END PUBLIC KEY-----"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Analysis based on sample" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802933" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "592823c5-6a88-4023-aa9e-4b45950d210f" ,
"value" : "c53956c95100c5c0ba342977f8fc44fcad35aabc24ec44cb12bb83eee1ed34fa"
} ,
{
"category" : "Payload delivery" ,
"comment" : "fetched modules (13th April)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802933" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "592823d5-b3bc-4845-a841-4ae5950d210f" ,
"value" : "0497c120248c6f00f1ac37513bd572e5"
} ,
{
"category" : "Payload delivery" ,
"comment" : "fetched modules (13th April)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802933" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "592823d5-63d4-4ae4-ac7c-4c0c950d210f" ,
"value" : "5b2d58b4104309ee9c93b455d39c7314"
} ,
{
"category" : "Payload delivery" ,
"comment" : "fetched modules (13th April)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802933" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "592823d6-83cc-4b3b-adc5-4b2b950d210f" ,
"value" : "722268bad0d3a2e90aa148d52c60943e"
} ,
{
"category" : "Network activity" ,
"comment" : "On port 443 C&C" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802933" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "592823f7-6938-4073-8b4e-4331950d210f" ,
"value" : "http://87.106.105.76"
} ,
{
"category" : "Network activity" ,
"comment" : "On port 443 C&C" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802933" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "592823f7-f390-440f-87de-4f93950d210f" ,
"value" : "http://173.255.229.121"
} ,
{
"category" : "Network activity" ,
"comment" : "On port 443 C&C" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802933" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "592823f7-b7b4-4ca7-8917-4eaa950d210f" ,
"value" : "http://178.79.177.141"
} ,
{
"category" : "Network activity" ,
"comment" : "On port 7080 C&C" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802933" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "592823f8-72dc-4b2d-b274-4902950d210f" ,
"value" : "http://79.170.95.202"
} ,
{
"category" : "Network activity" ,
"comment" : "On port 8080 C&C" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802933" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "592823f8-4144-4d11-8f74-4a27950d210f" ,
"value" : "http://206.214.220.79"
} ,
{
"category" : "Network activity" ,
"comment" : "On port 8080 C&C" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802933" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "592823f9-30a4-4976-8f2f-486d950d210f" ,
"value" : "http://88.198.50.221"
} ,
{
"category" : "Network activity" ,
"comment" : "On port 8080 C&C" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802933" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "592823f9-8680-4722-90bd-4679950d210f" ,
"value" : "http://5.39.84.48"
} ,
{
"category" : "Network activity" ,
"comment" : "On port 7080 C&C" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802933" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "592823fa-8980-4ea0-bee6-4f15950d210f" ,
"value" : "http://188.68.58.8"
} ,
{
"category" : "Network activity" ,
"comment" : "On port 7080 C&C" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802933" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "592823fa-9250-447d-a1ac-44d5950d210f" ,
"value" : "http://162.214.11.56"
} ,
{
"category" : "Network activity" ,
"comment" : "On port 8080 C&C" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802933" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "592823fa-38b0-4c02-80cd-45ef950d210f" ,
"value" : "http://5.196.73.150"
} ,
{
"category" : "Network activity" ,
"comment" : "On port 7080 C&C" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802933" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "592823fb-b55c-4f7f-aca5-4edd950d210f" ,
"value" : "http://203.121.145.40"
} ,
{
"category" : "Network activity" ,
"comment" : "On port 7080 C&C" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802933" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "592823fc-fd98-4a8a-9724-496f950d210f" ,
"value" : "http://46.165.212.76"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Analysis based on sample - Xchecked via VT: c53956c95100c5c0ba342977f8fc44fcad35aabc24ec44cb12bb83eee1ed34fa" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802942" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5928243e-f388-465a-b65b-447b02de0b81" ,
"value" : "7b353d4f26acd06fdf8abed661f048a02cd1bbcf"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Analysis based on sample - Xchecked via VT: c53956c95100c5c0ba342977f8fc44fcad35aabc24ec44cb12bb83eee1ed34fa" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802942" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5928243e-1490-48d5-a33e-487a02de0b81" ,
"value" : "5b3f0c1b0231e7873b587131b112139f"
} ,
{
"category" : "External analysis" ,
"comment" : "Analysis based on sample - Xchecked via VT: c53956c95100c5c0ba342977f8fc44fcad35aabc24ec44cb12bb83eee1ed34fa" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802943" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5928243f-2964-4f17-a96e-470402de0b81" ,
"value" : "https://www.virustotal.com/file/c53956c95100c5c0ba342977f8fc44fcad35aabc24ec44cb12bb83eee1ed34fa/analysis/1494971561/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "fetched modules (13th April) - Xchecked via VT: 722268bad0d3a2e90aa148d52c60943e" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802943" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5928243f-2ebc-40bb-af6b-44d902de0b81" ,
"value" : "fe8c3e060969c3e8842bcbcab161cd0ba477d2614115e2cf46588eed30554a12"
} ,
{
"category" : "Payload delivery" ,
"comment" : "fetched modules (13th April) - Xchecked via VT: 722268bad0d3a2e90aa148d52c60943e" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802944" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "59282440-d650-4fba-bc1c-407f02de0b81" ,
"value" : "498cf1ac35d1c31c6920d5305cc78129c3d18ecf"
} ,
{
"category" : "External analysis" ,
"comment" : "fetched modules (13th April) - Xchecked via VT: 722268bad0d3a2e90aa148d52c60943e" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802944" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "59282440-a03c-44f6-b704-4b7402de0b81" ,
"value" : "https://www.virustotal.com/file/fe8c3e060969c3e8842bcbcab161cd0ba477d2614115e2cf46588eed30554a12/analysis/1495693771/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "fetched modules (13th April) - Xchecked via VT: 5b2d58b4104309ee9c93b455d39c7314" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802945" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "59282441-91c8-46fc-8cda-4e4c02de0b81" ,
"value" : "621c0a11ee0100b8fc3190e471ed4936204e897d97394ba9614ec95f1b69c69c"
} ,
{
"category" : "Payload delivery" ,
"comment" : "fetched modules (13th April) - Xchecked via VT: 5b2d58b4104309ee9c93b455d39c7314" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802946" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "59282442-2d44-44c0-808b-4f3a02de0b81" ,
"value" : "59745dfbac015cec3bf66d9c4ad5cc37737adb84"
} ,
{
"category" : "External analysis" ,
"comment" : "fetched modules (13th April) - Xchecked via VT: 5b2d58b4104309ee9c93b455d39c7314" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802946" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "59282442-eb34-44fd-91b4-422102de0b81" ,
"value" : "https://www.virustotal.com/file/621c0a11ee0100b8fc3190e471ed4936204e897d97394ba9614ec95f1b69c69c/analysis/1493454650/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "fetched modules (13th April) - Xchecked via VT: 0497c120248c6f00f1ac37513bd572e5" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802947" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "59282443-fa58-432a-a85b-426202de0b81" ,
"value" : "1eb9c52548870533246932e12843318a95f876fd873bf4dfec7759214d1c2cc9"
} ,
{
"category" : "Payload delivery" ,
"comment" : "fetched modules (13th April) - Xchecked via VT: 0497c120248c6f00f1ac37513bd572e5" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802947" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "59282443-f8b4-4ced-bc34-4eb402de0b81" ,
"value" : "199da8defc4b1cd8513ca9bea76e96571dc6e5e2"
} ,
{
"category" : "External analysis" ,
"comment" : "fetched modules (13th April) - Xchecked via VT: 0497c120248c6f00f1ac37513bd572e5" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495802947" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "59282443-b4d8-4777-a97c-4e0902de0b81" ,
"value" : "https://www.virustotal.com/file/1eb9c52548870533246932e12843318a95f876fd873bf4dfec7759214d1c2cc9/analysis/1493439636/"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495804412" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "592829fc-1088-4bea-a59d-4eb4950d210f" ,
"value" : "rule emotet4_basic: trojan\r\n{\r\nmeta:\r\nauthor = \"psrok1/mak\"\r\nmodule = \"emotet\"\r\nstrings:\r\n$emotet4_rsa_public = { 8d ?? ?? 5? 8d ?? ?? 5? 6a 00 68 00 80 00 00 ff 35 [4] ff 35 [4] 6a 13 68 01 00 01 00 ff 15 [4] 85 }\r\n$emotet4_cnc_list = { 39 ?? ?5 [4] 0f 44 ?? (FF | A3)}\r\ncondition:\r\nall of them\r\n}"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495804444" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "59282a1c-e2a8-4c42-99c0-4985950d210f" ,
"value" : "rule emotet4: trojan\r\n{\r\nmeta:\r\nauthor = \"psrok1\"\r\nmodule = \"emotet\"\r\nstrings:\r\n$emotet4_x65599 = { 0f b6 ?? 8d ?? ?? 69 ?? 3f 00 01 00 4? 0? ?? 3? ?? 72 }\r\ncondition:\r\nany of them and emotet4_basic\r\n}"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "IDS flag not set (false-positive?)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495804476" ,
"to_ids" : false ,
"type" : "yara" ,
"uuid" : "59282a3c-eeb8-4231-b073-44b6950d210f" ,
"value" : "rule emotet4_spam : spambot\r\n{\r\nmeta:\r\nauthor=\"mak\"\r\nmodule=\"emotet\"\r\nstrings:\r\n$login=\"LOGIN\" fullword\r\n$startls=\"STARTTLS\" fullword\r\n$mailfrom=\"MAIL FROM:\"\r\ncondition:\r\nall of them and emotet4_basic\r\n}"
}
]
}
}