Emotet Maldoc Analysis – Embedded DLL and CertUtil for Base64 Decoding

On 11/10/2020, AnyRun posted an Emotet maldoc that utilized CertUtil to decode a DLL payload that was used for unpacking and running the Emotet trojan. This is a deviation from normal use of obfuscated base64 PowerShell command as well as embedding the DLL into the maldoc instead of retrieving from a compromised host. This video provides analysis of the document using both static and dynamic techniques, as well as a walk-through of the macro code. The original Tweet from AnyRun can be found at: https://twitter.com/anyrun_app/status/1326157565840023553 Analysis of an Emotet document that uses PowerShell from earlier this year can be found…

Read more

Reverse Engineering with Ghidra – Calling Conventions

I’ve posted a short video that takes a look at three prevalent calling conventions: C Declaration, standard call and fast call. I will show you how to compile sample programs from source, load them in Ghidra and analyze the disassembly/decompiler output to observe the differences in the calling conventions. The source code for the sample program can be found on my Github:https://github.com/jstrosch/learning-reverse-engineering/tree/master/Calling%20Conventions

Read more

Maldoc uses template injection for macro execution

I recently came across a handful of malicious office documents (maldocs) whose network traffic struck me as a slightly odd. As you can see in the screenshot below, there are several HTTP requests to the hxxp://moveis-schuster-com.[ga] domain and some of these requests appear to be for a DOTM file. A DOTM file is a macro-enabled office template file, so I dug in a bit more. As is typical in my workflow, I first inspected the document using oledump – no macros. This is no surprise as the HTTP traffic would indicate that the macros come later. My next step was…

Read more

Maldoc uses RC4 to hide PowerShell script, retrieves payload from DNS TXT record

Malware authors are constantly coming up with new and clever techniques to help avoid detection. In this maldoc, the authors employed several techniques to help complicate analysis and even evade sandboxes. The document begins with an image that instructs the user to enable content, which will cause the macros to execute. However, instead of immediately executing macro code, the document goes on further to prompt the user to click an “Unlock File” button and enter a password to decrypt the protected file. This is when the malicious behavior begins and the authors implemented RC4 to decrypt a PowerShell script. The…

Read more