
The Complete story of EMOTET

Most prominent Malware of 2018


White Paper

www.quickheal.com
TABLE OF CONTENTS
Abstract: 01
1. Introduction: 01
1.1 What is Emotet? 01
1.2 What makes it a more complex distributor? 01
2. Background: 02
2.1 Infection Vector: 02
2.2 Why Emotet is targeting PHP based websites? 02
3. Server-Side Infection: 03
3.1 How Emotet is compromising websites and using it as a threat distributor? 03
3.2 How malware are evading Detections on webservers: 03
3.2.1 Initial Infection Scripts: 04
A. Edit.php: 04
B. Remote.php: 05
C. Settings.php: 05
D. Minify.php: 05
E. Wpsetting.php: 06
F. new_license.php: 06
3.2.2 Emotet Script files 06
A. .bt: 07
B. .67179322b768a6c97af866b5561a06aabf878f15: 07
C. .htaccess: 07
D. index.php: 07
3.3 Modus operandi: 08
4. Execution at the client side 09
4.1 Initial vector on Client side: 09
4.1.1 Detailed analysis of Document file: 09
4.1.2 Detailed Analysis of JavaScript File: 10
4.1.3 Emotet From Pdf File: 11
4.1.4 Emotet Doc as XML: 11
4.2 Emotet Payload Analysis: 12
4.2.1 Emotet File Name generation Algorithm: 13
4.3 Emotet In Memory Modules: 16
4.3.1 Credentials stealer Module: 16
4.3.2 Network Spreader Module (16kb): 16
4.3.3 Emotet’s Email Harvesting Module (288kb): 18
4.3.4 Emotet’s Spam Module (1339kb): 19
4.3.5 Emotet’s Connection-Verifier (221kb): 19
5. Conclusion: 21
Abstract
In 2018, we saw a surge in Emotet activity. Emotet started as a banking trojan, but this paper will shed light on how
it has also become a “threat distributor”. We will also discuss server-side and client-side activity and how it
spreads. Its self-propagation makes it more challenging for security vendors to detect it statically. We will explain
how the URLs in the spam emails and the malware hosted on those URLs are constantly changing, and how brute
forcing is used for lateral movement.

1. Introduction:
1.1 What is Emotet?
The Emotet malware campaign has existed since 2014. It returns at frequent intervals with different techniques and
variants to deliver malware to victims, and we see the attackers using complex techniques to evade detection. It has
evolved from a standalone banking trojan into a complex threat distributor. At the start of 2017, we saw the
Emotet campaign spreading through malspam emails with attached PDF and JS files. In 2018, it is spreading through
MS Office Word documents with a heavily obfuscated macro inside them. The mail also contains a URL which
downloads the MS Office (Word, Excel) documents. US-CERT has issued an alert highlighting how serious a threat
Emotet is.

1.2 What makes it a more complex distributor?

The malware shows persistent infection and is very aggressive in changing the URLs and the payloads delivered by
them at regular intervals, making static detection difficult. We also saw theft of network credentials, email account
credentials and passwords stored in web browsers. It attempts to spread internally throughout the network via
brute-force attacks using the stolen credentials. It hijacks email accounts by scraping names and email addresses
from the victim's Outlook account and then using the account to send out more malspam, essentially turning victims
into spammers.
As Emotet and its modules change on an hourly/daily basis, we suspect that the attackers are using modern
technology such as Machine Learning (ML) to change and deliver the components.

2. Background
2.1 Infection Vector:

[Fig. 1 diagram: Attacker Server -> Submit data -> Compromised website; Mail with malicious link -> Get request to
compromised site -> Emotet doc (payload as response) -> Obfuscated Macro -> PowerShell -> Emotet Malware -> C&C;
Lateral Movement via Admin$ / SMB pipe / Services.exe -> Executes malware on further Victims; modules: Spam mail,
Email harvester & scraper, Password stealing]
Fig. 1 Emotet Complete Life Cycle

The campaign is divided into two stages.

1: Attack on the website.
2: Attack on the victim’s machine.
The compromised websites are used for hosting the latest malware. The malware is downloaded first as a
document and then, in the later stage of spreading, as the Emotet executable.

2.2 Why is Emotet targeting PHP-based websites?

Approximately 70%-80% of websites are developed using PHP; even content management systems like Joomla and
WordPress run on PHP. PHP, being a server-side scripting language, executes code on the server and returns HTML
as the response. If the attacker succeeds in executing malicious code on a PHP server, he can gain admin access to
the server. To execute malicious code on the server, vulnerabilities are targeted, and many exploitable vulnerabilities
are found in WordPress and Joomla plugins. Some of them are “Arbitrary File Upload Vulnerability”, “Direct access to
XMLRPC.php for brute-force attacks”, “Remote privilege escalation vulnerability”, “Cross-site scripting” and
“Information disclosure vulnerability”. During the analysis, we observed that it uses the latest vulnerabilities from
exploit-db and rapid7. Usually these vulnerabilities are not patched by the website owners, as updating to the latest
plugins might affect their website themes. Also, some people only deactivate vulnerable themes but don’t delete them
from the FTP account; such vulnerable plugins or themes can still be exploited. That’s why these websites are easily
targeted and can be used as free and undetectable infrastructure to host different malware.

3. Server Side Infection
3.1. How is Emotet compromising websites and using them as a threat distributor?
When a user accesses a URL from the browser, it goes as a “GET” request to the server. The server reads the URL and
executes the PHP / server-side page associated with the current request.
e.g. When a user accesses “hxxp://www.Abc.com/login”, the web server checks for the login.php page on the server
side. If it is present, the server executes the code and sends HTML as the response. Generally, we can’t read PHP code
directly, as access to it is restricted by the server. To plant a backdoor script on a PHP-based website/server, the
attacker needs to upload the backdoor script to the PHP server using any of the above-mentioned vulnerabilities. Then
the attacker needs to send a request for that resource (the backdoor script), which will execute on the PHP server and
give unlimited access to the web server.
Emotet collaborates with different groups like “roi777” targeting PHP websites by uploading the backdoor script to
vulnerable websites. The attacker may use vulnerability scanners like Wpscan, Owasp-zap, Joomla scanner, Shodan
and Nmap to find vulnerabilities in the websites.
Common vulnerable themes & plugins:
1. Sketch 1.0.2: this theme is distributed as freeware. Its 404.php page contains code for a webshell.
2. wp-db-ajax-made: this is a fake plugin added by the botnet. It also contains the webshell wp-ajax.php.
3. revslider

3.2 How is malware evading detection on web servers?

To evade detection the attacker uses PHP language features. PHP is a server-side scripting language with many
features, such as not requiring variable declarations and allowing strings to be used as functions. The main features
used to evade detection are as follows:
1. Strings can be written as hex escape values, for example “abc” = “\x61\x62\x63”
2. Strings can be used as functions:
“shell_exec” = shell_exec = “\x73\x68\x65\x6C\x6C\x5F\x65\x78\x65\x63”
3. Variables without values have a null value, which means abc$v is the same as abc; $v is not considered in this case.
These features of PHP are extensively used for evading signature-based detection as well as network traffic inspection.
E.g.:
<?php
$m = "\x73\x68\x65\x6C\x6C\x5F\x65\x78\x65\x63"; // "shell_exec" written as hex escapes
$v = $m('ls');                                      // variable function call: $m holds the function name
echo $v;
?>
In the above example, shell_exec is the PHP function to execute shell commands. In PHP, “shell_exec” and shell_exec
have the same meaning, and either string can be used as a function call. We can write this function name in hex like
“\x73\x68\x65\x6C\x6C\x5F\x65\x78\x65\x63”, which is nothing but shell_exec. This way, multiple commands are
executed on the web server, bypassing antivirus and evading PHP script detection.
The attacker executes code on the server using POST requests. To bypass network-level filtering, the data is sent
base64-encoded with gzinflate compression, so web servers are not able to detect these requests as malicious. On the
server the attacker keeps a script that receives code via POST request and executes it using PHP's eval function.
On investigation, we found that these compromised websites are used as a malware hosting platform or infrastructure
by the attacker, which can be used to deliver any malware like Emotet, miners etc. As discussed above, the count of
PHP websites all over the world is very high, and in the same way the count of compromised websites is also high.
In the Emotet campaign, we found multiple such scripts, which are executed as per the attacker’s command. The
attacker has kept a 129-byte script on the server which receives POST requests and executes code. The attacker sends
a base64-encoded script via POST request to the server; it is executed and stores the Emotet payload scripts in a
folder. The malicious scripts below are used for taking remote or backdoor access on the compromised server.
Normally the scripts are found at the location wp-admin\wpclient.
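From the defender's side, the three tricks above are mechanical to undo. The following Python triage helper is an added example (not from the paper or from the Emotet scripts): it decodes \x-escaped double-quoted literals to expose hidden function names, flags variable function calls such as $m(...), and reverses the base64 + gzinflate wrapping of a POSTed payload. The PHP sample is the snippet from this section; the wrapped POST body is constructed inside the block.

```python
import base64
import re
import zlib

# Function names attackers hide behind \x escapes. eval and the decode/inflate helpers are
# included because the POST handler described in this section chains eval(gzinflate(base64_decode())).
DANGEROUS_FUNCTIONS = {
    "shell_exec", "exec", "system", "passthru", "popen", "proc_open",
    "eval", "assert", "base64_decode", "gzinflate", "str_rot13",
}

# PHP only interprets \xHH escapes inside double-quoted literals, so that is where we look.
DOUBLE_QUOTED = re.compile(r'"((?:\\.|[^"\\])*)"')
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def decode_hex_escapes(literal: str) -> str:
    """Turn "\\x73\\x68..." into the plain string PHP sees at runtime."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), literal)


def hidden_function_names(php_source: str) -> list:
    """Dangerous function names that appear only in hex-escaped form."""
    found = set()
    for match in DOUBLE_QUOTED.finditer(php_source):
        literal = match.group(1)
        if "\\x" in literal:
            decoded = decode_hex_escapes(literal)
            if decoded in DANGEROUS_FUNCTIONS:
                found.add(decoded)
    return sorted(found)


def variable_function_calls(php_source: str) -> list:
    """'$m(...)' calls: PHP treats the string held in $m as the function to call."""
    return sorted(set(re.findall(r"(\$[A-Za-z_]\w*)\s*\(", php_source)))


def unwrap_post_payload(body: str) -> str:
    """Reverse the base64 + gzinflate wrapping used for POSTed code.
    gzinflate() consumes raw DEFLATE data, which zlib reads with wbits=-15."""
    return zlib.decompress(base64.b64decode(body), -15).decode("utf-8", errors="replace")


def triage(php_source: str) -> dict:
    """Summarise the indicators found in one PHP file."""
    hidden = hidden_function_names(php_source)
    calls = variable_function_calls(php_source)
    chained_eval = "eval(" in php_source and "base64_decode" in php_source
    return {
        "hidden_functions": hidden,
        "variable_calls": calls,
        "suspicious": bool(hidden) or chained_eval,
    }


# The snippet from this section, reproduced as a constructed test input.
SAMPLE_PHP = r'''<?php
$m= "\x73\x68\x65\x6C\x6C\x5F\x65\x78\x65\x63";
$v = $m('ls');
echo $v;
?>'''


def make_wrapped_body(code: str) -> str:
    """Constructed sample only: produce the wrapping that unwrap_post_payload() reverses."""
    compressor = zlib.compressobj(wbits=-15)
    raw_deflate = compressor.compress(code.encode("utf-8")) + compressor.flush()
    return base64.b64encode(raw_deflate).decode("ascii")


if __name__ == "__main__":
    print(triage(SAMPLE_PHP))
    print(unwrap_post_payload(make_wrapped_body("<?php echo 'constructed'; ?>")))
```

Running the helper over every .php file under a web root (including hidden files and theme 404.php pages) gives a quick shortlist for manual review.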
3.2.1. Initial Infection Scripts

Edit.php
remote.php
settings.php
minify.php
wpsetting.php
new_license.php
index2127.php

Fig. 2 Script used for taking access

In some cases, we found that the above scripts are located in the root folder of the website or in wp-includes; the
attackers also edited the 404.php of themes, which contains the same code as the script below. Also, in some cases
the same scripts are stored with different names. Let’s go through some of the important scripts.

A. Edit.php:
This script is used by the Emotet group to create and execute a function from POST request content. The script is
highly encoded, and the size of the encoded script is only 129 bytes, so no one notices this script easily. On one of the
infected websites from our honeypot, we logged the POST requests and found that they send a base64-encoded script
in the POST body. The received script contains the code of the main Emotet payload. It creates a folder and keeps
index.php and web.config files there. On our website the Emotet payload was updated from:
151.80.142.33 - France (Europe)
198.199.88.162 - America
5.9.150.122 - Germany (Europe)

Fig. 3 Decrypted Edit.php to receive code

Fig. 4 Encrypted Post request from attackers


Fig. 5 Decrypted Post request

B. Remote.php:
Previously this script was kept as ini_mod_filezipr.php, which was related to the “PHP doorway backdoor” campaign.
These scripts send “HTTP” and “curl” requests to “fped8.org/doorways/settings_v2.php” and “update.php”.
Before December 2018 we observed this script on Emotet-compromised websites; it also has the ability to add PHP
files or modify themes. Attackers activate functions according to the “GET” and “POST” request parameters. We found
that remote.php has the ability to download and execute a PHP script which it gets from the HTTP request. If we try to
access remote.php directly, it sends “true” as the response or redirects to another domain. It checks for content
management systems (CMS) by detecting '/wp-blog-header.php' for WordPress and '/includes/framework.php' for
Joomla. Then, according to the type of PHP site, it edits the theme template; for that it has defined a function named
edittext() which accepts _themesfile_data, _extlinksfilename and _other_data, which it adds to the themes of the
website.
It downloads and stores data in a cache folder named temp*ClientID*. It fetches one encoded PHP script and an IP
address list of host servers which send requests to fped8.org. On our investigation, we found that this IP address list
is similar to the list of IP addresses present in the Emotet folder on the compromised website. This helped us to relate
the Emotet campaign with the “doorways to PHP backdoor” campaign. Also, it contains a function to delete a directory,
full_del_dir().

C. Settings.php:
This file is the main component for an intruder. We found that when we open this page, we get an input box for a
password and a submit button. When we analyzed its PHP code, we found that this page is obfuscated multiple times.
We deobfuscated this file using base64_decode and str_rot13. Then again there were many base64-encoded strings
in the array. When we decoded them we found that this script is the wso webshell. To make it undetectable, they used
multiple rounds of base64 encoding and other PHP functions like str_rot13. This file is also a webshell, the same as
minify.php with different encoding. More details about it are covered under minify.php.

D. Minify.php:
When we send a user request, we get an input box for a password. Minify.php, index2127.php, simple.php5, 404.php
and Settings.php are all the same file. After decryption we found that it is nothing but a webshell. Similar webshells
are also available on “hxxps://webshell.co/”. Both files, i.e. minify.php and setting.php, are encrypted by different
encryption algorithms and decrypted on execution. To evade detection on the server side, both script files are
heavily encrypted. This script is a webshell which consists of different utilities that help the attacker gain access to
the complete system without any user id or password.
Tools available in this script:
1. File manager
2. SQL browser
3. Console
4. PHP shell to execute PHP code (eval())
5. Brute-force tools for dictionary attacks
6. Network script to create socket connections.
Fig. 6 Web shell on compromised site (Filemanager)

Once this script is uploaded on the web server, the attacker can easily install other scripts and also gain FTP access by
using the file manager. On investigation, we found that this script is also added as the 404 page in the active theme of
the infected site to achieve persistence. But as these scripts have a one-click self-deletion ability, the attacker can
delete all of them. On newer PHP websites they used an updated wso webshell with the name ab.php and the default
password, i.e. “admin”. This script also has the ability to provide a reverse shell and get the root password of the web
server. So far, the scripts which we found have the password stored as the MD5 hash “f152ff3d0236535f1a5feb9272731e47”.

E. Wpsetting.php:
This is a very basic but important script uploaded by the attacker. It only has code to upload a file and store it in the
same folder where the script is present. It accepts a file in a POST request with the parameters ‘filename’ and ‘test’,
where the value for test is fixed as ‘hello’. As this script looks like a normal script for handling POST requests, it is
not detected by antivirus products or webmasters even if the other scripts get deleted, and by sending a POST request
to this script anyone can upload any PHP script or file to the compromised site even after the infected site has been
cleaned. To achieve this, only HTML code with a multipart form is required, where the action is the address of the
wpsettings page and the fields are filename and test. Recently we found that the script is kept with different names
such as “wp-qjwjmv.php”.

F. new_license.php:
On some of the compromised servers we found new_license.php. This PHP script contains a multipart HTML form
without any client- or server-side validation. An attacker can upload any PHP file (payload or backdoor) to the server,
and on this page we get a link to the uploaded script. This type of script is used to upload any file and execute
malicious code on the web server.

3.2.2 Emotet Script files

We found that Emotet drops 5 files in a folder with a randomly generated name. The list of files is given below:
.67179322b768a6c97af866b5561a06aabf878f15
.bt
.htaccess
index.php
web.config

Fig. 7 Emotet scripts from the compromised site

A. .bt:
This is a hidden file containing a host URL list. The IP list in this file and the one in the “PHP backdoor files” are the
same, and many Emotet-infected domains contain this file along with the file mentioned above. That’s why we think
that both these campaigns did a tie-up to distribute the malware. From January 2019 Emotet is no longer maintaining
this IP list.

B. .67179322b768a6c97af866b5561a06aabf878f15:
The name of this file is generated from the SHA1 of the directory name which contains the Emotet files. The following
function is used to get the SHA1 of the directory: sha1(basename(dirname(__FILE__)))
This is a JSON file which is updated on each request whenever Emotet is downloaded from the given infected site.
{"4":1031,"5":1255,"2":31,"3":14}
Here 1031 is the count of Emotet downloads from the current infected site.

C. .htaccess:
It is used to provide access to files, and also to restrict access to certain files. This file gives permission to index.php.
Following is the list of permissions:
DirectoryIndex index.php
<Files index.php>
order allow,deny
allow from all
</Files>

D. index.php:
This contains the main Emotet payload. As storing an exe on a website can be detected easily and updating such an
exe is problematic, Emotet uses a PHP script in which the exe or doc is stored in encrypted form. In the phishing email,
a link to the above folder containing index.php is provided to the victim. Whenever a user clicks the link, the decrypted
Emotet malware (doc/exe) is sent as the response.
This index.php is also heavily encrypted. After decoding we found that Emotet uses a class with a private variable to
store the main payload in an encoded form. There is a function called “execute” which decodes and sends the payload
to the user. It uses the header function of PHP to send the response.
In the headers, it sends data like 'Expires: Tue, 01 Jan 1970 00:00:00 GMT' and 'Cache-Control: no-store, no-cache,
must-revalidate, max-age=0'. It sets the content type of the file as “application/octet-stream” and
'Content-Transfer-Encoding: binary'. After successfully sending the file as the response, it writes the new download
count to the JSON file “sha1(directoryname)”.
To decrypt this script, it first decrypts the API names by using the pack function as shown in the figure. Then it uses
the decrypted functions (gzinflate, base64_decode) to decrypt the remaining PHP script.

Fig. 8 Decrypted Index.php.

3.3 Modus operandi:

The attacker selects vulnerable websites by searching for vulnerable plugins using Google. The most vulnerable plugins
are “revslider”, “wooshop” and “Total-donations” (CVE-2019-6703). In some cases, people upload infected themes like
“sketch”. Once a target is found, they upload scripts like “wpsettings.php” to the site. By using this script, they add the
wso webshell. Once the webshell is installed, they can get the root password, using which they can take an “ssh rdp
session”. We found that Emotet is collaborating with different campaigns to spread its malware to infected sites.
Campaigns like “Php doorways backdoor”, which are famous for distributing miners and different malware, are also
their choice. In Emotet's case they keep edit.php on the web server; this script receives a POST request and executes
the script it contains. That script contains the payload, which it stores in a writable folder. Also, we found some scripts
which find a writable folder and create a PHP file there by reading the database, where the database credentials are
retrieved over POST requests.
Some paths where the webshell can be found on infected sites:
/wp-content/themes/sketch/404.php
/wp-content/index.php
/wp-admin/index2127.php
/wp-includes/pomo/index2127.php
/wp-includes/SimplePie/Content/Type/simple.php5

4. Execution at the client side

The spreading mechanism of this campaign is a phishing email. It uses subject lines like ‘Invoice’, ‘Delivery details’,
‘Shipment details’, ‘Payment details’ and so on to trick the victim into opening the email. In 2019 there are spam mails
in an Amazon delivery template with genuine links as well as a link to the Emotet doc file. Such emails contain
compromised URLs that will download a doc, xls, pdf or JavaScript file from compromised websites. Another way
might be directly attaching a doc, xls, pdf or JavaScript file to the email, or sometimes attaching a compressed file
containing a malicious file.

4.1 Initial vector on Client side:

1. Doc
2. Js
3. Xls
4. Pdf
5. Lateral Spreading in network

Fig. 9 Phishing Mail

4.1.1 Detailed analysis of Document file:

The malspam attachment is usually a Microsoft Word or Excel document embedded with VBA macros, which if
executed will download Emotet. When a malicious Office document embedded with a macro is opened and the user
clicks Enable Editing, the macro code is activated. We have taken one sample. It has a macro inside, such as
“s1045119”; the code has a Sub autoOpen() function which executes the macros. The AutoOpen macro is a special
macro that is executed when the document is opened.
In the below snippet, Interaction.Shell is called to process the command passed to it through variables. The variable
TextBox() contains the malicious code. Once this instruction is executed, the command-line code runs and launches a
PowerShell script.

Fig. 10 The instruction which calls a PowerShell script

The TextBox() variable contains the command-line code below, which is obfuscated and launches a PowerShell script.
Its arguments are decimal encoded to evade detection.

Fig. 11 Encoded command to call PowerShell

We get the final PowerShell command as shown in the figure below. This script is executed at the client end, and the
Emotet malware is downloaded and executed.

Fig. 12 PowerShell command

The process flow diagram shows the initial infection vector of Emotet: a malicious Office document containing an
obfuscated macro that runs a PowerShell script to download the payload.

4.1.2. Detailed Analysis of JavaScript File:

On the client side, JavaScript is also used as an infection vector. Many antivirus companies block infections using
behavior-based policies, and a doc file executing PowerShell which downloads malware is a common behavior pattern.
So Emotet also targets the Windows script hosts Wscript and Cscript, which can compile and execute script files with
the extensions “.js”, “.vbs” and “.wsf”. In our case we got a “.js” file which contains many variables assigned random
strings. Then they use the substr function, which selects a substring from, say, the 3rd position to the 7th position.
Lastly, they use string concatenation and substr together to obtain the PowerShell script.

Fig. 13 JavaScript to decrypt string and Execute PowerShell.


To execute this code, they used the Wscript shell, which can execute commands or exe files. In this way the decoded
string is executed using the Wscript shell. So Wscript executes PowerShell, and this PowerShell then downloads the
payload from the compromised website and executes it. The malware author uses these tricks to evade behavior- and
signature-based detection. Mainly to prevent detection by AMSI, they use base64 encoding with compression, or in
JavaScript use genuine-looking functions like substr. Also, the Emotet JavaScript file shows an error message on the
client side after successful execution of the PowerShell command.

Fig. 14 Error Message after successful Execution of .js

So, the flow of execution is as follows:

Email -> .js file -> Wscript.exe -> Executes PowerShell -> Download & Executes Emotet.

4.1.3. Emotet From Pdf File:

PDF files are also distributed using mail. These are the simplest attack vector, where a link to the doc is added as an
action in the PDF file, which when clicked downloads the doc containing the macro. The rest is the same as for the doc.

Fig. 15 Emotet Through Pdf


4.1.4. Emotet Doc as XML:
Recently Emotet started using XML-based files containing macros. The extension of this file is doc.so. When executed
with Microsoft Word, it is handled as a doc and the macro present in the XML file runs; it decodes the base64-encoded
content and starts executing PowerShell. As the files are XML, people who are tracking Emotet URLs to get new
samples don’t detect this file, since on Linux these files are simply XML files containing information.

Fig. 16 Emotet XML based macro

4.2. Emotet Payload Analysis:

The downloaded payload “{Random_name}.exe” is then executed from the %temp% or %public% location. After that,
it creates a copy of itself in %Appdata%. In this case, we found the payload name as “emitsendand.exe”. This file again
spawned a new instance of itself and showed its activity.

The downloaded payload has a pre-defined list of words. By using a combination of 2 words from this list it creates
the name of the second self-copy and executes it from the respective location. If the system is 32-bit, it executes its
self-copy from the “C:\Windows\System32” folder or “%appdata%\samename\samename.exe”; if it is 64-bit, the
location is “C:\Windows\SysWOW64”. It carries the list in a character array of size 0x162 and computes the remainder
of the volume serial id divided by the length of the list, i.e. 0x162. Then it moves the pointer to that offset and checks
for a comma, i.e. ‘0x2C’; if it does not find a comma there, it moves backward. To select the second word, it uses the
negation of the volume serial id divided by the length of the list in place of the volume serial id.

In this way, it selects words and concatenates them. So far we have found 5 unique lists of names. If the program is
executed as admin it adds a service entry; otherwise, it adds a Run entry for the malware for persistence.

Fig. 17 List of file names

The list of names stored in this file is shown in Fig. 17. The filename is created by combining any two of these words.

4.2.1. Emotet File Name generation Algorithm:

VolumeSerial = GetVolumeSerialInformationA();
pcString = "Comma separated strings";
iRemainder = dwVolumeSerialNum % iLength;
newVolumeSerialNum = ~(dwVolumeSerialNum / iLength);
pcString = StringNameCopy + (dwVolumeSerialNum % iLength);   // pointer into the word list
SelectedWord1 = word read from (--pcString) until the ',' comma is found;
dwVolumeSerialNum = newVolumeSerialNum;
Repeat the loop one more time for SelectedWord2.
Concatenate the two words.
The first instance of the dropped file contains a huge block of encrypted data. This data is decrypted at runtime and
yields two other PE files in memory, which are used by the parent file for further processing.
After this, the parent process checks whether the process was spawned by itself or not. If not, it creates a mutex,
closes the parent process and runs as an individual process.
The spawned process lists all the running processes and stores them in memory. After that, it starts enumerating
each process.
By using the CreateToolhelp32Snapshot function, it takes a snapshot of the processes and the threads, heaps and
modules used by these processes. It uses a combination of Process32First and Process32Next to enumerate the
running processes.
After taking the details of each running process, the malware encrypts the data and sends it to the malicious
server in a POST request. It encrypts the data using an RSA public key, which is present inside the file, then sends the
encrypted data to the C&C server. The request body is passed in the Cookie header.
Before sending the data to the server, the malware performs key generation. First, Emotet loads the RSA public key
stored in the main module. Then an AES symmetric key is generated using the cryptographically secure CryptGenKey
function. Finally, the generated key is encrypted using the previously loaded RSA public key.
Following are some functions used for key generation and encryption of data:

Fig. 18 RSA-AES key creation


Fig. 19 Encryption of request data

For C&C communication it uses the Google Protocol Buffers implementation with “proto2” message encoding, where it
uses the following request message definition.
message regrequest {
required int32 command = 1;
required string botId = 2;
required int32 osVersion = 3;
required int32 checkflag = 4;
required fixed32 crc32 = 5;
required string processList = 6;
}

Fig. 20 Api for sending Request

Here the bot id is created from a combination of the computer name and the volume serial number of the drive where
Windows is installed, and crc32 is obtained using RtlComputeCrc32. If the crc32 of the current binary is not the most
recent one on the C&C server, the server sends an updated binary as the response. For each request to the C&C the
payload again creates the running process list. If the list contains VirtualBox or debugger-related processes, the C&C
blocks the bot id.
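Once a request body has been recovered in plaintext (for instance from a sandbox that hooks the AES routine), it still has to be parsed as the proto2 message above. The following standard-library encoder/decoder for regrequest is an added example, not code from the paper or the malware; the bot id in the sample is the one shown in Fig. 21, and every other sample value is constructed.

```python
import struct

# Field numbers and types from the proto2 definition of regrequest above.
SCHEMA = {
    1: ("command", "int32"),
    2: ("botId", "string"),
    3: ("osVersion", "int32"),
    4: ("checkflag", "int32"),
    5: ("crc32", "fixed32"),
    6: ("processList", "string"),
}
VARINT, LENGTH_DELIMITED, FIXED32 = 0, 2, 5  # protobuf wire types


def encode_varint(value: int) -> bytes:
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_varint(buf: bytes, pos: int):
    result = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def encode_regrequest(msg: dict) -> bytes:
    """Serialise a regrequest as a proto2 encoder would, fields in number order."""
    out = bytearray()
    for number, (name, kind) in SCHEMA.items():
        value = msg[name]
        if kind == "int32":
            # Negative int32 values are sign-extended to 64 bits, giving a 10-byte varint.
            out += encode_varint((number << 3) | VARINT) + encode_varint(value & 0xFFFFFFFFFFFFFFFF)
        elif kind == "fixed32":
            out += encode_varint((number << 3) | FIXED32) + struct.pack("<I", value & 0xFFFFFFFF)
        else:
            data = value.encode("utf-8")
            out += encode_varint((number << 3) | LENGTH_DELIMITED) + encode_varint(len(data)) + data
    return bytes(out)


def decode_regrequest(buf: bytes) -> dict:
    """Parse a plaintext request body into named fields; unknown fields are kept by number."""
    msg, pos = {}, 0
    while pos < len(buf):
        key, pos = decode_varint(buf, pos)
        number, wire_type = key >> 3, key & 0x7
        if wire_type == VARINT:
            value, pos = decode_varint(buf, pos)
            if value >= 1 << 63:  # undo the sign extension of negative int32 values
                value -= 1 << 64
        elif wire_type == FIXED32:
            value = struct.unpack_from("<I", buf, pos)[0]
            pos += 4
        elif wire_type == LENGTH_DELIMITED:
            length, pos = decode_varint(buf, pos)
            value = buf[pos:pos + length].decode("utf-8", errors="replace")
            pos += length
        else:
            raise ValueError(f"unsupported wire type {wire_type} at offset {pos}")
        msg[SCHEMA.get(number, (f"field_{number}", None))[0]] = value
    missing = [name for name, _ in SCHEMA.values() if name not in msg]
    if missing:  # all six fields are 'required' in the definition above
        raise ValueError("missing required fields: " + ", ".join(missing))
    return msg


# Constructed sample: the bot id is the one shown in Fig. 21; every other value is made up.
SAMPLE_REQUEST = {
    "command": 16,
    "botId": "IEWIN7-3C9E0900",
    "osVersion": 0x0601,
    "checkflag": 1,
    "crc32": 0x11223344,
    "processList": "explorer.exe,svchost.exe,winword.exe",
}

if __name__ == "__main__":
    wire = encode_regrequest(SAMPLE_REQUEST)
    print(wire.hex())
    print(decode_regrequest(wire))
```

The decoded processList field is where the sandbox or debugger process names the C&C screens for would appear, so it is the first field worth checking against a capture.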

Fig. 21 Emotet C&C Request

In Fig. 21 we can see the request which Emotet sends to the C&C server; this is actually the protocol buffer structure
mentioned earlier. “IEWIN7-3C9E0900” is the bot id of the system, followed by the system version. The last word is
the crc32 value of the Emotet payload, which is used to identify whether the payload is modified or the latest version,
i.e. synced with the server’s latest payload version or not. At the end it appends the process list. It then encrypts this
whole request with AES, and the AES key with the RSA public key present in the payload; the RSA private key is held
at the server end.
Nowadays Emotet is using random URL patterns created from a word list, using an algorithm similar to the Emotet
naming logic for the dropped copy. This is done to identify emulators run by security researchers. If the URL pattern is
not present, it blocks that IP and bot id. E.g. it sends requests to URLs like hxxp://103.201.150.209:80/cone/. Also, it
accepts only POST requests.
When we sent an updated crc32 in the request, we got 6 modules as the response for an Indian IP. Emotet has
server-side validation which checks the geolocation of the client and delivers malware according to the IP location.
For blocking, it only blocks the bot id, which is unique for each infected machine. To execute modules, it contains 4
switch cases; the response contains a blob where the case id for each module is also sent.
To execute modules the following 4 ways are used:
1. Write file to Temp and execute (with arguments)
2. Write file to Temp and execute (Trickbot)
3. Download file and execute (a URL is received which is then downloaded and executed)
4. Load into memory as a thread (DLL modules)

The request packet can be represented as follows:

[Encrypted 128-bit AES key used for request encryption] [SHA1 hash of plaintext request body] [Request body, AES-128-CBC encrypted]

Fig. 22 Structure of a request send to the server

The IP addresses of Emotet’s C&C servers are hardcoded into the bot which sends the POST request to each URL.
Malware communicates with Command & Control.
If a request was successfully received, C&C server returns a list of Emotet modules. Response body contains
encrypted data.
Structure of encrypted response is similar to the request structure. Response is encrypted using the same AES key,
which was passed in request.
The response packet can be represented as follows:

| Digital signature | SHA1 hash of answer | Answer body, AES-128-CBC encrypted |

Fig. 23 Structure of a response sent by the server

The response from the C&C server carries a digital signature of 0x60 bytes, which is verified by the malware before the
answer is decrypted. It is followed by a 0x14-byte SHA1 hash and then the AES-encrypted response, so the actual response
containing the modules starts after the first 0x74 bytes. All modules can be sent by the C&C in a single response, in
Protobuf-encoded format. Generally, modules that are DLLs are loaded as a thread, while executable malware is run
directly by dropping it to the temp directory. During analysis we received Trickbot from a United States IP, which drops
to temp and executes.
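The response layout just described, as an added parser example that is not Quick Heal's code: it slices a captured response body into the 0x60-byte signature, the 0x14-byte SHA1 and the AES-128-CBC ciphertext, and reproduces the hash check the bot performs after decryption. The sample blob is constructed; signature verification and AES decryption with the session key are assumed to happen elsewhere.

```python
import hashlib
from dataclasses import dataclass

SIG_LEN = 0x60                  # digital signature, verified before decryption
SHA1_LEN = 0x14                 # SHA1 of the decrypted answer
HDR_LEN = SIG_LEN + SHA1_LEN    # 0x74: offset where the encrypted answer starts
AES_BLOCK = 16                  # AES-128-CBC ciphertext is block aligned


@dataclass
class C2Response:
    signature: bytes
    answer_sha1: bytes
    ciphertext: bytes


def parse_response(blob: bytes) -> C2Response:
    """Split a raw response body into its three fields, rejecting anything
    that cannot match the layout in Fig. 23."""
    if len(blob) < HDR_LEN + AES_BLOCK:
        raise ValueError("response shorter than header plus one AES block")
    ciphertext = blob[HDR_LEN:]
    if len(ciphertext) % AES_BLOCK:
        raise ValueError("encrypted answer is not AES block aligned")
    return C2Response(blob[:SIG_LEN], blob[SIG_LEN:HDR_LEN], ciphertext)


def answer_matches_hash(resp: C2Response, plaintext: bytes) -> bool:
    """Mirror the bot's check: SHA1 of the decrypted answer (decryption with
    the session AES key is assumed to have happened elsewhere) must equal
    the hash field carried in the response."""
    return hashlib.sha1(plaintext).digest() == resp.answer_sha1


def build_demo_blob(plaintext: bytes) -> bytes:
    """Constructed sample, not real Emotet traffic: a dummy signature, the
    real SHA1 of the plaintext, and filler of the size that PKCS#7-padded
    AES-CBC ciphertext of that plaintext would have."""
    padded_len = (len(plaintext) // AES_BLOCK + 1) * AES_BLOCK
    return b"S" * SIG_LEN + hashlib.sha1(plaintext).digest() + b"C" * padded_len


if __name__ == "__main__":
    demo_plain = b"constructed protobuf-encoded module list"
    resp = parse_response(build_demo_blob(demo_plain))
    print(hex(len(resp.signature)), hex(len(resp.answer_sha1)),
          len(resp.ciphertext), answer_matches_hash(resp, demo_plain))
```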

4.3 Emotet In Memory Modules:


4.3.1 Credentials stealer Module:
We found two modules whose purpose is to steal credentials from the web browser and the mail client.
• Mail PassView (Email Password-Recovery) 1.86 (166 kB)
• WebBrowserPassView 1.80 (405 kB)
Both modules are embedded in the file and encoded using an XOR operation, as shown in Fig. 24. On start-up, the module
decodes these two NirSoft tools, stores them in %TEMP%, and then executes each with the /scomma [temp file name]
parameter, which dumps all passwords into a file in the %TEMP% folder. The stolen data is sent to the C&C server
for malware spreading purposes.

Fig. 24 Decryption Loop

4.3.2 Network Spreader Module (16kb):


This is Emotet's own module, 16 kB in size. It is the first module dropped after successful C&C communication. It is
loaded as a thread and executed in memory. It resolves imports in memory by deobfuscating strings on the stack. It then
uses the CreateTimerQueueTimer function to schedule a timer for its worker function, with a 0x3E8 reactivation interval
and the WT_EXECUTELONGFUNCTION flag.
It uses genuine APIs for lateral movement, so it is very difficult to detect in an IDS/IPS. It enumerates connections in
the network using the WNetEnumResourceW function, which returns the list of shares and other network resources in
NETRESOURCE structures, the same information as the "net view" command. It also uses the NetUserEnum function to
retrieve user account information from the server.

Fig. 25 Service Creation from Lateral Movement

To transfer a file to another PC in the network it uses the code shown above. To log in to the other PC it uses
WNetAddConnection2W, which accepts a username and password for the network resource. If NULL is passed as the username
and password, the local account credential is used; if the local account is a domain admin, it can access all resources
in the network. Once it gains access, it copies the file to the Admin$ share, creates a service on the remote PC and
starts it.
It also contains code for taking the credential of the active session, or credentials stored in memory.

Fig. 26 Getting Session Id

Fig. 27 Creating Process with Given Session id

The WTSGetActiveConsoleSessionId function is used to retrieve the identifier of the console session, which is the input
for WTSQueryUserToken; the result of that call is used with the CreateProcessAsUser function. By using these functions
Emotet can reuse the credentials of the logged-on session that are present in memory. In this way it can impersonate
any logged-on user and reuse that user's credentials and resource access across the network, similar to an NTLM relay
attack. It also performs brute forcing using the computer names and usernames collected from the APIs above; their
combinations are used as credentials for resources in the network.
On the client system Admin$ resolves to the Windows directory, so this module copies the Emotet sample to the Windows
directory under an alphanumeric name of 8 characters. On the client PC it is then executed as a service, equivalent to
sc.exe \\targethost start <service>, so on the client side the parent process is services.exe. For persistence it again
creates a unique name, retrieves the system folder path using the "SHGetFolderPathW" function and relocates itself to
the new location using "SHFileOperationW". It then registers itself as a service and starts execution as a service. The
infected system then works as a bot in turn and starts infecting other systems in the network.
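Detection logic for the host artefacts described in 4.3.1 (NirSoft tools run from %TEMP% with /scomma) and 4.3.2 (the Admin$ copy started as a service from the Windows directory under an 8-character alphanumeric name), as an added example that is not Quick Heal's code. The events are constructed, Sysmon-like records and their field names are assumptions.

```python
import re
# Dropped copy in the Windows directory: exactly 8 alphanumerics plus .exe
SPREADER_NAME = re.compile(r"^[A-Za-z0-9]{8}\.exe$", re.IGNORECASE)
# Image directly under the Windows directory (not System32 or deeper)
WINDOWS_DIR = re.compile(r"^[A-Z]:\\Windows\\[^\\]+$", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def match_nirsoft_dump(ev: dict) -> bool:
    """4.3.1: a binary launched from a Temp directory with /scomma <file>,
    the invocation used for the decoded NirSoft password recovery tools."""
    return (ev["event"] == "ProcessCreate"
            and TEMP_DIR.search(ev["image"]) is not None
            and "/scomma" in ev["command_line"].lower())

def match_spreader_service(ev: dict) -> bool:
    """4.3.2: a process started by services.exe directly from the Windows
    directory under an 8-character alphanumeric name (the Admin$ copy)."""
    return (ev["event"] == "ProcessCreate"
            and basename(ev["parent_image"]).lower() == "services.exe"
            and WINDOWS_DIR.match(ev["image"]) is not None
            and SPREADER_NAME.match(basename(ev["image"])) is not None)

def scan(events: list) -> list:
    """Return (rule, image) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        if match_nirsoft_dump(ev):
            hits.append(("nirsoft_scomma_dump", ev["image"]))
        if match_spreader_service(ev):
            hits.append(("emotet_spreader_service", ev["image"]))
    return hits

# Constructed sample events (Sysmon-like fields, not real telemetry).
TEMP = r"C:\Users\u\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": TEMP + r"\tmp7F3A.exe",
     "command_line": r"tmp7F3A.exe /scomma " + TEMP + r"\out.txt",
     "parent_image": r"C:\Users\u\AppData\Local\xqzv\xqzv.exe"},
    {"event": "ProcessCreate", "image": r"C:\Windows\Ab3kQp9z.exe",
     "command_line": "Ab3kQp9z.exe", "parent_image": r"C:\Windows\System32\services.exe"},
    # explorer is also 8 letters: the services.exe parent check keeps it out
    {"event": "ProcessCreate", "image": r"C:\Windows\explorer.exe",
     "command_line": "explorer.exe", "parent_image": r"C:\Windows\System32\userinit.exe"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs", "parent_image": r"C:\Windows\System32\services.exe"},
]
```

Running scan(SAMPLE_EVENTS) flags only the /scomma dump and the Ab3kQp9z service; the explorer.exe and svchost.exe records are the negative controls.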

4.3.3 Emotet’s Email Harvesting Module (288kb)


When this module is executed, it checks for the presence of the registry key HKLM\Software\Clients\Mail\Microsoft
Outlook and then reads the value DLLPathEx, i.e. the path to the mapi32.dll module. If it is not found, the module does
not proceed further.
Microsoft provides a group of APIs called MAPI (Microsoft Outlook Messaging API). These APIs give an application
access to emails and can be used to steal contact lists.

Fig. 28 Loading MAPI functions

The module then creates a temporary file that is used to store the stolen Outlook information and the email addresses
that have been collected. It encrypts the data and sends the stolen information to its C&C server. In a similar way,
using the MAPI API, the email scraper module steals mail bodies; these stolen mail bodies are used as templates for
further spamming.

4.3.4 Emotet’s Spam Module (1339kb):


This is the largest Emotet module dropped, with a size of 1339 kB. The module contains a list of C&C servers; contacting
these C&Cs it receives a list of email IDs which are the target addresses for sending email. The spamming module is
changed on a daily basis and is dropped to specific locations. In India it is dropped frequently, but for the United
States it is loaded rarely nowadays; the same has also been confirmed by the Cryptolaemus1 group. It also uses templates
of genuine companies like Amazon, Vodafone etc., and the language of these templates follows the country: for German
clients it sends mail in German. This module also uses Google protocol buffers for communication with the C&C. Indian
infected hosts are mainly used to launch the spam campaign. The spam module receives mail IDs and a template (stolen
from email clients) containing newly infected website links from the spam server's C&C, and then sends spam mails to
these target mail IDs to infect new hosts. To avoid being used for spamming, users can enable two-factor authentication
or use browser-based Outlook.

4.3.5 Emotet’s Connection-Verifier (221kb):


This module is different from any other module Emotet has used. Its main functionality is port forwarding.
It is our theory that it can also use this port to access the system over a public IP, if the PC is connected over a public IP.

Fig. 29 Emotet Port Forwarding

It maps a port on the router to a local port, which can later be used as a C&C, to take remote access, or to spread other
malware to these systems. It then sends a POST request to /whoami.php on one of the module's C2s, such as
75.128.208.218:8080. Using this module Emotet forwards multiple ports to the infected host on the router via UPnP.
Such infected machines, with their public IP and forwarded port, are used in the payload as CnC. So when a newly infected
host connects to this CnC server, it is actually connecting to a previously infected host where port forwarding has been
done. We call such CnCs tier 1 servers. A tier 1 server gets its data from a tier 2 server. On the client side, if we nmap
such a tier 1 C&C we may observe that dvr, ssh, smb, etc. services are running in parallel on the same public IP; this is
because of the port forwarding. We have also observed the same IP list with different ports as C&C.

IOCs:

Conclusion
Emotet malware spreads primarily via spam mail that uses social engineering tricks to phish the user easily. The
infection can be spread via a malicious script, a macro-enabled document file, or a malicious link. It also uses
templates of genuine companies like Amazon, Vodafone etc. to look like a legitimate email and lure users into clicking
the malicious files. The language of these templates follows the country: for German clients it sends mail in German.
Quick Heal provides multilayered protection against each layer of the Emotet campaign.
Security measures to follow:
• Don’t open any link in the mail body sent by an unknown source.
• Don’t download attachments received by an untrusted source.
• Always turn on email protection of your antivirus software.
• Don’t enable ‘macros’ or ‘editing mode’ upon execution of the document.

Subject Matter Experts:


Bajrang Mane, Vallabh Chole, Preksha Saxena, Prakash Galande | Quick Heal Security Labs

