Emotet Banker (SAMPLE 2, Malware)


    Source address: localnet

    Destination address: externalnet (see below for full list)

    Source port: ephemeral

    Destination port: 

    • tcp/449
    • tcp/443
    • tcp/8080
    • tcp/80
    • tcp/8082
    • tcp/7080
    • tcp/447
    • tcp/8443
    • tcp/1900
    • tcp/6771

    Content: GET /wp-admin/verif.myaccount.send.com/ HTTP/1.1\r\n… (among many, many others)

    SAMPLE 2: 2019-03-14-Emotet-with-Trickbot-infection-traffic.pcap

    DESCRIPTION

    This threat is delivered by spearphishing: a malicious Word document is sent to unsuspecting victims. In the capture, the document is served with the following HTTP response:

    HTTP/1.1 200 OK
    Date: Thu, 14 Mar 2019 20:56:49 GMT
    Content-Type: application/msword
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: 5c8ac0117776b=1552597009; expires=Thu, 14-Mar-2019 20:57:49 GMT; Max-Age=60; path=/
    Cache-Control: no-cache, must-revalidate
    Pragma: no-cache
    Last-Modified: Thu, 14 Mar 2019 20:56:49 GMT
    Expires: Thu, 14 Mar 2019 20:56:49 GMT
    Content-Disposition: attachment; filename="Receipt_201903_927098.doc"
    Content-Transfer-Encoding: binary
    Server: Nginx
    X-Powered-By: VPSSIM
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
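    The indicator block at the top of this page (destination ports, the /wp-admin/ GET path) and the response above (application/msword body, Content-Disposition attachment with a .doc filename) are enough to write a small transaction scorer. The following is an added example, not MixMode's detection code: the indicator values are taken from this page, the response head is the one shown above, and the transaction records, IP addresses, function names and the alerting rule (a bare port hit on 80/443 is not an alert on its own) are constructed assumptions for the example.

```python
"""Score HTTP transactions against the Emotet indicators listed on this page.

Added example, not MixMode's code. Indicator values come from the page;
the transaction records below are constructed for illustration.
"""
import re
from collections import Counter

# Destination ports from the indicator block above. 80 and 443 are universal,
# so a port match alone is never treated as an alert (see is_alert).
EMOTET_PORTS = {449, 443, 8080, 80, 8082, 7080, 447, 8443, 1900, 6771}

# The sample's request path is /wp-admin/<hostname-looking component>/.
# This generalises that one observed path; the page says there are many others.
SUSPICIOUS_PATH_RE = re.compile(r"^/wp-admin/[^/\s]+\.[a-z]{2,}/?$")

# Response head captured in the sample (copied from the page, abbreviated).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 14 Mar 2019 20:56:49 GMT\r\n"
    "Content-Type: application/msword\r\n"
    "Transfer-Encoding: chunked\r\n"
    'Content-Disposition: attachment; filename="Receipt_201903_927098.doc"\r\n'
    "Server: Nginx\r\n"
    "X-Powered-By: VPSSIM\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Split a raw HTTP response head into (status_line, {lowercase name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate junk lines; this is not a strict parser
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def attachment_filename(disposition):
    """Pull the filename out of a Content-Disposition value, or None."""
    m = re.search(r'filename\*?=\s*"?([^";]+)"?', disposition or "")
    return m.group(1).strip() if m else None


def score_transaction(tx):
    """Return the list of indicator names a transaction matches, in fixed order.

    tx: dict with dst_ip (str), dst_port (int), request_line (str), response (str).
    """
    hits = []
    if tx["dst_port"] in EMOTET_PORTS:
        hits.append("dst_port")
    parts = tx["request_line"].split()
    if len(parts) >= 2 and parts[0] == "GET" and SUSPICIOUS_PATH_RE.match(parts[1]):
        hits.append("wp-admin-path")
    _, hdrs = parse_headers(tx["response"])
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    fname = (attachment_filename(hdrs.get("content-disposition")) or "").lower()
    if ctype == "application/msword":
        hits.append("msword-body")
    if fname.endswith((".doc", ".docm", ".dot")):
        hits.append("doc-attachment")
    if fname.endswith(".exe"):
        hits.append("exe-attachment")  # page: updated executables pulled from WP hosts
    return hits


def is_alert(hits):
    """A port match alone is noise; anything content-based is worth an alert."""
    return bool(set(hits) - {"dst_port"})


def alert_counts(transactions):
    """Count alerting transactions per destination IP (cf. the IP table below)."""
    return Counter(tx["dst_ip"] for tx in transactions if is_alert(score_transaction(tx)))


# Constructed transactions (RFC 5737 documentation addresses, not real C2).
TRANSACTIONS = [
    {"dst_ip": "203.0.113.10", "dst_port": 80,
     "request_line": "GET /wp-admin/verif.myaccount.send.com/ HTTP/1.1",
     "response": SAMPLE_RESPONSE},
    {"dst_ip": "198.51.100.7", "dst_port": 443,
     "request_line": "GET /index.html HTTP/1.1",
     "response": "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"},
    {"dst_ip": "203.0.113.10", "dst_port": 8082,
     "request_line": "GET /update.bin HTTP/1.1",
     "response": ("HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                  'Content-Disposition: attachment; filename="update.exe"\r\n\r\n')},
]

if __name__ == "__main__":
    for tx in TRANSACTIONS:
        hits = score_transaction(tx)
        print(tx["dst_ip"], tx["dst_port"], hits, "ALERT" if is_alert(hits) else "")
    print(alert_counts(TRANSACTIONS))
```

    The first record reproduces the sample and matches all four document-delivery indicators; the second is ordinary HTTPS browsing and only trips the port list, which is deliberately not enough to alert; the third models the executable update the page describes. In practice the same scorer would be fed from a proxy or Zeek http.log rather than from an inline list.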

    GENERAL NOTES

    The infected doc sets up a trojan that communicates with a very large array of C2 servers. They are geographically dispersed, and obviously target financial victims. This dropper reaches out to several servers, a number of which grab an updated executable that installs a lightly detected piece of ransomware. Emotet has been around since 2018, but it has grown from simply stealing and exfiltrating passwords to a full-featured, complex ransomware campaign.

    MIXMODE ANALYSIS

    Emotet has recently updated itself to a full-blown ransomware campaign. The latest version, currently active, is caught by MM in a number of dimensions.

    The executables this version of Emotet is downloading now (the campaign is still live) are part of a ransomware campaign. The updated executables are being downloaded from hacked WordPress servers located all over the world.

    This version of Emotet uses compromised WordPress websites to host update executable files. This one updates from a WP site located in Quebec, which is almost certainly compromised and not part of the campaign on purpose. In addition to the installation, persistence, and beaconing, MM detects the data exfiltration as well. Several big named security suites fail to detect this campaign, according to VirusTotal.

    If we look closely at the logs, we find the username and password of one of the campaign members, located in Jakarta. A member of this gang goes by the handle tim@pookiedookie.com, and his password is P@ssw0rd123$.

    Geographic Distribution

    Country           Connection Count
    Brazil            21648
    n/a               12591
    United States     4924
    France            3445
    Romania           2583
    Indonesia         1845
    Colombia          1601
    Hong Kong         1599
    Argentina         1231
    Latvia            985
    United Kingdom    984
    Germany           861
    Mexico            739
    Japan             738
    Netherlands       738
    Russia            738
    Canada            615
    Peru              492
    Ecuador           246
    India             246
    Qatar             246
    Singapore         246

    IP Address Counts

    IP Address         Connection Count
    179.189.241.254    23284
    51.255.50.164      6336
    103.119.144.250    4123
    82.78.228.57       3971
    173.50.48.59       2656
    112.120.68.71      1727
    173.248.147.186    1320
    187.207.188.248    1188
    190.146.86.180     1188
    10.3.14.1          1070
    94.140.125.199     1064
    66.209.69.165      793
    138.68.139.199     792
    144.76.117.247     792
    188.68.211.212     792
    190.117.206.153    792
    219.94.254.93      792
    91.205.215.57      792
    181.16.4.180       660
    181.61.221.146     660
    192.155.90.90      660
    192.163.199.254    660
    50.246.45.249      660
    139.59.19.157      528
    178.78.64.80       528
    186.3.188.74       528
    190.146.214.85     528
    190.15.198.47      528
    35.182.171.82      528
    50.19.247.198      399
    190.210.3.93       396
    45.32.117.41       396
    181.29.214.233     264
    186.137.133.132    264
    23.254.203.51      264
    5.9.128.163        264
    70.184.97.144      264
    70.28.3.120        264
    71.11.157.249      264
    72.47.248.48       264
    89.211.193.18      264
