{"id":91068,"date":"2022-10-18T12:15:52","date_gmt":"2022-10-18T06:45:52","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=91068"},"modified":"2023-06-17T16:46:09","modified_gmt":"2023-06-17T11:16:09","slug":"a-deep-dive-into-new-64-bit-emotet-modules","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/a-deep-dive-into-new-64-bit-emotet-modules\/","title":{"rendered":"A DEEP DIVE INTO NEW 64 BIT EMOTET MODULES"},"content":{"rendered":"

Emotet<\/a> is usually delivered by SPAM campaigns containing document files. This self-propagating Trojan is a downloader malware that typically downloads and executes additional payloads. Around Jan 2021, Emotet\u2019s operations were reportedly shut down. However, it has shown its appearance again by the end of 2021. In recent months, Emotet seems to have shifted to 64 bit. This blog will focus on analyzing the new variant and its differences from the previous cosmetic versions.<\/p>\n

ANALYSIS (Latest variant) and Differences from previous versions<\/strong>:<\/strong><\/h3>\n

Let us analyse the latest variant of Emotet having MD5 da045fce83afdcb9920a0a38b279d33d. Here, we can easily find that the first export function is being used.<\/p>\n

\"\"<\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Fig: 1 DLL export functions (64bit latest)<\/em><\/strong><\/p>\n

The below image shows a Delphi compiled file having high entropy in the resource section having encrypted data.<\/p>\n

\"\"<\/p>\n

\u00a0 \u00a0 \u00a0Fig: 2 Resource encrypted data<\/em><\/strong><\/p>\n

Given below is an image containing data stored in variables. These values are copied onto the stack.<\/p>\n

\"\"<\/p>\n

Fig: 3<\/em><\/strong> Encrypted Data stored as variables<\/em><\/strong><\/p>\n

This data is decrypted into shell code in the virtually allocated memory, as shown in the image below:<\/p>\n

\"\"<\/p>\n

Fig: 4<\/em><\/strong> Decryption loop<\/strong><\/em><\/p>\n

Decrypted shell code<\/strong><\/h3>\n

\"\"<\/p>\n

Fig: 5 Decrypted shell code<\/em><\/strong><\/p>\n

This shellcode loads the DLL and APIs to be used further.<\/p>\n

\"\"<\/p>\n

Fig: 6 shellcode loads the DLL and APIs<\/em><\/strong><\/p>\n

The encrypted data in the resource section is now decrypted and forms a PE file. Given below is the decryption loop<\/a> related to the same.<\/p>\n

\"\"<\/p>\n

Fig:<\/em><\/strong> 7 Decryption loop<\/em><\/strong><\/p>\n

Given below is the decrypted inner file<\/p>\n

\"\"<\/p>\n

Fig:<\/em><\/strong> 8 Decrypted inner file<\/em><\/strong><\/p>\n

This decrypted inner file is moved to another virtually allocated memory without PE Header. This memory is virtually protected.<\/p>\n

\"\"<\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0Fig: 9 File without PE header<\/strong><\/em><\/p>\n

Let us now explore the inner DLL. This has only one export function.<\/p>\n

\"\"<\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0Fig:<\/em><\/strong> 10 Inner DLL\u00a0<\/em><\/strong><\/p>\n

This Dll is executed by calling the loader Dll\u2019s 1st<\/sup> export, which indirectly calls the inner Dlls 1st <\/sup>export function.<\/p>\n

\"\"<\/p>\n

Fig: 11 Dlls 1st <\/sup>export function.<\/em><\/strong><\/p>\n

Here we witness that the highlighted statement [rsp+20] points to Inner DLL’s 1st export, showed in the above figure (Function RVA from CFF)<\/p>\n

This DLL uses Control Flow flattening and API hashing to make reverse engineering difficult.<\/p>\n

In this technique, the code is flattened by several instructions placed inside a loop within a single switch statement that controls the program flow.<\/p>\n

\"\"<\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0Fig:<\/em><\/strong> 12 Control Flow Flattening Technique<\/em><\/strong><\/p>\n

It creates the copy of the loader dll (MD5:da045fce83afdcb9920a0a38b279d33d) with a random name in %Appdata% inside a random named folder and subsequently executes from that location.<\/p>\n

By setting up a breakpoint on\u00a0jmp rax<\/strong>, we could fetch all the C2s and the APIs, which are decrypted runtime (present hardcoded inside the file) used in the entire communication.<\/p>\n

These new Emotet samples use Bcrypt cryptography functions, which are part of bcrypt.dll. The earlier variants used advapi32.dll Crypt functions.<\/p>\n

The malware collects information such as Computer name, Volume ID, Version info, Execution path, etc., and sends it to C2. This data transmitted is encrypted via ECC (Elliptic Curve Cryptography) Algorithm. In the earlier samples, RSA was used.<\/p>\n

Looking at the key, we identified that this sample belongs to Epoch5, which has a common key for encryption in all the samples. Let us now look at the encryption process and C2 Communication:<\/p>\n

    \n
  1. BCryptFinalizeKeyPair<\/strong>: Keypair of ECC is finalized<\/li>\n
  2. BCryptExportKey<\/strong>: Generated key is exported to the memory blob<\/li>\n
  3. BCryptSecretAgreement<\/strong>: AES key is generated based on the Secret agreement between malware and C2<\/li>\n
  4. BCryptDeriveKey<\/strong>: Derives a key from secret agreement value using SHA256 as KDF<\/li>\n
  5. BCryptGetProperty<\/strong>: Retrieves a property for a CNG object<\/li>\n
  6. BCryptImportKey<\/strong>: To import the key from the memory blob<\/li>\n
  7. BCryptCloseAlgorithmProvider<\/strong>: Closes the handle of the Algorithm provider<\/li>\n
  8. BCryptDestroySecret<\/strong>: Secret is destroyed generated from BCryptSecretAgreement
    \n\"\"<\/li>\n<\/ol>\n

    \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Fig:<\/em><\/strong> 13 ECDH Public key<\/em><\/strong><\/p>\n

    Summarizing the steps: <\/strong><\/h3>\n
      \n
    1. EDCH(ECK1 Curve) public key is decrypted and used for encryption of data sent, and ECDSA(ECS1 curve) is used for data verification<\/li>\n
    2. A secret agreement is generated between malware and C2. This agreement value is created from the Public and private key of ECDH<\/li>\n
    3. AES key is derived from a secret agreement value by using SHA 256 as KDF<\/li>\n
    4. Now the message to be sent is constructed, and a hash value is generated.<\/li>\n
    5. The hash value, along with the message, is then encrypted by AES256<\/li>\n
    6. The data consisting of ECK1 public key, AES data, and random bytes are then base64 encoded and sent.<\/li>\n<\/ol>\n

      \"\"<\/p>\n

      Fig:<\/em><\/strong> 14<\/em><\/strong><\/p>\n

      \u00a0<\/strong>Decrypted C2 List:<\/strong><\/h3>\n

      103[.]8[.]26[.]17<\/p>\n

      134[.]122[.]119[.]23<\/p>\n

      103[.]133[.]214[.]242<\/p>\n

      93[.]104[.]209[.]107<\/p>\n

      37[.]44[.]244[.]177<\/p>\n

      196[.]44[.]98[.]190<\/p>\n

      116[.]124[.]128[.]206<\/p>\n

      88[.]217[.]172[.]165<\/p>\n

      62[.]171[.]178[.]147<\/p>\n

      185[.]148[.]168[.]220<\/p>\n

      103[.]85[.]95[.]4<\/p>\n

      195[.]77[.]239[.]39<\/p>\n

      159[.]69[.]237[.]188<\/p>\n

      190[.]90[.]233[.]66<\/p>\n

      85[.]214[.]67[.]203<\/p>\n

      217[.]182[.]143[.]207<\/p>\n

      203[.]153[.]216[.]46<\/p>\n

      103[.]42[.]58[.]120<\/p>\n

      59[.]148[.]253[.]194<\/p>\n

      68[.]183[.]91[.]111<\/p>\n

      110[.]235[.]83[.]107<\/p>\n

      54[.]38[.]242[.]185<\/p>\n

      85[.]25[.]120[.]45<\/p>\n

      37[.]59[.]209[.]141<\/p>\n

      54[.]37[.]106[.]167<\/p>\n

      103[.]41[.]204[.]169<\/p>\n

      66[.]42[.]57[.]149<\/p>\n

      175[.]126[.]176[.]79<\/p>\n

      54[.]37[.]228[.]122<\/p>\n

      87[.]106[.]97[.]83<\/p>\n

      45[.]71[.]195[.]104<\/p>\n

      195[.]154[.]146[.]35<\/p>\n

      139[.]196[.]72[.]155<\/p>\n

      36[.]67[.]23[.]59<\/p>\n

      5[.]56[.]132[.]177<\/p>\n

      202[.]134[.]4[.]210<\/p>\n

      78[.]46[.]73[.]125<\/p>\n

      202[.]29[.]239[.]162<\/p>\n

      210[.]57[.]209[.]142<\/p>\n

      118[.]98[.]72[.]86<\/p>\n

      207[.]148[.]81[.]119<\/p>\n

      68[.]183[.]93[.]250<\/p>\n

      103[.]56[.]149[.]105<\/p>\n

      178[.]62[.]112[.]199<\/p>\n

      54[.]38[.]143[.]246<\/p>\n

      51[.]68[.]141[.]164<\/p>\n

      104[.]248[.]225[.]227<\/p>\n

      78[.]47[.]204[.]80<\/p>\n

      202[.]28[.]34[.]99<\/p>\n

      188[.]225[.]32[.]231<\/p>\n

      194[.]9[.]172[.]107<\/p>\n

       <\/p>\n

      IOC<\/strong><\/h3>\n

      da045fce83afdcb9920a0a38b279d33d<\/p>\n

      Detections<\/strong><\/h3>\n

      Trojan.Emotet.S28135758<\/p>\n

       <\/p>\n

      Conclusion:<\/strong><\/h3>\n

      Emotet has now evolved and has become more potent after its comeback. Among other things, it has switched from 32 bit to 64 bit, used CFF along with API hashing, and changed its encryption mechanism<\/a> from RSA to ECC. It has also used Crypt APIs from bcrypt.dll, whereas earlier, it was using ADVAPI.DLL. It is one of the top malware that path to further additional malware.<\/p>\n

       <\/p>\n","protected":false},"excerpt":{"rendered":"

      Emotet is usually delivered by SPAM campaigns containing document files. This self-propagating Trojan is a downloader malware that typically downloads and executes additional payloads. Around Jan 2021, Emotet\u2019s operations were reportedly shut down. However, it has shown its appearance again by the end of 2021. In recent months, Emotet seems to have shifted to 64 […]<\/p>\n","protected":false},"author":85,"featured_media":91104,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1739,1671,24,75,1],"tags":[534,1615,1918,49,80,50],"class_list":["post-91068","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-encryption","category-malware","category-microsoft-windows","category-uncategorized","tag-cybersecurity","tag-emotet","tag-infosec","tag-malware","tag-quick-heal","tag-ransomware"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/91068"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/85"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=91068"}],"version-history":[{"count":15,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/91068\/revisions"}],"predecessor-version":[{"id":91755,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/91068\/revisions\/91755"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/91104"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=91068"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=91068"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=91068"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}