A quick look at the current Emotet encoding

I have gone through several samples of this type of encoding today, but today's sample will be from ExecuteMalware (@executemalware), located here, and the Twitter reference is here.

Here we can see that only 3 of the URLs are displayed.

Anyrun-1

Emotet usually has 5 URLs, so where are they?

When we check the system, we find they are now dropping a .jse file instead of PowerShell.

Going through my samples, we find that they have used this style before; here is one reference from Twitter.

If we are in a hurry, we can get the script from anyrun.

We click on winword.exe and see this.

Anyrun-2

Then click on “more info” to see this.

Anyrun-3

Find and click on the .jse file to see this. There could be several files to scroll through before you see the .jse file.

Anyrun-4

Although this file is labeled as a .jse file, it is not “JScript Encoded” as it should be with that extension.

From previous research on the JSE and VBE encoding: if the script engine does not find the header values for the encoding, it will attempt to run the file as a normal script.

The script is unformatted to start with, so let's pretty it up and take a look at the parts we need.

The way this works is that it takes the array at the top, rotates the array some number of positions, and builds a new array. In the screenshot, the value it will use for the rotation is highlighted.

Script-1

This has looked pretty much the same in every version of this I have worked with.

The difference is that sometimes they will also “\x” hex-encode everything to make it more difficult to tell what it is doing.

The next thing we need to look for is the decoding function and the index values that will be replaced when the script is run.

Script-2

If we see just the function name and an index value, then the array entry will usually just get base64 decoded; the script then uses that index into the new array that was built to do the replacement.

In this case there are 2 values, and from experience I know this is an RC4 key for decoding the base64 + RC4 encoded values.

Here is the decode function, to verify whether it is using a Mod ( % 0x100 ) or an AND in the decoding.

Script-3

If we scroll down, they were nice enough to give us 3 of the URLs in plain text.

Script-4

So in order to extract the last 2 URLs you need to:

1: Reorder the array using the provided value.
2: Get a list of indexes and the key values.
3: Use a for-each loop of some kind and base64 decode -> RC4 decode for each index value, and output this to a decoded indexed list.
4: Locate and extract the last 2 URLs.
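The four steps above, carried out in Python as an added example (this is not the post's own tool or the sample's code). It assumes the array rotation is the usual `array.push(array.shift())` repeated n times, i.e. a left rotation, that the decoding function has already been renamed to plain `b(` as in the post, and that each call looks like `b(index, 'key')`. The string array and script body are constructed here with the same RC4 routine, not taken from the real sample; the `\x` unescape step covers the hex-encoded variant mentioned earlier, and the RC4 comments note the Mod versus AND point.

```python
import base64
import re


def rotate_array(arr, n):
    """Left-rotate by n: what n rounds of arr.push(arr.shift()) produce (assumed direction)."""
    n %= len(arr)
    return arr[n:] + arr[:n]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Indexes are reduced with % 0x100, the 'Mod' form;
    an AND with 0xFF gives the same result for the non-negative values used here."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + S[i] + key[i % len(key)]) % 0x100
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation + XOR
        i = (i + 1) % 0x100
        j = (j + S[i]) % 0x100
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) % 0x100])
    return bytes(out)


def unescape_hex(text):
    """Undo the optional \\xNN layer some variants wrap around everything."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)


# Decoding function renamed to plain b( as in the post; calls are b(index, 'key').
CALL_RE = re.compile(r"\bb\(\s*(\d+)\s*,\s*'([^']*)'\s*\)")
URL_RE = re.compile(r"https?://[^\s'\";,)\]]+")


def decode_entry(rotated, index, key):
    """Step 3 for one call: base64 decode the entry, then RC4 it with the call's key."""
    raw = base64.b64decode(rotated[index])
    return rc4(key.encode("latin-1"), raw).decode("latin-1")


def decode_calls(body, array, rotation):
    """Steps 1-3: {(index, key): decoded string} for every b() call in the body."""
    rotated = rotate_array(array, rotation)
    return {(int(i), k): decode_entry(rotated, int(i), k) for i, k in CALL_RE.findall(body)}


def rewrite_script(body, array, rotation):
    """Replace each b() call with its decoded JS string literal."""
    rotated = rotate_array(array, rotation)

    def repl(m):
        text = decode_entry(rotated, int(m.group(1)), m.group(2))
        return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"

    return CALL_RE.sub(repl, body)


def extract_urls(text):
    """Step 4: every http(s) URL in the rewritten script, in order of appearance."""
    return URL_RE.findall(text)


# ---- constructed sample (not from the real dropper); built with the same RC4 ----
ROTATION = 3
_PLAIN = [  # order the script indexes after rotation: (string, per-call key)
    ("WScript.Shell", "sh"),
    ("http://example.com/wp-admin/img/", "K1"),
    ("http://example.net/cgi-bin/up/", "K2"),
    ("GET", "g"),
]
_ENCODED = [base64.b64encode(rc4(k.encode(), t.encode())).decode() for t, k in _PLAIN]
# Stored array is rotated the other way, so ROTATION left-rotations restore _ENCODED.
SAMPLE_ARRAY = rotate_array(_ENCODED, len(_ENCODED) - ROTATION)
SAMPLE_BODY = unescape_hex(
    "var plain = ['http://example.org/one/', 'http://example.org/two/',\n"
    "             'http://example.org/three/'];\n"
    "var sh = new ActiveXObject(b(0, 'sh'));\n"
    "var more = [b(1, 'K1'), b(2, 'K2')];\n"
    "var verb = b(3, '\\x67');\n"             # key 'g' hidden behind \x hex encoding
)

if __name__ == "__main__":
    for (idx, key), value in decode_calls(SAMPLE_BODY, SAMPLE_ARRAY, ROTATION).items():
        print(f"b({idx}, '{key}') -> {value!r}")
    print(extract_urls(rewrite_script(SAMPLE_BODY, SAMPLE_ARRAY, ROTATION)))
```

Running the block prints the decoded indexed list and then all five URLs, three plain and the two recovered ones last. If a real sample rotates the other way, or names its function differently, only `rotate_array` and `CALL_RE` need to change.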

Using my tools, let's see how this works.

First of all, the function name for decoding is just “b(”. They are usually something like “_x4E349(” or similar.

So let's rename this to make sure my simple tool does not pick up the wrong thing.

Script-5

That is simple enough to make sure I don’t get something else with a lowercase b.

Script-6

Now we have a list with the index number and the key value.

Script-7

This tool here will do the reorder just before it tries to decode each value.

Now we can get the last 2 URLs from the file.

Now that we have the decoded list, if you are really motivated you can do the replacements and get a better understanding of what the script is doing.

One of the old tricks used to keep scripts from running was to change the program associated with the script extension.

Due to the limited use of the JSE and VBE file extensions, it “may” be safe to set the default program for these extensions to Notepad.

This should stop these from running and also alert the user that something is not right.
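A way to check whether that mitigation is actually in place on a Windows host, as an added example (not the post's tool). It reads the registry keys Explorer consults to pick a handler; the assumed layout is the per-user override under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\<ext>\UserChoice` (value `ProgId`), falling back to the default value of `HKCR\<ext>` for the ProgID and `HKCR\<ProgID>\shell\open\command` for the command line. An extension is flagged when its open command still runs wscript.exe or cscript.exe.

```python
import re

try:
    import winreg  # only present on Windows
except ImportError:
    winreg = None

SCRIPT_EXTENSIONS = (".jse", ".vbe")
# Handlers that would actually execute the script; after switching the
# association to Notepad these should no longer appear in the open command.
SCRIPT_HOSTS = re.compile(r"\b[wc]script\.exe\b", re.IGNORECASE)


def handler_is_script_engine(command):
    """True when an 'open' command line runs the file through Windows Script Host."""
    return bool(command) and SCRIPT_HOSTS.search(command) is not None


def _progid_for(ext):
    """ProgID Explorer will use: the per-user UserChoice first, then HKCR\\<ext>."""
    user_choice = (r"Software\Microsoft\Windows\CurrentVersion\Explorer"
                   r"\FileExts\%s\UserChoice" % ext)
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, user_choice) as key:
            return winreg.QueryValueEx(key, "ProgId")[0]
    except OSError:
        pass
    try:
        return winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, ext)
    except OSError:
        return None


def _open_command_for(progid):
    """Default value of HKCR\\<progid>\\shell\\open\\command, or None if absent."""
    try:
        return winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, progid + r"\shell\open\command")
    except OSError:
        return None


def audit_script_extensions(extensions=SCRIPT_EXTENSIONS):
    """Map each extension to (progid, command, runs_via_wsh); None when not on Windows."""
    if winreg is None:
        return None
    report = {}
    for ext in extensions:
        progid = _progid_for(ext)
        command = _open_command_for(progid) if progid else None
        report[ext] = (progid, command, handler_is_script_engine(command))
    return report


if __name__ == "__main__":
    result = audit_script_extensions()
    if result is None:
        print("winreg not available: run this on the Windows host being checked")
    else:
        for ext, (progid, command, runs) in result.items():
            status = "still executes via WSH" if runs else "does not launch WSH"
            print(f"{ext}: {progid!r} -> {command!r}: {status}")
```

The pure check `handler_is_script_engine` is separated from the registry reads so it can be exercised anywhere; the registry part only runs on the Windows host you are auditing.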

That’s it for this one.

If you have any questions you can get me on Twitter at @Ledtech3.

About pcsxcetrasupport3

My part-time business: I mainly do system building and system repair. Over the last several years I have been building system utilities in VBScript, HTA applications and VB.Net to be able to better find the information I need to understand the systems' problems, in order to get the systems repaired and back to my customers quicker.
This entry was posted in Malware, Programming, security.
