Introduction

URLhaus is a great resource to check for malicious URLs associated with malware. I use it frequently to get a URL for a Word doc related to Emotet so I can generate a full chain of events for an Emotet infection. The flow chart for an Emotet infection looks like this:
I generated an Emotet infection on Monday 2020-01-27. This diary reviews traffic and malware associated with the infection.

Of note, you might see the terms epoch 1, epoch 2, or epoch 3 associated with information about Emotet. Each "epoch" identifies a botnet distributing Emotet. Epochs 1, 2, and 3 each have their own infrastructure, so Windows executable files and Word documents associated with Emotet should fall under one of these three epochs.

You might also see the term gtag associated with Trickbot. This is a tag used by Trickbot to identify the campaign distributing this family of malware. Currently, gtags starting with mor identify Trickbot distributed through an Emotet infection. On Monday 2020-01-27, we saw gtag mor84 for this Trickbot campaign. On Tuesday 2020-01-28, we should see gtag mor85.

Infection traffic

I saw infection traffic typical of Emotet and Trickbot infections. For anyone who keeps tabs on Emotet, this should be no surprise.

Indicators of compromise (IOCs)

The following are indicators from the Emotet and Trickbot infection I generated on Monday 2020-01-27:

HTTP request for the initial Word doc:
HTTPS traffic for Emotet binary after enabling Word macro:
Emotet post-infection traffic:
Trickbot post-infection traffic:
Malware info:

SHA256 hash: c963c83bc1fa7d5378c453463ce990d85858b7f96c08e9012a7ad72ea063f31e
SHA256 hash: 006d5fda899149df4cc5d6d1b1ae52e9fcc4ade7541c1dd4391e0429d843b4d5
SHA256 hash: dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740
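As an added example (not code from this diary or from abuse.ch), the script below does the URLhaus step described in the introduction offline: it parses rows in the layout of the URLhaus CSV feed, keeps the entries tagged as Emotet (or its alias Heodo) that point at a Word document and are still online, and defangs them in the hxxp and [.] style used for sharing indicators. The feed rows are constructed for the example, the column order is an assumption taken from the feed's header comment, and the query_tag_live helper uses the tag endpoint as described in the public URLhaus API documentation but is not exercised here.

```python
"""Pull candidate Emotet Word-document URLs out of a URLhaus feed.

Added example, not code from the ISC diary or from abuse.ch.
"""
import csv
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Iterable, List

# Family tags as URLhaus uses them; "heodo" is another name for Emotet.
EMOTET_TAGS = {"emotet", "heodo"}
DOC_SUFFIXES = (".doc", ".docm", ".dot", ".dotm")

# Column order is an assumption taken from the feed's own header comment;
# verify it against the header of the file you actually download.
FIELDS = ["id", "dateadded", "url", "url_status", "last_online",
          "threat", "tags", "urlhaus_link", "reporter"]

# Constructed sample rows for this example, not real URLhaus data.
SAMPLE_FEED = """\
# Constructed sample, not real URLhaus data.
# id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
"300001","2020-01-27 14:02:11","http://doc-host.example/wp-content/INV-2020-01-27.doc","online","2020-01-27 14:05:00","malware_download","doc,emotet,epoch2","https://urlhaus.abuse.ch/url/300001/","anonymous"
"300002","2020-01-27 13:50:03","http://stale.example/old/form.doc","offline","2020-01-27 13:50:03","malware_download","doc,emotet,epoch1","https://urlhaus.abuse.ch/url/300002/","anonymous"
"300003","2020-01-27 13:41:40","http://exe-host.example/bin/Axi1xeZ.exe","online","2020-01-27 13:45:00","malware_download","emotet,exe,epoch2","https://urlhaus.abuse.ch/url/300003/","anonymous"
"300004","2020-01-27 12:11:09","http://other.example/uploads/PAY.docm","online","2020-01-27 12:11:09","malware_download","heodo","https://urlhaus.abuse.ch/url/300004/","anonymous"
"300005","2020-01-27 11:58:30","http://trick.example/img/mor84.png","online","2020-01-27 12:00:00","malware_download","trickbot","https://urlhaus.abuse.ch/url/300005/","anonymous"
"""


@dataclass
class Entry:
    id: str
    dateadded: str
    url: str
    url_status: str
    threat: str
    tags: List[str]


def parse_feed(text: str) -> List[Entry]:
    """Parse feed rows, skipping '#' comment lines and rows with an unexpected column count."""
    rows = (line for line in text.splitlines() if line and not line.startswith("#"))
    entries = []
    for row in csv.reader(rows):
        if len(row) != len(FIELDS):
            continue  # a changed layout is skipped rather than mis-mapped onto FIELDS
        rec = dict(zip(FIELDS, row))
        tags = [t.strip().lower() for t in rec["tags"].split(",") if t.strip()]
        entries.append(Entry(rec["id"], rec["dateadded"], rec["url"],
                             rec["url_status"].lower(), rec["threat"], tags))
    return entries


def is_word_doc(entry: Entry) -> bool:
    """Tagged 'doc', or the URL path (query string ignored) has a Word extension."""
    path = urllib.parse.urlsplit(entry.url).path.lower()
    return "doc" in entry.tags or path.endswith(DOC_SUFFIXES)


def emotet_doc_urls(entries: Iterable[Entry], online_only: bool = True) -> List[Entry]:
    """Emotet-tagged Word-document entries, newest first."""
    hits = [e for e in entries
            if EMOTET_TAGS & set(e.tags) and is_word_doc(e)
            and (not online_only or e.url_status == "online")]
    return sorted(hits, key=lambda e: e.dateadded, reverse=True)


def defang(url: str) -> str:
    """Rewrite http(s)://host.tld/... as hxxp(s)://host[.]tld/... so it cannot be clicked by accident."""
    parts = urllib.parse.urlsplit(url)
    scheme = parts.scheme.replace("http", "hxxp")
    host = parts.netloc.replace(".", "[.]")
    return urllib.parse.urlunsplit((scheme, host, parts.path, parts.query, parts.fragment))


def query_tag_live(tag: str = "emotet", timeout: int = 20) -> dict:
    """Live lookup through the URLhaus API tag endpoint (POST form field 'tag'),
    per the public API documentation. Network call; not run in the offline example."""
    data = urllib.parse.urlencode({"tag": tag}).encode()
    req = urllib.request.Request("https://urlhaus-api.abuse.ch/v1/tag/", data=data)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for e in emotet_doc_urls(parse_feed(SAMPLE_FEED)):
        print(e.id, e.dateadded, ",".join(e.tags), defang(e.url))
```

Run as a script it prints only the two online Emotet document entries from the sample; the offline .doc and the Emotet .exe are dropped. The same request pattern applies to the API's payload endpoint (/v1/payload/, form field sha256_hash, per the public documentation) if you want to check the hashes listed above against URLhaus.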
Final words

Overall no surprises here, but a reminder of this activity is useful for people who don't normally investigate Emotet or Trickbot infections. An up-to-date Windows host with the latest version of Microsoft Office should not succumb to these sorts of infections. To infect a vulnerable computer, people would have to click through various warnings, and they would also need to bypass many of the default security settings in recent versions of Windows 10.

A pcap of the infection traffic and the associated malware can be found here.

--- Brad Duncan
Brad, ISC Handler, Jan 28th 2020
Comment, Jan 28th 2020
At least for ikosher.co[.]il one should note:
user@machine 09:13:04 ~> host ikosher.co.il
ikosher.co[.]il has address 104.28.6[.]44
ikosher.co[.]il has address 104.28.7[.]44
ikosher.co[.]il has IPv6 address 2606:4700:3036::681c[:]62c
ikosher.co[.]il has IPv6 address 2606:4700:3036::681c[:]72c
Anonymous