Planet Red

Emotet Malware Analysis

A video recorded in the ANY.RUN malware hunting service displays the execution process of Emotet, allowing to examine the behavior of this malware in a lot of detail.

emotet execution process tree

Figure 1: Displays the processes list generated by the ANY.RUN malware hunting service

text report of the Emotet analysis

Figure 2: Even more information about the execution of Emotet can be found in customizable text reports generated by ANY.RUN

Emotet execution process

Considering that the primary way in which the Emotet trojan is distributed is malicious email spam campaigns, the first step in the chain of infection involves tricking the potential victim into opening an attached Microsoft Office file using social engineering. After the file has been opened and macros enabled, there is no need for additional user actions. Downloaded files contain malicious VBA code which runs after a document has been opened. One of the possible options of the infection process is when the VBA code utilizes WMI to launch a Powershell script which downloads the payload – a malicious executable file from the webserver. Notably, the Powershell script is encoded. Emotet makes steps to maintain a presence in the infected system – it copies itself into %AppData% subfolders and changes the autorun value in the registry. Through all infection process, the malware sends information to and from a server. As the last execution step, Emotet waits for commands from C2 servers.

Prevention of Emotet attacks

To minimize the risk of Emotet virus infection and potential destruction if such infection does occur, users are advised to follow a set of standard best practices, such as not downloading files from suspicious emails and keeping an updated version of antivirus on the machine at all times.

For organizations, it is advised to restrict inbound SMB communication between client systems in order to prevent Emotet from spreading from one machine to another within the local network, provide security training for personnel and instruct employees about the danger of mail spam as well as take all possible precautions to filter out potentially malicious emails at firewall.

How does Emotet spread?

The main distribution method of Emotet malware is malicious email campaigns. The trojan uses it’s address book stealer module to pull the contacts from the email account of its victim and send itself to found contacts from the hijacked account.

Bearing in mind that potential victims are receiving an email from somebody they know and trust, Emotet has a very high chance of a successful attack. The received email usually contains a link to a malicious URL that downloads the malware when clicked. However, email spam is not the only distribution Method that this malware utilizes. It may also take advantage of certain Windows vulnerabilities, thus the malware can make it’s way into a machine completely “silently”, without the user ever knowing about it.

How to collect Emotet’s IOCs using ANY.RUN?

For your detailed Emotet malware analysis ANY.RUN’s “Fake Net” feature will be very useful. It intercepts HTTP requests and returns 404 error, forcing malware to reveal its C2 links.

To turn it on in “Advanced mode” of the “New task” window check the box next to the “Fake net” in the “Network” section.

fake net emotet

Figure 3: Run Emotet sample with turn on “Fake net” feature

Emotet malware is one of the most sophisticated and destructive trojans that are currently active. Since its first introduction all the way back in 2014, the malware has underground a substantial evolution gaining a lot of anti-evasion features, obtaining worm-like functionality and even changing the main focus from information-stealing to installing other trojans onto infected machines. Thanks to the ability to spread to adjacent systems, Emotet can easily infect all machines in a single network, making dealing with the consequences of an attack a true nightmare. The situation is further worsened by the fact that the malware is equipped with a series of anti-evasion tricks that make analyzing it quite difficult. As a result, the process of developing countermeasures is much more complicated in comparison to more simple and straightforward trojans.