# [QuickNote] Emotet epoch4 & epoch5 tactics **[kienmanowar.wordpress.com/2022/01/23/quicknote-emotet-epoch4-epoch5-tactics/](https://kienmanowar.wordpress.com/2022/01/23/quicknote-emotet-epoch4-epoch5-tactics/)** January 23, 2022 [This article is based on samples collected by Mr. Brad Duncan through his excellent lab:](https://unit42.paloaltonetworks.com/author/bduncan/) [2022-01-20 (THURSDAY) – EMOTET EPOCH 4 AND EPOCH 5 INFECTIONS](https://www.malware-traffic-analysis.net/2022/01/20/index.html) **Emotet epoch4:** The time of the initial infection in the pcap file ( 2022-01-20-Emotet-epoch4-infection``` with-spambot-activity.pcap ) is around 2022-01-20 19:37 UTC, when the victim ``` clicks on the link in the spam mail, they will access the address ``` mangaloresoundandlights[.]com : ``` If the access is successful, the victim will be asked to download an Excel file similar to the image below (this file will have a random name after each access. As in Mr. Brad Duncan’s _summary, the file he downloaded has file name:_ `12772684608453.xls ):` ----- Analyzing the downloaded xls file, this file uses XLM macro, when the victim opens and allows macro for executing, it will call `mshta.exe to load the` `fe2.html` file at the address ``` hxxp://0xb907d607 : ``` [The host contains a hexadecimal representation of the IP address. Using CyberChef, I can](https://gchq.github.io/CyberChef/) converted the hexadecimal numbers to retrieve the real IP address: `185[.]7[.]214[.]7` The pcap file has result similar to the following: The above html file contains javascript, so `mshta.exe will execute this script:` ----- Javascript when executed will spawn Powershell process to download the `fe2.png file at` the same address. Based on the powershell command, it can be seen that the `png` file will also be a powershell script. Looking at the pcap file: Compare the content between the file provided by Mr. Brad Duncan and the file I downloaded: Based on the content of the png file, it can be seen that this powershell script will iterate all the list of urls and try download payload and save it under the name ``` "C:\Users\Public\Documents\ssd.dll" . If the download is successful, it will call rundll32.exe to execute ssd.dll . ``` I tried downloading the Dll from one of the urls in the `fe2.png file:` In the pcap file, the result is similar to the following: ----- From the Dll file provided by Mr. Brad Duncan as well as the Dll file that I downloaded, it is easy to unpack the [emotet core Dll:](https://www.virustotal.com/gui/file/931cf2ec23e034d8677c61e6be19ca79591a49c8a664d256f465a2d1e8331bd1) With Emotet’s core Dll unpacked, I can find and extract C2 configuration information as well as the keys used to encrypt traffic and verify data: [The results obtained are similar to the analysis at https://tria.ge/220121-wxp5xaafb2. As](https://tria.ge/220121-wxp5xaafb2) described by Mr. Brad Duncan, 33 minutes after the initial infection, the victim was turned into a spam-bot after being infected by the malware. **Emotet epoch5:** The time of the initial infection in the pcap file ( 2022-01-20-Emotet-epoch5-infection``` with-spambot-activity.pcap ) is around 2022-01-20 17:46 UTC, when the victim ``` clicks on the link in the spam mail, they will access the address `mt.yoshimax[.]net :` ----- At the time of blogging, this address is no longer accessible. Therefore, I will use the files that Mr. Brad Duncan provided for further analysis: Analyze excel file: `2022-01-20-Emotet-epoch5-Excel-file.bin . Similar to the above` epoch4, its macro code is as follows: The javascript in the file `2022-01-20-Emotet-epoch5-fe1.html.txt when executed will` spawn powershell process to download the png file (also a powershell script): The content of the file `fe1.png is as follows:` ----- Like above, this script also browses the urls to download the dll file and saves it as `sdc.dll . Then, call` `rundll32.exe` to execute the sdc.dll file saved at the path ``` "C:\Users\Public\Documents\ssd.dll" . ``` [Easily unpack to get Emotet core Dll:](https://www.virustotal.com/gui/file/03d9ed197cbb92759e7660668a99b11a7b4db66176f9a858cd233fc9148205bd/detection) ----- With Emotet’s core Dll unpacked, I can extract C2 configuration information as well as the keys used to encrypt traffic and verify data: [The results obtained are similar to the analysis at https://tria.ge/220123-j3vw5afeel. As](https://tria.ge/220123-j3vw5afeel) described by Mr. Brad Duncan, 26 minutes after the initial infection, the victim was turned into a spam-bot after being infected by the malware. **_Other notes:_** ----- I also observed another Emotet spam campaigns using octal representations of IP addresses, [the malicious Excel file also uses XML macro to run the malware once the](https://www.virustotal.com/gui/file/c376ffe4c231464c947bc77a323936d8eb64d85bcd1ddcd33bcc161dae53ef15/detection) document is opened and enabled by victim. With the help of [CyberChef we can decode this IP address:](https://gchq.github.io/CyberChef/) **Refs:** Regards, **m4n0w4r** [View at Medium.com](https://medium.com/threat-intel/emotet-dangerous-malware-keeps-on-evolving-ac84aadbb8de) -----