Monday, 09 May 2022 06:50:00 (UTC/GMT)
This video covers a life cycle of an Emotet infection, including initial infection, command-and-control traffic,
and spambot activity sending emails with malicious spreadsheet attachments to infect new victims.
The video was recorded in a Windows Sandbox in order to avoid accidentally infecting my Windows PC with malware.
Palo Alto's Unit 42 sent out a tweet with screenshots and IOCs from an Emotet infection in early March.
A follow-up tweet by Brad Duncan linked to a PCAP file containing network traffic from the infection on Malware-Traffic-Analysis.net.
Image: Screenshot of original infection email from Unit 42
Attachment MD5: 825e8ea8a9936eb9459344b941df741a
The PCAP from Malware-Traffic-Analysis.net shows that the Excel spreadsheet attachment caused the download of a DLL file classified as Emotet.
CapLoader transcript of Emotet download
Just seconds after the Emotet DLL download completes, the victim machine starts communicating with an IP address classified as a botnet command-and-control server.
Image: Emotet C2 sessions in
C2 IP: 220.127.116.11
C2 IP: 18.104.22.168
C2 IP: 22.214.171.124
The victim PC eventually started sending out spam emails.
The spam bot used TLS encryption when possible, either through SMTPS (implicit TLS) or with help of STARTTLS (explicit TLS).
Image: Emotet spambot JA3 hash in
SMTPS JA3: 37cdab6ff1bd1c195bacb776c5213bf2
STARTTLS JA3: 37cdab6ff1bd1c195bacb776c5213bf2
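The two JA3 hashes above are identical because JA3 is computed only from the fields of the TLS ClientHello, so it does not matter whether the session was opened as SMTPS or upgraded with STARTTLS. As an added example (not code from the Netresec post or from CapLoader/NetworkMiner), the following Python parses a ClientHello and builds the JA3 string and its MD5, filtering GREASE values the way JA3 does. The ClientHello bytes are constructed for the example and the function names are mine.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are excluded from JA3 so randomised junk does not change the hash
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}

def _u16s(data):
    """Split a big-endian byte string into 16-bit ints, dropping GREASE values."""
    vals = struct.unpack(">%dH" % (len(data) // 2), data)
    return [v for v in vals if v not in GREASE]

def ja3_from_client_hello(record):
    """Return (ja3_string, ja3_md5) for one TLS record carrying a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9                                   # skip record (5) + handshake (4) headers
    version = struct.unpack(">H", record[pos:pos + 2])[0]; pos += 2
    pos += 32                                 # client random
    pos += 1 + record[pos]                    # session id (length-prefixed)
    n = struct.unpack(">H", record[pos:pos + 2])[0]; pos += 2
    ciphers = _u16s(record[pos:pos + n]); pos += n
    pos += 1 + record[pos]                    # compression methods (length-prefixed)
    end = pos + 2 + struct.unpack(">H", record[pos:pos + 2])[0]; pos += 2
    exts, curves, formats = [], [], []
    while pos < end:
        etype, elen = struct.unpack(">HH", record[pos:pos + 4]); pos += 4
        body = record[pos:pos + elen]; pos += elen
        if etype in GREASE:
            continue
        exts.append(etype)
        if etype == 10:                       # supported_groups: 2-byte list length, then groups
            curves = _u16s(body[2:])
        elif etype == 11:                     # ec_point_formats: 1-byte list length, then formats
            formats = list(body[1:])
    dash = lambda xs: "-".join(str(x) for x in xs)
    ja3 = ",".join([str(version), dash(ciphers), dash(exts), dash(curves), dash(formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()

def _ext(etype, body):
    return struct.pack(">HH", etype, len(body)) + body

def build_sample_client_hello():
    """Constructed ClientHello (not from the PCAP) with GREASE values that JA3 must ignore."""
    sni = b"mail.example.com"
    body = struct.pack(">H", 0x0303) + b"\x11" * 32 + b"\x00"          # TLS 1.2, random, empty session id
    suites = struct.pack(">5H", 0x0a0a, 0x1301, 0x1302, 0xc02b, 0xc02f)
    body += struct.pack(">H", len(suites)) + suites + b"\x01\x00"       # suites + null compression
    exts = _ext(0, struct.pack(">HBH", len(sni) + 3, 0, len(sni)) + sni)  # server_name
    exts += _ext(0x0a0a, b"")                                          # GREASE extension
    exts += _ext(10, struct.pack(">4H", 6, 0x0a0a, 0x001d, 0x0017))    # x25519, secp256r1
    exts += _ext(11, b"\x01\x00")                                      # uncompressed points
    body += struct.pack(">H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs
```

Running `ja3_from_client_hello(build_sample_client_hello())` on the constructed hello yields the JA3 string `771,4865-4866-49195-49199,0-10-11,29-23,0`; the same string, and therefore the same hash, would come out whether that hello was sent over SMTPS or after STARTTLS.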
Below is a spam email sent from the victim PC without TLS encryption.
The attached zip file contains a malicious Excel spreadsheet, which is designed to infect new victims with Emotet.
Image: Spam email extracted from Emotet PCAP with
.zip Attachment MD5: 5df1c719f5458035f6be2a071ea831db
.xlsm Attachment MD5: 79cb3df6c0b7ed6431db76f990c68b5b
Network Forensics Training
If you want to learn additional techniques for analyzing network traffic, then take a look at our upcoming network forensic trainings.
Posted by Erik Hjelmvik on Monday, 09 May 2022 06:50:00 (UTC/GMT)