During this scenario, we will work with EMOTET malware. You can watch our video version of this Hacks Weekly episode to see the whole process of infecting the endpoint with this malware.
Our first step is searching for all processes that the EMOTET malware executes. In the bottom right corner of the AnyRun interface, you can find the Processes section. There you can see that the EMOTET document was opened by MS Word. You can also confirm it by watching the embedded video. What is more, you can see that a PowerShell process was started, as well as something called easywindow.exe, flagged as EMOTET.
We can check what is inside the command that was triggered. In this case, we open the PowerShell process and click on More Info. If you scroll a little bit to the bottom, you can find the Command line, where you can see that it runs powershell -enco (an abbreviation of the -EncodedCommand switch). Here you have the Base64 string that was actually run. We can copy that string and open the website base64decode.org, where we can paste it, select the AUTO-DETECT mode and, next, click DECODE. Here you can see the decoded command that was run with PowerShell.
If you feel comfortable with advanced PowerShell scripts, you can also analyze step by step what has happened here as we can find here the URLs and some other commands.
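As an added worked example (not part of the episode and not ANY.RUN code), this Python script performs the decoding step described above offline: it extracts the Base64 blob after the -enco switch, decodes it as the UTF-16LE text that PowerShell's -EncodedCommand expects (which is why a plain Base64 decoder needs the auto-detect mode), and lists the URLs found in the script. The sample one-liner, its .invalid hostnames and the command line are constructed placeholders, not values from the real sample.

```python
import base64
import re

# Constructed stand-in for the decoded PowerShell one-liner described in the post.
# Hostnames use the reserved .invalid TLD; none of this comes from the real sample.
SAMPLE_SCRIPT = (
    "$urls = 'http://c2-placeholder-a.invalid/img/','http://c2-placeholder-b.invalid/wp-content/';"
    "$out = $env:TEMP + '\\284.exe';"
)

# Heuristic: the Base64 blob following an abbreviated -EncodedCommand switch (-e, -enc, -enco ...).
ENCODED_ARG_RE = re.compile(r"(?i)-e[a-z]*\s+([A-Za-z0-9+/=]{20,})")
URL_RE = re.compile(r"(?i)https?://[^\s'\"<>;,)]+")


def encode_powershell_command(script: str) -> str:
    """Build an -EncodedCommand value the way PowerShell expects: UTF-16LE text, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(b64: str) -> str:
    """Decode an -EncodedCommand blob. PowerShell uses UTF-16LE, so ASCII script text
    shows up as every second byte being NUL; detect that, otherwise fall back to UTF-8."""
    raw = base64.b64decode(b64)
    looks_utf16le = len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4
    if looks_utf16le:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def extract_urls(script: str) -> list[str]:
    """Pull the URLs out of the decoded script so they can be checked in other tools."""
    return URL_RE.findall(script)


def analyze_command_line(cmdline: str) -> dict:
    """Take a full process command line as shown in the sandbox and return the
    decoded script plus the URLs it references."""
    match = ENCODED_ARG_RE.search(cmdline)
    if not match:
        return {"encoded": False, "script": cmdline, "urls": extract_urls(cmdline)}
    script = decode_powershell_command(match.group(1))
    return {"encoded": True, "script": script, "urls": extract_urls(script)}


if __name__ == "__main__":
    # Constructed command line in the shape the post describes: powershell -enco <base64>
    cmdline = "powershell -enco " + encode_powershell_command(SAMPLE_SCRIPT)
    result = analyze_command_line(cmdline)
    print(result["script"])
    for url in result["urls"]:
        print("URL:", url)
```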
Next, we will go to another task within the AnyRun demo. We will try to find out more about the HTTP requests that the malware was sending. We'll need to focus on one particular process. This will be Process ID 3560, easywindow.exe, which was flagged as EMOTET. Let's click again on More info.
In the Events section, we can find an option to view HTTP requests. Open it. Here you can see that our malware was communicating with 4 IPs. We can see the URL and the type of each request.
In our video episode, you can see that there were four POST requests, but none of them got a response. You can check those IPs in other software. It is all up to you.
The next step is checking the host name to which the process was sending the HTTP requests mentioned above. What we can do is open a different process, in this case the PowerShell process. We'll also click on More info and we will see the HTTP requests here. As you can see in the video, we found the domain name blockchainjoblist.com. In this case, it was a GET request and we got a 200 OK response. You can also see that the executable was downloaded.
We can also see whether or not any files were modified by running this malware. You should go back, select the 284.exe process and go to More info. In the Events section, you can see that we have 1 modified file. Let's click on it and here you can see which executable it was.
In this case, it was easywindow.exe. We have seen it earlier, but this time we can confirm it for sure. We also have the MD5 hash ready to be searched in other tools. If we go back, we can also check which username ran the specific process. In this case, it was admin. We can also see the SID.
Thanks to our investigation, it turned out that every process was running from the admin account. However, in other cases, the accounts can differ within the whole infection process.
In this week's Hacks Weekly video we have learned how to utilize the AnyRun software to detonate malware samples and analyze their behaviour. It is a great way to perform dynamic malware analysis when you don't have your own malware detonation environment ready but need to quickly find out the details of a particular file.