Neo23x0 / Raccine

A Simple Ransomware Vaccine
The Unlicense

Emotet obfuscation detection ideas to consider #38

Closed Omodaka9375 closed 3 years ago

Omodaka9375 commented 3 years ago

These are some of the techniques used in Emotet PowerShell to obfuscate the code to make the analysis difficult.

  1. Using ` or ^ (escape character) in front of a character with no change in the result when starting PowerShell from cmd.exe:

    • $YYU."DoWnlOadFIle"($asfc."ToStriNg"(), $SDC);
  2. Using iex alias to invoke the PowerShell command:

    • $env:comSpeC[4,26,25]-JoIn'') --> iex

    • "PowerShell ${ENV:comspeC}[4,26,25]-join' ' item (env:Opg).value)"

  3. Strings are concatenated using '+' to reduce readability:

    • '6 http'+':'+'//'+'a'+'lian'+'.'+'d'+'e'+'/'+'4wBY'+'ki/@'
  4. Strings encoded with ASCII codes, e.g. [chaR]34:

    • Replacing a garbage character: -repLACE '0mI',[chaR]96
  5. File downloader or string downloader in macro

Detection points:

  • ` , ^ or + for concatenation
  • env:comspec[4,26,25]
  • -rep /rep
  • DownloadFile, DownloadScript calls or http/s string in args
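The detection points listed above, turned into a small command-line scanner. This is an added example, not code from the issue and not Raccine's own rule set (which the maintainer's reply says will be YARA based); the rule names, the hit thresholds, the light normalisation step and the sample command lines are assumptions made for this illustration, and the host in the concatenated URL is the placeholder example.test.

```python
import re

# Light normalisation: undo the two cheapest obfuscation layers named in the issue
# (quoted-fragment concatenation and escape characters) so that the URL and
# method-name checks below see plain text. It is lossy on purpose: a backtick
# before "n" is also PowerShell's newline escape, but for detection we only need
# the letters to line up again.
def normalise(cmdline: str) -> str:
    text = re.sub(r"'\s*\+\s*'", "", cmdline)      # 'ab'+'cd'  ->  'abcd'
    text = re.sub(r"[`^](?=[A-Za-z])", "", text)   # Do`wn^load ->  Download
    return text

# (name, pattern, check the raw line instead of the normalised one, minimum hits)
# Rule names and thresholds are assumptions for this example, not Raccine's own rules.
RULES = [
    # three or more short single-quoted fragments glued together with '+'
    ("string_concat_chain",
     re.compile(r"(?:'[^']{0,8}'\s*\+\s*){3,}'"), True, 1),
    # backtick (PowerShell) or caret (cmd.exe) escapes in front of ordinary letters
    ("escape_char_abuse",
     re.compile(r"[`^][A-Za-z]"), True, 3),
    # $env:comspec[4,26,25] -join '' spells "iex" out of "C:\Windows\system32\cmd.exe"
    ("comspec_index_iex",
     re.compile(r"(?i)env:comspec\}?\s*\[\s*4\s*,\s*26\s*,\s*25\s*\]"), False, 1),
    # -replace (or the abbreviation -rep) swapping a marker string for a [char]NN code
    ("replace_with_char_code",
     re.compile(r"(?i)-rep\w*\s+[^,]+,\s*\[char\]\d+"), False, 1),
    # DownloadFile/DownloadScript as listed in the issue, plus DownloadString
    # (a System.Net.WebClient method); quoted method names are matched too
    ("download_method_call",
     re.compile(r"(?i)[\"']?download(?:file|script|string)[\"']?\s*\("), False, 1),
    # http(s) URL in the arguments, visible only after the concatenation is undone
    ("url_in_args",
     re.compile(r"(?i)https?://"), False, 1),
]

def scan(cmdline: str) -> list:
    """Return the names of the detection points that fire on one command line."""
    normalised = normalise(cmdline)
    hits = []
    for name, pattern, on_raw, min_hits in RULES:
        target = cmdline if on_raw else normalised
        if len(pattern.findall(target)) >= min_hits:
            hits.append(name)
    return hits

# Constructed sample command lines (not captured from real malware): the suspicious
# ones are built from the fragments quoted in the issue, with a placeholder host.
SAMPLES = {
    "quoted_download_method": '$YYU."DoWnlOadFIle"($asfc."ToStriNg"(), $SDC);',
    "comspec_index": "${ENV:comspeC}[4,26,25]-join' ' (item env:Opg).value",
    "concat_url": "$u = '6 http'+':'+'//'+'exa'+'mple'+'.'+'test'+'/'+'4wBY'+'ki/@'",
    "replace_char_code": "$s = $s -repLACE '0mI',[chaR]96",
    "benign_listing": "Get-ChildItem -Path C:\\Windows\\Temp -Recurse | Where-Object { $_.Length -gt 1MB }",
    "benign_single_concat": "$log = 'C:\\logs' + '\\app.log'",
}

def scan_samples() -> dict:
    """Run every sample through scan(); an empty list is the expected benign result."""
    return {label: scan(line) for label, line in SAMPLES.items()}

if __name__ == "__main__":
    for label, hits in scan_samples().items():
        print(f"{label:24} {'SUSPICIOUS' if hits else 'clean':10} {', '.join(hits)}")
```

The concatenation and escape-character rules deliberately run on the raw line, because normalisation removes exactly the artefacts they look for; the URL and method-name rules run on the normalised line, which is what lets a URL split into one-letter fragments still match `https?://`. The single `+` in the benign log-path sample stays below the three-fragment threshold, which is the kind of tuning a production rule needs to avoid flagging ordinary scripts.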

Neo23x0 commented 3 years ago

We'll implement these things using YARA in the future from v1 onwards.