ExecuteMalware

2019-02-04 Emotet Notes

Feb 4th, 2019
All Word documents used the blue document template (the same one used for the XML documents last week).
However, the documents are now actual Word documents (we saw them change back from XML last Friday).
In Word, I could not edit the macros - I got a MsgBox named "Project Locked" with the text: "project is unviewable".
I can edit them with LibreOffice, though.
The command text is now being stored in a textbox on a UserForm.
There is very little obfuscation being used today.
Basically, you just have to remove the string "0-1427288548-2036816420" and you're left with the full command string.
The threat actors are using a "," instead of a "@" to split the URLs in the PowerShell cmdlet.
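A small triage helper, added here as an example and not part of ExecuteMalware's notes: it strips the junk string named above from a UserForm textbox value and pulls the payload URLs out of the recovered command, splitting the URL list on the "," separator the notes mention (with "@" kept as an option for the older variant). The PowerShell-like shape of the sample textbox text is an assumption made for illustration; only the junk token, the separator and the URLs come from the notes above.

```python
import re
from typing import Dict, List

# Junk string the notes say must be removed to recover the command (from the page).
JUNK = "0-1427288548-2036816420"

# Constructed sample of a UserForm textbox value. The surrounding PowerShell
# syntax is an assumption for illustration only; the junk token is scattered
# through the text, including inside words, as the notes describe.
SAMPLE_TEXTBOX = (
    "powers" + JUNK + "hell -w hidden -c "
    + "$u='http://afshari.yazdvip.ir/wp-admin/VsgZpwNmzcAkI_zx,"
    + JUNK + "http://bay4bay.pl/vHVG8NNw7vKlbR_T6ugHFgU8,"
    + "http://tocsm.ru/qhoEiJLwyNt'.Split(" + JUNK + "',')"
)

# A URL runs until whitespace or a quote; the list separator is kept inside the
# match so that the whole quoted list is captured and split afterwards.
URL_RE = re.compile(r"""https?://[^\s'"]+""")


def deobfuscate(textbox: str, junk: str = JUNK) -> str:
    """Remove every occurrence of the junk string; per the notes that is all
    today's samples need to yield the full command string."""
    return textbox.replace(junk, "")


def extract_urls(command: str, separator: str = ",") -> List[str]:
    """Return the payload URLs found in a command string.

    The URL list is one quoted string with URLs joined by `separator`
    ("," in these samples, "@" in earlier Emotet variants), so each regex hit
    is split on the separator and only parts that are URLs are kept.
    """
    urls: List[str] = []
    for hit in URL_RE.findall(command):
        for part in hit.split(separator):
            if part.startswith("http"):
                urls.append(part)
    return urls


def triage(textbox: str) -> Dict[str, object]:
    """Deobfuscate and extract in one step; the URL list is what feeds a
    blocklist or IoC report."""
    command = deobfuscate(textbox)
    return {"command": command, "urls": extract_urls(command)}


if __name__ == "__main__":
    result = triage(SAMPLE_TEXTBOX)
    print(result["command"])
    for url in result["urls"]:
        print("payload url:", url)
```

Running the extractor on the raw textbox value instead of the deobfuscated one silently loses any URL that has the junk token glued to its front, which is why the junk removal must come first.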

Word Document File Hashes
317dc1f953270002b2f5a18defd88b97
530639fe9060a2199b0d23e11df3509a
571ae3bd0edacc518f3614fd20d529f3
edcd5e893ca1f097ff671e0226507026

Payload URLs
http://afshari.yazdvip.ir/wp-admin/VsgZpwNmzcAkI_zx
http://bay4bay.pl/vHVG8NNw7vKlbR_T6ugHFgU8
http://bitkiselzayiflamailaci.com/JJfY1hQimJW
http://docksey.com/DpHBOIye11aSt_URbWd
http://estacaogourmetrs.com.br/WZQNvgEhdko3
http://kewagamangdentalclinic.co.bw/9itJUnRGTnK_5WKJryG
http://mupsever.ru/Gnq1HQqJnjUlw2
http://restauranthub.co.uk/kfr6hGSJtB_8F0
http://tocsm.ru/qhoEiJLwyNt
http://www.swisscasinoonline.net/5KfFnVqCDl