Q&A How well are you protected against Emotet?

[McMcbrad]

@McMcbrad
Could I get a sample? I would like to test it against Dr.Web.

Hi, please make sure you install Oracle Java platform, as today I will be exploiting that. I want to make it a bit more difficult for security solutions.

https://www.java.com/en/download/

There is a high probability of failure, so please only test the sample in virtual environment. The malware that will be downloaded doesn't detect virtual machines and steals credentials stored in browsers.

Once you've downloaded that, please let me know. I'll generate a fresh sample.

Due to the quick reaction times I’ve observed from Microsoft Defender and Avast/AVG, I recommend that all samples are tested within few hours after being generated. Keeping them around for too long might produce unrealistic results.

 

[Nordman]

Once you've downloaded that, please let me know. I'll generate a fresh sample.

Done.

 

[Nordman]

Oh, Hi There.bat

@McMcbrad, thanks very much for providing the samples.

 

[McMcbrad]

After talking to Avast team about the whole attack scenario, this is what happens now.

Static scan detects nothing.

Upon execution, the chain is being held. Shortly after, behavioural blocker kicks in with 2 detections and terminates the process even before CMD could invoke PowerShell. Before, it was stopping them with the Web Blocker.

 

[Zartarra]

Hello @McMcbrad
Can I get also a sample? I would like to test it with Sophos home premium.

Thanks.

 

[Nagisa]

@McMcbrad Could I get the sample too?

 

[Andrew3000]

I'll join too. Can I receive the sample too?

 

[marcopaone]

Can I receive it too? thx

 

[YuanJiawj]

Can i have it too? Thanks in advance

Edge with Microsoft Defender SmartScreen do the job.

Thank you for the sample.

 

[Andrew3000]

Qihoo 360 total security seems to block it after running it

 

[McMcbrad]

Qihoo 360 total security seems to block it after running it
View attachment 249282

It downloads 4 pieces of malware, which I've deliberately decided to keep on the desktop. What about the other 3?

 

[Andrew3000]

It downloads 4 pieces of malware, which I've deliberately decided to keep on the desktop. What about the other 3?

Only this file dropped and removed

 

[McMcbrad]

Only this file dropped and removed
View attachment 249283

This means that removal correlated the threat to the PowerShell process and terminated it. Good job from 360.

 

[marcopaone]

AVG not well here.
Someone with F-Secure could provide any news?

 

[McMcbrad]

AVG not well here.
Someone with F-Secure could provide any news?

It terminated the attack in the early stage, before CMD can call PowerShell. This is still a good job.
In addition, the effective web blocking blacklists my fake domains minutes after I download anything.

 

[Nordman]

Made retest of Dr.Web. Missed malware3.exe.

 

[Zartarra]

The result for Sophos Home Premium:

I turned of the realtime protection and downloaded the file again. After the download I started a manual scan. The result: