[clamav-users] Anyone have a good script for encrypted zip Emotet files?

G.W. Haywood clamav at jubileegroup.co.uk
Wed Sep 23 15:18:29 UTC 2020


Hi Eric,

On Wed, 23 Sep 2020, Eric Tykwinski wrote:

> ...
> I'll try and send a few samples again to you.
> ...

All four of your samples matched a case-insensitive 'password', and
they also all matched 'attachment.*\.zip'.  I'd generally recommend
case-insensitive matches for this kind of thing anyway.

So I'd suggest a Yara rule embodying those, something like

$ cat My_Encrypted_Zip.yara
rule My_Encrypted_Zip_Rule // Password-protected zip files
{
         strings:
                 $mymatcha = /password/ nocase ascii
                 $mymatchb = /attachment[\W\w]*zip/ nocase ascii
         condition:
                 $mymatcha and $mymatchb
}

might be a good start.  You might need to refine it of course, and if
your users are in the habit of mailing password-protected files to
each other you could tell them to call it a 'passphrase' instead.

On our clamd server I dropped that file into the clamd database directory,
'telnet'ed to clamd and issued a RELOAD command, and used clamdscan to
scan your samples:

8<----------------------------------------------------------------------
$ ls *txt
outgoing_sample.txt sample1.txt sample2.txt sample3.txt
$ clamdscan *.txt
/home/ged/outgoing_sample.txt: Heuristics.Encrypted.Zip FOUND
/home/ged/sample1.txt: YARA.My_Encrypted_Zip_Rule.UNOFFICIAL FOUND
/home/ged/sample2.txt: YARA.My_Encrypted_Zip_Rule.UNOFFICIAL FOUND
/home/ged/sample3.txt: Heuristics.Encrypted.Zip FOUND

----------- SCAN SUMMARY -----------
Infected files: 4
Time: 0.178 sec (0 m 0 s)
Start Date: 2020:09:23 16:04:53
End Date:   2020:09:23 16:04:53
8<----------------------------------------------------------------------

Note that none of this requires any inspection of the malicious file
itself, it's entirely about the metadata.  In this case the fact that
the file is an attachment, and that the text of the covering mail just
happens to have the word 'password' in it.

When I ran the samples past Jotti's scanner, all fifteen of the Virus
scanners which he uses failed to find the content, inevitably, as it's
encrypted.  After decryption, ClamAV found one of them but most of the
others found all four.  Three were in fact recognized as Emotet by one
of the scanners.  Only eight of them found your outgoing one.

Of course to be able to send this mail, I had to delete the .yara file
and reload clamd again :)

HTH

--

73,
Ged.
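The metadata-only checks Ged describes, as an added Python example that is not part of the original post or of ClamAV: the two Yara strings are re-implemented over the decoded MIME parts (the filename test is the decoded equivalent of $mymatchb), and the Heuristics.Encrypted.Zip signal is approximated by reading bit 0 of each member's general-purpose flag from the central directory. The sample archive and message are constructed inline; the archive is assembled by hand because zipfile cannot write encrypted archives.

```python
import email
import io
import re
import struct
import zipfile
import zlib
from email import policy
from email.message import EmailMessage

PASSWORD_RE = re.compile(r"password", re.I)  # mirrors $mymatcha in the Yara rule

def make_zip(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Constructed one-member STORED archive; bit 0 of the flag word marks encryption."""
    flags, crc, n = (1 if encrypted else 0), zlib.crc32(payload), len(payload)
    local = (b"PK\x03\x04" + struct.pack("<HHHHHIIIHH", 20, flags, 0, 0, 0, crc, n, n,
                                          len(name), 0) + name + payload)
    central = (b"PK\x01\x02" + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, flags, 0, 0, 0,
                                            crc, n, n, len(name), 0, 0, 0, 0, 0, 0) + name)
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd

def make_mail(body: str, attachment: bytes, filename: str) -> bytes:
    """Constructed sample message: a plain-text body plus one zip attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content(body)
    msg.add_attachment(attachment, maintype="application", subtype="zip", filename=filename)
    return msg.as_bytes()

def classify(raw: bytes) -> dict:
    """Metadata-only checks on a raw RFC 822 message; nothing is decrypted."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    result = {"password_in_body": bool(PASSWORD_RE.search(text)),
              "zip_attachment": False, "encrypted_zip": False}
    for part in msg.iter_attachments():
        if not (part.get_filename() or "").lower().endswith(".zip"):
            continue  # decoded equivalent of $mymatchb (attachment ... zip)
        result["zip_attachment"] = True
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_content())) as zf:
                # The flag is read from the central directory; no password is needed.
                result["encrypted_zip"] |= any(zi.flag_bits & 0x1 for zi in zf.infolist())
        except zipfile.BadZipFile:
            pass  # not a parseable archive; the name-based checks still stand
    result["yara_match"] = result["password_in_body"] and result["zip_attachment"]  # Yara condition
    return result
```

As Ged notes for the Yara rule, a legitimate mail that mentions a password alongside a zip will also match, so this is a triage signal rather than a verdict.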


