Domain analysis

The WebClient call in the dropper module tried to download content from these sites:

http://www.pieceofpassion.net/0xrnl3/a27xm99fgd_on7xp-31134189/
http://www.marketfxelite.com/wp-admin/unnJtCHk/
https://tananfood.com/wp-includes/yoclwyWE/
http://raisabook.com/wp-content/NjBtuxBzkD/
http://biswalfoodcircle.com/vcobhlons/kaf6j_71wzkgvqso-8/

During the second detonation, however, none of these URIs served any content: every server responded with HTTP 404. A lookup in URLhaus showed that all of the sites had been taken down.

I also checked the Wayback Machine to see whether the content of these sites could be recovered from an archived copy. Interestingly enough, the relevant parts of each site had not been archived.
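The two checks above (URLhaus for takedown status, the Wayback Machine for an archived copy) are easy to script for a whole IOC list. The following is an added example, not code from the original post: it builds the requests for the public URLhaus URL-lookup API and the Wayback availability API, and classifies their JSON responses. The responses embedded here are constructed to match those APIs' documented shape so the script runs offline; they are not real lookup results for these domains, and `live_lookup` is the only part that touches the network.

```python
"""Triage of dropper URLs against URLhaus and the Wayback Machine (added example).

Request builders follow the public URLhaus API (POST https://urlhaus-api.abuse.ch/v1/url/
with a form field `url`) and the Wayback availability API
(GET https://archive.org/wayback/available?url=...). The sample responses below are
CONSTRUCTED to mirror those APIs' response shape; they are not real results.
"""
import json
import urllib.parse
import urllib.request

URLHAUS_ENDPOINT = "https://urlhaus-api.abuse.ch/v1/url/"
WAYBACK_ENDPOINT = "https://archive.org/wayback/available"

# The five download URIs observed in the dropper (from the post).
DROPPER_URLS = [
    "http://www.pieceofpassion.net/0xrnl3/a27xm99fgd_on7xp-31134189/",
    "http://www.marketfxelite.com/wp-admin/unnJtCHk/",
    "https://tananfood.com/wp-includes/yoclwyWE/",
    "http://raisabook.com/wp-content/NjBtuxBzkD/",
    "http://biswalfoodcircle.com/vcobhlons/kaf6j_71wzkgvqso-8/",
]


def urlhaus_request(url):
    """Return (endpoint, urlencoded POST body) for a URLhaus URL lookup."""
    return URLHAUS_ENDPOINT, urllib.parse.urlencode({"url": url}).encode()


def wayback_request(url):
    """Return the GET URL for a Wayback availability query."""
    return WAYBACK_ENDPOINT + "?" + urllib.parse.urlencode({"url": url})


def classify_urlhaus(resp):
    """Map a URLhaus /v1/url/ response to (status, threat, tags).

    query_status is "ok" for a known URL, otherwise "no_results"/"invalid_url".
    url_status for a known URL is "online", "offline" or "unknown".
    """
    if resp.get("query_status") != "ok":
        return "not_listed", None, []
    return resp.get("url_status", "unknown"), resp.get("threat"), list(resp.get("tags") or [])


def classify_wayback(resp):
    """Return the closest archived snapshot URL, or None if nothing was archived."""
    closest = (resp.get("archived_snapshots") or {}).get("closest") or {}
    if closest.get("available") and closest.get("url"):
        return closest["url"]
    return None


def triage(urls, urlhaus_by_url, wayback_by_url):
    """Combine both lookups into one row per URL."""
    rows = []
    for u in urls:
        status, threat, tags = classify_urlhaus(urlhaus_by_url.get(u, {}))
        rows.append({
            "url": u,
            "urlhaus_status": status,
            "threat": threat,
            "tags": tags,
            "archived": classify_wayback(wayback_by_url.get(u, {})),
        })
    return rows


def all_dead(rows):
    """True when no URL is still online and none has an archived copy to recover from."""
    return all(r["urlhaus_status"] in ("offline", "not_listed") and r["archived"] is None
               for r in rows)


def live_lookup(url, timeout=15):
    """Perform both lookups over the network (not used by the offline run below)."""
    endpoint, body = urlhaus_request(url)
    with urllib.request.urlopen(urllib.request.Request(endpoint, data=body), timeout=timeout) as r:
        uh = json.load(r)
    with urllib.request.urlopen(wayback_request(url), timeout=timeout) as r:
        wb = json.load(r)
    return uh, wb


# CONSTRUCTED sample responses (shape only; values are assumptions for the demo).
SAMPLE_URLHAUS = {
    DROPPER_URLS[0]: {"query_status": "ok", "url_status": "offline",
                      "threat": "malware_download", "tags": ["emotet", "heodo"],
                      "takedown_time_seconds": "86400"},
    DROPPER_URLS[1]: {"query_status": "ok", "url_status": "offline",
                      "threat": "malware_download", "tags": ["emotet"]},
    DROPPER_URLS[2]: {"query_status": "no_results"},
}
SAMPLE_WAYBACK = {
    DROPPER_URLS[0]: {"url": DROPPER_URLS[0], "archived_snapshots": {}},
    DROPPER_URLS[1]: {"url": DROPPER_URLS[1], "archived_snapshots": {}},
}

if __name__ == "__main__":
    rows = triage(DROPPER_URLS, SAMPLE_URLHAUS, SAMPLE_WAYBACK)
    for r in rows:
        print(f"{r['urlhaus_status']:<10} archived={r['archived']} tags={r['tags']} {r['url']}")
    print("infrastructure dead:", all_dead(rows))
```

Even when every row comes back offline and unarchived, the URL list itself stays useful as an indicator set; the URLhaus `tags` and `threat` fields are what tie the dropper's infrastructure to a family without needing the payload.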

At this point it was clear that the infrastructure was dead. Searching the web for these domains and URIs, most of the results linked them to Emotet.

Examples: click, click and click.

Table of contents:

  1. Environment configuration
  2. Initial analysis
  3. Macro analysis
  4. Dropper analysis
  5. Detonation
  6. Domain analysis
  7. Detonation ver. 2
  8. Summary