# Emotet Dropper
## Overview

This folder contains the files used to generate an Emotet dropper.

The dropper works as follows:

1. The Word document invokes VBA code via `AutoOpen`.
2. The `AutoOpen` macro downloads `adb.vbs` to `%AppData%` from 192.168.0.4:8080 over HTTP.
3. The `AutoOpen` macro executes `adb.vbs` with `cscript`.
4. `adb.vbs` downloads a second-stage dropper; this dropper is heavily obfuscated.
5. The second-stage VBS code executes base64-encoded PowerShell code.
6. The PowerShell code downloads `EmotetClientDLL.dll` from 192.168.0.4:443 over HTTPS and writes it to disk at `%AppData%\adb.dll`.
7. The PowerShell code executes `adb.dll` via `rundll32.exe` and the `Control_RunDLL` function.
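The chain above, viewed from the detection side, as an added example that is not part of this repository: a Python rule that walks constructed Sysmon-style process-creation events (EventID 1) and flags the WINWORD -> cscript (`.vbs` from `%AppData%`) -> powershell (`-EncodedCommand`) -> rundll32 (`...,Control_RunDLL`) ancestry, while leaving a benign `Control_RunDLL` invocation alone. The event dicts, pids, user paths and the base64 placeholder are constructed assumptions, not real telemetry.

```python
import re
from typing import Callable, Dict, List

# Constructed sample process-creation events (Sysmon EventID 1 style); not real telemetry.
EVENTS: List[Dict[str, str]] = [
    {"pid": "100", "ppid": "1", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n ChristmasCard.docx"},
    {"pid": "200", "ppid": "100", "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Users\u\AppData\Roaming\adb.vbs"},
    {"pid": "300", "ppid": "200", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand AAAAAAAAAAAAAAAA"},  # placeholder base64
    {"pid": "400", "ppid": "300", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Roaming\adb.dll,Control_RunDLL"},
    {"pid": "500", "ppid": "1", "image": r"C:\Windows\System32\rundll32.exe",  # benign Control_RunDLL use
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl"},
]

def _image_is(name: str) -> Callable[[Dict[str, str]], bool]:
    return lambda e: e["image"].lower().endswith(name)
def _cmd_has(pattern: str) -> Callable[[Dict[str, str]], bool]:
    return lambda e: re.search(pattern, e["cmdline"], re.I) is not None

# One predicate per stage of the chain, in the order the Overview lists them.
STAGES = [
    ("word_parent", _image_is("winword.exe")),
    ("cscript_vbs_from_appdata", lambda e: _image_is("cscript.exe")(e)
        and _cmd_has(r"appdata\\.*\.vbs")(e)),
    ("powershell_encoded_command", lambda e: _image_is("powershell.exe")(e)
        and _cmd_has(r"-e(nc(odedcommand)?)?\s+[a-z0-9+/=]{8}")(e)),
    ("rundll32_control_rundll_appdata_dll", lambda e: _image_is("rundll32.exe")(e)
        and _cmd_has(r"appdata\\.*\.dll,\s*control_rundll")(e)),
]

def matched_stages(event: Dict[str, str]) -> List[str]:
    """Names of the stages one event satisfies on its own (for partial-match triage)."""
    return [name for name, pred in STAGES if pred(event)]

def find_dropper_chains(events: List[Dict[str, str]]) -> List[List[str]]:
    """Return pid chains (Word -> cscript -> powershell -> rundll32) whose ancestry matches every stage."""
    by_pid, chains = {e["pid"]: e for e in events}, []
    for event in events:
        chain, current = [], event
        for _, pred in reversed(STAGES):  # walk up the parent links, last stage first
            if current is None or not pred(current):
                break
            chain.append(current["pid"])
            current = by_pid.get(current["ppid"])
        else:  # no break: all four stages matched
            chains.append(chain[::-1])
    return chains
```

A single stage firing alone (for example `rundll32` loading a `.dll` from `%AppData%`) is worth triage on its own; the full chain is the high-confidence signal.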
## Quick Start

1. Upload `ChristmasCard.docx` to your intended target.
2. Open `ChristmasCard.docx`. It should download and execute the Emotet DLL, and send C2 connections to 192.168.0.4:80 over HTTP.
## Usage

1. Run this script on Windows to generate an obfuscated VBS payload:

   ```
   .\generate_emotet_dropper.ps1
   ```

2. Copy `obfuscated_emotet_dropper.vbs` to the control server at this path:

   ```
   wizard_spider/Resources/control_server/files/
   ```

3. Now create a new Word document.
4. In the Word document, go to View > Macros > Record Macro, create a new macro named `AutoOpen`, and store it in the document. Hit OK and stop the recording under Macros.
5. Go to View > View Macros, then select and edit the `AutoOpen` macro.
6. Paste the source code from `vba_macro_code.vbs` into the macro.
7. Upload the Word document to the intended target. The payload should fire automatically after opening the document.
## Dependencies

Install Python 3, pip, and PyYAML on your Windows system:

```
pip install pyyaml
```

Make sure your attack platform has cloned the Wizard Spider repo and has the `control_server` folder.