# Emotet Analysis Part 1: Unpacking **pl-v.github.io/plv/posts/Emotet-unpacking/** Player-V April 2, 2022 Player-V on Apr 22022-04-02T15:26:00+08:00 Updated Apr 102022-04-10T22:41:15+08:00 3 min read ## Introduction [That’s will be my first post in the blog, i will make a series of posts about Emotet.](https://www.malwarebytes.com/emotet) [Emotet is a Trojan that is primarily spread through spam emails (malspam), we’re going to](https://www.malwarebytes.com/emotet) digg deep in the anlysis of this Trojan, the first part is about unpacking the malware then we will try to analyse the different modules and techniques used by the malware to compromise a machine, so fire up your virtual machine and let’s start. ## Triage The first thing i always do before opening a sample in `IDA or` `Xdbg is opening the binary` first in a hex editor, in my case i will use [CFF Explorer, so opening the sample in CFF](https://ntcore.com/?page_id=388) explorer shows that we’re dealing with 32 bit binary. ----- Let’s check import section, the malware use only one library which is `Kernel32 that’s the` first sign which indicate that we’re dealing with packed binary. Two intersting API functions are used: [1. VirtualAlloc](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc) [2. VirtualProtect](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect) The [VirtualAlloc function allocate memory while the VirtualProtect function changes the](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc) protection on a region of committed pages in the virtual address space, most of time those two functions are used by malware during the unpacking process. To make sure that our [sample is packed Let’s open the binary on Die(Detect-It-Easy).](https://github.com/horsicq/Detect-It-Easy) ----- The status bar says that it’s 91% packed and `.text section has a high entropy, that’s a` strong indication that the malware is packed and we should unpack it for further analysis. ## IDA Now that we’re sure that our sample is packed, let’s open it in `IDA and try to find the` function which is responsible for unpacking. Click on `Imports to reveal all the functions used by the binary.` Search for [VirtualAlloc and double click on it.](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc) ----- [VirtualAlloc function is used two times by the same function](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc) `sub_1001AFF0, double click` on `sub_1001AFF0 and scroll down we notice that the first function called after VirtualAlloc` is `sub_10022C40, so maybe we’ve found our unpacking function. to make sure let’s open` it on `Xdbg and figure out.` ## Unpacking Open your `X32dbg and paste and paste your sample to it.` [Place a breakpoint on VirtualAlloc and hit run.](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc) ``` Xdbg will keep running untill it hit the breakpoint, after click two times on Execute till run . ``` ----- Check the `EAX register it contain the return adress address of the allocated memory by` [VirtualAlloc, right click on that value and click on](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc) `Follow in Dump .` [As we said earlier that the function after VirtualAlloc is responsible for unpacking, step over](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc) it and keep your eyes on the dump window at the bottom. ----- After executing `sub_10022C40 function we can finally see our unpacked malware, dump it` and save it somewhere in your machine. ----- Right click on dump windows and `Follow in memory map .` ----- Another right click on the address of the unpacked binary then `Dump memory to file .` ----- Now that we have our sample unpacked and ready for analysis let’s open it in `X32dbg .` It seems that our unpacked binary is missed and it should be fixed. ## Fixing To fix the unpacked binary there are several methods to do that, we will use `LordPE to` automate the fixing, so all we should do is to open LordPe and click on options, then uncheck `Wipe Relocation and` `Rebuild ImportTable options, finally click on` ----- Drag your unpacked sample to `LordPe and it will be fixed automatically.` Finally open your fixed binary in `X32dbg and notice that it’s more readble right now.` ----- ## Reference [1. New Emotet 11/2021 - Reverse Engineering VBA Obfuscation + Unpacking](https://www.reverse-engineer.net/view/courses/training/329541-new-emotet-11-2021-reverse-engineering-vba-obfuscation-unpacking-emotet) [2. How to Unpack Malware with x64dbg](https://www.varonis.com/blog/x64dbg-unpack-malware) -----