1/14 January 6, 2022 Unpacking Emotet malware part 01 muha2xmad.github.io/unpacking/emotet-part-1/ https://muha2xmad.github.io/unpacking/emotet-part-1/ 2/14 Muhammad Hasan Ali Malware Analysis learner 3 minute read As-salamu Alaykum Introduction Emotet is a Trojan that spreads through spam emails. The infection may arrive either via malicious script, macro-enabled document files, or malicious link. 1 Download the sample: Here MD5: CA06ACD3E1CAB1691A7670A5F23BAEF4 Virustotal VT we can see that the malware is detected by 57 out of 68 as a trojan. Figure(1): In Details section VT Details 1- Different names of the sample Figure(2): 2- Header info https://www.darkreading.com/edge-articles/emotet-101-how-the-ransomware-works----and-why-it-s-so-darn-effective https://app.any.run/tasks/f907a5b5-689a-472d-a2f7-1a2c4899fc96/ https://www.virustotal.com/gui/search/CA06ACD3E1CAB1691A7670A5F23BAEF4 https://www.virustotal.com/gui/file/3a9494f66babc7deb43f65f9f28c44bd9bd4b3237031d80314ae7eb3526a4d8f/details 3/14 Figure(3): Shows compilation Timestamp which can be changed. and Shows number of sections DiE open DiE to get more info about the sample Figure(4): As we see that info about file type, Entry point, and sections. It will help us in our analysis Entropy: press over “Entropy” as in the previous figure(4) 4/14 Figure(5): Shows that it has high entropy in .text section which is an indicator to be packed PEstudio analysis Indicators section: Figure(6): *Level 1 is most malicious and bigger numbers “3” are less malicious. Shows different malicious indicators that help us in the analysis. Sections section: 5/14 Figure(7): The previous figure shows: 1- .text section is packed 2- .text section contains the entry point for the executable. This means that, in addition to holding the compressed data, .text section also contains the stub code responsible for unpacking. 2 *The section which is responsible for unpacking can vary as in UPX packing 3- .text section is executable 4- .data section is writable Strings section: press over blacklist to list them https://malware.news/t/the-basics-of-packed-malware-manually-unpacking-upx-executables/35961 6/14 Figure(8): Strings are good indicators to know what this malware is trying to do on the system IDA analysis To analyze the assemble code to know how to unpack and where to start the debugging Open it in IDA: It shows that is low number of functions which another indicator that is packed 7/14 Figure(9): Press over “start” which located in the function as in the previous figure to get started 8/14 Figure(10): Because Emotet malware uses a customized packer. we can try to unpack it through dynamic analysis. Through dynamic analysis the malware does the unpacking process. The process will need to allocate memory for the next stage. So it’s a good assumption that we will see a call to VirtualAlloc. We need to search which function has VirtualAlloc call. 3 If you searched you will find that call sub_417D50 is the unpacking routine https://distributedcompute.com/2020/02/20/unpacking-emotet/ 9/14 Figure(11): This our unpacking function: sub_417D50 10/14 Figure(12): Abnormal epilogue First we need to clear what normal prologue and epilogue are? The procedure prologue and epilogue are standard initialization sequences that compilers generate for almost all of their functions. 11/14 Figure(13): What is NOT normal here is epilogue in the last figure: Figure(14): You don’t push anything before ret this called abnormal. normal epilogue is to pop EBP before ret . Here it will return ecx because it executes the last instruction- top of the stack-. And the real return is from this function loc_417D9A because this is 2nd top of the stack. We need to know what is happening in this function? 12/14 Figure(15): In the last figure we see the coming: VirtualAlloc is moved to ECX , then ECX is moved to dword_41C218 , then dword_41C218 is moved to ECX then push ECX and then ret And the real return is from this function loc_417D9A So we need to know the address of this function to set a Breakpoint in x64dbg by pressing space . Figure(16): We know that code is packed. We search for abnormal jumps: 13/14 jmp or call Instructions to registers Jmp to strange memory addresses (long jump) Why searching for abnormal jumps? the address to the location of where data is being unpacked to is stored in a register (such as ecx ), and that memory address is often in an entirely different section. I will write an article about “indicators of packed file”. InshAllah If we return to start function and search you will find it. Here we see our abnormal jmp ecx : Figure(17): Press space to get its address: 00417F1F . Figure(18): How to Unpack in the next part. InshAllah Edit: part 02 Article quote المنازل العلیا لا تُنال إلاّ بالبلاء References https://muha2xmad.github.io/unpacking/emotet-part-2/ 14/14 Inspired by: https://malgamy.github.io/malware-analysis/Emotet-Malware-0x01/ 1- https://www.darkreading.com/edge-articles/emotet-101-how-the-ransomware-works—- and-why-it-s-so-darn-effective 2- https://malware.news/t/the-basics-of-packed-malware-manually-unpacking-upx- executables/35961 3- https://distributedcompute.com/2020/02/20/unpacking-emotet/ https://malgamy.github.io/malware-analysis/Emotet-Malware-0x01/ https://www.darkreading.com/edge-articles/emotet-101-how-the-ransomware-works----and-why-it-s-so-darn-effective https://malware.news/t/the-basics-of-packed-malware-manually-unpacking-upx-executables/35961 https://distributedcompute.com/2020/02/20/unpacking-emotet/