Unpacking Emotet malware part 01
Emotet is a Trojan that spreads through spam emails. The infection may arrive either via malicious script, macro-enabled document files, or malicious link. 1
Download the sample: Here
we can see that the malware is detected by 57 out of 68 as a trojan.
In Details section VT Details
1- Different names of the sample
2- Header info
Shows compilation Timestamp which can be changed. and Shows number of sections
open DiE to get more info about the sample
As we see that info about file type, Entry point, and sections. It will help us in our analysis
press over “Entropy” as in the previous figure(4)
Shows that it has high entropy in .text section which is an indicator to be packed
*Level 1 is most malicious and bigger numbers “3” are less malicious. Shows different malicious indicators that help us in the analysis.
The previous figure shows:
1- .text section is packed
2- .text section contains the entry point for the executable. This means that, in addition to holding the compressed data, .text section also contains the stub code responsible for unpacking. 2
*The section which is responsible for unpacking can vary as in UPX packing
3- .text section is executable
4- .data section is writable
blacklist to list them
Strings are good indicators to know what this malware is trying to do on the system
To analyze the assemble code to know how to unpack and where to start the debugging
Open it in IDA: It shows that is low number of functions which another indicator that is packed
Press over “start” which located in the function as in the previous figure to get started
Because Emotet malware uses a customized packer. we can try to unpack it through dynamic analysis. Through dynamic analysis the malware does the unpacking process. The process will need to allocate memory for the next stage.
So it’s a good assumption that we will see a call to VirtualAlloc. We need to search which function has VirtualAlloc call. 3
If you searched you will find that call
sub_417D50 is the unpacking routine
This our unpacking function:
First we need to clear what normal prologue and epilogue are?
The procedure prologue and epilogue are standard initialization sequences that compilers generate for almost all of their functions.
What is NOT normal here is epilogue in the last figure:
push anything before
ret this called abnormal.
normal epilogue is to
pop EBP before
ret. Here it will return
ecx because it executes the last instruction- top of the stack-.
And the real return is from this function
loc_417D9A because this is 2nd top of the stack.
We need to know what is happening in this function?
In the last figure we see the coming:
VirtualAllocis moved to
ECXis moved to
dword_41C218is moved to
push ECXand then
- And the real return is from this function
So we need to know the address of this function to set a Breakpoint in x64dbg by pressing
We know that code is packed. We search for abnormal jumps:
callInstructions to registers
Jmpto strange memory addresses (long jump)
Why searching for abnormal jumps? the address to the location of where data is being unpacked to is stored in a register (such as
ecx), and that memory address is often in an entirely different section.
I will write an article about “indicators of packed file”. InshAllah
If we return to start function and search you will find it.
Here we see our abnormal
space to get its address:
How to Unpack in the next part. InshAllah
Edit: part 02
المنازل العليا لا تُنال إلّا بالبلاء
Inspired by: https://malgamy.github.io/malware-analysis/Emotet-Malware-0x01/