WEBVTT

00:01.090 --> 00:02.670
Hello and welcome.

00:02.680 --> 00:09.550
In this video we are going to unpack and analyze Emotet.

00:09.880 --> 00:15.130
You can go and download Emotet Trojan, unzip it and put it in the folder on your desktop.

00:15.160 --> 00:16.620
Malware core Samples folder.

00:16.630 --> 00:26.410
So the first thing we do is we try to open it with either to statically analyze it, create a new project.

00:28.440 --> 00:30.570
And open the Emotet Trojan.

00:32.190 --> 00:37.080
Click okay and you will see it is quite short.

00:37.830 --> 00:42.880
Very few functions and very short main function.

00:42.930 --> 00:46.170
So this indicates that it is probably packed.

00:48.230 --> 00:51.440
You can also confirm by opening it with Detect It Easy.

00:52.520 --> 00:58.220
If you open it in Detect It Easy, you will see that it has a high entropy.

00:59.490 --> 01:05.460
So you can go to fly under the utilities here.

01:06.290 --> 01:09.200
You open Detect It Easy.

01:13.990 --> 01:21.490
And then use the data to open the Emotet Trojan on your desktop.

01:26.620 --> 01:32.220
And although here it does not show the status as being packed.

01:32.230 --> 01:34.210
But when you look at the entropy.

01:34.970 --> 01:39.200
You will see it's very high, 89%.

01:39.560 --> 01:41.260
And the status here is packed.

01:41.270 --> 01:44.690
So this is confirmation that it is packed.

01:46.970 --> 01:50.150
So let's try to see how it's unpacking itself.

01:50.780 --> 01:55.550
So one of the cores here is the unpacking routine.

01:57.200 --> 02:02.210
Now, in order to find which one is the unpacking routine, you should look for the call which calls

02:02.210 --> 02:03.830
VirtualAlloc inside it.

02:04.310 --> 02:09.110
So if you go through each one of these, you will find that this is the one which calls Virtual

02:09.110 --> 02:10.040
Alloc inside it.

02:10.700 --> 02:11.690
As you can see.

02:12.410 --> 02:20.760
So in this routine, you can see that the VirtualAlloc API is being moved to Essex

02:20.930 --> 02:25.780
and then later on Essex is being moved to this DWORD.

02:26.270 --> 02:29.240
And then later on this DWORD is moved back to Essex.

02:30.200 --> 02:32.060
And then it is pushed to the stack here.

02:32.060 --> 02:34.940
So this here is actually VirtualAlloc.

02:36.110 --> 02:40.280
Now, normally you don't push something to the stack before the return.

02:41.150 --> 02:42.260
Normally it's pop.

02:42.470 --> 02:44.690
So this is an abnormal epilogue.

02:47.010 --> 02:49.550
So a prologue has got to keep.

02:50.600 --> 02:54.320
But an epilogue should have a pop.

02:54.770 --> 02:58.970
But if you see a push instead, that means it's an abnormal thing.

02:59.360 --> 03:04.340
So this is a trick used by malware authors to confuse the analysts.

03:04.820 --> 03:13.430
So what it is trying to do is that when you push this thing, when it returns, it will execute this instruction

03:13.430 --> 03:14.240
on the stack.

03:14.600 --> 03:15.050
Why?

03:15.080 --> 03:18.980
Because when you return, it always returns to what is on top of the stack.

03:19.010 --> 03:21.770
So this is actually calling VirtualAlloc.

03:22.310 --> 03:25.550
Another abnormality is another push before it.

03:25.700 --> 03:32.510
So when VirtualAlloc returns, it will return to this, which is the second thing on the top of the

03:32.510 --> 03:33.110
stack.

03:33.380 --> 03:35.090
And then it will execute this.

03:35.750 --> 03:37.370
And this thing is actually here.

03:38.800 --> 03:42.070
It is trying to execute this after VirtualAlloc returns.

03:42.760 --> 03:47.080
And then once this finishes executing, then this will be the real return.

03:47.380 --> 03:49.150
So this will return.

03:49.300 --> 03:50.380
We return.

03:50.890 --> 03:52.120
Let's press escape now.

03:52.240 --> 03:54.940
It will return to this instruction here.

03:55.660 --> 04:00.100
If you press the spacebar, this instruction is at

04:00.100 --> 04:03.970
41417EEF

04:04.990 --> 04:05.980
press spacebar again.

04:06.820 --> 04:10.660
Okay, so these are the ones we should be looking at.

04:11.110 --> 04:12.580
We should put a breakpoint here.

04:12.910 --> 04:16.330
And this is probably the unpacking code inside here.

04:17.110 --> 04:20.470
And once the code is unpacked, normally, it will jump to it.

04:20.800 --> 04:22.930
So let's look for an abnormal jump.

04:24.450 --> 04:25.800
This is a normal jump.

04:26.670 --> 04:28.140
A jump which goes nowhere.

04:28.920 --> 04:33.000
All of a sudden jumps to register, which is highly suspicious.

04:33.180 --> 04:37.020
So this is probably the jump to the unpack code.

04:37.740 --> 04:39.600
So we put a breakpoint here.

04:40.140 --> 04:42.780
Let's try to open it in debug.

04:43.110 --> 04:45.420
So let's open debug.

04:46.050 --> 04:46.920
32 bit.

04:49.020 --> 04:56.640
And then in the Options here, Preferences, uncheck System Breakpoint and TLS Callbacks, leaving only

04:56.640 --> 04:57.930
the Entry Breakpoint checked.

04:59.460 --> 05:01.560
Then open your Emotet.

05:02.040 --> 05:05.610
Go to the desktop, Malware Core Samples.

05:06.720 --> 05:08.110
Select all files.

05:08.130 --> 05:09.240
Select Emotet.

05:09.480 --> 05:10.050
Open.

05:10.980 --> 05:12.540
Now you are at the entry point.

05:13.020 --> 05:17.310
So now we are going to put a breakpoint on.

05:18.590 --> 05:19.040
Najam.

05:21.330 --> 05:21.960
Here.

05:23.220 --> 05:32.400
So this is just before the entire thing gets run, before the

05:32.430 --> 05:33.390
unpack code gets run.

05:33.390 --> 05:39.330
So we press F2 here to put a breakpoint, and we are going to go there.

05:40.920 --> 05:44.040
So just run to that breakpoint.

05:44.220 --> 05:44.490
Okay.

05:44.490 --> 05:50.340
So now we have got to jump to E6, so just step over it.

05:51.720 --> 05:53.730
You can press F8 to step over it.

05:54.120 --> 05:59.070
And so we are now at the E6, the instruction at E6.
