Emotet Malware 0x02


Introduction

In this part, we will work through the code in the x32dbg debugger to unpack the Emotet malware and reach the original entry point (OEP). You should read the first part before this one.

Sample

MD5: CA06ACD3E1CAB1691A7670A5F23BAEF4

Tools

x32dbg (the 32-bit build of x64dbg)

Jump Instruction

Step01

We load the Emotet binary into x32dbg, press F9 to run to the entry point, and set a breakpoint on the jmp ecx instruction. The result is shown in the next figure.

Figure01

Step02

From the previous figure, we have a breakpoint on the jmp ecx instruction. Next:

  • Press F9 to run the debugger until execution reaches the jmp ecx instruction
  • Press F7 to single-step into the jump. The steps are shown in the next figure

Figure02

Abnormal Function

By doing the previous steps, we land in another function. We examine it to gather information about its instructions, and at the end of the function we find some suspicious ones. The first instructions of the function and its suspicious ending are shown in the next figure.

From the previous figure, we can see the end of the function and the three suspicious instructions:

mov edx,dword ptr ds:[41C1B4] ---> we set a breakpoint here
push edx
ret

New Allocation

So, we do the following steps to see what these instructions do.

  • Set a breakpoint on the instruction mov edx,dword ptr ds:[41C1B4]
  • Run the debugger by pressing F9

Figure3-1

From the previous figure we can see the value of dword ptr ds:[41C1B4].

  • Follow the value of dword ptr ds:[41C1B4] in the dump to see what it points to; this is possibly the unpacked section
  • Press F7
  • Follow the value of dword ptr ds:[41C1B4] again

Figure3-2

From the previous figure we can see that the value of dword ptr ds:[41C1B4] points into the new region of memory allocated by the earlier VirtualAlloc (seen in IDA Pro in the first part).

Ret Address

push edx     ---> edx = the value of dword ptr ds:[41C1B4]
ret          ---> returns to that address, i.e. into the new unpacked section

The results are shown in the next figure.

Figure04
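The jmp ecx at the entry point and the mov/push/ret triple above are both control transfers whose target is only known at run time, which is why the analyst has to follow the register's source cell in the dump. The script below is an added example (not part of the original post and not Emotet's code) that scans an x32dbg-style listing for such transfers and reports which memory cell loaded the register. The listing is constructed; only the cell ds:[41C1B4] comes from the text above, and the instruction addresses are made up.

```python
import re

# Constructed x32dbg-style listing (addresses made up; only ds:[41C1B4] is the
# cell named on the page). It mirrors the two transfers discussed above:
# a register jump and a push/ret pair.
SAMPLE_LISTING = """
00401000 | mov ecx,dword ptr ds:[404000]
00401006 | jmp ecx
00401008 | push ebp
00401009 | mov ebp,esp
0040100B | mov edx,dword ptr ds:[41C1B4]
00401011 | push edx
00401012 | ret
00401013 | ret
"""

LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s*\|\s*(\S+)(?:\s+(.*))?$")
REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}


def parse_listing(text):
    """Turn 'address | mnemonic operands' lines into (address, mnemonic, operands) tuples."""
    insns = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            insns.append((int(m.group(1), 16), m.group(2).lower(), (m.group(3) or "").strip()))
    return insns


def source_of(insns, idx, reg, window=4):
    """Look back a few instructions for the mov that loaded `reg`, so the analyst
    knows which memory cell to follow in the dump (None if not found nearby)."""
    for _addr, mnem, ops in reversed(insns[max(0, idx - window):idx]):
        if mnem == "mov" and ops.lower().startswith(reg + ","):
            return ops.split(",", 1)[1]
    return None


def find_tail_jumps(text):
    """Report control transfers whose target is computed at run time:
    'jmp <reg>', 'call <reg>' and the 'push <reg>; ret' pair."""
    insns = parse_listing(text)
    hits = []
    for i, (addr, mnem, ops) in enumerate(insns):
        reg = ops.lower()
        if mnem in ("jmp", "call") and reg in REGS:
            hits.append((addr, f"{mnem} {reg}", source_of(insns, i, reg)))
        elif (mnem == "push" and reg in REGS
              and i + 1 < len(insns) and insns[i + 1][1] == "ret"):
            hits.append((addr, f"push {reg}; ret", source_of(insns, i, reg)))
    return hits


if __name__ == "__main__":
    for addr, kind, src in find_tail_jumps(SAMPLE_LISTING):
        print(f"{addr:08X}  {kind:16} target loaded from {src}")
```

Each hit is a natural place for a breakpoint: once it is reached, the reported cell holds the address the code is about to transfer to, which is the region to follow in the dump.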

Unpacked Section 02

From the figure, we can see that the function returns into another function. We examine that function to extract the important calls and instructions; the results are shown in the next figure.

From the previous figure, we can see the first instructions of the function, the call 22F730 that is made many times, and the end of the function. So we examine call 22F730 to see what it does and why it is called so often.

Stack Strings

Part01

When examining call 22F830, we can identify an obfuscation technique called stack strings, used to hide malicious strings and API names and to hinder reverse engineering. I will work through the first part of the function; the results are shown in the next figure.

From the previous figure, we can see that the malware author obfuscates the name of the LoadLibraryEx API this way to mislead you, and uses it to load modules such as kernel32.dll or ntdll.dll.

Part02

The second part of the stack strings is shown in the next figure.

From the previous figure, we can see that the malware author obfuscates kernel32.dll in the same way and pushes LoadLibraryEx and kernel32.dll as parameters to call 22FE10. We execute the code and follow it until call 22FF70, then press F7 to step into it; the results are shown in the next figure.

Figure08
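Stack strings are written to the frame four bytes at a time as little-endian immediates, so the API name and the module name are never stored contiguously in the binary. The script below is an added example (not from the post and not the sample's code) that rebuilds them from the mov instructions of a listing: it collects every immediate store to an ebp-relative slot, lays the bytes out by address, and splits on NUL. The listing is constructed to spell LoadLibraryEx and kernel32.dll, as in the two figures above; the addresses and frame offsets are assumptions.

```python
import re

# Constructed x32dbg-style listing (not the sample's real function): the way a
# stub builds two strings on the stack a dword at a time, with the bytes of
# each dword reversed because x86 is little-endian.
SAMPLE_LISTING = """
00401000 | push ebp
00401001 | mov ebp,esp
00401003 | sub esp,24
00401006 | mov dword ptr ss:[ebp-20],64616F4C
0040100D | mov dword ptr ss:[ebp-1C],7262694C
00401014 | mov dword ptr ss:[ebp-18],45797261
0040101B | mov dword ptr ss:[ebp-14],78
00401022 | mov dword ptr ss:[ebp-10],6E72656B
00401029 | mov dword ptr ss:[ebp-C],32336C65
00401030 | mov dword ptr ss:[ebp-8],6C6C642E
00401037 | mov byte ptr ss:[ebp-4],0
0040103B | lea eax,dword ptr ss:[ebp-20]
0040103E | push eax
"""

SIZES = {"byte": 1, "word": 2, "dword": 4}
# Immediate stores to the frame, e.g. "mov dword ptr ss:[ebp-20],64616F4C";
# x32dbg prints hex without a 0x prefix, but the prefix is accepted too.
STORE_RE = re.compile(
    r"mov\s+(byte|word|dword)\s+ptr\s+(?:ss:)?\[ebp-([0-9A-Fa-f]+)\]\s*,\s*(?:0x)?([0-9A-Fa-f]+)",
    re.IGNORECASE,
)


def collect_stack_writes(listing):
    """Return {offset_below_ebp: bytes} for every immediate store in the listing."""
    writes = {}
    for line in listing.splitlines():
        m = STORE_RE.search(line)
        if not m:
            continue
        size = SIZES[m.group(1).lower()]
        offset = int(m.group(2), 16)            # distance below ebp
        value = int(m.group(3), 16)
        writes[offset] = value.to_bytes(size, "little")   # low byte at the lowest address
    return writes


def rebuild_stack_strings(listing, min_len=4):
    """Lay the stored bytes out in address order and return the printable runs."""
    writes = collect_stack_writes(listing)
    if not writes:
        return []
    # The larger the offset below ebp, the lower the address: offset `top` is
    # the first byte of the buffer, offset 0 would be ebp itself.
    top = max(writes)
    buf = bytearray(top + max(len(v) for v in writes.values()))
    for offset, data in writes.items():
        start = top - offset
        buf[start:start + len(data)] = data
    strings = []
    for chunk in bytes(buf).split(b"\x00"):
        if len(chunk) >= min_len and all(0x20 <= b < 0x7F for b in chunk):
            strings.append(chunk.decode("ascii"))
    return strings


if __name__ == "__main__":
    for s in rebuild_stack_strings(SAMPLE_LISTING):
        print(repr(s))
```

Running this over the region of the function that fills the frame recovers the API and module names before the call is ever executed, which is what makes the later LoadLibraryEx call legible without stepping through it.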

Call with VirtualAlloc

When we step into the function with F7 and execute the code up to call ebx, we can identify that the malware calls the VirtualAlloc API to allocate a region of memory and unpack itself into that region.

Figure09

From the previous figure, we can see the call to VirtualAlloc and the parameters passed to it:

LPVOID VirtualAlloc(
  LPVOID lpAddress,
  SIZE_T dwSize,
  DWORD  flAllocationType,
  DWORD  flProtect
);

  • lpAddress :- The starting address of the region to allocate
  • dwSize :- The size of the region
  • flAllocationType :- The type of memory allocation (reserve and/or commit)
  • flProtect :- The memory protection (read, write, execute) for the region of pages to be allocated

We press F7 to execute the API (VirtualAlloc) and follow the EAX register in the dump; we can see that VirtualAlloc succeeded in allocating the memory region.

Figure10
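The four arguments sit on the stack at [esp], [esp+4], [esp+8] and [esp+C] when the call ebx is reached, and the flag values are what tell you whether the allocation is about to receive unpacked code. The script below is an added example (not part of the post) that reads the four DWORDs from a stack dump in x32dbg's "address value" form, decodes flAllocationType and flProtect into their documented Win32 names, and applies a few heuristics an analyst or a hook would use to flag an unpacking buffer. The stack dump is constructed, not the values from the figure; the constants are the documented winnt.h values.

```python
# Documented Win32 flag values (winnt.h); these are constants, not page data.
ALLOCATION_TYPES = {
    0x00001000: "MEM_COMMIT",
    0x00002000: "MEM_RESERVE",
    0x00080000: "MEM_RESET",
    0x00100000: "MEM_TOP_DOWN",
    0x00400000: "MEM_PHYSICAL",
    0x20000000: "MEM_LARGE_PAGES",
}
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}
ARG_NAMES = ("lpAddress", "dwSize", "flAllocationType", "flProtect")

# Constructed stack dump as x32dbg shows it at the call (address, value),
# lowest address first; not the values from the page's figure.
SAMPLE_STACK = """
0019F8A0 00000000
0019F8A4 0001C000
0019F8A8 00003000
0019F8AC 00000040
"""


def decode_allocation_type(flags):
    names = [name for bit, name in ALLOCATION_TYPES.items() if flags & bit]
    return "|".join(names) if names else hex(flags)


def decode_protect(flags):
    base = flags & 0xFF                      # exactly one base protection is set
    names = [PAGE_PROTECTIONS.get(base, hex(base))]
    names += [name for bit, name in PAGE_MODIFIERS.items() if flags & bit]
    return "|".join(names)


def args_from_stack(dump):
    """stdcall arguments sit at [esp], [esp+4], ... when the call is reached."""
    values = []
    for line in dump.strip().splitlines():
        parts = line.split()
        if len(parts) >= 2:
            values.append(int(parts[1], 16))
    if len(values) < len(ARG_NAMES):
        raise ValueError("expected four DWORD stack slots")
    return dict(zip(ARG_NAMES, values))


def assess(args):
    """Heuristics for an allocation that is about to receive unpacked code."""
    findings = []
    base = args["flProtect"] & 0xFF
    if base in EXECUTABLE and base in WRITABLE:
        findings.append("writable and executable (RWX) in a single allocation")
    elif base in EXECUTABLE:
        findings.append("executable allocation")
    if args["flAllocationType"] & 0x3000 == 0x3000:
        findings.append("MEM_RESERVE|MEM_COMMIT in one call")
    if args["lpAddress"] == 0:
        findings.append("lpAddress NULL: placement left to the OS, so the payload must be relocated")
    if args["dwSize"] >= 0x1000:
        findings.append("large enough to hold a PE image")
    return findings


if __name__ == "__main__":
    a = args_from_stack(SAMPLE_STACK)
    print(f"lpAddress        = {a['lpAddress']:#010x}")
    print(f"dwSize           = {a['dwSize']:#x}")
    print(f"flAllocationType = {decode_allocation_type(a['flAllocationType'])}")
    print(f"flProtect        = {decode_protect(a['flProtect'])}")
    for finding in assess(a):
        print(" -", finding)
```

A private RWX allocation with MEM_COMMIT|MEM_RESERVE and a NULL lpAddress is the classic shape of an unpacking buffer; the same check can be run over a sandbox API trace, and EDR memory scanners key on exactly this combination when they decide which regions to inspect.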

After a few more instructions, we can see that call 22FBC0 writes the unpacked malware into the allocated region; the results are shown in the next figure.

Figure11

Copy Sections

We continue executing the code with F8 and reach a loop that copies the sections (.text, .rdata, .data and .reloc) into the memory region.

Figure13

We then execute the code until the function returns; the results are shown in the next figure.

Figure14

OEP

Then we press F8 to reach the OEP, and the unpacking is finished. Next I will dump the unpacked malware and extract it; the results are shown in the next figure.

Figure15
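The copy loop from the Copy Sections step and the dump at OEP are two halves of one operation: the loop places each section at its virtual address, and a dump taken afterwards only loads as a file again if the section headers are rewritten to match that layout. The script below is an added example (not the post's code and not Emotet's) that does both on a constructed two-section PE: map_image reproduces the loop using SizeOfHeaders, VirtualAddress, SizeOfRawData and PointerToRawData, and unmap_image applies the usual post-dump fix-up (raw pointers set to RVAs, raw sizes rounded to SectionAlignment, FileAlignment set to SectionAlignment). The sample PE, its section contents and its addresses are all constructed.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"                 # IMAGE_SECTION_HEADER (40 bytes)
SECTION_SIZE = struct.calcsize(SECTION_FMT)
TEXT_BYTES = b"\x55\x8B\xEC\x5D\xC3"          # push ebp; mov ebp,esp; pop ebp; ret
DATA_BYTES = b"constructed .data\0"


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def parse_pe(data):
    """Read the header fields the copy loop and the dump fix-up depend on."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    nt = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    num_sections = struct.unpack_from("<H", data, nt + 6)[0]
    size_opt = struct.unpack_from("<H", data, nt + 20)[0]
    opt = nt + 24                                             # IMAGE_OPTIONAL_HEADER32
    sect_align, file_align = struct.unpack_from("<II", data, opt + 32)
    size_image, size_headers = struct.unpack_from("<II", data, opt + 56)
    table = opt + size_opt
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_SIZE
        f = struct.unpack_from(SECTION_FMT, data, off)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "va": f[2],
                         "rawsize": f[3], "rawptr": f[4], "hdr_off": off})
    return {"opt": opt, "sect_align": sect_align, "file_align": file_align,
            "size_image": size_image, "size_headers": size_headers, "sections": sections}


def map_image(raw):
    """What the loop at the end of the unpacker does: headers at RVA 0, then
    each section copied from its file offset to its RVA in a SizeOfImage buffer."""
    pe = parse_pe(raw)
    image = bytearray(pe["size_image"])
    image[:pe["size_headers"]] = raw[:pe["size_headers"]]
    for s in pe["sections"]:
        chunk = raw[s["rawptr"]:s["rawptr"] + s["rawsize"]]
        image[s["va"]:s["va"] + len(chunk)] = chunk
    return bytes(image)


def unmap_image(image):
    """Fix up a memory dump so it loads as a file again: raw offsets become RVAs,
    raw sizes become the aligned virtual sizes, FileAlignment becomes SectionAlignment."""
    pe = parse_pe(image)
    out = bytearray(image)
    struct.pack_into("<I", out, pe["opt"] + 36, pe["sect_align"])          # FileAlignment
    for s in pe["sections"]:
        rawsize = align_up(s["vsize"], pe["sect_align"])
        struct.pack_into("<II", out, s["hdr_off"] + 16, rawsize, s["va"])   # SizeOfRawData, PointerToRawData
    return bytes(out)


def build_sample_pe():
    """Constructed two-section 32-bit PE: not Emotet, not any real binary."""
    raw = bytearray(0x600)
    raw[0:2] = b"MZ"
    struct.pack_into("<I", raw, 0x3C, 0x80)                   # e_lfanew
    raw[0x80:0x84] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, 2 sections, 0xE0-byte optional header, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", raw, 0x84, 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = 0x98
    struct.pack_into("<H", raw, opt, 0x10B)                   # PE32 magic
    struct.pack_into("<I", raw, opt + 16, 0x1000)             # AddressOfEntryPoint
    struct.pack_into("<I", raw, opt + 28, 0x400000)           # ImageBase
    struct.pack_into("<II", raw, opt + 32, 0x1000, 0x200)     # SectionAlignment, FileAlignment
    struct.pack_into("<II", raw, opt + 56, 0x3000, 0x200)     # SizeOfImage, SizeOfHeaders
    table = opt + 0xE0
    struct.pack_into(SECTION_FMT, raw, table,
                     b".text", 0x20, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(SECTION_FMT, raw, table + SECTION_SIZE,
                     b".data", 0x10, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    raw[0x200:0x200 + len(TEXT_BYTES)] = TEXT_BYTES
    raw[0x400:0x400 + len(DATA_BYTES)] = DATA_BYTES
    return bytes(raw)


if __name__ == "__main__":
    image = map_image(build_sample_pe())
    dumped = unmap_image(image)
    for s in parse_pe(dumped)["sections"]:
        print(f"{s['name']:8} RVA {s['va']:#07x} raw {s['rawptr']:#07x} size {s['rawsize']:#x}")
```

A correctly fixed dump maps to itself: map_image(unmap_image(image)) equals the dump, which is a quick sanity check before opening the file in IDA Pro. The unpacked image still needs its import table rebuilt and, if the OS chose the address (lpAddress NULL in the VirtualAlloc above), relocations applied, which is why the .reloc section is copied by the loop.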