Emotet Dropper Analysis

From Colin Hardy

TL;DR

Here I take a sample (MD5: 9755fff22bc46227c09ab16a85ff5023) from VirusTotal and show you how to de-obfuscate the JavaScript so you can see how it drops a malicious executable to disk. The bad guys have done a decent job of making the code messy and difficult to step through, but with some simple code patching you can output the contents of the encoded data to your console and show exactly the calls that are made to write the file to the victim's machine. Once that's done, the beauty of a dropper is that you have the malicious exe the bad guys are distributing, so you can perform static and behavioural analysis on it to extract even more indicators of compromise.

Video