Gary Jones

Emotet Variant: Malware Reverse Engineering Report 3


Obfuscated Dynamic-Link Library (DLL): Malware Reverse Engineering Report 3


Situation:

This practical assignment focused on analyzing sample3.dll, a heavily obfuscated dynamic-link library (DLL). The goal was to uncover its functionality, identify malware behaviors, and evaluate potential indicators of compromise through static and dynamic analysis techniques.


Obstacles:

  1. Heavy Obfuscation:
    • The .rsrc section displayed high entropy, and obfuscated functions hindered straightforward analysis.
  2. Anti-Debugging Mechanisms:
    • The malware utilized IsDebuggerPresent to detect debugging environments.
  3. Complex Import Behavior:
    • Functions such as GetProcAddress dynamically resolved library functions, complicating analysis.
  4. Limited Observed Persistence:
    • The malware’s persistence relied on subtle registry changes and mutants.

Actions Taken:

  1. Static Analysis:
    • Used PeStudio to identify imports, obfuscated strings, and blacklisted functions related to keylogging (SetWindowsHookEx), registry manipulation, and file operations.
    • Examined obfuscation patterns in FUN_10001985 and FUN_10005367, highlighting probable encryption mechanisms.
    • Leveraged VirusTotal and Intezer Analyze to classify the malware as an Emotet variant.
  2. Dynamic Analysis:
    • Executed the DLL in Windows 7 using regsvr32.exe and analyzed its behavior with x32dbg.
    • Identified network connections to suspicious IP addresses and domains using Wireshark and FakeDNS.
    • Tracked registry changes affecting WPAD configurations, enabling potential man-in-the-middle attacks.
    • Observed mutants such as ZonesCacheCounterMutex, which the sample relied on as a limited persistence mechanism.
  3. Indicators of Compromise (IoCs):
    • Created YARA rules for detection based on unique attributes like the долн resource and mutexes.

Results:

  1. Malware Characteristics Identified:
    • Classified as an Emotet variant, capable of:
      • Downloading additional payloads (e.g., TrickBot).
      • Modifying WPAD configurations for man-in-the-middle attacks.
      • Establishing persistence using mutants.
  2. Network Activity Observed:
    • The malware contacted numerous IP addresses and domains, many linked to known Emotet trackers.
  3. Host-Based IoCs:
    • Registry changes targeting WPAD configurations and unique mutex names such as ZonesCacheCounterMutex.

Tool Purpose Overview:

PeStudio:

  • Highlighted imports, obfuscation methods, and suspicious strings.

x32dbg:

  • Enabled step-by-step debugging to trace obfuscated code and identify anti-debugging techniques.

Ghidra:

  • Decompiled and mapped complex functions like FUN_10001985 for further analysis.

Wireshark & FakeDNS:

  • Monitored network activity, revealing connections to Command and Control (C&C) servers.

RegShot:

  • Captured registry changes linked to WPAD and other configurations.

Recommendations:

  1. Mitigate WPAD Exploits:
    • Monitor and restrict unauthorized changes to WPAD settings.
  2. Enhance Debugging Capabilities:
    • Use deobfuscation tooling and anti-debugging countermeasures to neutralize checks like IsDebuggerPresent.
  3. Strengthen Network Monitoring:
    • Block known malicious domains and IP addresses associated with Emotet.
  4. Apply Endpoint Detection and Response (EDR):
    • Detect and respond to behaviors like mutex creation and registry changes.
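
As an added illustration of the host-based detection recommended above (not code from the report or its PDF), the following Python script runs over constructed Procmon-style log lines and correlates WPAD registry writes with creation of ZonesCacheCounterMutex per process. The log format, the "CreateMutant" rows and the process names are assumptions; the WPAD key paths are standard Windows Internet Settings locations rather than values taken from the report.

```python
import re
from collections import defaultdict

# Constructed Procmon-style lines (not taken from the report): pid | image | op | path.
# "CreateMutant" rows stand in for API-monitor output; Procmon itself does not log mutexes.
SAMPLE_LOG = """\
1234 | regsvr32.exe | RegSetValue  | HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoConfigURL
1234 | regsvr32.exe | CreateMutant | \\Sessions\\1\\BaseNamedObjects\\ZonesCacheCounterMutex
2001 | iexplore.exe | CreateMutant | \\Sessions\\1\\BaseNamedObjects\\ZonesCacheCounterMutex
3002 | notepad.exe  | RegSetValue  | HKCU\\Software\\Classes\\Local Settings\\MuiCache\\x
"""

# Standard WPAD / proxy auto-config values under Internet Settings (Windows defaults, assumed).
WPAD_RE = re.compile(r"Internet Settings\\(Wpad|AutoConfigURL|AutoDetect)", re.IGNORECASE)
MUTEX_RE = re.compile(r"\\ZonesCacheCounterMutex$", re.IGNORECASE)

def parse(log: str):
    """Yield (pid, image, op, path) from pipe-delimited lines; skip malformed ones."""
    for line in log.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 4 and parts[0].isdigit():
            yield int(parts[0]), parts[1], parts[2], parts[3]

def detect(log: str):
    """Return {pid: finding} for processes that wrote WPAD settings.
    The mutex is only used to corroborate: benign processes that use the IE zone
    manager create it too, so on its own it must not raise an alert."""
    per_pid = defaultdict(lambda: {"image": None, "hits": set()})
    for pid, image, op, path in parse(log):
        rec = per_pid[pid]
        rec["image"] = image
        if op.startswith("RegSetValue") and WPAD_RE.search(path):
            rec["hits"].add("wpad_registry_write")
        elif op == "CreateMutant" and MUTEX_RE.search(path):
            rec["hits"].add("zones_cache_mutex")
    alerts = {}
    for pid, rec in per_pid.items():
        hits = rec["hits"]
        if "wpad_registry_write" in hits:
            alerts[pid] = {"image": rec["image"], "hits": sorted(hits),
                           "severity": "high" if len(hits) == 2 else "medium"}
    return alerts

if __name__ == "__main__":
    for pid, finding in detect(SAMPLE_LOG).items():
        print(pid, finding)
```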
