Cyberdefenders EMOTET malware write up
In this write up we will solve EMOTET room for malware practice. We need Volatility tool and memory dump. For install the Volatillity, chech https://github.com/volatilityfoundation/volatility page. Let’s dive the case!
1- What profile should you use for this memory sample?
imageinfo command is saving our life in this question.
Answer : Win7SP1x64_24000
2- What is the KDBG virtual address of the memory sample?
We can find answer to same command.
Answer : 0xf80002bef120 (without L)
3- There is a malicious process running, but it’s hidden. What’s its name?
For hidden process we can use psxview command
And we can see the answer directly
Answer : vds_ps.exe
4- What is the physical offset of the malicious process?
In the Previous Reply we can see also physical offset of the malicious process
5- What is the full path (including executable name) of the hidden executable?
We can use --offset= command when try to show hidden process details.
And this command give us a answer path:
6- Which malware is this?
We can export files from memdump with procdump command.
The executable.2448.exe exported from the memdump.
We can display Emotet malware when we upload the Virustotal.
7- The malicious process had two PEs injected into its memory. What’s the size in bytes of the Vad that contains the largest injected PE? Answer in hex, like: 0xABC
After then this command we will clamscan for this vads.
injected PE’s normally have the Protection Flag: PAGE_EXECUTE_READWRITE
Answer will shown on your terminal.
8- This process was unlinked from the ActiveProcessLinks list. Follow its forward link. Which process does it lead to? Answer with its name and extension
We just answered the next process from within our previously captured pslist
Use vaddump to retrieve the physical offset : 0x000000007d336950
But we’re in the object header, so need to move a number of bytes backwards
WinXP — Win7 cbDataOffsetPoolHdr = 0x5c
need to move backwards addition 0x4 — for the POOLTAG to lineup correctly
- Convert the long: 1416573010 to hex
- endianess is wrong so 546F3052 becomes 52306f54
- then convert to ASCII
10- What is the physical address of the hidden executable’s pooltag? (HINT: use volshell)
- Physical + 4
- 0x7D3368F0 +0x4