Cyberdefenders EMOTET malware write up

In this write up we will solve EMOTET room for malware practice. We need Volatility tool and memory dump. For install the Volatillity, chech https://github.com/volatilityfoundation/volatility page. Let’s dive the case!

EMOTET malware

1- What profile should you use for this memory sample?

imageinfo command is saving our life in this question.

Answer : Win7SP1x64_24000

2- What is the KDBG virtual address of the memory sample?

We can find answer to same command.

Answer : 0xf80002bef120 (without L)

3- There is a malicious process running, but it’s hidden. What’s its name?

For hidden process we can use psxview command

And we can see the answer directly

Answer : vds_ps.exe

4- What is the physical offset of the malicious process?

In the Previous Reply we can see also physical offset of the malicious process

Answer: 0x000000007d336950

5- What is the full path (including executable name) of the hidden executable?

We can use --offset= command when try to show hidden process details.

And this command give us a answer path:

Answer: C:\Users\john\AppData\Local\api-ms-win-service-management-l2–1–0\vds_ps.exe

6- Which malware is this?

We can export files from memdump with procdump command.

The executable.2448.exe exported from the memdump.

We can display Emotet malware when we upload the Virustotal.

Answer: emotet

7- The malicious process had two PEs injected into its memory. What’s the size in bytes of the Vad that contains the largest injected PE? Answer in hex, like: 0xABC

After then this command we will clamscan for this vads.

injected PE’s normally have the Protection Flag: PAGE_EXECUTE_READWRITE

Answer will shown on your terminal.

Answer: 0x36fff

8- This process was unlinked from the ActiveProcessLinks list. Follow its forward link. Which process does it lead to? Answer with its name and extension

We just answered the next process from within our previously captured pslist

Answer: SearchIndexer.exe

9- Hint:

Use vaddump to retrieve the physical offset : 0x000000007d336950

Volshell Command-Reference

But we’re in the object header, so need to move a number of bytes backwards

WinXP — Win7 cbDataOffsetPoolHdr = 0x5c

need to move backwards addition 0x4 — for the POOLTAG to lineup correctly

0x000000007d336950–0x60

• Convert the long: 1416573010 to hex
• endianess is wrong so 546F3052 becomes 52306f54
• then convert to ASCII

Answer:R0oT

10- What is the physical address of the hidden executable’s pooltag? (HINT: use volshell)

• Physical + 4
• 0x7D3368F0 +0x4

Answer: 0x7D3368F4