├── .gitignore
├── NOTICE
├── LICENSE
├── CONTRIBUTING.md
├── CODE_OF_CONDUCT.md
├── README.md
├── emotet-loader.vcxproj
└── emotet-loader.cpp
/.gitignore:
--------------------------------------------------------------------------------
1 | # Ignore everything in this directory
2 | .user
3 | .obj
4 | .log
5 | .pdb
6 | .exe
7 | .idb
8 | .ilk
9 | .tlog
10 | .lastbuildstate
11 | .recipe
12 | # Except this file
13 | !.gitignore
14 |
--------------------------------------------------------------------------------
/NOTICE:
--------------------------------------------------------------------------------
1 | Copyright 2022 VMware, Inc.
2 |
3 | This product is licensed to you under the BSD 2 clause (the "License"). You may not use this product except in compliance with the License.
4 |
5 | This product may include a number of subcomponents with separate copyright notices and license terms. Your use of these subcomponents is subject to the terms and conditions of the subcomponent's license, as noted in the LICENSE file.
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Redistribution and use in source and binary forms, with or without
2 | modification, are permitted provided that the following conditions are
3 | met:
4 |
5 | 1. Redistributions of source code must retain the above copyright
6 | notice, this list of conditions and the following disclaimer.
7 |
8 | 2. Redistributions in binary form must reproduce the above
9 | copyright notice, this list of conditions and the following
10 | disclaimer in the documentation and/or other materials provided
11 | with the distribution.
12 |
13 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
14 | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
15 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
16 | A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
17 | HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
18 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
19 | LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
1 | # Contributing to emotet-loader
2 |
3 | We welcome contributions from the community and first want to thank you for taking the time to contribute!
4 |
5 | Please familiarize yourself with the [Code of Conduct](https://github.com/vmware/.github/blob/main/CODE_OF_CONDUCT.md) before contributing.
6 |
7 | Before you start working with emotet-loader, please read our [Developer Certificate of Origin](https://cla.vmware.com/dco). All contributions to this repository must be signed as described on that page. Your signature certifies that you wrote the patch or have the right to pass it on as an open-source patch.
8 |
9 | ## Ways to contribute
10 |
11 | We welcome many different types of contributions and not all of them need a Pull request. Contributions may include:
12 |
13 | * New features and proposals
14 | * Documentation
15 | * Bug fixes
16 | * Issue Triage
17 | * Answering questions and giving feedback
18 | * Helping to onboard new contributors
19 | * Other related activities
20 |
21 | ## Getting started
22 |
23 | How to build the project:
24 | 1. Download Visual Studio (the Community Edition is free to use): https://visualstudio.microsoft.com/downloads/
25 | 2. Open emotet-loader.vcxproj in Visual Studio.
26 | 3. Go to menu Build -> Build Solution or press Ctrl+Shift+B.
27 | 4. The resulting emotet-loader64.exe will appear in x64\Debug or x64\Release folder.
28 |
29 | ## Contribution Flow
30 |
31 | This is a rough outline of what a contributor's workflow looks like:
32 |
33 | * Make a fork of the repository within your GitHub account
34 | * Create a topic branch in your fork from where you want to base your work
35 | * Make commits of logical units
36 | * Make sure your commit messages are with the proper format, quality and descriptiveness (see below)
37 | * Push your changes to the topic branch in your fork
38 | * Create a pull request containing that commit
39 |
40 | We follow the GitHub workflow and you can find more details on the [GitHub flow documentation](https://docs.github.com/en/get-started/quickstart/github-flow).
41 |
42 | ### Pull Request Checklist
43 |
44 | Before submitting your pull request, we advise you to use the following:
45 |
46 | 1. Check if your code changes will pass both code linting checks and unit tests.
47 | 2. Ensure your commit messages are descriptive. We follow the conventions on [How to Write a Git Commit Message](http://chris.beams.io/posts/git-commit/). Be sure to include any related GitHub issue references in the commit message. See [GFM syntax](https://guides.github.com/features/mastering-markdown/#GitHub-flavored-markdown) for referencing issues and commits.
48 | 3. Check the commits and commits messages and ensure they are free from typos.
49 |
50 | ## Reporting Bugs and Creating Issues
51 |
52 | For specifics on what to include in your report, please follow the guidelines in the issue and pull request templates when available.
53 |
54 | ## Ask for Help
55 |
56 | The best way to reach us with a question when contributing is to ask on:
57 |
58 | * threat-intelligence-team[at]groups.vmware.com
59 |
--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
1 | # Contributor Covenant Code of Conduct
2 |
3 | ## Our Pledge
4 |
5 | We as members, contributors, and leaders pledge to make participation in emotet-loader project and our
6 | community a harassment-free experience for everyone, regardless of age, body
7 | size, visible or invisible disability, ethnicity, sex characteristics, gender
8 | identity and expression, level of experience, education, socio-economic status,
9 | nationality, personal appearance, race, religion, or sexual identity
10 | and orientation.
11 |
12 | We pledge to act and interact in ways that contribute to an open, welcoming,
13 | diverse, inclusive, and healthy community.
14 |
15 | ## Our Standards
16 |
17 | Examples of behavior that contributes to a positive environment for our
18 | community include:
19 |
20 | * Demonstrating empathy and kindness toward other people
21 | * Being respectful of differing opinions, viewpoints, and experiences
22 | * Giving and gracefully accepting constructive feedback
23 | * Accepting responsibility and apologizing to those affected by our mistakes,
24 | and learning from the experience
25 | * Focusing on what is best not just for us as individuals, but for the
26 | overall community
27 |
28 | Examples of unacceptable behavior include:
29 |
30 | * The use of sexualized language or imagery, and sexual attention or
31 | advances of any kind
32 | * Trolling, insulting or derogatory comments, and personal or political attacks
33 | * Public or private harassment
34 | * Publishing others' private information, such as a physical or email
35 | address, without their explicit permission
36 | * Other conduct which could reasonably be considered inappropriate in a
37 | professional setting
38 |
39 | ## Enforcement Responsibilities
40 |
41 | Community leaders are responsible for clarifying and enforcing our standards of
42 | acceptable behavior and will take appropriate and fair corrective action in
43 | response to any behavior that they deem inappropriate, threatening, offensive,
44 | or harmful.
45 |
46 | Community leaders have the right and responsibility to remove, edit, or reject
47 | comments, commits, code, wiki edits, issues, and other contributions that are
48 | not aligned to this Code of Conduct, and will communicate reasons for moderation
49 | decisions when appropriate.
50 |
51 | ## Scope
52 |
53 | This Code of Conduct applies within all community spaces, and also applies when
54 | an individual is officially representing the community in public spaces.
55 | Examples of representing our community include using an official e-mail address,
56 | posting via an official social media account, or acting as an appointed
57 | representative at an online or offline event.
58 |
59 | ## Enforcement
60 |
61 | Instances of abusive, harassing, or otherwise unacceptable behavior may be
62 | reported to the community leaders responsible for enforcement at oss-coc@vmware.com.
63 | All complaints will be reviewed and investigated promptly and fairly.
64 |
65 | All community leaders are obligated to respect the privacy and security of the
66 | reporter of any incident.
67 |
68 | ## Enforcement Guidelines
69 |
70 | Community leaders will follow these Community Impact Guidelines in determining
71 | the consequences for any action they deem in violation of this Code of Conduct:
72 |
73 | ### 1. Correction
74 |
75 | **Community Impact**: Use of inappropriate language or other behavior deemed
76 | unprofessional or unwelcome in the community.
77 |
78 | **Consequence**: A private, written warning from community leaders, providing
79 | clarity around the nature of the violation and an explanation of why the
80 | behavior was inappropriate. A public apology may be requested.
81 |
82 | ### 2. Warning
83 |
84 | **Community Impact**: A violation through a single incident or series
85 | of actions.
86 |
87 | **Consequence**: A warning with consequences for continued behavior. No
88 | interaction with the people involved, including unsolicited interaction with
89 | those enforcing the Code of Conduct, for a specified period of time. This
90 | includes avoiding interactions in community spaces as well as external channels
91 | like social media. Violating these terms may lead to a temporary or
92 | permanent ban.
93 |
94 | ### 3. Temporary Ban
95 |
96 | **Community Impact**: A serious violation of community standards, including
97 | sustained inappropriate behavior.
98 |
99 | **Consequence**: A temporary ban from any sort of interaction or public
100 | communication with the community for a specified period of time. No public or
101 | private interaction with the people involved, including unsolicited interaction
102 | with those enforcing the Code of Conduct, is allowed during this period.
103 | Violating these terms may lead to a permanent ban.
104 |
105 | ### 4. Permanent Ban
106 |
107 | **Community Impact**: Demonstrating a pattern of violation of community
108 | standards, including sustained inappropriate behavior, harassment of an
109 | individual, or aggression toward or disparagement of classes of individuals.
110 |
111 | **Consequence**: A permanent ban from any sort of public interaction within
112 | the community.
113 |
114 | ## Attribution
115 |
116 | This Code of Conduct is adapted from the [Contributor Covenant][homepage],
117 | version 2.0, available at
118 | https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
119 |
120 | Community Impact Guidelines were inspired by [Mozilla's code of conduct
121 | enforcement ladder](https://github.com/mozilla/diversity).
122 |
123 | [homepage]: https://www.contributor-covenant.org
124 |
125 | For answers to common questions about this code of conduct, see the FAQ at
126 | https://www.contributor-covenant.org/faq. Translations are available at
127 | https://www.contributor-covenant.org/translations.
128 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | ## Overview
2 |
3 | **emotet-loader** is a small but practical tool to successfully execute Emotet modules in isolation. It allocates the required data structures, invokes the custom entry point, while allowing customization of the execution environment. It easily allows dynamic analysis without depending on the core module potentially infecting the system, thereby enabling security research tasks such as debugging, IoC extraction, or analysis of the resulting network activity (critical when analyzing Emotet modules that are able to propagate laterally). To further simplify analysis at scale, emotet-loader offers an option to embed the module and the loader together into a standalone executable, making it the perfect candidate for automated submissions to standard sandboxes.
4 |
5 | ## What is Emotet?
6 |
7 | Emotet is one of the most prominent multi-component threats in recent years. Besides the core component, which is often attached to a spam email or downloaded from a malicious URL, Emotet is known to retrieve from its C2 infrastructure additional modules; these modules can be either designed to propel its own operations by, for example, stealing email credentials to be used in future spam waves, or, when the attack is more targeted, engineered to be more a destructive artifact, like ransomware provided by an affiliated group.
8 |
9 | These additional components are meant to be executed by the core module directly from memory, and they are never dropped on disk. Even when payload extraction using dynamic analysis techniques succeeds, loading the extracted modules in isolation inexorably fails as the existence of a custom entry point requires specially crafted data structures to be allocated in memory. These data structures are normally allocated by the core module for various purposes, with only a portion being required by the loaded module.
10 |
11 | ## Try it out
12 |
13 | ### Prerequisites
14 |
15 | * Visual Studio 2022 and higher (including the Community Edition, which is free to use).
16 |
17 | ### Build
18 |
19 | How to build the tool:
20 | 1. Download [Visual Studio](https://visualstudio.microsoft.com/downloads/).
21 | 2. Open emotet-loader.vcxproj in Visual Studio.
22 | 3. Go to menu `Build` -> `Build Solution` or press Ctrl+Shift+B.
23 | 4. The resulting emotet-loader64.exe will appear in `x64\Debug` or `x64\Release` folder.
24 |
25 | ### Run
26 |
27 | Usage:
28 | `emotet-loader64.exe -d ${dll_path} -e ${epoch} [-c ${computer_name}] [-s ${root_serial}] [-o ${output_path}]`
29 |
30 | Where:
31 | * `${dll_path}` is the path to the Emotet module the be loaded (mandatory parameter).
32 | * `${epoch}` is the identifier of the epoch (i.e., a specific Emotet botnet) that the module belongs to; only identifiers to currently online botnets are supported, i.e., either 4 or 5 (mandatory parameter).
33 | * `${computer_name}` specifies the computer name; the tool generates a random computer name if this parameter is not specified.
34 | * `${root_serial}` specifies the C: volume serial number, which is a 32-bit hexadecimal number; the tool will generate a random serial number if this parameter is not specified.
35 | * `${output_path}` is the output file path when using the “-o” option; this option builds a standalone executable containing the module rather than loading the module.
36 |
37 | Specifying computer name and root serial allows for the customization of the execution environment; while we have not seen any modules blacklisting specific computer names and root serials, Emotet modules contacting the botnet are known to get blacklisted based on specific values corresponding to known sandboxes.
38 |
39 | Example of a command loading an Emotet module (coming from the epoch 5 botnet) with computer name WIN-1234 and C: volume serial number 0x123ABC:
40 | `emotet-loader64.exe -d C:\path\to\emotet-module.dll -e 5 -c WIN-1234 -s 0x123ABC`
41 |
42 | Example of a command embedding an Emotet module (coming from the epoch 5 botnet) into a standalone executable, with random computer name and random C: volume serial number:
43 | `emotet-loader64.exe -d C:\path\to\emotet-module.dll -e 5 -o emotet-standalone-module.exe`
44 |
45 | The executable emotet-standalone-module.exe, requiring no parameters, will drop the original emotet-module.dll on disk and then load it into memory; the computer name and the C: volume serial number will be generated automatically at each execution (unless specified when running emotet-loader64.exe).
46 |
47 | ### Examples
48 |
49 | Let's perform a quick analysis of two Emotet modules:
50 | 1. Thunderbird Email Client account stealer from epoch 5 with SHA1 `0a610c6de3419ce165d05d770637c8084d584ffd`.
51 | 2. Outlook Email Client account stealer from epoch 4 with SHA1 `a7bfaf7bc8528013bd460bef2a56adc7c5daf0ae`.
52 |
53 | The Hybrid Analysis sandbox [shows](https://www.hybrid-analysis.com/sample/58d9d7c2d4a4140bbdc16c9b6ab1b56244ebc8b1c3eaa1fc63386bbce7acdb4c/63722b5c17290b68447e9951) that the Thunderbird account stealer tries to open the `%APPDATA%\THUNDERBIRD\PROFILES` folder, where Thunderbird saves personal information such as messages, passwords and user preferences. The sandbox detects this behavior as `Tries to steal browser sensitive information (file access)`.
54 |
55 | The Intezer sandbox [shows](https://analyze.intezer.com/analyses/d2aa6c12-c50d-4f2b-a7f2-b0a6803a97ba/behavior) that the Outlook account stealer reads `HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Microsoft Outlook\DLLPathEx`, where the path to msmapi32.dll is stored. This library can be used to access the Outlook's sensitive information such as messages, passwords and user preferences. The VMRay sandbox is more precise with the detection, [showing](https://www.vmray.com/analyses/_vt/e81704d02356/report/overview.html) that the sample `Accesses Outlook profile data via MAPI`.
56 |
57 | ## Contributing
58 |
59 | The emotet-loader project team welcomes contributions from the community. Before you start working with emotet-loader, please
60 | read our [Developer Certificate of Origin](https://cla.vmware.com/dco). All contributions to this repository must be
61 | signed as described on that page. Your signature certifies that you wrote the patch or have the right to pass it on
62 | as an open-source patch. For more detailed information, refer to [CONTRIBUTING.md](CONTRIBUTING.md).
63 |
64 |
--------------------------------------------------------------------------------
/emotet-loader.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | x64
7 |
8 |
9 | Release
10 | x64
11 |
12 |
13 |
14 | 16.0
15 | Win32Proj
16 | {6e33413c-5bcd-4638-a001-fe920f46f332}
17 | emotetupdateloader
18 | 10.0
19 |
20 |
21 |
22 | Application
23 | true
24 | v143
25 | Unicode
26 |
27 |
28 | Application
29 | false
30 | v143
31 | true
32 | Unicode
33 |
34 |
35 | Application
36 | true
37 | v143
38 | Unicode
39 | Static
40 |
41 |
42 | Application
43 | false
44 | v143
45 | true
46 | Unicode
47 | Static
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 | true
69 |
70 |
71 | false
72 |
73 |
74 | true
75 |
76 |
77 | false
78 |
79 |
80 |
81 | Level3
82 | true
83 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
84 | true
85 |
86 |
87 | Console
88 | true
89 |
90 |
91 |
92 |
93 | Level3
94 | true
95 | true
96 | true
97 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
98 | true
99 |
100 |
101 | Console
102 | true
103 | true
104 | true
105 |
106 |
107 |
108 |
109 | Level3
110 | true
111 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
112 | true
113 |
114 |
115 | Console
116 | true
117 | user32.lib;Advapi32.lib
118 | $(OutDir)$(TargetName)64$(TargetExt)
119 |
120 |
121 |
122 |
123 | Level3
124 | true
125 | true
126 | true
127 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
128 | true
129 |
130 |
131 | Console
132 | true
133 | true
134 | false
135 | $(OutDir)$(TargetName)64$(TargetExt)
136 | user32.lib;Advapi32.lib
137 |
138 |
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
--------------------------------------------------------------------------------
/emotet-loader.cpp:
--------------------------------------------------------------------------------
1 | //
2 | // Copyright 2022 VMware, Inc.
3 | // SPDX-License-Identifier: BSD-2-Clause
4 | //
5 |
6 | #include
7 | #include
8 | #include
9 | #include
10 | #include
11 | #include
12 | #include
13 | #include
14 |
15 | extern unsigned char DummyDll[121344];
16 |
17 | #define COMPUTER_NAME_FIXED_WORD "DESKTOPX"
18 | #define COMPUTER_NAME_RANDOM_WORD "XXXXXXX"
19 | #define COMPUTER_NAME_RANDOM_CHARS_SET "0123456789ABCDEFGHZKLMNPORSTWXH"
20 |
21 | #define EMOLOAD_MAGIC 0xDEADBEEF
22 |
23 | #pragma pack(push,1)
24 | typedef struct {
25 | DWORD Magic;
26 | DWORD Epoch;
27 | DWORD SerialNumber;
28 | DWORD ComputerNameSize;
29 | DWORD DllSize;
30 | } EMOLOAD, * PEMOLOAD;
31 | #pragma pack(pop)
32 |
33 | #define COMPUTER_NAME_FIXED_WORD "DESKTOPX"
34 | #define COMPUTER_NAME_RANDOM_WORD "XXXXXXX"
35 | #define COMPUTER_NAME_RANDOM_CHARS_SET "0123456789ABCDEFGHZKLMNPORSTWXH"
36 |
37 | typedef BOOL(WINAPI* DllMain_t)(
38 | HINSTANCE hinstDLL,
39 | DWORD fdwReason,
40 | LPVOID lpReserved);
41 |
42 | #pragma pack(push,1)
43 | typedef struct {
44 | PCHAR pID; // "DESKTOPXHO47NFZ_1E62B7B" for computer name "DESKTOP-HO47NFZ" and C:\ volume serial number 0x1E62B7B
45 | PBYTE pECK1;
46 | ULONG64 ECK1_Size; // Always 0x48
47 | PBYTE pECS1;
48 | ULONG64 ECS1_Size; // Always 0x48
49 | ULONG Unk1;
50 | ULONG Unk2;
51 | ULONG64 Unk3;
52 | HANDLE hUnloadEvent;
53 | UCHAR Unk4[1024];
54 | } EMOTET_LOADER_DATA;
55 | #pragma pack(pop)
56 |
57 | unsigned char ECS1_Epoch4[72] = {
58 | 0x45, 0x43, 0x53, 0x31, 0x20, 0x00, 0x00, 0x00, 0x40, 0x5F, 0x74, 0xB6, 0xC4, 0xD8, 0xDC, 0x0C,
59 | 0x3D, 0x1F, 0x06, 0x7A, 0x37, 0xDC, 0xB9, 0xF9, 0xB7, 0xBD, 0x5E, 0x8A, 0x2F, 0xA6, 0xA1, 0xF2,
60 | 0x0F, 0xA1, 0x79, 0x0D, 0x14, 0xE5, 0xF5, 0x31, 0xE8, 0xB0, 0x0A, 0x1E, 0x3C, 0x8B, 0x3F, 0x7B,
61 | 0x90, 0x1D, 0x26, 0x26, 0x31, 0x86, 0x65, 0x7C, 0x1A, 0xAD, 0xD9, 0xC3, 0x5C, 0xAC, 0x48, 0xF0,
62 | 0x60, 0x87, 0x18, 0xD9, 0x74, 0x3C, 0x58, 0xF9
63 | };
64 | unsigned char ECK1_Epoch4[72] = {
65 | 0x45, 0x43, 0x4B, 0x31, 0x20, 0x00, 0x00, 0x00, 0xF3, 0xA3, 0x35, 0xB5, 0x0E, 0x2E, 0x2B, 0xF4,
66 | 0x35, 0x56, 0xCD, 0x0A, 0x4C, 0x29, 0x3E, 0x7C, 0xF1, 0x10, 0xDD, 0xCB, 0xB0, 0x4F, 0x20, 0xB3,
67 | 0xFA, 0x02, 0x20, 0xCE, 0x4C, 0xB6, 0x0C, 0x1E, 0x44, 0x96, 0xBE, 0xB4, 0x0E, 0xE6, 0xC9, 0x5B,
68 | 0x9A, 0xBD, 0x4E, 0xBD, 0x9D, 0x8F, 0xCF, 0xE0, 0x10, 0x5B, 0x34, 0x4C, 0x82, 0x04, 0x26, 0x02,
69 | 0xD3, 0xBA, 0xAC, 0xF1, 0xFB, 0x9F, 0x2C, 0x76
70 | };
71 |
72 | unsigned char ECS1_Epoch5[72] = {
73 | 0x45, 0x43, 0x53, 0x31, 0x20, 0x00, 0x00, 0x00, 0xF4, 0x2F, 0x1A, 0x83, 0x36, 0x1A, 0x27, 0x51,
74 | 0x8C, 0x24, 0xF2, 0xCA, 0xA8, 0xEC, 0x85, 0xAE, 0x52, 0x59, 0x51, 0x75, 0x48, 0x94, 0x06, 0x70,
75 | 0x02, 0x73, 0xAA, 0xE8, 0x9A, 0xC4, 0x28, 0x7B, 0x56, 0x09, 0x0F, 0xBC, 0x08, 0x7B, 0x80, 0x21,
76 | 0x7A, 0xA6, 0x28, 0x7E, 0x96, 0x45, 0xB9, 0xC3, 0xC3, 0x5C, 0x26, 0x74, 0xCF, 0xD8, 0xBE, 0xA2,
77 | 0x85, 0x1F, 0x7E, 0xA7, 0xA8, 0x2D, 0x95, 0x34
78 | };
79 | unsigned char ECK1_Epoch5[72] = {
80 | 0x45, 0x43, 0x4B, 0x31, 0x20, 0x00, 0x00, 0x00, 0xD8, 0x35, 0x93, 0xD7, 0x63, 0x8B, 0x50, 0xC5,
81 | 0xDF, 0xCD, 0xE1, 0x69, 0xF9, 0xB1, 0x36, 0x00, 0x9B, 0x9B, 0x54, 0x3B, 0x16, 0x36, 0xA2, 0x5D,
82 | 0x44, 0x2E, 0xB2, 0x38, 0x30, 0xD8, 0x47, 0x36, 0x2E, 0xB8, 0xD2, 0xF4, 0x8B, 0x6A, 0xC8, 0xD8,
83 | 0x4C, 0x7A, 0x45, 0x44, 0x1A, 0x06, 0xFA, 0x8F, 0x38, 0xBE, 0xDA, 0xFB, 0x00, 0x96, 0x9C, 0x84,
84 | 0x2C, 0xCE, 0x1E, 0x36, 0x80, 0x24, 0x50, 0x96
85 | };
86 |
87 |
88 |
89 | PVOID ReadFileData(
90 | __in std::string FilePath,
91 | __out PDWORD pFileSize
92 | )
93 | {
94 | HANDLE hFile = CreateFileA(FilePath.c_str(), GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
95 | if (hFile == INVALID_HANDLE_VALUE) {
96 | return NULL;
97 | }
98 |
99 | DWORD FileSizeHigh = 0;
100 | DWORD FileSize = GetFileSize(hFile, &FileSizeHigh);
101 | if (FileSize == INVALID_FILE_SIZE || FileSizeHigh)
102 | {
103 | CloseHandle(hFile);
104 | return NULL;
105 | }
106 |
107 | PVOID FileData = VirtualAlloc(NULL, FileSize, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
108 | if (!FileData)
109 | {
110 | CloseHandle(hFile);
111 | return NULL;
112 | }
113 |
114 | *pFileSize = 0;
115 |
116 | if (!ReadFile(hFile, FileData, FileSize, pFileSize, NULL) || *pFileSize != FileSize)
117 | {
118 | VirtualFree(FileData, 0, MEM_RELEASE);
119 | CloseHandle(hFile);
120 | return NULL;
121 | }
122 |
123 | CloseHandle(hFile);
124 | return FileData;
125 | }
126 |
127 | BOOL WriteFileData(
128 | __in std::string FilePath,
129 | __in PVOID FileData,
130 | __in DWORD FileSize
131 | )
132 | {
133 | HANDLE hFile = CreateFileA(FilePath.c_str(), GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, 0, NULL);
134 | if (hFile == INVALID_HANDLE_VALUE) {
135 | return NULL;
136 | }
137 |
138 | DWORD Written = 0;
139 |
140 | if (!WriteFile(hFile, FileData, FileSize, &Written, NULL) || Written != FileSize)
141 | {
142 | CloseHandle(hFile);
143 | DeleteFileA(FilePath.c_str());
144 | return FALSE;
145 | }
146 |
147 | CloseHandle(hFile);
148 | return TRUE;
149 | }
150 |
151 | void FreeFileData(
152 | __in PVOID FileData
153 | )
154 | {
155 | VirtualFree(FileData, 0, MEM_RELEASE);
156 | }
157 |
158 | std::string WriteFileDataWithRandomName(
159 | __in PVOID FileData,
160 | __in DWORD FileSize
161 | )
162 | {
163 | char FileName[sizeof("XXXXXXXX.dll")];
164 | snprintf(FileName, sizeof(FileName), "%08X.dll", (rand() & 0xFFFF) | ((rand() & 0xFFFF) << 16));
165 |
166 | if (!WriteFileData(FileName, FileData, FileSize)) {
167 | return std::string();
168 | }
169 |
170 | return std::string(FileName);
171 | }
172 |
173 | std::string GetSha256(
174 | __in PVOID Data,
175 | __in DWORD Size
176 | )
177 | {
178 | HCRYPTPROV hProv = NULL;
179 |
180 | if (!CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
181 | return std::string();
182 | }
183 |
184 | HCRYPTHASH hSha256 = NULL;
185 |
186 | if (!CryptCreateHash(hProv, CALG_SHA_256, NULL, 0, &hSha256)) {
187 | CryptReleaseContext(hProv, 0);
188 | return std::string();
189 | }
190 |
191 | if (!CryptHashData(hSha256, (const BYTE*)Data, Size, 0)) {
192 | CryptDestroyHash(hSha256);
193 | CryptReleaseContext(hProv, 0);
194 | return std::string();
195 | }
196 |
197 | DWORD Sha256Size = 0, ParamSize = sizeof(Sha256Size);
198 |
199 | if (!CryptGetHashParam(hSha256, HP_HASHSIZE, (BYTE*)&Sha256Size, &ParamSize, 0) || ParamSize != sizeof(Sha256Size)) {
200 | CryptDestroyHash(hSha256);
201 | CryptReleaseContext(hProv, 0);
202 | return std::string();
203 | }
204 |
205 | PBYTE Sha256Hash = (PBYTE)malloc(Sha256Size);
206 | if (!Sha256Hash) {
207 | CryptDestroyHash(hSha256);
208 | CryptReleaseContext(hProv, 0);
209 | return std::string();
210 | }
211 |
212 | BOOL b = CryptGetHashParam(hSha256, HP_HASHVAL, Sha256Hash, &Sha256Size, 0);
213 |
214 | CryptDestroyHash(hSha256);
215 | CryptReleaseContext(hProv, 0);
216 |
217 | if (!b) {
218 | free(Sha256Hash);
219 | return std::string();
220 | }
221 |
222 | std::string Sha256String;
223 |
224 | for (DWORD i = 0; i < Sha256Size; i++)
225 | {
226 | char ByteString[sizeof("XX")];
227 | snprintf(ByteString, sizeof(ByteString), "%02X", Sha256Hash[i]);
228 | Sha256String += ByteString;
229 | }
230 |
231 | free(Sha256Hash);
232 | return Sha256String;
233 | }
234 |
235 | std::string GetFileSha256(
236 | __in std::string FilePath
237 | )
238 | {
239 | DWORD FileSize = 0;
240 | PVOID FileData = ReadFileData(FilePath, &FileSize);
241 | if (!FileData) {
242 | return std::string();
243 | }
244 |
245 | std::string Sha256 = GetSha256(FileData, FileSize);
246 | FreeFileData(FileData);
247 |
248 | return Sha256;
249 | }
250 |
251 | PVOID GetSelfData(
252 | __out PDWORD pFileSize
253 | )
254 | {
255 | char* SelfPath = nullptr;
256 |
257 | if (_get_pgmptr(&SelfPath)) {
258 | return NULL;
259 | }
260 |
261 | return ReadFileData(SelfPath, pFileSize);
262 | }
263 |
264 | //
265 | // Given that the input DLL's SHA256 is 3D8F8F406A04A740B8ABB1D92490AFEF2A9ADCD9BEECB13AECF91F53AAC736B4,
266 | // epoch is 5, computer name and the C: volume serial number are random, it transforms the original output
267 | // path "out.exe" to
268 | // "out_3D8F8F406A04A740B8ABB1D92490AFEF2A9ADCD9BEECB13AECF91F53AAC736B4_epoch_5_computer_name_random_serial_random.exe"
269 | //
270 |
271 | std::string GenerateOutputPath(
272 | __in std::string OriginalOutputPath,
273 | __in std::string DllSha256,
274 | __in DWORD Epoch,
275 | __in_opt std::string ComputerName,
276 | __in_opt DWORD SerialNumber
277 | )
278 | {
279 | std::string OutputPath = OriginalOutputPath;
280 | std::string Extension;
281 |
282 | auto pos = OutputPath.find_last_of('.');
283 | if (pos != std::string::npos) {
284 | Extension = OutputPath.substr(pos);
285 | OutputPath.resize(pos);
286 | }
287 |
288 | OutputPath += "_";
289 | OutputPath += DllSha256;
290 |
291 | OutputPath += "_epoch_";
292 | OutputPath += std::to_string(Epoch);
293 |
294 | if (!ComputerName.empty()) {
295 | OutputPath += "_computer_name_";
296 | OutputPath += ComputerName;
297 | }
298 | else {
299 | OutputPath += "_computer_name_random";
300 | }
301 |
302 | if (SerialNumber) {
303 | OutputPath += "_serial_";
304 | char aSerialNumber[sizeof("XXXXXXXX")] = { 0 };
305 | snprintf(aSerialNumber, sizeof(aSerialNumber), "%08X", SerialNumber);
306 | OutputPath += aSerialNumber;
307 | }
308 | else {
309 | OutputPath += "_serial_random";
310 | }
311 |
312 | OutputPath += Extension;
313 | return OutputPath;
314 | }
315 |
316 | //
317 | // Creates an executable bundle with given parameters (Emotet's DLL, epoch, computer name, C: volume serial number)
318 | // and drops it by the resulting path, that incorporates the bundle's parameters
319 | //
320 |
321 | BOOL GenerateEmotetLoader(
322 | __in std::string OutputPath,
323 | __in std::string DllPath,
324 | __in DWORD Epoch,
325 | __in_opt std::string ComputerName,
326 | __in_opt DWORD SerialNumber
327 | )
328 | {
329 | DWORD DllSize = 0;
330 | PVOID DllData = ReadFileData(DllPath, &DllSize);
331 | if (!DllData) {
332 | std::cout << "Failed to read " << DllPath << "\n";
333 | return FALSE;
334 | }
335 |
336 | std::string DllSha256 = GetSha256(DllData, DllSize);
337 | OutputPath = GenerateOutputPath(OutputPath, DllSha256, Epoch, ComputerName, SerialNumber);
338 |
339 | DWORD SelfSize = 0;
340 | PVOID SelfData = GetSelfData(&SelfSize);
341 | if (!SelfData) {
342 | FreeFileData(DllData);
343 | return FALSE;
344 | }
345 |
346 | DWORD EmoLoadDataSize = SelfSize + sizeof(EMOLOAD) + ComputerName.length() + 1 + DllSize;
347 |
348 | PVOID EmoLoadData = VirtualAlloc(NULL, EmoLoadDataSize, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
349 | if (!EmoLoadData) {
350 | FreeFileData(DllData);
351 | FreeFileData(SelfData);
352 | return FALSE;
353 | }
354 |
355 | memcpy(EmoLoadData, SelfData, SelfSize);
356 |
357 | PEMOLOAD EmoLoad = (PEMOLOAD)((PBYTE)EmoLoadData + SelfSize);
358 | memset(EmoLoad, 0, sizeof(EMOLOAD));
359 |
360 | EmoLoad->Magic = EMOLOAD_MAGIC;
361 | EmoLoad->Epoch = Epoch;
362 | EmoLoad->SerialNumber = SerialNumber;
363 |
364 | if (!ComputerName.empty())
365 | {
366 | EmoLoad->ComputerNameSize = ComputerName.length() + 1;
367 | memcpy((PBYTE)EmoLoad + sizeof(EMOLOAD), ComputerName.c_str(), EmoLoad->ComputerNameSize);
368 | }
369 |
370 | EmoLoad->DllSize = DllSize;
371 | memcpy((PBYTE)EmoLoad + sizeof(EMOLOAD) + EmoLoad->ComputerNameSize, DllData, DllSize);
372 |
373 | BOOL Result = WriteFileData(OutputPath, EmoLoadData, EmoLoadDataSize);
374 |
375 | if (Result)
376 | {
377 | std::cout << "Emotet loader bundle was dropped to " << OutputPath << "\n";
378 | }
379 | else
380 | {
381 | std::cout << "Failed to drop the Emotet loader bundle to " << OutputPath << "\n";
382 | }
383 |
384 | VirtualFree(EmoLoadData, 0, MEM_RELEASE);
385 | FreeFileData(DllData);
386 | FreeFileData(SelfData);
387 |
388 | return Result;
389 | }
390 |
391 |
392 |
393 | BOOL PatchSection(
394 | __in MODULEENTRY32* Module,
395 | __in PVOID SectionData,
396 | __in DWORD SectionSize,
397 | __in PUNICODE_STRING CommandLineToPatch,
398 | __in std::wstring& NewCommandLine
399 | )
400 | {
401 | BOOL Patched = FALSE;
402 |
403 | __try
404 | {
405 | PUNICODE_STRING BaseUnicodeCommandLine = (PUNICODE_STRING)SectionData;
406 | PUNICODE_STRING FinalBaseUnicodeCommandLine = (PUNICODE_STRING)((PBYTE)BaseUnicodeCommandLine + SectionSize - sizeof(UNICODE_STRING));
407 |
408 | while (BaseUnicodeCommandLine <= FinalBaseUnicodeCommandLine)
409 | {
410 | if (!memcmp(BaseUnicodeCommandLine, CommandLineToPatch, sizeof(UNICODE_STRING)))
411 | {
412 | BaseUnicodeCommandLine->Buffer = (PWCHAR)NewCommandLine.c_str();
413 | BaseUnicodeCommandLine->Length = NewCommandLine.length() * sizeof(WCHAR);
414 | BaseUnicodeCommandLine->MaximumLength = (NewCommandLine.length() + 1) * sizeof(WCHAR);
415 |
416 | std::wcout << Module->szModule << L"!BaseUnicodeCommandLine was patched\n";
417 |
418 | *(PULONG_PTR)&BaseUnicodeCommandLine += sizeof(UNICODE_STRING);
419 | Patched = TRUE;
420 | continue;
421 | }
422 |
423 | ++*(PULONG_PTR)&BaseUnicodeCommandLine;
424 | }
425 | }
426 | __except (EXCEPTION_EXECUTE_HANDLER) {
427 | ;
428 | }
429 |
430 | return Patched;
431 | }
432 |
433 |
434 | //
435 | // Emotet modules sometimes check the command line and they may refuse to work
436 | // if the process was started without parameters; additionally, some of them assume
437 | // that the first argument of the command line is the path to the core Emotet
438 | // component, that they try to read.
439 | //
440 | // This function drops a dummy DLL on disk and then it replaces all copies of
441 | // PEB.ProcessParameters.CommandLine found in all DLLs with a fake one:
442 | // "C:\Windows\System32\regsvr32.exe" "xxxxxxxx.dll"
443 | //
444 | // It is especially important to patch kernelbase.dll!BaseUnicodeCommandLine because
445 | // GetCommandLineW returns it; it also patches the command line stored in RTL_USER_PROCESS_PARAMETERS.
446 | //
447 |
448 | BOOL PatchCommandLine(
449 | )
450 | {
451 | std::string DummyPath = WriteFileDataWithRandomName(DummyDll, sizeof(DummyDll));
452 | if (DummyPath.empty()) {
453 | return FALSE;
454 | }
455 |
456 | std::cout << "Emotet dummy DLL was dropped to " << DummyPath << "\n";
457 |
458 | static std::wstring Regsvr32 = L"C:\\Windows\\System32\\regsvr32.exe";
459 | static std::wstring CommandLine = L"\"C:\\Windows\\System32\\regsvr32.exe\" \"";
460 |
461 | CommandLine += std::wstring_convert>().from_bytes(DummyPath);
462 | CommandLine += L"\"";
463 |
464 | PTEB Teb = (PTEB)__readgsqword(0x30);
465 | PRTL_USER_PROCESS_PARAMETERS UserParams = Teb->ProcessEnvironmentBlock->ProcessParameters;
466 |
467 | HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, 0);
468 | if (hSnapshot == INVALID_HANDLE_VALUE) {
469 | DeleteFileA(DummyPath.c_str());
470 | return FALSE;
471 | }
472 |
473 | MODULEENTRY32 Module = { 0 };
474 | Module.dwSize = sizeof(Module);
475 |
476 | if (!Module32First(hSnapshot, &Module)) {
477 | CloseHandle(hSnapshot);
478 | DeleteFileA(DummyPath.c_str());
479 | return FALSE;
480 | }
481 |
482 | BOOL BaseUnicodeCommandLinePatched = FALSE;
483 |
484 | do
485 | {
486 | PIMAGE_DOS_HEADER pDosHdr = (PIMAGE_DOS_HEADER)Module.modBaseAddr;
487 | PIMAGE_NT_HEADERS pNtHdrs = (PIMAGE_NT_HEADERS)((PCHAR)Module.modBaseAddr + pDosHdr->e_lfanew);
488 | PIMAGE_SECTION_HEADER Section = IMAGE_FIRST_SECTION(pNtHdrs);
489 |
490 | for (WORD SectionIdx = 0; SectionIdx < pNtHdrs->FileHeader.NumberOfSections; SectionIdx++, Section++)
491 | {
492 | BaseUnicodeCommandLinePatched |= PatchSection(
493 | &Module, (PBYTE)Module.modBaseAddr + Section->VirtualAddress, Section->Misc.VirtualSize, &UserParams->CommandLine, CommandLine);
494 | }
495 | } while (Module32Next(hSnapshot, &Module));
496 |
497 | CloseHandle(hSnapshot);
498 |
499 | if (!BaseUnicodeCommandLinePatched) {
500 | std::cout << "Couldn't find kernelbase.dll!BaseUnicodeCommandLine\n";
501 | DeleteFileA(DummyPath.c_str());
502 | return FALSE;
503 | }
504 |
505 | UserParams->CommandLine.Buffer = (PWCHAR)CommandLine.c_str();
506 | UserParams->CommandLine.Length = CommandLine.length() * sizeof(WCHAR);
507 | UserParams->CommandLine.MaximumLength = (CommandLine.length() + 1) * sizeof(WCHAR);
508 |
509 | UserParams->ImagePathName.Buffer = (PWCHAR)Regsvr32.c_str();
510 | UserParams->ImagePathName.Length = Regsvr32.length() * sizeof(WCHAR);
511 | UserParams->ImagePathName.MaximumLength = (Regsvr32.length() + 1) * sizeof(WCHAR);
512 |
513 | std::wcout << L"Command line was patched to " << CommandLine << L"\n";
514 |
515 | return TRUE;
516 | }
517 |
518 |
519 | //
520 | // Loads an Emotet module with given parameters; generates random computer name and
521 | // the C: volume serial number if they are not provided
522 | //
523 |
524 | BOOL LoadEmotetModule(
525 | __in std::string DllPath,
526 | __in DWORD Epoch,
527 | __in_opt std::string ComputerName,
528 | __in_opt DWORD SerialNumber
529 | )
530 | {
531 | bool ComputerNameProvided = !ComputerName.empty(), SerialNumberProvided = !!SerialNumber;
532 | EMOTET_LOADER_DATA LoaderData = { 0 };
533 |
534 | if (Epoch == 4)
535 | {
536 | LoaderData.pECK1 = ECK1_Epoch4;
537 | LoaderData.ECK1_Size = sizeof(ECK1_Epoch4);
538 | LoaderData.pECS1 = ECS1_Epoch4;
539 | LoaderData.ECS1_Size = sizeof(ECS1_Epoch4);
540 | }
541 | else
542 | {
543 | LoaderData.pECK1 = ECK1_Epoch5;
544 | LoaderData.ECK1_Size = sizeof(ECK1_Epoch5);
545 | LoaderData.pECS1 = ECS1_Epoch5;
546 | LoaderData.ECS1_Size = sizeof(ECS1_Epoch5);
547 | }
548 |
549 | srand(GetTickCount());
550 |
551 | if (!ComputerName.empty())
552 | {
553 | for (int i = 0; i < ComputerName.length(); i++)
554 | {
555 | if (ComputerName[i] == '-') {
556 | ComputerName[i] = 'X';
557 | }
558 | }
559 | }
560 | else
561 | {
562 | CHAR GeneratedComputerName[sizeof(COMPUTER_NAME_FIXED_WORD COMPUTER_NAME_RANDOM_WORD)] = COMPUTER_NAME_FIXED_WORD;
563 |
564 | for (int i = _countof(COMPUTER_NAME_FIXED_WORD) - 1; i < _countof(GeneratedComputerName) - 1; i++)
565 | {
566 | GeneratedComputerName[i] = COMPUTER_NAME_RANDOM_CHARS_SET[rand() % (_countof(COMPUTER_NAME_RANDOM_CHARS_SET) - 2)];
567 | }
568 |
569 | ComputerName = GeneratedComputerName;
570 | }
571 |
572 | char aSerialNumber[sizeof("XXXXXXXX")] = { 0 };
573 |
574 | if (!SerialNumber) {
575 | SerialNumber = (rand() & 0xFFFF) | ((rand() & 0xFFFF) << 16);
576 | }
577 |
578 | snprintf(aSerialNumber, sizeof(aSerialNumber), "%08X", SerialNumber);
579 |
580 | std::cout << "DLL SHA256:......." << GetFileSha256(DllPath) << "\n";
581 | std::cout << "Epoch:............" << Epoch << "\n";
582 | std::cout << "Computer name:...." << ComputerName << " (" << (ComputerNameProvided ? "static" : "random") << ")\n";
583 | std::cout << "Serial:..........." << aSerialNumber << " (" << (SerialNumberProvided ? "static" : "random") << ")\n";
584 |
585 | std::string ID = ComputerName;
586 | ID += "_";
587 | ID += aSerialNumber;
588 |
589 | LoaderData.pID = (PCHAR)ID.c_str();
590 | LoaderData.Unk2 = 0x45c; // It is always different and it is not a handle; doesn't seem to affect execution
591 |
592 | LoaderData.hUnloadEvent = CreateEventW(NULL, TRUE, FALSE, NULL);
593 | if (!LoaderData.hUnloadEvent) {
594 | std::cout << "CreateEventW failed with error " << GetLastError() << "\n";
595 | return FALSE;
596 | }
597 |
598 | if (!PatchCommandLine()) {
599 | CloseHandle(LoaderData.hUnloadEvent);
600 | return FALSE;
601 | }
602 |
603 | std::cout << "Loading " << DllPath << "...\n";
604 |
605 | // LoadLibraryA call will call DllMain with DLL_PROCESS_ATTACH code (1), that will
606 | // NOT trigger the module's main functionality
607 |
608 | HMODULE hEmotet = LoadLibraryA(DllPath.c_str());
609 | if (!hEmotet) {
610 | std::cout << DllPath << " failed to load, last error: " << GetLastError() << "\n";
611 | CloseHandle(LoaderData.hUnloadEvent);
612 | return FALSE;
613 | }
614 |
615 | PIMAGE_DOS_HEADER pDosHdr = (PIMAGE_DOS_HEADER)hEmotet;
616 | PIMAGE_NT_HEADERS pNtHdrs = (PIMAGE_NT_HEADERS)((PCHAR)hEmotet + pDosHdr->e_lfanew);
617 |
618 | DllMain_t DllMain = (DllMain_t)((PCHAR)hEmotet + pNtHdrs->OptionalHeader.AddressOfEntryPoint);
619 |
620 | std::cout << "Calling DllEntryPoint() in custom mode...\n";
621 |
622 | // Code 100 triggers the main functionality of 64-bit modules
623 |
624 | if (DllMain(hEmotet, 100, &LoaderData))
625 | {
626 | std::cout << "DllEntryPoint() returned TRUE\n";
627 | }
628 | else
629 | {
630 | std::cout << "DllEntryPoint() returned FALSE\n";
631 | }
632 |
633 | std::cout << "The module may still be running in a separated thread\n";
634 |
635 | // The module returned execution; now let the analyst decide
636 | // whether to kill the process manually or not
637 |
638 | Sleep(INFINITE);
639 | return TRUE;
640 | }
641 |
642 |
643 | PEMOLOAD FindEmoLoadStruct(
644 | __in PVOID SelfData,
645 | __in DWORD SelfSize
646 | )
647 | {
648 | PBYTE Current = (PBYTE)SelfData;
649 | DWORD CurrentSize = SelfSize;
650 |
651 | while (CurrentSize > sizeof(EMOLOAD))
652 | {
653 | PEMOLOAD EmoLoad = (PEMOLOAD)Current;
654 |
655 | if (EmoLoad->Magic == EMOLOAD_MAGIC &&
656 | (EmoLoad->Epoch == 4 || EmoLoad->Epoch == 5) &&
657 | CurrentSize >= sizeof(EMOLOAD) + EmoLoad->ComputerNameSize + EmoLoad->DllSize &&
658 | (EmoLoad->ComputerNameSize ? ((PCHAR)EmoLoad + sizeof(EMOLOAD))[EmoLoad->ComputerNameSize - 1] == 0 : true) &&
659 | ((PIMAGE_DOS_HEADER)((PCHAR)EmoLoad + sizeof(EMOLOAD) + EmoLoad->ComputerNameSize))->e_magic == IMAGE_DOS_SIGNATURE)
660 | {
661 | return EmoLoad;
662 | }
663 |
664 | Current++;
665 | CurrentSize--;
666 | }
667 |
668 | return NULL;
669 | }
670 |
671 |
672 | //
673 | // Detects if the current executable is a bundle with embedded DLL and parameters
674 | // (epoch, computer name, C: volume serial number); it drops the DLL on disk and
675 | // returns the parameters if it is true
676 | //
677 |
678 | BOOL GetEmbeddedData(
679 | __out std::string& DllPath,
680 | __out DWORD& Epoch,
681 | __out std::string& ComputerName,
682 | __out DWORD& SerialNumber
683 | )
684 | {
685 | DllPath.clear();
686 | Epoch = 0;
687 | ComputerName.clear();
688 | SerialNumber = 0;
689 |
690 | DWORD SelfSize = 0;
691 | PVOID SelfData = GetSelfData(&SelfSize);
692 | if (!SelfData) {
693 | return FALSE;
694 | }
695 |
696 | PEMOLOAD EmoLoad = FindEmoLoadStruct(SelfData, SelfSize);
697 | if (!EmoLoad) {
698 | FreeFileData(SelfData);
699 | return FALSE;
700 | }
701 |
702 | DllPath = WriteFileDataWithRandomName(
703 | (PBYTE)EmoLoad + sizeof(EMOLOAD) + EmoLoad->ComputerNameSize, EmoLoad->DllSize);
704 | if (DllPath.empty()) {
705 | FreeFileData(SelfData);
706 | return FALSE;
707 | }
708 |
709 | std::cout << "The embedded DLL was dropped to " << DllPath << "\n";
710 |
711 | if (EmoLoad->ComputerNameSize) {
712 | ComputerName = (PCHAR)((PBYTE)EmoLoad + sizeof(EMOLOAD));
713 | }
714 | Epoch = EmoLoad->Epoch;
715 | SerialNumber = EmoLoad->SerialNumber;
716 |
717 | FreeFileData(SelfData);
718 | return TRUE;
719 | }
720 |
721 | BOOL GetCommandLineParameters(
722 | __in int argc,
723 | __in char* argv[],
724 | __out std::string& DllPath,
725 | __out DWORD& Epoch,
726 | __out std::string& ComputerName,
727 | __out DWORD& SerialNumber,
728 | __out std::string& OutputPath
729 | )
730 | {
731 | DllPath.clear();
732 | Epoch = 0;
733 | ComputerName.clear();
734 | SerialNumber = 0;
735 | OutputPath.clear();
736 |
737 | if (argc < 5) {
738 | return FALSE;
739 | }
740 |
741 | for (int i = 1; i < argc; i++)
742 | {
743 | if (!strcmp(argv[i], "-d"))
744 | {
745 | if (++i > argc) {
746 | return FALSE;
747 | }
748 |
749 | DllPath = argv[i];
750 |
751 | if (DllPath.empty()) {
752 | return FALSE;
753 | }
754 | }
755 | else if (!strcmp(argv[i], "-e"))
756 | {
757 | if (++i > argc) {
758 | return FALSE;
759 | }
760 |
761 | Epoch = strtoul(argv[i], nullptr, 10);
762 |
763 | if (Epoch != 4 && Epoch != 5) {
764 | return FALSE;
765 | }
766 | }
767 | else if (!strcmp(argv[i], "-c"))
768 | {
769 | if (++i > argc) {
770 | return FALSE;
771 | }
772 |
773 | ComputerName = argv[i];
774 |
775 | if (ComputerName.empty()) {
776 | return FALSE;
777 | }
778 | }
779 | else if (!strcmp(argv[i], "-s"))
780 | {
781 | if (++i > argc) {
782 | return FALSE;
783 | }
784 |
785 | SerialNumber = strtoul(argv[i], nullptr, 16);
786 |
787 | if (!SerialNumber) {
788 | return FALSE;
789 | }
790 | }
791 | else if (!strcmp(argv[i], "-o"))
792 | {
793 | if (++i > argc) {
794 | return FALSE;
795 | }
796 |
797 | OutputPath = argv[i];
798 |
799 | if (OutputPath.empty()) {
800 | return FALSE;
801 | }
802 | }
803 | else
804 | {
805 | return FALSE;
806 | }
807 | }
808 |
809 | if (DllPath.empty() || !Epoch) {
810 | return FALSE;
811 | }
812 |
813 | return TRUE;
814 | }
815 |
816 |
817 | int main(int argc, char* argv[])
818 | {
819 | std::string DllPath, ComputerName, OutputPath;
820 | DWORD Epoch = 0, SerialNumber = 0;
821 |
822 | srand(GetTickCount());
823 |
824 | if (GetEmbeddedData(DllPath, Epoch, ComputerName, SerialNumber))
825 | {
826 | std::cout << "Running the embedded DLL with the following parameters:\n";
827 |
828 | return !LoadEmotetModule(DllPath, Epoch, ComputerName, SerialNumber);
829 | }
830 | else if (GetCommandLineParameters(argc, argv, DllPath, Epoch, ComputerName, SerialNumber, OutputPath))
831 | {
832 | if (!OutputPath.empty())
833 | {
834 | return !GenerateEmotetLoader(OutputPath, DllPath, Epoch, ComputerName, SerialNumber);
835 | }
836 | else
837 | {
838 | return !LoadEmotetModule(DllPath, Epoch, ComputerName, SerialNumber);
839 | }
840 | }
841 | else
842 | {
843 | std::cout << "Usage: " << argv[0] << " -d ${dll_path} -e ${epoch} [-c ${computer_name}] [-s ${root_serial}] [-o ${output_path}]\n";
844 | std::cout <<
845 | "Where: \n" \
846 | "\t${dll_path} is the path to the Emotet module to be loaded (mandatory parameter).\n" \
847 | "\n" \
848 | "\t${epoch} is the identifier of the epoch (i.e., a specific Emotet botnet) that the\n" \
849 | "\tmodule belongs to; only identifiers to currently online botnets are supported,\n" \
850 | "\ti.e., either 4 or 5 (mandatory parameter).\n" \
851 | "\n" \
852 | "\t${computer_name} specifies the computer name; the tool generates a random computer name\n" \
853 | "\tif this parameter is not specified.\n" \
854 | "\n" \
855 | "\t${root_serial} specifies the C: volume serial number, which is a 32-bit hexadecimal number;\n" \
856 | "\tthe tool will generate a random serial number if this parameter is not specified.\n" \
857 | "\n" \
858 | "\t${output_path} is the output file path when using the \"-o\" option; this option\n" \
859 | "\tbuilds a standalone executable containing the module. When started, the build will\n" \
860 | "\tautomatically drop the module on disk and load it.";
861 | return 1;
862 | }
863 | }
864 |
--------------------------------------------------------------------------------