Return of Emotet

To make malware analysis and reverse engineering more difficult, Emotet uses a number of anti-analysis techniques. One of the first ones that stands out is control flow flattening where the structure of the program's control flow is removed, making it difficult to trace its execution. Another technique that stands out is Windows API function call hashing with randomized function argument ordering. The Open Analysis HashDB IDA Plugin supports Emotet's hashing algorithm which helps defeat this anti-analysis mechanism. Using the same encryption algorithm as for strings, Emotet stores three encrypted configuration items: Command and Control (C2) IP addresses, ports, and "use TLS" flags An Elliptic Curve Diffie Hellman (ECDH) public key used in C2 communications An Elliptic Curve Digital Signature Algorithm (ECDSA) public key used to verify responses from a C2. C2 communications is via HTTP requests. The URI is randomly generated and data is encrypted in the Cookie header (a POST request is used for larger amounts of data). The Cookie header contains a randomly generated key name and base64 encoded key value. Once decoded, the key value contains: A generated ECDH public key AES encrypted request data Random bytes The AES key used to encrypt request data is generated via the following method: The generated ECDH private key and embedded ECDH public key are used with the BCryptSecretAgreement function to generate a shared secret between the malware and C2 The AES key is derived from the shared secret using the BCryptDeriveKey function Plaintext request data, command data, and response data use a basic data encoding to encode DWORDs and variable length data. Request data contains the following: Command number Command data SHA256 hash Command data As an example, a "command poll" (command number 1) contains the following command data: Bot ID (computer name and volume serial number) Hash of malware process path Build date (e.g. 20211114) Malware version (e.g. 10000) Encoded Windows version and architecture Malware process session ID Optional module acknowledgement Response data is encrypted similarly to requests and once decrypted, the data is verified using the embedded ECDSA public key. Once verified, the data contains a command number and optional arguments.