In a previous post, I covered the file analysis for an Excel file containing malicious code related to Emotet. In this post, we take things on the flip side and analyze an Emotet/Heodo DLL statically for part one of a two-part series.
After retrieving the sample and extracting it for analysis, I threw it into PE studio for a quick gauge:
I make a note of the export; this will be the parameter I use when I go to execute the DLL during dynamic analysis.
I then passed the DLL over to my REMnux instance for further static analysis there. Capa offered some insights as to what capabilities the DLL has:
As shown in the capa output screenshots, this binary can do quite a bit. At a glance we can see debugger detection, and registry, process, and file system interaction. This can offer some guidance when we progress to dynamic analysis as to what to look out for.
Next, I ran emu_dll.py to emulate a Windows environment and execution with the DLL. Not very much was conclusive after a cursory check, but the one thing that stood out was svchost.exe:
In a last sweep, I ran strings to see if anything else was worth noting:
In strings I observed a couple of registry keys, along with a plethora of API calls that corroborate what capa identified as capabilities. Below is a small snippet:
No networking IOCs or additional significance were identified during the static assessment of this sample.
It's worth mentioning that with certain samples, this is how the art of reversing goes. Until it's dynamically assessed or torn apart at a code level, things may not make complete sense. Some of this is due to the fact that samples will generate additional aspects at runtime, and they are therefore not available for static analysis.
I wrote this post to show that just conducting one facet of analysis on a sample may not always be conclusive, but leveraging those findings in a multi-faceted approach can prove useful. In the next post, I'll conduct dynamic analysis on this same sample and use some of these findings to draw conclusions and characterize IOCs.
Sample hash: 72af65d5e78e9bbb56660fbb7f15db83142c6d96d548bcbf53c6ed3595aa771d
Comments