Analysis of Emotet

Analysis of the New Modules that Emotet Spreads

Anti-analysis techniques:

It checks whether any of the DLLs listed below is loaded in the current process. Each belongs to an analysis tool or anti-virus product, such as VMware, SunBelt Sandbox, Sandboxie, Virtual PC, WPE Pro, Avast, Comodo, and iDefense.

pstorec.dll, vmcheck.dll, dbghelp.dll, wpespy.dll, api_log.dll, SbieDll.dll, SxIn.dll, dir_watch.dll, Sf2.dll, cmdvrt32.dll, snxhk.dll.

If any of these DLLs is found to be loaded, the process exits immediately.

TrickBot then checks whether the anti-virus services Microsoft “WinDefend”, Malwarebytes “MBAMService”, and Sophos “SAVService” are running. If one is found, it runs commands to stop and delete the service and also kills the related processes.

It executes “cmd.exe /c sc stop WinDefend” and “cmd.exe /c sc delete WinDefend” to stop and delete the Microsoft “WinDefend” service, and kills the related processes “MsMpEng.exe”, “MSASCuiL.exe” (Windows 10) and “MSASCui.exe” (earlier Windows versions).

Likewise, if Sophos is found, it executes “cmd.exe /c sc stop SAVService” and “cmd.exe /c sc delete SAVService” to stop and delete that service, and kills the related processes “SavService.exe”, “ALMon.exe”, etc.

Finally, it calls the API “ControlService” to stop the “MBAMService” service if it is running. Figure 10 is the ASM snippet of this call.