Emotet is a Trojan that is commonly spread through email. It was initially designed to steal banking credentials, and it uses a number of strategies and infection vectors to spread across networks and establish persistence on infected devices. This paper proposes a framework for analyzing Emotet malware through reverse engineering. Because manual reverse engineering is time-consuming, we have identified a set of function calls that help in understanding a sample's activity and in locating the payload. The research covers two file types only, EXE and DLL files. First, we analyze the PE structure of the file with CFF Explorer and check for irregularities in the header addresses. Using Ghidra, we then continue the analysis of the sample, examining irregularities, API calls, strings and other information about the structure of the file. By identifying the common functionality and understanding its usage, we can determine the kind of behavior the sample would perform and the API calls used for malicious activity. Based on the malicious activity performed, we determine whether the given sample is Emotet or clean.
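The first two steps of the procedure above, checking the PE header addresses and then looking at API names in the strings, can be mechanised before a sample is opened in CFF Explorer or Ghidra. The following is an added example written for this page, not code from the paper: a pure-Python parser that reads the DOS and NT headers with `struct`, flags header and section-table irregularities (an `e_lfanew` outside the file, missing PE signature, raw data past end of file, a section with no raw data, a writable and executable section, an entry point outside or in a non-executable section), reports whether the file is an EXE or DLL, and lists Win32 API names found in the printable strings. The API watchlist and the exact set of checks are assumptions of the example; the paper does not publish the APIs it relies on. The two PE images the block builds are constructed toy images for demonstration, not Emotet samples.

```python
import struct

# Watchlist for the string pass: an assumption of this example, not the paper's API list.
API_WATCHLIST = {
    "VirtualAlloc", "VirtualProtect", "WriteProcessMemory", "CreateRemoteThread",
    "RegSetValueExA", "RegSetValueExW", "CreateServiceA", "CreateServiceW",
    "InternetOpenA", "HttpSendRequestA", "WinHttpOpen", "CryptDecrypt",
    "IsDebuggerPresent", "GetProcAddress", "LoadLibraryA",
}
IMAGE_FILE_DLL = 0x2000                                   # IMAGE_FILE_HEADER.Characteristics
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000   # IMAGE_SECTION_HEADER.Characteristics


def check_pe(data):
    """Return (kind, findings): kind is 'EXE', 'DLL' or None when the headers are unusable."""
    findings = []
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None, ["missing MZ signature"]
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    # First header-address check: the NT headers (signature + COFF header) must lie inside the file.
    if e_lfanew + 24 > len(data):
        return None, [f"e_lfanew 0x{e_lfanew:x} points outside the file"]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None, [f"no PE signature at 0x{e_lfanew:x}"]
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, coff)
    kind = "DLL" if file_chars & IMAGE_FILE_DLL else "EXE"
    opt = coff + 20
    if opt + 20 > len(data):
        return kind, ["optional header truncated"]
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                        # PE32 / PE32+
        findings.append(f"unexpected optional header magic 0x{magic:x}")
    entry, = struct.unpack_from("<I", data, opt + 16)      # AddressOfEntryPoint (RVA)
    entry_sec, table = None, opt + opt_size
    for i in range(nsec):                                  # 40-byte IMAGE_SECTION_HEADER entries
        off = table + i * 40
        if off + 40 > len(data):
            findings.append(f"section table declares {nsec} entries but is truncated")
            break
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        chars, = struct.unpack_from("<I", data, off + 36)
        if rptr + rsize > len(data):
            findings.append(f"section {name} raw data extends past end of file")
        if rsize == 0 and vsize > 0:                       # filled in at run time, as in packed samples
            findings.append(f"section {name} has no raw data but virtual size 0x{vsize:x}")
        if chars & SCN_MEM_WRITE and chars & SCN_MEM_EXECUTE:
            findings.append(f"section {name} is writable and executable")
        if vaddr <= entry < vaddr + max(vsize, rsize):
            entry_sec = (name, chars)
    if entry_sec is None:
        findings.append(f"entry point 0x{entry:x} lies outside every section")
    elif not entry_sec[1] & SCN_MEM_EXECUTE:
        findings.append(f"entry point 0x{entry:x} is in non-executable section {entry_sec[0]}")
    return kind, findings


def watchlisted_strings(data, min_len=5):
    """Printable-ASCII runs of at least min_len bytes that exactly name a watchlisted API."""
    found, run = set(), bytearray()
    for b in data + b"\0":                                 # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len and run.decode("ascii") in API_WATCHLIST:
            found.add(run.decode("ascii"))
        run = bytearray()
    return sorted(found)


def build_pe(sections, entry, file_chars=0, e_lfanew=0x40):
    """Assemble a minimal PE32 image from (name, rva, characteristics, raw) tuples (constructed test data)."""
    hdr_len = e_lfanew + 4 + 20 + 0xE0 + 40 * len(sections)
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, file_chars)
    opt = (struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry)).ljust(0xE0, b"\0")
    table, body, rptr = b"", b"", hdr_len
    for name, vaddr, chars, raw in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(raw) or 0x1000, vaddr,
                                                    len(raw), rptr if raw else 0)
        table += b"\0" * 12 + struct.pack("<I", chars)
        body, rptr = body + raw, rptr + len(raw)
    return dos + b"PE\0\0" + coff + opt + table + body


STUB = b"\x55\x8b\xec\x33\xc0\x5d\xc3".ljust(0x200, b"\xcc")   # constructed .text contents
TEXT_RX, DATA_R, TEXT_RWX = 0x60000020, 0x40000040, 0xE0000020

# Constructed clean-looking EXE: entry point inside a read/execute .text section.
CLEAN_EXE = build_pe([(b".text", 0x1000, TEXT_RX, STUB),
                      (b".rdata", 0x2000, DATA_R, b"hello world\0")], entry=0x1000)
# Constructed suspicious DLL: RWX code, a section with no raw data, entry outside every section, watchlisted strings.
SUSPICIOUS_DLL = build_pe([(b".text", 0x1000, TEXT_RWX, STUB),
                           (b".pack", 0x2000, TEXT_RX, b""),
                           (b".rdata", 0x3000, DATA_R,
                            b"VirtualAlloc\0CreateRemoteThread\0RegSetValueExA\0")],
                          entry=0x9000, file_chars=IMAGE_FILE_DLL)
# The clean image with e_lfanew patched to point far outside the file.
BAD_LFANEW = bytes(CLEAN_EXE[:0x3C] + struct.pack("<I", 0x7FFF0000) + CLEAN_EXE[0x40:])
```

Calling `check_pe(SUSPICIOUS_DLL)` returns `("DLL", [...])` with three findings (writable and executable `.text`, `.pack` with no raw data, entry point outside every section), and `watchlisted_strings(SUSPICIOUS_DLL)` returns the three API names embedded in `.rdata`; `check_pe(BAD_LFANEW)` stops at the first check with `e_lfanew` outside the file, which is the kind of header-address irregularity the CFF Explorer step looks for. Reading a real sample is `check_pe(open(path, "rb").read())`. Note that a watchlisted name in the strings only indicates that the import or string is present; confirming how it is used is the Ghidra step.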
Manohar Venkat, G., Chandran, S., & Arjun, T. U. (2023). Malware Reverse Engineering to Find the Malicious Activity of Emotet. In Advances in Transdisciplinary Engineering (Vol. 32, pp. 167–173). IOS Press BV. https://doi.org/10.3233/ATDE221253