jpcertcc / emocheck Goto Github PK

I rewrote the program in powershell to better integrate it into System Management solutions like SCCM, Baramundi and others.

function GetWord([string]$keywords, [uint32]$ptr, [uint32]$keylen)
{
    $keyword = ""

      for ($i = $ptr; $i -gt 0; $i--) {
        if ($keywords[$i] -ne ",") {
            continue;
        } else {
            $ptr = $i;
            break;
        }
    }
    if ($keywords[$ptr] -eq ',') {
        $ptr++;
    }
    for ($i = $ptr; $i -lt $keylen; $i++) {
        if ($keywords[$i] -ne ',') {
            $keyword += $keywords[$i];
            $ptr++;
        } else {
            break;
        }
    }
    return $keyword
}

function ScanEmotetProcess([string ]$keyword)
{
    $processes = Get-Process $keyword -erroraction 'silentlycontinue'
    return $processes
}

function GenerateEmotetProcessName()
{
    $keyword = ""
    $keywords = [string]::Join("","duck,mfidl,targets,ptr,khmer,purge,metrics,acc,inet,msra,symbol,driver,", 
                "sidebar,restore,msg,volume,cards,shext,query,roam,etw,mexico,basic,url,",
                "createa,blb,pal,cors,send,devices,radio,bid,format,thrd,taskmgr,timeout,",
                "vmd,ctl,bta,shlp,avi,exce,dbt,pfx,rtp,edge,mult,clr,wmistr,ellipse,vol,",
                "cyan,ses,guid,wce,wmp,dvb,elem,channel,space,digital,pdeft,violet,thunk")


    [uint32]$keylen = $keywords.Length
    [uint32]$seed =  (Get-WmiObject Win32_volume |  Where-Object {$_.DriveLetter -eq "C:"}).SerialNumber

    #$hex = [Convert]::ToString($seed, 16)
    #Write-Host "[debug] Serial Number : $hex"

    [uint32]$q = $seed / $keylen
    [uint32]$mod = $seed % $keylen

    $keyword += GetWord $keywords $mod $keylen

    [uint32]$seed = [uint32]"0xffffffff" - $q

    $mod = $seed % $keylen;
    $keyword += GetWord $keywords $mod $keylen

    #Write-Host "[debug] Emotet process name on this host is $($keyword).exe"

    return $keyword
}

function ScanEmotet()
{
    $emotet_process_name = GenerateEmotetProcessName
    return ScanEmotetProcess $emotet_process_name
}


$emotet_processes = ScanEmotet

if ($emotet_processes.Length -gt 0)
{
    Write-Output "[Emotet Process]"
    Write-Output "     Process Name  : $($emotet_processes.ProcessName)"
    Write-Output "     Process ID    : $($emotet_processes.Id)"
    Write-Output "     Image Path    : $($emotet_processes.Path)"
}
else
{
    Write-Output "[Result] `nNo detection."

}

First of all: many thanks for your great work and the possibility to get the code.
I'm the author of EmoKill which will not only detect processes of Emotet, it also kills those processes as soon as possible.

I've found references to further keywords that Emotet uses, it's documented at the following website of F-Secure. What do you think about integration of these keywords to EmoCheck?

v2.1 did not work with Windows10Pro with UAC disabled.
v2.0 worked.

I would like to simulate an infection to test the correct functioning of the tool. Is there a possibility?
And if so, what exactly do I have to do? Unfortunately this is not documented.

Thank you.

It would flash back at the beginning, so I recompiled with VS2022 to solve the flash back, but the Japanese garbled, and finally converted to a wide character set to fix.

https://github.com/TheClockIT/EmoCheck

素晴らしいツール作成ありがとうございます。
1台のPCを複数ユーザーが利用している場合に実行ユーザーを確認したいため、
ログ、ログファイル名に実行ユーザーを追加できないでしょうか。

This code makes

Maybe he want as:

    {
        int i;
        for (i = ptr; i > 0; i--) {
            if (keywords[i] != ',') {
                continue;
            } else {
                break;
            }
        }
        ptr = i;
    }

Does this bug origin old emotet (- 2020/02/05)?

Cant open in windows xp

It would be nice to specify the output path of the report with a command line parameter. Also a silent mode would be great, so that the script can be executed on many systems at the same time in the background.

It's cumbersome to integrate your script into 3rd party monitoring solutions since it always pauses output and because it doesn't return a proper ERRORLEVEL.

Please remove the pause instruction and return an ERRORLEVEL of 1 if emotet is found.

I tried to improve your tool myself with a pull request and also sent an email, both have been ignored unfortunately.

Hi, to check the Logs we need the german sample report...

Thx

Regards

ROB

I downloaded v1.0.0 from Github and then cloned the repo. I am noticing that the downloaded v1.0.0 is detecting a new version of Emotet but building from source is not. Is the master branch up to date with what was included in the v1.0.0 release?

From Repo

Emotet detection tool by JPCERT/CC.

Version      : 1.2
Release Date : 2020/02/10
URL          : https://github.com/JPCERTCC/EmoCheck

Download v1.0.0

Emotet detection tool by JPCERT/CC.

Version      : 1.0.0
Release Date : 2020/07/20
URL          : https://github.com/JPCERTCC/EmoCheck

Hello,

Emocheck failed to detect an instance of malware that got us listed. How I can submit this instance to allow update of the detection?

Maybe the mistake has been corrected in later versions, but...

The & (bitwise-and) should be && (logical-and) in the context.

v2.1 doesn't work in Windows7x64 so far in the morning of Mar 5,2022. Window comes up and then disappears right after that.

Is this Version of EmoCheck still effective for detect Emotet or has Emotet adopt their methode?

Hi,

on line #76 in emocheck.cpp:
shouldn't it be better to determine the correct systemdrive than to assume that is allways C:?

Regards
Patrick

Hi All,

I've written a short python-script which can be used to automatically check the Reports on any given destination.

I thank you very much for your work!
Feel free to use, edit and spread the tool.

you can check it out:
https://github.com/Lecatron/Emocheck-ReportChecker/tree/master

Hi,

I've tested a lot of samples and they does not behave how you are expected. Can you give me a sample or at least a sha256 that can be found on virustotal?
Here are the sha256 tested by me (also, you can find them on virustotal):
f2e66165689cc6eb77c4bb53c744423651a9a00c8bb8ca560c6ef2a1cad79949
fbd6cd18394dc4b979d2589e54aaa20185dd3c6ce4ab28af7238d0be187e9c55
6787c59952c4d444bd996f0d1ce0769e3be01efb4a956dab6a0002eacb823549
f066141214ab9f04623391e1f7921e594b34a3a13be97e223bfb7d3488c69d5d
50067b34f57ae6946c02c0697d029d746b860d356e80d6403805747bc05b7a51
c37ae465ddd63d49f36380cf223d1b0d3117021190d73bc37ee132ec10020342
045c4ab485bd45781234451af0eae62f23abceae375d5434cff37c3e5620f872
cbc44f30526548b0a09a2d64a30eda9447f80bbc698fbeec08c2b68d80e96d5a
75310a0db927a7e4836d8695290b5c845ee3caa9586367e65a14430451df1e49
53f029fc5471105a2bc966c7198191553b3f1a96a1277f696a84152c0b250def
acad577c915ed6284f669c66c4d9e1ef5a9241f98cdf6a8a776ad9eed24772fd
fde4852adcc6e3625c0afcd772640d059008391c7864c044a00b5b1706ed6571
67c953c97c193395a03b2fadf0aca391bd6b71c35701388c7342ccb513cc84a2
e86bcbd08dda8259efd9b77df1ed30ca3ef0692c40f017a3a8fd52e9ccea5aae
9428c78a7bb6377b58fe7130e8a42e18d6f52c2d46a1c8f9e49ccac5cc7a32a8
b1340d61918fbfe760ee2088dec385fd2667c8301ecf647ed5f6a4bc953bf791
a199d34708d1493e53b284ce545015a97027f4bf6f7bc8cf0a2ccd1c33b1048a
8a4fe49cc132a49abbefe3031870b3727ad5b3984f383f83cc617b0a1464edcf
ac5f2bc1d47e3473b7331c576d0be55079ad7c4c15462ba265c30cdd27611692
3acb71f6f54d49e9751a75e6b0e048be8e21b33e2a5fb2e484e1b5bf305a3505
265da95da87a36881e4acaf61d1b9674f0eb549b395f3141b540f3f2e5d487a6