Dive into recent Emotet’s cryptor

ZYWU
2 min read · Mar 25, 2019

Sample – 7a305cbbe2a950663827953cf398078d7b18baa4

It locates the encrypted payload by a direct memory reference. Note that the cryptor contains many obfuscation instructions.

The structure of encrypted payload is:

struct encrypted_payload {
    DWORD payload_size; // at the black underline in the screenshot
    BYTE  payload[];    // data following the blue bracket
};

Then the payload is copied in chunks. The chunk size is a hardcoded value, 0x60 in my sample.

Decrypting the payload is just a simple routine of consecutive 4-byte add and XOR operations. The following Python script decrypts the payload.

However, unlike previous Emotet samples, which preserve a full PE loader, this sample destroys the PE header.

After decrypting the payload, the cryptor jumps to the next stage. The entry point of that stage is set by:

This means the entry point is at allocated_mem + 0x1A701 – 0x21, a raw offset into the allocated buffer rather than a value read from a PE header.
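As an added example (not the post's missing script and not Emotet's own code), here is a Python reconstruction of the unpacking steps described above: parse the size-prefixed struct, copy the payload in 0x60-byte chunks, apply a per-dword add-then-XOR, and compute the next-stage entry point from the allocation base. The add/XOR constants and the order of the two operations are assumptions, since the page does not give them; build_blob exists only to construct test input.

```python
import struct

CHUNK_SIZE = 0x60                 # hardcoded copy chunk size from the sample
ENTRY_OFFSET = 0x1A701 - 0x21     # entry point offset into the allocated buffer
# Assumed constants: the page does not give the real add/XOR values.
ADD_KEY = 0x1337BEEF
XOR_KEY = 0x9E3779B9
MASK32 = 0xFFFFFFFF

def parse_encrypted_payload(blob: bytes) -> bytes:
    """Parse struct encrypted_payload { DWORD payload_size; BYTE payload[]; }."""
    if len(blob) < 4:
        raise ValueError("blob too short for payload_size")
    (size,) = struct.unpack_from("<I", blob, 0)
    if 4 + size > len(blob):
        raise ValueError("payload_size exceeds available data")
    return blob[4:4 + size]

def copy_in_chunks(payload: bytes, chunk_size: int = CHUNK_SIZE) -> bytearray:
    """Mimic the cryptor's chunked copy into a freshly allocated buffer."""
    dst = bytearray()
    for off in range(0, len(payload), chunk_size):
        dst += payload[off:off + chunk_size]
    return dst

def decrypt_dwords(buf: bytes, add_key: int = ADD_KEY, xor_key: int = XOR_KEY) -> bytes:
    """Per 32-bit word: add add_key (mod 2**32), then XOR xor_key (assumed order)."""
    out = bytearray()
    n = len(buf) - len(buf) % 4
    for (w,) in struct.iter_unpack("<I", buf[:n]):
        out += struct.pack("<I", ((w + add_key) & MASK32) ^ xor_key)
    out += buf[n:]  # trailing bytes short of a full dword are left untouched
    return bytes(out)

def build_blob(plain: bytes, add_key: int = ADD_KEY, xor_key: int = XOR_KEY) -> bytes:
    """Inverse transform plus size header; used only to construct test input."""
    enc = bytearray()
    n = len(plain) - len(plain) % 4
    for (w,) in struct.iter_unpack("<I", plain[:n]):
        enc += struct.pack("<I", ((w ^ xor_key) - add_key) & MASK32)
    enc += plain[n:]
    return struct.pack("<I", len(enc)) + bytes(enc)

def entry_point(alloc_base: int) -> int:
    """Next-stage entry: allocated_mem + 0x1A701 - 0x21, as the cryptor computes it."""
    return alloc_base + ENTRY_OFFSET

def unpack(blob: bytes) -> bytes:
    return decrypt_dwords(copy_in_chunks(parse_encrypted_payload(blob)))
```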

Workflow Summary
• GetEncryptedPayload
• AllocateMemory
• CopyPayloadToNewAllocatedMem
• DecryptsThePayload
