This repository provides a set of Ghidra Script for EMOTET analysis. Included scripts are following.
extract_xor_key.py
: extract XOR key for API hash. extracted XOR key will be used to generate hash database (db.json
) for resolving hashes.make_hash_db.py
: generate hash database for resolving API hash. this script is NOT Ghidra Script. make sure to run this on your host.search_hash.py
: search hashes in target binary and add comment with corresponding API. database for hashes which is used for lookup APIs must be generated bymake_hash_db.py
.decrypt_strings.py
: decrypt strings as much as possible.extract_c2.py
: extract C&C URL (including protocol, hostname and port) automatically.analyzer.py
: all-in-one script of above scripts, especially for Headless Analyzer.
Originally these scripts were shared in Japan Security Analyst Summit (JSAC) 2021. If you need the scripts that is used in that workshop, you can find them in for_training
folder. The slide deck is available here (Japanese).
This is Gihdra Script. You need to install Ghidra before running script. If you're not familiar with Ghidra Script, please see the documents below.
- https://ghidra.re/courses/GhidraClass/Intermediate/Scripting_withNotes.html#Scripting.html
- https://ghidra.re/ghidra_docs/analyzeHeadlessREADME.html
Plus this should be noted, these scripts will analyzer "unpacked" EMOTET. So you need unpacked one before running this script. You can get it by yourself with hollow_hunter or use online sandbox for unpack (like CAPE).
clone this repository, and add the cloned path into your Script Directories
.
> git clone https://github.com/AllsafeCyberSecurity/malware-analysis-at-scale-defeating-emotet-by-ghidra.git
> cd malware-analysis-at-scale-defeating-emotet-by-ghidra.git
> python -m pip install -r requirements.txt
Only analyzer.py
is Headless Script. After making sure to import the unpacked EMOTET in your Ghidra Project, You can run this script as following.
> %GHIDRA_INSTALL_DIR%\support\analyzeHeadless.bat <path-to-your-project> <project-name> -process <already-imported-unpacked-emotet-filename> -scriptPath <path-to-this-repo> -postScript analyzer.py <path-to-output>.json
Other scripts are Ghidra Script. You can run them from Script Manager.