• Stars
    star
    669
  • Rank 67,451 (Top 2 %)
  • Language
    C++
  • License
    Other
  • Created almost 5 years ago
  • Updated 12 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Emotet detection tool for Windows OS

EmoCheck

GitHub release Github All Releases

Emotet detection tool for Windows OS.

How to use

  1. Download EmoCheck from the Releases page.
  2. Run EmoCheck on the host.
  3. Check the exported report.

Download

Please download from the Releases page.

Command options

(since v0.0.2)

  • Specify output directory for the report (default: current directory)
    • /output [your output directory] or -output [your output directory]
  • No console output
    • /quiet or -quiet
  • Export the report in JSON style
    • /json or -json
  • Debug mode (no report)
    • /debug or -debug
  • Show help
    • /help or -help

How EmoCheck detects Emotet

(v0.0.1)
Emotet generates their process name from a specific word dictionary and C drive serial number. EmoCheck scans the running process on the host, and find Emotet process from their process name.

(added in v0.0.2)
Emotet keeps their encoded process name in a specific registry key. EmoCheck looks up and decode the registry value, and find it from the process list. Code Signing with Microsoft Authenticode.

(added in v1.0)
Support the April 2020 updated of Emotet.
Obfuscated code.

(added in v2.0)
Support the December 2020 updated of Emotet.
French language support. (Thanks to CERT-FR)

Sample Report

Text stlye:

[Emocheck v0.0.2]
Scan time: 2020-02-10 13:06:20
____________________________________________________

[Result]
Detected Emotet process.

[Emotet Process]
     Process Name  : mstask.exe
     Process ID    : 716
     Image Path    : C:\Users\[username]\AppData\Local\mstask.exe
____________________________________________________

Please remove or isolate the suspicious execution file.

JSON style (added in v0.0.2):

{
  "scan_time":"2020-02-10 13:06:20",
  "hostname":"[your hostname]",
  "emocheck_version":"0.0.2",
  "is_infected":"yes",
  "emotet_processes":[
    {
       "process_name":"mstask.exe",
       "process_id":"716",
       "image_path":"C:\\Users\\[username]\\AppData\\Local\\mstask.exe"
    }
  ]
}

The report will be exported to the following path.

(v0.0.1)
[current directory]\yyyymmddhhmmss_emocheck.txt

(since v0.0.2)
[output path]\[computer name]_yyyymmddhhmmss_emocheck.txt
[output path]\[computer name]_yyyymmddhhmmss_emocheck.json

Screenshot

(v0.0.1)

Releases

  • (Feb. 3, 2020) v0.0.1
    • Initial release
  • (Feb. 10, 2020) v0.0.2
    • update detecting method
    • add options
  • (Aug. 11, 2020) v1.0.0
    • update detecting method
  • (Jan. 27, 2021) v2.0.0
    • update detecting method
    • Added French language support
  • (Mar. 4, 2022) v2.1.0
    • update detecting method
  • (Mar. 14, 2022) v2.1.1
    • Fixed a crash bug when executing with SYSTEM privileges
  • (Apr. 22, 2022) v2.2.0
    • update detecting method
  • (May. 20, 2022) v2.3.0
    • update detecting method
  • (May. 24, 2022) v2.3.1
    • fixed a detection pattern
  • (May. 27, 2022) v2.3.2
    • fixed a detection pattern
  • (Mar. 19, 2023) v2.4.0
    • update detecting method

License

Please read the LICENSE page.

Notes

Tested environments

  • Windows 11 21H2 64bit Japanese Edition
  • Windows 10 21H2 64bit Japanese Edition
  • Windows 8.1 64bit Japanese Edition
  • Windows 7 SP1 32bit Japanese Edition
  • Windows 7 SP1 64bit Japanese Edition

Windows 7 does not support UTF-8 output in the Command Prompt.

Build

  • Windows 10 1809 64bit Japanese Edition
  • Microsoft Visual Studio Community 2017

Source code

Not published from v2.1.

More Repositories

1

LogonTracer

Investigate malicious Windows logon by visualizing and analyzing Windows event log
Python
2,690
star
2

MalConfScan

Volatility plugin for extracts configuration data of known malware
Python
478
star
3

aa-tools

Artifact analysis tools by JPCERT/CC Analysis Center
Python
452
star
4

SysmonSearch

Investigate suspicious activity by visualizing Sysmon's event log
JavaScript
417
star
5

ToolAnalysisResultSheet

Tool Analysis Result Sheet
HTML
341
star
6

YAMA

Yet Another Memory Analyzer for malware detection
C++
171
star
7

phishurl-list

Phishing URL dataset from JPCERT/CC
HTML
150
star
8

DetectLM

Detecting Lateral Movement with Machine Learning
Python
137
star
9

MalConfScan-with-Cuckoo

Cuckoo Sandbox plugin for extracts configuration data of known malware
Python
134
star
10

jpcert-yara

JPCERT/CC public YARA rules repository
YARA
96
star
11

log-analysis-training

γƒ­γ‚°εˆ†ζžγƒˆγƒ¬γƒΌγƒ‹γƒ³γ‚°η”¨γ‚³γƒ³γƒ†γƒ³γƒ„
HTML
88
star
12

impfuzzy

Fuzzy Hash calculated from import API of PE files
Python
87
star
13

MemoryForensic-on-Cloud

Memory Forensic System on Cloud
HTML
84
star
14

Windows-Symbol-Tables

Windows symbol tables for Volatility 3
Python
71
star
15

cordova

Vulnerability Analysis of Hybrid Applications using Apache Cordova
HTML
55
star
16

Lazarus-research

Lazarus analysis tools and research report
Python
54
star
17

OWASPdocuments

Japanese translation of OWASP documents
HTML
52
star
18

STrelok

Application for STIX v2.0 objects management and analysis
Python
27
star
19

CobaltStrike-Config

Repository for archiving Cobalt Strike configuration
27
star
20

QuasarRAT-Analysis

QuasarRAT analysis tools and research report
Python
24
star
21

Lucky-Visitor-Scam-IoC

Automatically update IoC for lucky visitor scam
24
star
22

SurfaceAnalysis-on-Cloud

Surface Analysis System on Cloud
HCL
18
star
23

ToolAnalysisResultSheet_jp

εˆ†ζžγƒ„γƒΌγƒ«η΅ζžœγ‚·γƒΌγƒˆ
HTML
16
star
24

AutoYara4FLIRT

Python
14
star
25

cwe-1003-ja

CWE-1003 ζ—₯本θͺžθ¨³
9
star
26

vdo-json-schema

JSON Schema for Vulnerability Description Ontology (VDO)
JavaScript
8
star
27

JPCERT-IR-Statistics

JPCERT/CC Incident handling statistics
HTML
6
star
28

xml2evtx

Convert Event Log XML to EVTX file
Python
5
star
29

HUILoader-research

HUI Loader analysis research
4
star
30

GobRAT-Analysis

Python
1
star