Some time ago I have found out that Emotet malware is a huge problem especially when it comes to malspam – lots of phishing mails contain Emotet downloader in various formats. I happened to analyze one the them and you can see my anaysis there. I have also prepared tracker under tracker.malwaredancer.com which presents Emotet C2 proxy servers on the world map. The problem seems to be quite big. That is why I wanted to have a look into Emotet sample. I got mine from https://app.any.run.

One of the top samples send to app.any.run is tagged as #NanoCore. Because of that I wanted to have a look inside this malware. At first I run the sample under VM. Except some calls to Windows registry I have not found any interesting behavior. Then I run this sample under OllyDBG.

I am still reversing LockerGoga sample. This time I want to focus on network part. You would ask why ransomware even need networking part? Yes, the same question crossed my mind, but now I would like to stick to facts. And as you can see from Ida Imports subview there are two functions import from WS2_32 library.

Having in mind previous ROP Emporium challenge, I tried to crack the second one. Below you can find python script which I used to get the flag.

Since I wanted to get into Return-Oriented-Programming technique I got to the ROP Emporium challenges. The first one was pretty simple, I needed to call specific function within the binary, which is not called during normal binary execution. Since I wanted to automate exploitation, I created script using pwntools python package.

I wanted to see the real ransomware in the action, so I got LockerGoga sample from app.any.run. Then I have run exe file with opened ProcessExplorer and ProcessMonitor in the background to see what it will really do on my virtual machine system.

Today I have started my malware analisys from getting the sample from virusshare.com. Output of file command states that this is XML document.