How to use EmoCheck to detect Emotet trojan on Windows

0 24
Windows 11 21H2 64-bitWindows 10 21H2 64-bitWindows 8.1 64-bitNote: Windows 7 do...

How to use EmoCheck to detect Emotet trojan on Windows

Windows 11 21H2 64-bit

Windows 10 21H2 64-bit

Windows 8.1 64-bit

Note: Windows 7 does not support outputting UTF-8 reports in the command line terminal.

Build platform

Windows 10 1809 64-bit

Microsoft Visual Studio Community 2017

Tool features

1. Emotet generates its process name based on a specific dictionary of words and the serial number of the C drive, and EmoCheck can scan the running processes on the host and find the Emotet process from the process name.

2. Emotet will save the encoded process name in a specific registry entry, and EmoCheck can find and decode the registry value, and find it in the process list.

3. Supports detection of Emotet versions updated in April 2020.

4. Supports detection of Emotet versions updated in December 2020.

Tool download

Researchers can access the project's [Releases pageDownload the latest version of this tool:

Command options

Specify the report output directory (default: current directory: )

/output [your output directory]

-output [your output directory]

Disable console output:

/quiet

-quiet

Output the report in JSON data format:

/json

-json

Enable debug mode (no report):

/debug

-debug

Display tool help information:

/help

-help

Report example

Text format

[Emocheck v0.0.2]

Scan time: 2020-02-10 13:06:20

____________________________________________________

 

[Result]

Detected Emotet process.

 

[Emotet Process]

Process Name   : mstask.exe

Process ID   : 716

Image Path   : C:\Users\[username]\AppData\Local\mstask.exe

____________________________________________________

 

Please remove or isolate the suspicious executable file.

JSON format

{

"scan_time":"2020-02-10 13:06:20",

"hostname":"[your hostname]",

"emocheck_version":"0.0.2",

"is_infected":"yes",

"emotet_processes":[

{

"process_name":"mstask.exe",

"process_id":"716",

"image_path":"C:\\Users\\[username]\\AppData\\Local\\mstask.exe"

}

]

}

Report generation path

[current directory]\yyyymmddhhmmss_emocheck.txt

[output path]\[computer name]_yyyymmddhhmmss_emocheck.txt

[output path]\[computer name]_yyyymmddhhmmss_emocheck.json

Tool operation screenshot

Project address

EmoCheck:【GitHub link

你可能想看:

EMOTET banking trojan is still active: shellcode release methods, infrastructure updates, and traffic encryption

DDoS Trojan virus troubleshooting and removal in Linux system

(3) Is the national secret OTP simply replacing the SHA series hash algorithms with the SM3 algorithm, and becoming the national secret version of HOTP and TOTP according to the adopted dynamic factor

In-depth Analysis: Mining Trojan Analysis and Emergency Response Disposal Under a Complete Attack Chain

Analysis of Windows spyware, will you still easily download Windows crack software?

Be vigilant against the domestic mining trojan CPLMiner using WMI to reside and mine

d) Adopt identification technologies such as passwords, password technologies, biometric technologies, and combinations of two or more to identify users, and at least one identification technology sho

As announced today, Glupteba is a multi-component botnet targeting Windows computers. Google has taken action to disrupt the operation of Glupteba, and we believe this action will have a significant i

In-depth Analysis and Practice: Analysis of Apache Commons SCXML Remote Code Execution Vulnerability and POC EXP Construction

How to use truffleHog to search for high-entropy strings and sensitive data in Git repositories to protect the security of code repositories

最后修改时间:
admin

本文仅代表作者观点,不代表平台立场

内容由 admin 发布,转载请注明内容出处

上一篇 2025年03月29日 20:43
下一篇 2025年03月29日 21:05

评论已关闭