Malware analysis: decoding Emotet, part 2
In part two of our series on decoding Emotet (you can catch up on part 1 here), we'll cover analysis of the PowerShell code. Before we do that, however, it is a good idea to list some of the functions and calls that the code uses for execution:

System.Runtime.InteropServices.Marshal: used for memory management (marshalling managed data to and from unmanaged memory)
SecureStringToBSTR: used to convert a SecureString into an unmanaged BSTR holding the decrypted data
ConvertTo-SecureString: used to convert the encrypted data into a SecureString

Encryption and PowerShell

There are a couple of ways to encrypt data using PowerShell. DPAPI (Data Protection Application Programming Interface) is one method of encrypting with PowerShell, but it's not what our malware uses. The Emotet downloader uses AES to encrypt its data, so let's take a look at how AES is used here. If the data is encrypted using ConvertTo-SecureString with NO key, PowerShell will by default use DPAPI, but the result can only be decrypted by the same logged-in user on the machine it was encrypted on. If the data is
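To show the difference between the two modes described above, here is an added example (not code from the article or from the Emotet sample): a constructed string is protected both with a key (AES) and without one (DPAPI), and then decoded through ConvertTo-SecureString and Marshal::SecureStringToBSTR, the same calls the downloader relies on. The key bytes, the sample text and the function name are assumptions made for the demonstration.

```powershell
# Added example, not from the original article. Key, plaintext and names are constructed.

# A 32-byte key selects AES-256 (16 or 24 bytes would select AES-128/192).
$key = [byte[]](1..32)

# Stand-in for a string the analyst wants to protect and later decode (constructed).
$plain = 'constructed sample text'

$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

# With a key: AES, portable to any machine that knows the key.
$encryptedWithKey = ConvertFrom-SecureString -SecureString $secure -Key $key

# Without a key: DPAPI, bound to the current user on the current machine.
$encryptedDpapi = ConvertFrom-SecureString -SecureString $secure

function ConvertFrom-EncryptedString {
    param(
        [Parameter(Mandatory)][string]$Encrypted,
        [byte[]]$Key   # omit for a DPAPI-protected string
    )
    # Rebuild the SecureString: AES if a key is supplied, otherwise DPAPI.
    $ss = if ($Key) {
        ConvertTo-SecureString -String $Encrypted -Key $Key
    } else {
        ConvertTo-SecureString -String $Encrypted
    }
    # Marshal the SecureString into an unmanaged BSTR, copy the text out, then zero and free it.
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($ss)
    try {
        [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

# Decoding the AES blob works anywhere the key is known.
ConvertFrom-EncryptedString -Encrypted $encryptedWithKey -Key $key

# Decoding the DPAPI blob only works for the same user on the same machine.
ConvertFrom-EncryptedString -Encrypted $encryptedDpapi

# A wrong key will normally fail (invalid padding) rather than yield plaintext.
try {
    ConvertFrom-EncryptedString -Encrypted $encryptedWithKey -Key ([byte[]](1..16))
} catch {
    "Decoding with the wrong key failed: $($_.Exception.Message)"
}
```

When a sample carries its key inline (as a keyed ConvertTo-SecureString call does), the same decode function recovers the embedded payload on an analysis machine; a keyless DPAPI blob, by contrast, cannot be decoded outside the victim's user context.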