EmoCheck: Emotet detection tool for Windows OS

EmoCheck

Emotet detection tool for Windows OS.

How EmoCheck detects Emotet

(v0.0.1)
Emotet generates its process name from a specific word dictionary and the serial number of the C drive. EmoCheck enumerates the running processes on the host and identifies the Emotet process by that process name.

(added in v0.0.2)
Emotet keeps its encoded process name in a specific registry key. EmoCheck reads and decodes the registry value, then looks for the decoded name in the process list.

(added in v1.0)
Supports the April 2020 update of Emotet.
Obfuscated code.

(added in v2.0)
Supports the December 2020 update of Emotet.
French language support (thanks to CERT-FR).
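The two detection strategies above (the v0.0.1 name derivation and the v0.0.2 registry decode) can be illustrated in one small scanner. The code below is an added example, not EmoCheck's own source: the word list, the volume serial number, the process list and the registry blob are constructed sample data, and the two-word derivation rule and the XOR encoding are hypothetical stand-ins for the real Emotet scheme, which this README does not spell out. The detection logic around them (derive or decode the expected name, then match it case-insensitively against the running processes) is what the example demonstrates. On a real host the serial would come from GetVolumeInformationW and the process list from CreateToolhelp32Snapshot/Process32First; constructed data is used here so the example runs anywhere.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// CONSTRUCTED word dictionary: a placeholder for the real word list, which is
// not reproduced here.
static const std::vector<std::string> kWords = {
    "khmer", "bid", "duck", "engine", "sys", "tool"};

struct Process {
    std::string name;
    uint32_t pid;
    std::string imagePath;
};

static std::string toLower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Strategy 1 (v0.0.1): derive the process names a given C: serial could
// produce. Picking two words by the low byte and the next byte of the serial
// is a HYPOTHETICAL rule used only to show the matching logic.
std::vector<std::string> candidateNames(uint32_t serial,
                                        const std::vector<std::string>& words) {
    std::vector<std::string> out;
    if (words.empty()) return out;
    const size_t n = words.size();
    const size_t i = serial % n;
    const size_t j = (serial >> 8) % n;
    out.push_back(words[i] + words[j] + ".exe");
    if (i != j) out.push_back(words[j] + words[i] + ".exe");  // tolerate either order
    return out;
}

// Strategy 2 (v0.0.2): recover the stored process name from an encoded
// registry value. XOR against the serial bytes is a HYPOTHETICAL encoding
// chosen for illustration only.
std::string decodeStoredName(const std::vector<uint8_t>& blob, uint32_t serial) {
    std::string name;
    for (size_t k = 0; k < blob.size(); ++k) {
        const uint8_t key = static_cast<uint8_t>(serial >> (8 * (k % 4)));
        name.push_back(static_cast<char>(blob[k] ^ key));
    }
    return name;
}

// Builds the constructed sample registry value with the same XOR scheme.
std::vector<uint8_t> encodeForSample(const std::string& name, uint32_t serial) {
    std::vector<uint8_t> blob;
    for (size_t k = 0; k < name.size(); ++k) {
        const uint8_t key = static_cast<uint8_t>(serial >> (8 * (k % 4)));
        blob.push_back(static_cast<uint8_t>(static_cast<uint8_t>(name[k]) ^ key));
    }
    return blob;
}

// Case-insensitive match of the expected names against the process list.
std::vector<Process> findMatches(const std::vector<Process>& procs,
                                 const std::vector<std::string>& names) {
    std::vector<Process> hits;
    for (const Process& p : procs) {
        const std::string pn = toLower(p.name);
        if (std::any_of(names.begin(), names.end(),
                        [&](const std::string& n) { return toLower(n) == pn; }))
            hits.push_back(p);
    }
    return hits;
}

// Constructed host state standing in for the real serial and process list.
const uint32_t kSampleSerial = 0x1A2B3D02;

std::vector<Process> sampleProcesses() {
    return {
        {"explorer.exe", 1234, "C:\\Windows\\explorer.exe"},
        {"khmerbid.exe", 10508, "C:\\Users\\[username]\\AppData\\Local\\khmerbid.exe"},
        {"notepad.exe", 2222, "C:\\Windows\\System32\\notepad.exe"},
    };
}

// Runs both strategies and returns every process whose name matches a
// derived or decoded candidate (each process is reported at most once).
std::vector<Process> scanHost(const std::vector<Process>& procs, uint32_t serial,
                              const std::vector<uint8_t>& registryBlob) {
    std::vector<std::string> names = candidateNames(serial, kWords);
    names.push_back(decodeStoredName(registryBlob, serial));
    return findMatches(procs, names);
}

int main() {
    const std::vector<uint8_t> blob = encodeForSample("khmerbid.exe", kSampleSerial);
    for (const Process& p : scanHost(sampleProcesses(), kSampleSerial, blob))
        std::printf("Detected: %s (PID %u) %s\n", p.name.c_str(), p.pid, p.imagePath.c_str());
    return 0;
}
```

With the constructed serial the derivation yields `khmerbid.exe`, and the decoded registry value yields the same name, so the sample process with PID 10508 is reported once, matching the shape of the sample report below. An empty or unrelated registry value and a serial that derives to a name not present in the process list produce no hit, which is the expected negative result.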

Changelog v2.4

  • update detection method

How to use

  1. Download EmoCheck from the Releases page.
  2. Run EmoCheck on the host.
  3. Check the exported report.

Sample Report

[Emocheck v0.0.1]
Scan time: 2020-02-03 13:06:20
____________________________________________________

[Result]
Detected Emotet process.

[Emotet Process]
Process Name : khmerbid.exe
Process ID : 10508
Image Path : C:\Users\[username]\AppData\Local\khmerbid.exe
____________________________________________________

Please remove or isolate the suspicious execution file.

The report will be exported to the following path.

  • [path of emocheck.exe]\yyyymmddhhmmss_emocheck.txt

Copyright (C) 2020 JPCERT Coordination Center. All Rights Reserved.

Source: https://github.com/JPCERTCC/