Analysing an Emotet Downloader with CMD Watcher and CyberChef


Here I showcase how you can use an awesome tool from Kahu Security called CMD Watcher, which watches for cmd.exe being invoked, suspends the new process, extracts its command line and then kills the process.

I show you how to use this awesome tool to help analyse a malicious .doc file which is designed to download Emotet malware. The macros are designed to invoke cmd.exe, which in turn invokes PowerShell, and CMD Watcher makes it super easy to grab that command line without the infection progressing any further, giving you time to perform additional analysis.
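Once CMD Watcher has handed you the command line, the next step is usually to decode the PowerShell stage it carries (Emotet maldocs of this era typically passed a base64-encoded, UTF-16LE PowerShell script via `-EncodedCommand`) and pull out the download URLs. The following script is an added example and is not the Python script or CyberChef recipe linked below; the sample command line it builds is constructed, and the `example.invalid` addresses are placeholders, not real Emotet infrastructure.

```python
"""
Decode a captured 'powershell -EncodedCommand' line and list the URLs
inside it. Added example, not the script linked from the post.
The sample script and command line below are constructed; the URLs use
the reserved example.invalid domain as a placeholder.
"""
import base64
import re

# Matches the encoded-command flag in its common spellings (-e, -ec, -enc,
# -encodedcommand) followed by the base64 blob. Case-insensitive.
ENC_RE = re.compile(r"(?i)-e(?:nc(?:odedcommand)?|c)?\s+([A-Za-z0-9+/=]+)")

# Loose URL matcher; stops at quotes, parentheses, commas and whitespace,
# which are the delimiters these scripts normally use around URL strings.
URL_RE = re.compile(r"https?://[^\s'\"();,]+", re.IGNORECASE)

# Constructed stand-in for the decoded stage: it only echoes its URLs.
SAMPLE_SCRIPT = (
    "$u='http://example.invalid/one','http://example.invalid/two';"
    "foreach($x in $u){Write-Output $x}"
)


def build_sample_cmdline(script: str) -> str:
    """Wrap a script the way cmd.exe -> powershell.exe would carry it:
    UTF-16LE bytes, base64-encoded, behind -Enc. Constructed helper used
    only to produce test input for the decoder below."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"cmd.exe /c powershell -NoP -NonI -W Hidden -Enc {b64}"


def decode_encoded_command(cmdline: str) -> str:
    """Return the plaintext PowerShell from a captured command line.
    Raises ValueError if no encoded-command argument is present."""
    m = ENC_RE.search(cmdline)
    if not m:
        raise ValueError("no -EncodedCommand argument found")
    raw = base64.b64decode(m.group(1))
    # PowerShell encodes the script as UTF-16LE before base64.
    return raw.decode("utf-16-le")


def extract_urls(script: str) -> list:
    """Unique URLs referenced by the decoded script, sorted for stable output."""
    return sorted(set(URL_RE.findall(script)))


if __name__ == "__main__":
    cmdline = build_sample_cmdline(SAMPLE_SCRIPT)
    decoded = decode_encoded_command(cmdline)
    print("Decoded stage:", decoded)
    for url in extract_urls(decoded):
        print("URL:", url)
```

In practice you would paste the string CMD Watcher captured into `decode_encoded_command` in place of the constructed one; the decoded text is then the same view you get from a CyberChef chain of From Base64 followed by a UTF-16LE text decode, and the extracted URLs are what you would block or hunt for.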

This is a great tool to have in your arsenal as a malware analyst. Many thanks to @campuscodi for sharing and to Kahu Security for developing it.

Key Links:
https://twitter.com/campuscodi/status...
http://www.kahusecurity.com/tools.html

Python Script:
https://pastebin.com/W2vqY0uq

CyberChef Recipe:
https://gchq.github.io/CyberChef/#rec...)

Reviewed by Dump3R H3id3gg3R on November 09, 2018