Live Stream VOD: Emotet Deobfuscation Part 2 - Attempting A Generic Algorithm to Learn The Control Flow (Patreon)
Content
In this Twitch stream we attempt to build a generic algorithm to separate the dispatcher basic blocks from the original basic blocks in an obfuscated Emotet sample.
We build on our work from the previous stream and attempt to convert our assembly-specific algorithm into a generic one that uses symbolic execution with angr instead of direct analysis of the assembly code. Our hope is that a generic algorithm removes the manual work we had to do as analysts identifying the control-flow assembly instructions and their pattern. Hopefully we can convert that pattern into a generic one!
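To make the two questions concrete, here is an added toy deflattening pass written for this page; it is not code from the stream, the rough notes, or angr. It models a flattened function in plain Python (a constructed CFG, not the Emotet sample): a dispatcher chain that compares a state variable against constants, and original blocks that write the next state and jump back to the dispatcher head. The dispatcher is found by a structural heuristic (the block with the most predecessors plus the comparison chain hanging off it), and the real successors are recovered by resolving each possible state value through the dispatcher, which is the part the stream delegates to angr's symbolic execution. The block names, state constants and the `Block` representation are all assumptions.

```python
"""Toy control-flow unflattening pass (constructed example, not from the stream)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Block:
    name: str
    succs: List[str]                                       # edges in the obfuscated CFG
    sets_state: List[int] = field(default_factory=list)    # values an original block may write
    cmp: Optional[int] = None                              # dispatcher block: "state == cmp?"


CFG = Dict[str, Block]


def build_sample_cfg() -> CFG:
    """Constructed flattened function (assumed layout, not the Emotet sample)."""
    blocks = [
        Block("entry", ["d0"], sets_state=[0x11]),
        Block("d0", ["A", "d1"], cmp=0x11),        # taken -> A, else next comparison
        Block("d1", ["B", "d2"], cmp=0x22),
        Block("d2", ["C", "exit"], cmp=0x33),      # last comparison: default -> exit
        Block("A", ["d0"], sets_state=[0x22]),
        Block("B", ["d0"], sets_state=[0x33, 0x99]),  # conditional; 0x99 hits the default
        Block("C", ["d0"], sets_state=[0x22]),        # loops back to B
        Block("exit", []),
    ]
    return {b.name: b for b in blocks}


def find_dispatcher(cfg: CFG) -> Set[str]:
    """Heuristic: the dispatcher head has the most predecessors (every original
    block jumps back to it); the rest of the dispatcher is the chain of
    state-comparison blocks reached from the head through fallthrough edges."""
    indeg = Counter(s for b in cfg.values() for s in b.succs)
    head = max(indeg, key=indeg.get)
    disp: Set[str] = set()
    work = [head]
    while work:
        n = work.pop()
        if n in disp or cfg[n].cmp is None:
            continue
        disp.add(n)
        work.append(cfg[n].succs[1])  # fallthrough leads to the next comparison
    return disp


def resolve(cfg: CFG, disp: Set[str], entry: str, value: int) -> str:
    """Walk the dispatcher with a concrete state value until a non-dispatcher block."""
    n, seen = entry, set()
    while n in disp:
        if n in seen:
            raise ValueError(f"dispatcher loops without resolving state {value:#x}")
        seen.add(n)
        b = cfg[n]
        n = b.succs[0] if b.cmp == value else b.succs[1]
    return n


def deflatten(cfg: CFG) -> Dict[str, List[str]]:
    """Return the recovered CFG: original blocks mapped to their real successors."""
    disp = find_dispatcher(cfg)
    recovered: Dict[str, List[str]] = {}
    for name, b in cfg.items():
        if name in disp:
            continue
        targets: List[str] = []
        for s in b.succs:
            if s not in disp:
                targets.append(s)            # direct edge, nothing to resolve
            elif not b.sets_state:
                targets.append("<unresolved>")  # state unknown here; needs a real solver
            else:
                targets.extend(resolve(cfg, disp, s, v) for v in b.sets_state)
        recovered[name] = list(dict.fromkeys(targets))  # dedupe, keep order
    return recovered


if __name__ == "__main__":
    cfg = build_sample_cfg()
    print("dispatcher blocks:", sorted(find_dispatcher(cfg)))
    for src, dsts in deflatten(cfg).items():
        print(f"{src:5} -> {', '.join(dsts) or '(end)'}")
```

The `sets_state` list is where angr comes in for real samples: the stream uses symbolic execution to learn which constant each original block leaves in the state variable before jumping back, whereas this example simply takes that set as given. The `<unresolved>` marker flags the case the heuristic cannot answer on its own, a block that reaches the dispatcher without writing the state.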
This was a struggle stream. Something weird happened to my internet, so we had to restart the stream, and we had to fight angr to get it to give us the information we wanted. In the end we were able to implement our algorithm, but it has bugs that we will need to fix in the next stream!
Sample: c7574aac7583a5bdc446f813b8e347a768a9f4af858404371eae82ad2d136a01
Sample Unpacked (this is the one we use in the stream): eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827
Rough notes (with code): Emotet Deobfuscation