{"id":18291385,"url":"https://github.com/jpcertcc/emocheck","last_synced_at":"2025-04-04T11:14:42.304Z","repository":{"id":41372948,"uuid":"237361749","full_name":"JPCERTCC/EmoCheck","owner":"JPCERTCC","description":"Emotet detection tool for Windows OS","archived":false,"fork":false,"pushed_at":"2023-12-21T01:25:18.000Z","size":256,"stargazers_count":669,"open_issues_count":7,"forks_count":77,"subscribers_count":72,"default_branch":"master","last_synced_at":"2025-03-28T10:08:23.236Z","etag":null,"topics":["emotet","malware-detection","security"],"latest_commit_sha":null,"homepage":null,"language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/JPCERTCC.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-01-31T04:45:12.000Z","updated_at":"2025-03-28T00:26:00.000Z","dependencies_parsed_at":"2022-08-10T02:06:54.919Z","dependency_job_id":"7cbd1bd7-3c04-441d-9c04-15e9c27f9f09","html_url":"https://github.com/JPCERTCC/EmoCheck","commit_stats":{"total_commits":28,"total_committers":5,"mean_commits":5.6,"dds":0.6428571428571428,"last_synced_commit":"58677d7c0bafe4ef7c7e2d355aa34b10a958a590"},"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JPCERTCC%2FEmoCheck","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JPCERTCC%2FEmoCheck/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JPCERTCC%2FEmoCheck/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JPCERTCC%2FEmoCheck/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/JPCERTCC","download_url":"https://codeload.github.com/JPCERTCC/EmoCheck/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247166168,"owners_count":20894654,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["emotet","malware-detection","security"],"created_at":"2024-11-05T14:14:04.596Z","updated_at":"2025-04-04T11:14:42.283Z","avatar_url":"https://github.com/JPCERTCC.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"# EmoCheck\n\n[![GitHub release](https://img.shields.io/github/release/jpcertcc/emocheck.svg)](https://github.com/jpcertcc/emocheck/releases)\n[![Github All Releases](https://img.shields.io/github/downloads/jpcertcc/emocheck/total.svg)](https://somsubhra.github.io/github-release-stats/?username=jpcertcc\u0026repository=emocheck\u0026page=1\u0026per_page=5)\n\nEmotet detection tool for Windows OS.\n\n## How to use\n\n1. Download EmoCheck from the Releases page.\n2. Run EmoCheck on the host.\n3. Check the exported report.\n\n## Download\n\nPlease download from the [Releases](https://github.com/JPCERTCC/EmoCheck/releases) page.\n\n## Command options\n\n(since v0.0.2)  \n\n- Specify output directory for the report (default: current directory)\n  - `/output [your output directory]` or `-output [your output directory]`\n- No console output\n  - `/quiet` or `-quiet`\n- Export the report in JSON style\n  - `/json` or `-json`\n- Debug mode (no report)\n  - `/debug` or `-debug`\n- Show help\n  - `/help` or `-help`\n\n## How EmoCheck detects Emotet\n\n(v0.0.1)  \nEmotet generates their process name from a specific word dictionary and C drive serial number.\nEmoCheck scans the running process on the host, and find Emotet process from their process name.\n\n(added in v0.0.2)  \nEmotet keeps their encoded process name in a specific registry key.\nEmoCheck looks up and decode the registry value, and find it from the process list.\nCode Signing with Microsoft Authenticode.\n\n(added in v1.0)  \nSupport the April 2020 updated of Emotet.  \nObfuscated code.  \n\n(added in v2.0)  \nSupport the December 2020 updated of Emotet.  \nFrench language support. (Thanks to CERT-FR)\n\n## Sample Report\n\nText stlye:  \n\n```txt\n[Emocheck v0.0.2]\nScan time: 2020-02-10 13:06:20\n____________________________________________________\n\n[Result]\nDetected Emotet process.\n\n[Emotet Process]\n     Process Name  : mstask.exe\n     Process ID    : 716\n     Image Path    : C:\\Users\\[username]\\AppData\\Local\\mstask.exe\n____________________________________________________\n\nPlease remove or isolate the suspicious execution file.\n```\n\nJSON style (added in v0.0.2):  \n\n```json\n{\n  \"scan_time\":\"2020-02-10 13:06:20\",\n  \"hostname\":\"[your hostname]\",\n  \"emocheck_version\":\"0.0.2\",\n  \"is_infected\":\"yes\",\n  \"emotet_processes\":[\n    {\n       \"process_name\":\"mstask.exe\",\n       \"process_id\":\"716\",\n       \"image_path\":\"C:\\\\Users\\\\[username]\\\\AppData\\\\Local\\\\mstask.exe\"\n    }\n  ]\n}\n```\n\nThe report will be exported to the following path.\n\n(v0.0.1)  \n`[current directory]\\yyyymmddhhmmss_emocheck.txt`\n\n(since v0.0.2)  \n`[output path]\\[computer name]_yyyymmddhhmmss_emocheck.txt`  \n`[output path]\\[computer name]_yyyymmddhhmmss_emocheck.json`\n\n## Screenshot\n\n(v0.0.1)  \n\u003cdiv align=\"left\"\u003e\u003cimg src=\"./img/report_en.png\"\u003e\u003c/div\u003e\n\n## Releases\n\n- (Feb. 3, 2020) v0.0.1\n  - Initial release\n- (Feb. 10, 2020) v0.0.2\n  - update detecting method\n  - add options\n- (Aug. 11, 2020) v1.0.0\n  - update detecting method\n- (Jan. 27, 2021) v2.0.0\n  - update detecting method\n  - Added French language support\n- (Mar. 4, 2022) v2.1.0\n  - update detecting method\n- (Mar. 14, 2022) v2.1.1\n  - Fixed a crash bug when executing with SYSTEM privileges\n- (Apr. 22, 2022) v2.2.0\n  - update detecting method\n- (May. 20, 2022) v2.3.0\n  - update detecting method\n- (May. 24, 2022) v2.3.1\n  - fixed a detection pattern\n- (May. 27, 2022) v2.3.2\n  - fixed a detection pattern\n- (Mar. 19, 2023) v2.4.0\n  - update detecting method\n\n## License\n\nPlease read the [LICENSE](https://github.com/JPCERTCC/EmoCheck/blob/master/LICENSE.txt) page.\n\n## Notes\n\n### Tested environments\n\n- Windows 11 21H2 64bit Japanese Edition\n- Windows 10 21H2 64bit Japanese Edition\n- Windows 8.1 64bit Japanese Edition\n- ~~Windows 7 SP1 32bit Japanese Edition~~\n- ~~Windows 7 SP1 64bit Japanese Edition~~\n\nWindows 7 does not support UTF-8 output in the Command Prompt.\n\n\n### Build\n\n- Windows 10 1809 64bit Japanese Edition\n- Microsoft Visual Studio Community 2017\n\n### Source code\n\nNot published from v2.1.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjpcertcc%2Femocheck","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjpcertcc%2Femocheck","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjpcertcc%2Femocheck/lists"}