Usage
python emutet.py -h
Usage: emutet.py [options]
Options:
-h, --help show this help message and exit
-c CAPE, --cape=CAPE Analysis ID from https://www.capesandbox.com
-t TRIAGE, --triage=TRIAGE
Analysis ID from https://www.tria.ge
-k TRIAGE_API_KEY, --triage-api-key=TRIAGE_API_KEY
Triage API key file. To get yours go to
https://tria.ge and ask for an account
-o OUTPUT, --output=OUTPUT
Output directory
-v, --verbose Verbose mode. Shows errors and debugging prints
-T, --try-all Try all C&C in the C&C list. By default the bot will
stop oncea sucess response is gotten from the C&C.
This can be when it downloads new modules or when the
C&C response is empty. If this option is enabled the
bot doesn't stop until all C&C responses are checked
IMPORTANT: Be patient. Not always it works on the first try. As it’s explained in the documentation each time the bot is executed a random bot_id is created. Perhaps that the C&C doesn’t allow that bot_id or at the moment the C&C is down for the country you are connected from. Try more times, connect from other country and/or also add new entries into config files. New names, surnames, processes…
Example using Triage (Anaysis: https://tria.ge/reports/191017-kla4z5rz3x/task1)
It downloads new modules + Trickbot sample
Example using CAPE (Analysis: https://www.capesandbox.com/analysis/4102/)
It Downloads new modules
More Examples
python emutet.py -T --triage 191018-294pp5srbn --triage-api-key {triage-api-key-file}python emutet.py -T --triage 191018-294pp5srbn(default Triage api key file location is used./config/triage-api-key.txt)python emutet.py -T --cape 4010python emutet.py --cape 4010this case the-Toption is missing. This means that once a sucess response is returned from the list of C&Cs the bot stops, the rest of the C&C won’t be checked.python emutet.py -v -T --cape 4010verbose mode.