Skip to main content

TrickBot Execution Flow

Step by step
In this post, we go through a step by step look at the execution flow of the latest TrickBot variant. I’ll skip some of the more basic stuff and get to the parts that are interesting. To get you started, I have summed it up in this diagram, it shows the entire flow but as I said earlier, we’ll skip over the some of the steps.
Trickbot execution stages
I’ll start off with some of the interesting bits. In the code below, you can see that the malware uses some very clever ways to get around the local anti-malware software. The anti-malware in this case happens to be Windows Defender. It tries to simply stop the service to start with. Then it moves on to deleting the service altogether.
Stop the Defender service
Delete the Defender service
Then the malware moves on to an interesting approach. It uses Powershell to disable the ‘Real-time Monitoring’ feature of the application — which would allow the malware to execute without being detected at all.
Using Powershell to disable the Realtime Monitoring feature
After the anti-malware solution has been dealt with, the malware copies itself to a different location and launches from there.
Malicious process launched from AppData
Next step is to launch the fake svchost.exe (no ‘-k’ in the command used, basic DFIR steps should guide you through this) and move on to getting the config from the c2.
Fake svchost.exe is launched
After this step, new directories are created for the modules to be loaded into and configs are saved to these locations for later use.
Example: C2 config is created
File being written to disk
Another example
We can see here that the C2 config is written to the stack:
Stack view
And here’s a view of the mem dump:
C2 info loaded to memory
The image below shows all the instances of svchost that are spawned by the malicious process (each one has a specific function).
Settings.ini is an encrypted file that has information on the system. The key used to encrypt the modules/configs is saved in this file.
In the image below, you can see the encrypted data being loaded into the memory before it is written to disk:
And here is the final process tree:
The malware also does a quick IP check on the victim machine:
This one if interesting. I first wrote about this back in 2017. The malware launches an instance of firefox (along with other available browsers) which in turn spawns an instance of the ctfmon.exe — a process that helps recognise input from sources other than the keyboard.
Now, let’s have a quick look at how the actual injection works at this point in time. The configs have all the information on which websites should be injected into (the list has grown quite a lot, with generic URIs that seem to target the login pages, regardless of the sites).
Example of a config file
Once the user browses to a site that matches the config, the injection is transacted. It is good to see that chrome is picking these injections up (in some cases) and blocking the sites (other browsers are not doing that at the time of this writing).
Let’s go ahead and take a deeper look. The same session on a non-infected machine looks like this:
End of code on a non-infected machine
On an infected machine, we are able to see the injected code:
End of code on an infected machine
At the time of this writing, the injected code loads a JS variable that is used to steal information that is exchanged over this session (like passwords and account IDs).
The samples used for this analysis were taken from virustotal.com and are available through various OSINT resources. If you need the hash for one of them, let me know through comments and I’ll make that available.

Comments

Popular posts from this blog

Major update: Emotet C2i Apr 2019

Emotet has updated the C2 comms in the latest release, going for URIs instead of IPs (root). Here’s a complete list of the current campaign: Emotet C2i: http://51.255.50.164:8080/window/child/ringin/ http://109.104.79.48:8080/cookies/tlb/ http://92.48.118.27:8080/rtm/pnp/ http://197.248.67.226:8080/enabled/forced/ http://181.170.93.38:8080/teapot/balloon/ http://69.163.33.82:8080/glitch/scripts/arizona/ http://192.155.90.90:7080/prov/odbc/arizona/ http://43.229.62.186:8080/teapot/ http://72.47.248.48:8080/sess/cone/ http://209.159.244.240:443/publish/vermont/tlb/ http://197.248.67.226:8080/codec/between/tlb/ http://176.58.93.123:8080/splash/ http://72.47.248.48:8080/sess/glitch/entries/ http://181.170.93.38:8080/schema/free/ http://69.163.33.82:8080/badge/symbols/results/ http://109.73.52.242:8080/results/prov/ http://68.191.37.107/iplk/vermont/sym/merge/ http://154.120.228.126:8080/xian/enabled/sym/merge/ http://136.49.87.106/usbccid/taskbar/enabled/ http://5.9.128.163:8080/json

Grinju Downloader: Anti-analysis (on steroids) | Part 2

  This malware takes anti-analysis and stealth techniques to a new level We took a look at this malware in the Part 1 of this publication. Now let’s carry on with the analysis and dig deeper into the various anti-analysis and stealth-exec features of this malware in Part2. Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju Secondary Macro Code First of all, here’s the entire code that is dumped in the sheet once all the macro functions have been completed. Take a look at these lines and try to figure out what they are meant to do. Then we’ll take a look at the most important of these briefly before moving on to the next section. =CLOSE(FALSE) =FORMULA(LEN(APP.MAXIMIZE())+-459,Sheet1!R18690C129) =FORMULA(LEN(GET.WINDOW(7))+-131,Sheet1!R18691C129) =FORMULA(LEN(GET.WINDOW(20))+-893,Sheet1!R18692C129) =FORMULA(LEN(GET.WINDOW(23)=3)+433,Sheet1!R18693C129) =FORMULA(LEN(GET.WORKSPACE(31))+864,Sheet1!R18694C129) =FORMULA(LEN(GET.WORKSPACE(13)>770)+707,Sheet1!R18

Emotet C2 Network IOC August 2018 Week 4 Campaign

Article by  Vishal Thakur IP Port COUNTRY REGION CITY TIME ZONE 50.33.142.65 United States Texas Dallas CST 173.63.125.138 United States New Jersey EST 67.175.118.157 United States South Carolina Tamassee EST 47.186.71.56 Canada Ontario Ottawa EST 71.12.111.50 443 United States Georgia Moultrie EST 100.16.243.115 443 United States Virginia Ashburn EST 80.89.191.118 United Arab Emirates Dubai GMT+4 104.219.132.28 United States Oklahoma Oklahoma City CST 23.25.247.205 443 United States Massachusetts Cambridge EST 118.244.214.210 443 Korea, Republic Of Seoul GMT+9 212.129.56.179 443 Russian Federation Moscow GMT+3 47.16.187.196 8090 Canada Ontario Ottawa EST 97.68.6.155 8090 United States New Jersey Bedminster EST 71.174.9.241 United States Florida Brandon EST 14.1.39.3 443 China Guangzhou GMT+8 199.119.78.38 443 United States Missouri Springfield CST 71.8.233.246 7080 United States Delaware Seaford EST 108.191.59.73 United States District Of Columbia Washingt