
Monday, December 18, 2017

Malware - TrickBot Analysis December 2017

What's new:

New Execution flow - directory structure has changed.
Instead of the winapp folder, you need to look for this:

C:\Users\me\AppData\Roaming\services\
C:\Users\me\AppData\Roaming\services\Modules

And of course, new icon :)


Identifiers:


Microsoft Visual Basic v5.0/v6.0

Imports:
MSVBVM60.DLL  - 70 functions

1 VERSIONINFO
FILEVERSION 5,0,0,0
PRODUCTVERSION 5,0,0,0
FILEOS 0x4
FILETYPE 0x1
{
BLOCK "StringFileInfo"
{
    BLOCK "040904B0"
    {
        VALUE "CompanyName", "Thadickatt House"
        VALUE "FileDescription", "Pil, ecco quanto produce il Sistema Umbria"
        VALUE "LegalCopyright", "Copyright © 2017 - DUESSE COMMUNICATION S.r.l"
        VALUE "LegalTrademarks", "Edah, should not be confused with the Haredi communal body in Israel known as the Edah"
        VALUE "ProductName", "Thadickat"
        VALUE "FileVersion", "5.00"
        VALUE "ProductVersion", "5.00"
        VALUE "InternalName", "Thadickat"
        VALUE "OriginalFilename", "Thadickat.exe"
    }
}

BLOCK "VarFileInfo"
{
    VALUE "Translation", 0x0409 0x04B0 
}
}


FLOW:

Load Image
C:\Windows\SysWOW64\kernel32.dll

Load Image
C:\Windows\SysWOW64\KernelBase.dll

RegOpenKey
HKLM\System\CurrentControlSet\Control\Terminal Server

RegOpenKey
HKLM\Software\Wow6432Node\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Load Image
C:\Windows\SysWOW64\apphelp.dll

RegOpenKey
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Disable8And16BitMitigation

CreateFile
C:\Windows\SysWOW64\rpcss.dll

RegOpenKey
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager

RegCloseKey
HKLM\Software\Wow6432Node\Microsoft\Cryptography\Offload

CreateFile
C:\Users\Vishal Thakur\AppData\Local\Temp\~DF77D59600395B2DB0.TMP

RegOpenKey
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions

RegOpenKey
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\KnownFolders

CreateFile
C:\Users\Vishal Thakur\AppData\Roaming

CreateFile
C:\Users\Vishal Thakur\AppData\Roaming\services

CreateFile
C:\Users\Vishal Thakur\AppData\Roaming\services\Uiaejdlat.exe

CreateFile
C:\Windows\SysWOW64\ntmarta.dll

SetEndOfFileInformationFile
C:\Users\Vishal Thakur\AppData\Roaming\services\Uiaejdlat.exe

WriteFile
C:\Users\Vishal Thakur\AppData\Roaming\services\Uiaejdlat.exe

Thread Exit

Process Exit

CloseFile

RegOpenKey
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Uiaejdlat.exe

CreateFile
C:\Users\Vishal Thakur\AppData\Roaming\services\Uiaejdlat.exe

*Uiaejdlat.exe will obviously change with every binary - look out for the reg entries and file creations.
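The flow above is the kind of thing a defender would want to match automatically rather than by eye. The following is an added example, not code from the original post: it parses a procmon-style event list (the sample below is constructed from the events listed above, with the username shortened to "me" and a Modules directory event added) and flags the new TrickBot persistence pattern: an .exe written under %APPDATA%\services\, any touch of the services\Modules directory, and a subsequent Image File Execution Options lookup for the dropped name, which Windows performs when a process image is started and therefore shows the dropped file was run. The "Operation|Path" input format and the function names are assumptions for the example; the exe name is deliberately not hard-coded, since the post notes it changes with every binary.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in "Operation|Path" form, modelled on the flow listed
# above (username shortened to "me"); not a real capture.
SAMPLE_EVENTS = r"""
Load Image|C:\Windows\SysWOW64\kernel32.dll
RegOpenKey|HKLM\System\CurrentControlSet\Control\Terminal Server
CreateFile|C:\Users\me\AppData\Local\Temp\~DF77D59600395B2DB0.TMP
CreateFile|C:\Users\me\AppData\Roaming
CreateFile|C:\Users\me\AppData\Roaming\services
CreateFile|C:\Users\me\AppData\Roaming\services\Modules
CreateFile|C:\Users\me\AppData\Roaming\services\Uiaejdlat.exe
SetEndOfFileInformationFile|C:\Users\me\AppData\Roaming\services\Uiaejdlat.exe
WriteFile|C:\Users\me\AppData\Roaming\services\Uiaejdlat.exe
Thread Exit|
Process Exit|
RegOpenKey|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Uiaejdlat.exe
CreateFile|C:\Users\me\AppData\Roaming\services\Uiaejdlat.exe
"""

# %APPDATA%\services\ for any user: the new TrickBot drop location.
SERVICES_DIR = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\services(?:\\|$)", re.I)
# Windows consults this key whenever a process image is started, so an
# open of IFEO\<dropped name> after the write means the drop was executed.
IFEO_KEY = re.compile(r"\\image file execution options\\([^\\]+)$", re.I)


def parse_events(text: str) -> List[Tuple[str, str]]:
    """Split 'Operation|Path' lines into (operation, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        op, _, path = line.partition("|")
        events.append((op.strip(), path.strip()))
    return events


def analyse(events: List[Tuple[str, str]]) -> Dict[str, object]:
    """Return the dropped exe names and a list of human-readable findings."""
    dropped = set()
    findings: List[str] = []
    for op, path in events:
        m = SERVICES_DIR.match(path)
        if m:
            tail = path[m.end():]  # path relative to the services\ directory
            if op == "WriteFile" and "\\" not in tail and tail.lower().endswith(".exe"):
                dropped.add(tail.lower())
                findings.append(f"payload written: {path}")
            elif tail.lower() == "modules" or tail.lower().startswith("modules\\"):
                findings.append(f"modules directory touched: {path}")
        m = IFEO_KEY.search(path)
        if m and op == "RegOpenKey" and m.group(1).lower() in dropped:
            findings.append(f"dropped binary launched: {m.group(1)}")
    return {"dropped": dropped, "findings": findings}


if __name__ == "__main__":
    for finding in analyse(parse_events(SAMPLE_EVENTS))["findings"]:
        print(finding)
```

Feeding a real procmon CSV export through the same logic only requires replacing parse_events with a csv.reader over the Operation and Path columns; the matching itself keys on the directory and the launch pattern rather than on the per-sample filename.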
