Part 1/3 ended when we saw an executable decrypted in memory and then executed. In this article, I’ll describe the malware’s process injection activity.
Note 1: Henceforth, the term binary applies to the decrypted executable and not the original malware sample.
Note 2: The binary contains self-modifying code, so it is important to set breakpoints carefully. If a breakpoint is set on an instruction that gets modified, an exception will occur and debugging will have to be restarted.
Checks for Defensive Solutions (Sandbox, AV)
The binary looks for sandbox environments and AV solutions by checking for the existence of the following DLLs:
dgbhelp.dll (MS debugging support routines)
sxin.dll (360 Total Security)
It is also capable of detecting the following AV solutions through their services:
MBAMService (Malwarebytes Anti-Malware Real-Time Windows Service)
SAVService (Sophos Anti-Virus Software)
Leverages PowerShell and Service Controller Utility to Stop Windows Defender Services
It stops and removes the Windows Defender service through
Modifies the Windows Registry to Disable Windows Defender
The binary disables Windows Defender by modifying the following Registry key:
HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications
Copies Itself To
The binary copies itself to C:\Users\<user>\AppData\Roaming\vrssit\tsickbot.exe and starts it as a process.
tsickbot.exe is the same as trickbot.exe because their MD5 sums are identical.
tsickbot.exe decrypts an executable in memory and executes it. However, the decryption key used is different.
Note: Henceforth, the term binary refers to the decrypted executable.
The binary contains self-modifying code. It creates a C:\Windows\system32\svchost.exe process with its main thread suspended. This is an indication of process replacement.
After injecting into svchost.exe, it resumes the suspended thread (0x24F4868) and exits soon after.
svchost.exe is a 64-bit image. This is interesting because a 32-bit executable (tsickbot.exe) spawned and injected into a 64-bit process. This is called the Heaven's Gate technique and more information about it can be found here.
By tracking the values in registers before svchost.exe is resumed, I found the code that the malicious svchost.exe process executes.
37855 bytes starting from 0x4A9C20 into a file named svchost.exe in the trickbot folder. After opening the sample in IDA, I applied multiple signatures to identify library code.
trickbot.exe decrypts an executable in memory and executes it. This decrypted executable checks for defensive solutions (sandbox, AV), stops and disables Windows Defender services, copies itself to Appdata\Roaming\vrssit\tsickbot.exe and executes it. The binary tsickbot.exe also decrypts an executable in its memory. This decrypted executable starts a 64-bit svchost.exe process and injects code into it.
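Detection logic for the behaviours summarised above, added here as an example that is not from the original article. It runs over constructed Sysmon-style records (made up for this example) and assumes, as a heuristic of mine rather than something the article states, that a legitimate svchost.exe is always started by services.exe.

```python
import re

# Constructed sample telemetry (simplified Sysmon-style records) modelled on the
# behaviour described in the article; these records are made up for this example.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications",
     "image": r"C:\Users\alice\Desktop\trickbot.exe"},
    {"type": "file_create",
     "target": r"C:\Users\alice\AppData\Roaming\vrssit\tsickbot.exe",
     "image": r"C:\Users\alice\Desktop\trickbot.exe"},
    {"type": "process_create",
     "image": r"C:\Windows\system32\svchost.exe",
     "parent_image": r"C:\Users\alice\AppData\Roaming\vrssit\tsickbot.exe"},
    {"type": "process_create",  # benign: svchost started by its normal parent
     "image": r"C:\Windows\system32\svchost.exe",
     "parent_image": r"C:\Windows\system32\services.exe"},
]

# Registry key the article reports the binary modifying to disable Defender notifications.
DEFENDER_KEY = re.compile(r"\\Windows Defender Security Center\\Notifications\\DisableNotifications$", re.I)
# Drop location the article reports (username is variable, so match the tail only).
DROP_PATH = re.compile(r"\\AppData\\Roaming\\vrssit\\tsickbot\.exe$", re.I)
# Assumption (not from the article): legitimate svchost.exe instances are
# children of services.exe, so any other parent is worth an alert.
EXPECTED_SVCHOST_PARENT = r"c:\windows\system32\services.exe"


def check_event(ev):
    """Return a list of alert names for one telemetry record (empty if benign)."""
    alerts = []
    kind = ev["type"]
    if kind == "registry_set" and DEFENDER_KEY.search(ev["target"]):
        alerts.append("defender_notifications_disabled")
    elif kind == "file_create" and DROP_PATH.search(ev["target"]):
        alerts.append("trickbot_drop_path")
    elif kind == "process_create" and ev["image"].lower().endswith("\\svchost.exe"):
        parent = ev.get("parent_image", "").lower()
        if parent != EXPECTED_SVCHOST_PARENT:
            alerts.append("svchost_unexpected_parent")
        if DROP_PATH.search(parent):  # the injection target spawned by the dropped copy
            alerts.append("svchost_spawned_by_tsickbot")
    return alerts


def scan(events):
    """Map the index of every alerting event to its alert names."""
    return {i: a for i, ev in enumerate(events) if (a := check_event(ev))}


if __name__ == "__main__":
    for i, alerts in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["type"], alerts)
```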
In this article (2/3), I described my analysis for the TrickBot malware’s ability to inject into another process. In the next part, I’ll describe my analysis for the 64-bit malicious
Thank you for reading! If you have any questions, leave them in the comments section below and I’ll get back to you as soon as I can!
Feature image credits: https://hackersonlineclub.com/malware-analysis/