Malware Analysis – TrickBot – Part 2


Part 1/3 ended when we saw an executable decrypted in memory and then executed. In this article, I’ll describe the malware’s process injection activity.

Note 1: Henceforth, the term binary applies to the decrypted executable and not the original malware sample.

Note 2: The binary contains self-modifying code, so breakpoints must be set carefully. A software breakpoint works by overwriting the first byte of the instruction, so if the code later rewrites that instruction, the patched byte is clobbered, an exception occurs, and debugging has to be restarted.


Debugging – trickbot.exe

Checks for Defensive Solutions (Sandbox, AV)

The binary looks for sandbox environments and AV solutions by checking whether the following DLLs are loaded; each one is associated with an analysis or security product:

  • pstorec.dll (SunBelt Sandbox)
  • vmcheck.dll (Virtual PC)
  • dgbhelp.dll (MS debugging support routines)
  • wpespy.dll (WPE Pro)
  • api_log.dll (iDefense Labs)
  • sbiedll.dll (Sandboxie)
  • sxin.dll (360 Total Security)
  • dir_watch.dll (iDefense Labs)
  • sf2.dll (Avast Antivirus)
  • cmdvrt32.dll (Comodo Container)
  • snxhk.dll (Avast)

It also detects the following AV products by checking for their services:

  1. MBAMService (Malwarebytes Anti-Malware Real-Time Windows Service)
  2. SAVService (Sophos Anti-Virus Software)

Leverages PowerShell and Service Controller Utility to Stop Windows Defender Services

It stops and deletes the Windows Defender service using sc and PowerShell commands.

Modifies the Windows Registry to Disable Windows Defender

The binary disables Windows Defender by modifying the following Registry keys:

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
  • HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications
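The three indicator groups above (the anti-analysis DLL names, the two AV service names and the two Defender registry values) can be turned into a quick static triage check for a dumped stage. The following script is an added example and is not tooling from the original analysis: it extracts ASCII and UTF-16LE strings from a buffer the way the `strings` tool does, matches them against the lists from this article, and only flags the sample when a cluster of indicators is present, since a single reference (for instance to a debugging DLL) is common in benign software. The sample bytes at the bottom are constructed for the demonstration.

```python
"""Static triage helper built from the indicators listed in the analysis above.
Added example, not part of the original write-up; the sample bytes are constructed."""
import re
from typing import Dict, Iterator, List

# DLLs the decrypted stage checks for, as listed in the analysis (page spelling kept).
ANALYSIS_DLLS = {
    "pstorec.dll": "SunBelt Sandbox",
    "vmcheck.dll": "Virtual PC",
    "dgbhelp.dll": "MS debugging support routines",
    "wpespy.dll": "WPE Pro",
    "api_log.dll": "iDefense Labs",
    "sbiedll.dll": "Sandboxie",
    "sxin.dll": "360 Total Security",
    "dir_watch.dll": "iDefense Labs",
    "sf2.dll": "Avast Antivirus",
    "cmdvrt32.dll": "Comodo Container",
    "snxhk.dll": "Avast",
}
# Services the stage looks for to detect AV products.
AV_SERVICES = {"MBAMService": "Malwarebytes", "SAVService": "Sophos"}
# Registry value names the stage modifies to disable Windows Defender.
DEFENDER_VALUES = {"disableantispyware", "disablenotifications"}


def extract_strings(data: bytes, min_len: int = 5) -> Iterator[str]:
    """Yield printable ASCII and UTF-16LE strings of at least min_len characters."""
    ascii_pat = rb"[\x20-\x7e]{%d,}" % min_len
    wide_pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    for m in re.finditer(ascii_pat, data):
        yield m.group().decode("ascii")
    for m in re.finditer(wide_pat, data):
        yield m.group().decode("utf-16le")


def triage(data: bytes) -> Dict[str, object]:
    """Report which indicator families the buffer references (case-insensitive)."""
    strings = [s.lower() for s in extract_strings(data)]
    dlls: List[str] = sorted(d for d in ANALYSIS_DLLS if any(d in s for s in strings))
    services: List[str] = sorted(
        svc for svc in AV_SERVICES if any(svc.lower() in s for s in strings)
    )
    reg: List[str] = sorted(v for v in DEFENDER_VALUES if any(v in s for s in strings))
    # One hit is weak evidence; a cluster of anti-analysis DLLs, or an AV service
    # name together with a Defender-disabling value, is the actual signal.
    suspicious = len(dlls) >= 3 or (bool(services) and bool(reg))
    return {
        "analysis_dlls": dlls,
        "av_services": services,
        "defender_values": reg,
        "suspicious": suspicious,
    }


# Constructed stand-in for a dumped stage: a few indicators in ASCII, one in UTF-16LE.
SAMPLE = (
    b"\x00" * 16
    + b"pstorec.dll\x00sbiedll.dll\x00SxIn.dll\x00"
    + "MBAMService".encode("utf-16le") + b"\x00\x00"
    + b"DisableAntiSpyware\x00"
    + b"kernel32.dll\x00"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it on the bytes of a memory dump instead of `SAMPLE` to get the same report; the thresholds in `triage` are a starting point and should be tuned against your own benign corpus.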

Copies Itself To AppData\Roaming

The binary copies itself to C:\Users\<user>\AppData\Roaming\vrssit\tsickbot.exe and starts it as a process. tsickbot.exe is byte-for-byte identical to trickbot.exe: their MD5 sums match.

Debugging – tsickbot.exe

Data Decryption

Like trickbot.exe, tsickbot.exe decrypts an executable in memory and executes it. However, the decryption key used is different.

Note: Henceforth, the term binary refers to the decrypted executable.

Create svchost.exe Process

The binary contains self-modifying code. It creates a C:\Windows\system32\svchost.exe process with its main thread suspended, a typical indicator of process replacement (process hollowing).

After injecting into svchost.exe, it resumes the suspended thread (0x24F4868) and exits soon after.

Injecting into svchost.exe

The spawned svchost.exe is a 64-bit image. This is interesting because a 32-bit executable (tsickbot.exe) spawned and injected into a 64-bit process. This is done with the Heaven's Gate technique, in which 32-bit code running under WoW64 switches itself into 64-bit mode to reach the native 64-bit API.

By tracking the values in registers before svchost.exe is resumed, I found the code that the malicious svchost.exe process executes.

Dumping svchost.exe Code

I dumped 37855 bytes starting from 0x4A9C20 into a file named svchost.exe in the trickbot folder. After opening the dump in IDA, I applied multiple FLIRT signatures to identify library code.

Summary

trickbot.exe decrypts an executable in memory and executes it. This decrypted executable checks for defensive solutions (sandbox, AV), stops and disables Windows Defender services, copies trickbot.exe to AppData\Roaming\vrssit\tsickbot.exe and executes it. The binary tsickbot.exe also decrypts an executable in its memory. This decrypted executable starts a 64-bit svchost.exe process and injects code into it.


In this article (2/3), I described my analysis of the TrickBot malware's ability to inject into another process. In the next part, I'll describe my analysis of the 64-bit malicious svchost.exe process.

Thank you for reading! If you have any questions, leave them in the comments section below and I’ll get back to you as soon as I can!
