Yesterday I had a time to analyzed some new variant of trickbot malware and found how it keeps on updating its code to evade or bypassed detection and make the static or reading its unpack code more difficult and time consuming for malware researcher/analyst.
I will not focus on the behavior on this malware but rather on the said technique earlier.
Upon manually unpacking this Trickbot variant, you will notice that it will unpack 2 (PE) files and one of them contain most of the job to bypassed the detection from some AV Products and some anti-analysis.
 |
| fig. 1 - unpack trickbot |
 |
| fig. 1.1 - encrypted string of trickbot |
Loop routines to delay actual malware execution:
The first part of the unpack code is a loop routine that only increment ecx 0x7530 times. it seems like to be garbage or none sense code but this technique can also be an anti-sandbox technique where it delay the execution of its code to lure the sandbox from analysis.
 |
| fig. 2 - loops for delaying malware code execution |
Using Indirect Call, Garbage Code and Stack call reference
It also used an interesting way to execute its code function. First It computes the address of code that trickbot wants to execute and save it to stack.Then it will used EBP register to index the stack to grab the computed address and execute indirect call.
below is the code snippet that generate the index of function virtual addresses in stack.
 |
| fig. 3 - generating function virtual address in stack |
 |
| fig. 4 - samples of generated VA in stack |
 |
| fig. 5 - then by indexing address in EBP to execute indirect call |
Anti-Code Dumping Technique:
Process dump is one of the typical approach in malware analysis to see the actual malware code happened in the memory. but in this case this technique will not be so helpful.This trickbot sample use an anti-code dumping technique, where it decrypt the codes it wants to execute and encrypt it again afterwards. The decryption-encryption routine is a simple xor process with 16 bytes decryption key.
 |
| fig. 6 - anti- code dumping technique |
 |
| fig. 6.1 - code execution |
The Modified Base64 Encoding.
The encrypted string in fig. 1.1 show that it really looks like a base64 and as I mentioned to my last blog about
trickbot it used a custom b64 alphanum key table. So in this case I extract the encrypted string and created the simple python below.
 |
| fig. 7 - b64 python script |
Unfortunately there are some string that are failed to be decoded. This give me some hint that maybe Trickbot modify the actual Base64 algorithm for its own used.
 |
| fig. 8 - incomplete decoded string |
So what I did is I used the script I created in my last
Trickbot blog that do the Trickbot decryption routine in python and tadaaaa!! it was fully decrypted
 |
| fig. 9 - using my script that emulate the actual decryption routine |
Killing Sophos And Windefender
I also blackbox this file and found out that it kills the windefender app. by executing command in created cmd and powershell child process. By decrypting the whole string, I saw that WinDefender app. is not only the av product it tries to turn off or kill in the infected machine but also sophos , malwarebytes and etc.
 |
| IOC for killing Win Defender product |
 |
| IOC for killing Sophos and MalwareBytes product |
aside from this, It can check existence of virtual machine and debugger using common registry, dll modules, .exe and process artifact checking to the infected system.
Conclusion:
This show that malware keeps on updating there weapon to bypassed detection, do file less infection as much as possible and keep their code more difficult to analyze by security researcher and analyst.
File HASH:
sha1:796478235e3b973fb5bf62f26d50990a22ed0757
sha256:85f41612517a7e60582b9ee98f71a88203cd8941a31bc2d34ab5f42f89ee72e7
unpack code being analyzed:
https://www.virustotal.com/#/file/847ad5617cd7bf95bc1ec229fae32491effa01ec3284bc02c2c63e3c37395160/detection
