Thursday, July 12, 2018

Trickbot Anti-Code Dumping Techniques and Defense Evasion for Sophos and WinDefender

Yesterday I had a time to analyzed some new variant of trickbot malware and found how it keeps on updating its code to evade or bypassed detection and make the static or reading its unpack code more difficult and time consuming for malware researcher/analyst.

I will not focus on the behavior on this malware but rather on the said technique earlier.

Upon manually unpacking this Trickbot variant, you will notice that it will unpack 2 (PE) files and one of them contain most of the job to bypassed the detection from some AV Products and some anti-analysis.

fig. 1 - unpack trickbot

fig. 1.1 - encrypted string of trickbot

Loop routines to delay actual malware execution:

The first part of the unpack code is a loop routine that only increment ecx 0x7530 times. it seems like to be garbage or none sense code but this technique can also be an anti-sandbox technique where it delay the execution of its code to lure the sandbox from analysis.

fig. 2 - loops for delaying malware code execution

Using Indirect Call, Garbage Code and Stack call reference

It also used an interesting way to execute its code function. First It computes the address of code that trickbot wants to execute and save it to stack.Then it will used EBP register to index the stack to grab the computed address and execute indirect call.

 below is the code snippet that generate the index of function virtual addresses in stack.

fig. 3 - generating function virtual address in stack

fig. 4 - samples of generated VA in stack

fig. 5 - then by indexing address in EBP to execute indirect call

Anti-Code Dumping Technique:

Process dump is one of the typical approach in malware analysis to see the actual malware code happened in the memory. but in this case this technique will not be so helpful.This trickbot sample use an anti-code dumping technique, where it decrypt the codes it wants to execute and encrypt it again afterwards. The decryption-encryption routine is a simple xor process with 16 bytes decryption key.

fig. 6 - anti- code dumping technique

fig. 6.1 - code execution

The Modified Base64 Encoding.

The encrypted string in fig. 1.1 show that it really looks like a base64 and as I mentioned to my last blog about trickbot it used a custom b64 alphanum key table. So in this case I extract the encrypted string and created the simple python below.

fig. 7 - b64 python script

Unfortunately there are some string that are failed to be decoded. This give me some hint that maybe Trickbot modify the actual Base64 algorithm for its own used.

fig. 8 - incomplete decoded string

So what I did is I used the script I created in my last Trickbot blog that do the Trickbot decryption routine in python and tadaaaa!! it was fully decrypted

fig. 9 - using my script that emulate the actual decryption routine

Killing Sophos And Windefender

I also blackbox this file and found out that it kills the windefender app. by executing command in created cmd and powershell child process. By decrypting the whole string, I saw that WinDefender app. is not only the av product it tries to turn off or kill in the infected machine but also sophos , malwarebytes and etc.

IOC for killing Win Defender product

IOC for killing Sophos and MalwareBytes product

aside from this, It can check existence of virtual machine and debugger using common registry, dll modules, .exe and process artifact checking to the infected system.


This show that malware keeps on updating there weapon to bypassed detection, do file less infection as much as possible and keep their code more difficult to analyze by security researcher and analyst.

File HASH:
unpack code being analyzed: https://www.virustotal.com/#/file/847ad5617cd7bf95bc1ec229fae32491effa01ec3284bc02c2c63e3c37395160/detection

No comments:

Post a Comment

The Tales of Macro Payload Steganography with 5 Layers of Obfuscation...

Cyber Security Industry are very familiar with malicious Windows office files that contains macro to execute batch or powershell script to d...