

Malware analysis sample with MD5 da3ae8369f32acaff188a5163adcf8a0

There is no info about how the sample infects the system; it could have been dropped or downloaded in an initial infection stage. For example, a common scenario is one where a user receives an email with a malicious Word document attached. This Word document could contain malicious macros or an exploit that takes advantage of the CVE-2017-11882 or CVE-2018-0802 vulnerabilities in order to download the second stage, establish persistence and execute it. Moreover, since the sample is a DLL, it is possible that it uses DLL hijacking to be stealthier during its execution, setting an autorun mechanism using the registry, a scheduled task or a service.

The sample is a DLL compiled with Delphi; the compiler timestamp is (it can be modified), and it carries a "valid certificate" signed by ITWAYSUK LTD. pointing to the legitimate program that is going to load the malicious DLL. The sample is detected by 33/65 antivirus engines as "Trojan.Banker". The sample has 4 exports; the dbkFCallWrapperAddr, __dbk_fcallwrapper and TMethodImplementationIntercept exports are usual in DLLs compiled with Delphi XE6.
In this series of articles, I am going to explain how the different malware families implement EternalBlue and how they take advantage of it.

EternalBlue is an exploit developed by the NSA and leaked by the Shadow Brokers hacker group on April 14, 2017. It became widely known when it was used as part of the worldwide WannaCry ransomware attack on May 12, 2017. This exploit takes advantage of a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol (CVE-2017-0143): sending crafted packets over SMBv1 allows arbitrary code execution on the target system.

In this post, I am going to analyze Trickbot's wormDll32 module, which allows Trickbot to spread using EternalBlue. As is usual in the Trickbot modules, the DLL has 4 exports:

This module tries to infect all the devices in the same domain as the infected machine using EternalBlue. The export that starts the malicious operations is Control.

When the new thread is created, the module enumerates all the servers in the same domain using NetServerEnum. Then, it obtains the IP of the hosts using the gethostbyname and inet_ntoa functions. With this info, the OpenSocket_ThenEternalBlue function is called. This function performs socket operations in order to establish communication with the targeted machine. If everything works as expected, the EternalBlue infection starts:

First, the module checks the OS version. If the version contains one of these strings, it will try to infect the device:

Then, the function creates the required structures to perform the EternalBlue attack and takes advantage of the vulnerability. The final stage of this process is to inject a shellcode into the targeted system.

This module contains two shellcodes, one for 32-bit systems (left) and the other for 64-bit systems (right). Both shellcodes contain a malicious URL from which the malicious code will be downloaded.

The examples given here come from the x86 shellcode. The first one is the Ring 0 part that gets ready in order to perform a Ring 3 APC injection into the targeted process to execute the malicious Ring 3 code (if the injection is performed in lsass.exe or services.exe it will be executed with System privileges). Doing a little research, it has been found that the initial part of the shellcode corresponds to this code:

This is the first part of the Trickbot shellcode. Comparing both the Trickbot shellcode and the original shellcode from GitHub, it has been noticed that the Trickbot one doesn't perform an APC injection into the lsass.exe process as the original shellcode does.

The EternalBlue POC can be found in this GitHub:

_find_target_process_loop function of the original shellcode from GitHub:

    ; calc_hash: useful for comparing ASCII strings in shellcode
    lodsb               ; Read in the next byte of the ASCII string
    ror edx, 13         ; Rotate right our hash value
    add edx, eax        ; Add the next byte of the string

At this point, the original calc_hash function from the shellcode has been found in order to create a Python script with the same functionality. The objective is to obtain the name of the process associated with the unknown hash 0x388CC1E7 that appears in the Trickbot shellcode.

Using the script, it has been found that the name of the process associated with the hash 0x388CC1E7 is services.exe, meaning that Trickbot's shellcode will inject its malicious code into the services.exe process instead of lsass.exe.
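To reproduce the hash lookup described in this post, here is an added Python re-implementation of the shellcode's ror13-add string hash together with a resolver that tries it against a constructed list of Windows process names; it is example code, not the post's own script. It assumes the loop shape shown above (lodsb, ror edx 13, add edx eax) with the terminating NUL folded into the hash, the Metasploit-style form of that routine; the rotation count and terminator handling are parameters so the script can be matched to the routine actually lifted from the sample.

```python
from typing import Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits (x86 ROR semantics)."""
    count %= 32
    value &= MASK32
    return ((value >> count) | (value << (32 - count))) & MASK32


def calc_hash(name: bytes, rotate: int = 13, include_terminator: bool = True) -> int:
    """Mirror of calc_hash: edx = 0; for every byte: edx = ror(edx, rotate) + byte.

    Assumption: the loop also folds the terminating NUL into the hash, as the
    lodsb / ror / add / test al,al / jne form does. Use include_terminator=False
    for a variant that stops before the NUL.
    """
    data = name + b"\x00" if include_terminator else name
    h = 0
    for byte in data:
        h = (ror32(h, rotate) + byte) & MASK32
    return h


# Constructed candidate list (not from the post). EPROCESS.ImageFileName holds
# at most 15 characters, so longer names are truncated before hashing.
CANDIDATES = [
    b"System", b"smss.exe", b"csrss.exe", b"wininit.exe", b"services.exe",
    b"lsass.exe", b"svchost.exe", b"spoolsv.exe", b"winlogon.exe", b"explorer.exe",
]


def resolve_hash(target: int, candidates=CANDIDATES, **variant) -> Optional[str]:
    """Return the candidate process name whose hash equals `target`, else None."""
    for name in candidates:
        if calc_hash(name[:15], **variant) == target:
            return name.decode()
    return None


if __name__ == "__main__":
    # Hash table under the assumed variant, then a round-trip lookup.
    for name in CANDIDATES:
        print(f"{name.decode():<14} 0x{calc_hash(name[:15]):08X}")
    probe = calc_hash(b"services.exe")
    print(f"0x{probe:08X} -> {resolve_hash(probe)}")
```

Pass the constant lifted from the shellcode (0x388CC1E7 on this page) to resolve_hash; if no candidate matches, adjust rotate or include_terminator to the variant the sample implements before extending the candidate list.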
