Reversing Newly Featured TrickBot [TrickBoot]
Static and Dynamic Analysis

Recently a newly featured TrickBot sample named "TrickBoot" arrived on MalwareBazaar, submitted by our friend Arkbird_SOLG. This TrickBot sample has a feature aimed at the UEFI firmware: it looks for weaknesses in the firmware's write protections that would let it tamper with the firmware.
Static Analysis: Basic
Hashes:

Strings:

Imports:

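The three basic checks above (hashes, strings, imports) are the first thing to run on any new sample. As an added example that is not part of the original post, here is a self-contained Python script that does all three with only the standard library, including a hand-rolled walk of the PE import directory that handles PE32 and PE32+, named imports and imports by ordinal. The input is a constructed minimal PE32 built inside the script (`build_sample_pe`); its DLL and function names are arbitrary placeholders, not the imports of the TrickBoot sample, and the function names `file_hashes`, `extract_strings` and `parse_imports` are my own.

```python
import hashlib
import re
import struct

def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the raw bytes: the identifiers used to look a sample up."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs plus UTF-16LE runs (Windows binaries keep many strings wide)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return ([m.group().decode("ascii") for m in ascii_re.finditer(data)]
            + [m.group().decode("utf-16le") for m in wide_re.finditer(data)])

def _rva_to_offset(rva: int, sections: list) -> int:
    """Map a relative virtual address to a file offset through the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def _cstring(data: bytes, off: int) -> str:
    return data[off:data.index(b"\x00", off)].decode("ascii", "replace")

def parse_imports(data: bytes) -> dict:
    """Walk the PE import directory and return {dll: [function name or 'ordinal#N', ...]}."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER follows the PE signature
    nsections, opt_size = struct.unpack_from("<H", data, coff + 2)[0], struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: data directories start at optional-header offset 96
        dirs, thunk_fmt, ordinal_bit = opt + 96, "<I", 1 << 31
    elif magic == 0x20B:    # PE32+: directories start at offset 112, thunks are 64-bit
        dirs, thunk_fmt, ordinal_bit = opt + 112, "<Q", 1 << 63
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    import_rva = struct.unpack_from("<I", data, dirs + 8)[0]   # data directory entry 1
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + i * 40
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    if import_rva == 0:                       # no import table at all
        return {}
    desc, imports = _rva_to_offset(import_rva, sections), {}
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if oft == 0 and name_rva == 0 and ft == 0:   # all-zero descriptor ends the array
            break
        dll = _cstring(data, _rva_to_offset(name_rva, sections))
        # Read the import name table; fall back to the IAT when OriginalFirstThunk is 0
        thunk, names = _rva_to_offset(oft or ft, sections), []
        while True:
            val = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if val == 0:
                break
            if val & ordinal_bit:
                names.append("ordinal#%d" % (val & 0xFFFF))
            else:   # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the NUL-terminated name
                names.append(_cstring(data, _rva_to_offset(val, sections) + 2))
            thunk += struct.calcsize(thunk_fmt)
        imports[dll] = names
        desc += 20
    return imports

def build_sample_pe() -> bytes:
    """Constructed PE32 test input (not a real sample): one .idata section holding an import table."""
    sect_rva, sect_raw = 0x1000, 0x200
    wanted = {b"KERNEL32.dll": [b"CreateFileA", b"DeviceIoControl"],
              b"ADVAPI32.dll": [b"OpenProcessToken", 17]}      # 17 = import by ordinal
    body = bytearray(20 * (len(wanted) + 1))                   # descriptor array + null terminator
    for i, (dll, funcs) in enumerate(wanted.items()):
        name_rva = sect_rva + len(body)
        body += dll + b"\x00"
        thunks = []
        for f in funcs:
            if isinstance(f, int):                               # ordinal: high bit set, no name entry
                thunks.append(0x80000000 | f)
                continue
            body += b"\x00" * (len(body) % 2)                    # hint/name entries are 2-byte aligned
            thunks.append(sect_rva + len(body))
            body += b"\x00\x00" + f + b"\x00"                    # hint + name
        body += b"\x00" * (-len(body) % 4)
        oft_rva, ft_rva = sect_rva + len(body), sect_rva + len(body) + 4 * (len(thunks) + 1)
        body += 2 * (b"".join(struct.pack("<I", t) for t in thunks) + b"\x00" * 4)   # INT and IAT
        struct.pack_into("<IIIII", body, 20 * i, oft_rva, 0, 0, name_rva, ft_rva)
    body += "wide-string-marker".encode("utf-16le") + b"\x00\x00"   # exercises the UTF-16 scan
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<IIIII", opt, 92, 16, 0, 0, sect_rva, 20 * (len(wanted) + 1))  # dir count, export, import
    sect = b".idata\x00\x00" + struct.pack("<IIIIIIHHI", len(body), sect_rva, len(body), sect_raw, 0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\x00\x00" + coff + bytes(opt) + sect).ljust(sect_raw, b"\x00") + bytes(body)
```

On a real file, call `parse_imports(open(path, "rb").read())`. The section-table lookup is what turns the RVAs in the headers into file offsets; the parser raises instead of guessing when an RVA points outside every section, which on a packed or tampered sample is itself worth noting before moving on to the decompiler.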
Static Analysis: Advanced
Using Ghidra (the love of our reversing life), I worked through the decompiled code of TrickBoot [TrickBot]. Going through the binary, I found that the TrickBoot sample locks and encrypts files and uses kernel-level access to reach the UEFI firmware of the victim's system.
Entry Function:
Mainly the entry function

fetch_sys_info_for_exec_exploit function:

scamblr_and_xor_header_modifier function:

Other than this, some interesting functions are:
Main Function:

cpu_info_fetcher function:

Dynamic Analysis:
I have uploaded the dynamic analysis report of TrickBoot to GitHub:
https://github.com/ashton2323/Reports/blob/main/report-406c7180fdf423c0e99b72c45f175bf0.pdf
That’s all for today.