Open in app
0xthreatintel
91 Followers
About

Sign in

Open in app

Reversing Newly Featured TrickBot [TrickBoot]

0xthreatintel

·Dec 5, 2020

Static and Dynamic Analysis

Recently, newly featured Trickbot sample named “TrickBoot” has arrived on “malware bazaar” submitted by our friend Arkbird_SOLG. This sample of TrickBot is been having the feature of messing up the UEFI firmware by exploiting vulnerability in the UEFI firmware.

Static Analysis:Basic

Hash’s:

Hash’s of TrickBoot file analysis.

Strings:

Strings present in TrickBoot Sample.

Imports:

Imports present in TrickBoot Sample.

Static Analysis: Advanced

Deploying Ghidra[love of our reversing life], i managed to reverse the de-compiled code of TrickBoot [ TrickBot]. Going though the binary executable of i discovered that the Trickboot sample is sort of locking and encrypting the files and exploiting the kernel for accessing the control over the UEFI of system of victim.

Entry Function:

Mainly the entry function

Code of Entry Function.
Graph of Entry Function.
Its; the full graph of entry function.
Functional Graph of Entry Function.

fetch_sys_info_for_exec_exploit function:

Code of fetch_sys_info_for_exec_exploit function.
Graph of fetch_sys_info_for_exec_exploit function.
Functional Graph of fetch_sys_info_for_exec_exploit function.

scamblr_and_xor_header_modifier function:

Code of scamblr_and_xor_header_modifier function.
Graph of scamblr_and_xor_header_modifier function.
Functional graph of scamblr_and_xor_header_modifier function.

Other then this, some interesting functions are:

Main Function:

Code of main_func function.
graph of main_func function.
Functional graph of main_func function.

cpu_info_fetcher function:

Code of cpu_info_fetcher function.
Graph of cpu_info_fetcher function.
Functional Graph of cpu_info_fetcher function.

Dynamic Analysis:

I had uploaded the dynamic analysis report of TrickBoot on GitHub.

https://github.com/ashton2323/Reports/blob/main/report-406c7180fdf423c0e99b72c45f175bf0.pdf

That’s all for today.

More from 0xthreatintel

aka Nikhil Rathor | Honey. Malware Analyst. I write blogs related to threat intelligence , malware analysis, APTs , network intrusions and incident responding.

More From Medium

Can the Feds Force Trickle-Down Security on the Internet of Things?

API Security Testing

Don’t get crushed by the SaaS Tsunami

Passwords are Obsolete — How to Secure Your App and Protect Your Users

Confidential Computing is cool!

Hackers Have Infiltrated Many of Washington State’s Agencies

Ways to Protect Your Privacy and Money (While Making Some) in Trading and Investing

Towards A More Distributed, Trusted and Resilient Data World

About

Help

Legal

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store