Reversing Newly Featured TrickBot [TrickBoot]

Static and Dynamic Analysis

Recently a newly featured TrickBot sample named "TrickBoot" arrived on MalwareBazaar, submitted by our friend Arkbird_SOLG. This TrickBot module targets the UEFI firmware: it checks the victim's platform for a well-known firmware weakness, missing SPI flash write protection, which would allow the UEFI firmware to be overwritten from the operating system.
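As an added example (not code from the original post and not the TrickBot authors' code), the following C program shows the decision TrickBoot makes on a host, as described in the public Eclypsium/AdvIntel reporting on the module: it decodes the BIOSWE, BLE and SMM_BWP bits of the Intel PCH BIOS Control Register (BIOS_CNTL) and classifies whether the BIOS region of SPI flash can be written from ring 0. The malware reads this register through a kernel driver; here the read is done from Linux sysfs instead. The sysfs path and the 0xDC offset on PCI device 0:1f.0 are assumptions that hold for older Intel PCHs (on newer platforms the register sits on the SPI controller device), so treat chipsec's `common.bios_wp` module as the authoritative check on a real machine.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Bits of the Intel PCH BIOS Control Register (BIOS_CNTL), 8 bits wide.
 * Assumed location: offset 0xDC in the PCI config space of the LPC bridge
 * (bus 0, dev 0x1F, fn 0) on older PCHs; newer PCHs expose it on 0:1f.5.
 */
#define BIOS_CNTL_BIOSWE  (1u << 0) /* BIOS Write Enable: BIOS region writes allowed   */
#define BIOS_CNTL_BLE     (1u << 1) /* BIOS Lock Enable: setting BIOSWE raises an SMI   */
#define BIOS_CNTL_SMM_BWP (1u << 5) /* SMM BIOS Write Protect: writes only from SMM    */

enum bios_wp_state {
    BIOS_WP_UNPROTECTED,   /* any ring-0 code can (enable and) write the BIOS region */
    BIOS_WP_BLE_ONLY,      /* BIOSWE clear, BLE set: protection rests on the SMI handler */
    BIOS_WP_SMM_PROTECTED  /* SMM_BWP set: only code running in SMM can write */
};

enum bios_wp_state classify_bios_cntl(uint8_t bios_cntl)
{
    bool bioswe  = (bios_cntl & BIOS_CNTL_BIOSWE) != 0;
    bool ble     = (bios_cntl & BIOS_CNTL_BLE) != 0;
    bool smm_bwp = (bios_cntl & BIOS_CNTL_SMM_BWP) != 0;

    if (smm_bwp)
        return BIOS_WP_SMM_PROTECTED;   /* hardware refuses non-SMM writes */
    if (ble && !bioswe)
        return BIOS_WP_BLE_ONLY;        /* SMI handler is expected to clear BIOSWE again */
    /* BIOSWE already set, or BLE clear so BIOSWE can be set without an SMI */
    return BIOS_WP_UNPROTECTED;
}

const char *bios_wp_describe(enum bios_wp_state s)
{
    switch (s) {
    case BIOS_WP_SMM_PROTECTED: return "SMM_BWP set: BIOS region writable only from SMM";
    case BIOS_WP_BLE_ONLY:      return "BLE set, BIOSWE clear: protected by SMI handler only";
    default:                    return "UNPROTECTED: BIOS region writable from the OS kernel";
    }
}

/* The question a firmware implant asks before deciding whether a host is a target. */
bool bios_region_writable_from_os(uint8_t bios_cntl)
{
    return classify_bios_cntl(bios_cntl) == BIOS_WP_UNPROTECTED;
}

/*
 * Read BIOS_CNTL from a Linux sysfs PCI config file (needs root). Assumes the
 * older PCH layout (offset 0xDC); returns -1 when the register cannot be read.
 */
int read_bios_cntl_linux(const char *pci_config_path)
{
    FILE *f = fopen(pci_config_path, "rb");
    if (!f)
        return -1;
    uint8_t value = 0;
    int ok = fseek(f, 0xDC, SEEK_SET) == 0 && fread(&value, 1, 1, f) == 1;
    fclose(f);
    return ok ? (int)value : -1;
}

int main(void)
{
    /* assumed sysfs path for the LPC bridge on an Intel platform */
    int v = read_bios_cntl_linux("/sys/bus/pci/devices/0000:00:1f.0/config");
    if (v < 0) {
        fprintf(stderr, "could not read BIOS_CNTL (run as root on an Intel platform)\n");
        return 1;
    }
    printf("BIOS_CNTL = 0x%02x -> %s\n", v, bios_wp_describe(classify_bios_cntl((uint8_t)v)));
    return bios_region_writable_from_os((uint8_t)v) ? 2 : 0;
}
```

A value of 0x02 (BLE set, BIOSWE clear) still counts as weaker than 0x20 (SMM_BWP set): with only BLE, the write protection depends on the SMI handler clearing BIOSWE again, whereas SMM_BWP makes the hardware reject writes that do not originate from SMM. Any host that classifies as UNPROTECTED is one where a module like TrickBoot would report the firmware as writable.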

Static Analysis: Basic

Figure: hashes of the TrickBoot sample.

Figure: strings present in the TrickBoot sample.

Figure: imports present in the TrickBoot sample.

Static Analysis: Advanced

Deploying Ghidra [love of our reversing life], I worked through the decompiled code of TrickBoot [TrickBot]. Going through the binary executable, I discovered that the TrickBoot sample is, in effect, locking and encrypting files and exploiting the kernel to gain control over the UEFI of the victim's system.

Entry Function:

Mainly the entry function

Figure: code of the entry function.
Figure: graph of the entry function.
This is the full graph of the entry function.
Figure: functional graph of the entry function.

fetch_sys_info_for_exec_exploit function:

Figure: code of the fetch_sys_info_for_exec_exploit function.
Figure: graph of the fetch_sys_info_for_exec_exploit function.
Figure: functional graph of the fetch_sys_info_for_exec_exploit function.

scamblr_and_xor_header_modifier function:

Figure: code of the scamblr_and_xor_header_modifier function.
Figure: graph of the scamblr_and_xor_header_modifier function.
Figure: functional graph of the scamblr_and_xor_header_modifier function.

Other than these, some interesting functions are:

Main Function:

Figure: code of the main_func function.
Figure: graph of the main_func function.
Figure: functional graph of the main_func function.

cpu_info_fetcher function:

Figure: code of the cpu_info_fetcher function.
Figure: graph of the cpu_info_fetcher function.
Figure: functional graph of the cpu_info_fetcher function.

Dynamic Analysis:

I have uploaded the dynamic analysis report of TrickBoot to GitHub.

That's all for today.
