Open in app
0xthreatintel
145 Followers
About

Sign in

Open in app

Reversing Newly Featured TrickBot [TrickBoot]

0xthreatintel

·Dec 5, 2020

Static and Dynamic Analysis

Recently, newly featured Trickbot sample named “TrickBoot” has arrived on “malware bazaar” submitted by our friend Arkbird_SOLG. This sample of TrickBot is been having the feature of messing up the UEFI firmware by exploiting vulnerability in the UEFI firmware.

Static Analysis:Basic

Hash’s:

Hash’s of TrickBoot file analysis.

Strings:

Strings present in TrickBoot Sample.

Imports:

Imports present in TrickBoot Sample.

Static Analysis: Advanced

Deploying Ghidra[love of our reversing life], i managed to reverse the de-compiled code of TrickBoot [ TrickBot]. Going though the binary executable of i discovered that the Trickboot sample is sort of locking and encrypting the files and exploiting the kernel for accessing the control over the UEFI of system of victim.

Entry Function:

Mainly the entry function

Code of Entry Function.
Graph of Entry Function.
Its; the full graph of entry function.
Functional Graph of Entry Function.

fetch_sys_info_for_exec_exploit function:

Code of fetch_sys_info_for_exec_exploit function.
Graph of fetch_sys_info_for_exec_exploit function.
Functional Graph of fetch_sys_info_for_exec_exploit function.

scamblr_and_xor_header_modifier function:

Code of scamblr_and_xor_header_modifier function.
Graph of scamblr_and_xor_header_modifier function.
Functional graph of scamblr_and_xor_header_modifier function.

Other then this, some interesting functions are:

Main Function:

Code of main_func function.
graph of main_func function.
Functional graph of main_func function.

cpu_info_fetcher function:

Code of cpu_info_fetcher function.
Graph of cpu_info_fetcher function.
Functional Graph of cpu_info_fetcher function.

Dynamic Analysis:

I had uploaded the dynamic analysis report of TrickBoot on GitHub.

https://github.com/ashton2323/Reports/blob/main/report-406c7180fdf423c0e99b72c45f175bf0.pdf

That’s all for today.

More from 0xthreatintel

Honey. Malware Analyst. I write blogs related to threat intelligence , malware analysis, APTs , network intrusions and incident responding.

More From Medium

{UPDATE} Airplane Pilot Flight Simulator 3D Hack Free Resources Generator

What I Wish I’d Known Before My Phone Was Stolen

{UPDATE} 逆転裁判5 Hack Free Resources Generator

{UPDATE} ポケットプランツ 人気の植物観察育成ゲーム Hack Free Resources Generator

Stuxnet; most famous APT

Setting Your WordPress Site to HTTPS with Let’s Encrypt

{UPDATE} Ghost Hunter Miri Hack Free Resources Generator

10 amazing cool websites you must know in 2021 Hey guys it's fatha here again 😁 and today I'm…