Friday, June 26, 2020

another failed attempt at trickbot analysis in IDA

2nd attempt at trickbot analysis

Trickbot
https://app.any.run/tasks/229b1b03-c04b-4826-a9f4-1a0c60f87d9a/
md5 09CF5ED5EDF9532A802526B663277739
6/26/2020

Breakpoints at
 VirtualAlloc, on its final ret 10h (so EAX holds the address just allocated)
 VirtualProtect, at its first instruction

1st breakpoint at VirtualAlloc
 EAX = debug043:00290000

2nd breakpoint at VirtualProtect
 top of stack = debug043:00291000
  has something in it ... but does not start with MZ

3rd breakpoint at VirtualAlloc
 EAX = debug045:00200000

4th breakpoint at VirtualAlloc
 EAX = 10000000 (I missed what this was?)

 BUT previous EAX (debug045:00200000) now has MZ header!!!

so let's try to dump debug045
 start = 00200000
 end   = 00203000
 size  = 00003000

 so hit Shift-F2 (Script command), choose Python, and type:

from idc import *   # IDA 6.x-style names; in IDA 7.x the same calls are ida_kernwin.ask_file and idc.get_bytes

filename = AskFile(1, "*.bin", "Output file name")  # 1 = save dialog
address = 0x00200000   # start of the debug045 segment
size = 0x3000          # end - start
dbgr = False           # False reads the IDB's copy of the segment, True reads the live process
with open(filename, "wb") as out:
  data = GetManyBytes(address, size, use_dbg=dbgr)
  out.write(data)

 Open it with PE Bear
  does not look right: no Imports or Exports, only 1 section (.text)
  seems like an invalid DOS header text: "!This is a 64-bit PE executable"
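The dump above was sized from the IDA segment bounds and checked only after the fact in PE Bear. The script below is an added example, not code from the original post: it applies the same checks before writing anything, to a snapshot of the regions tracked at the VirtualAlloc breakpoints. It scans each region for an "MZ" that actually leads to valid NT headers (a lone "MZ" is discarded), sizes the dump from SizeOfImage instead of the segment size, and reports what PE Bear would complain about (PE32+ magic, a single section, no import directory, an image that does not fit the region). The regions and the PE image are constructed test data, not Trickbot's bytes; dump_in_ida is glue for IDA 7.x whose API names (ida_segment.getseg, idc.get_bytes) are assumed and are not exercised outside IDA.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe_header(data):
    """Header fields needed to size and sanity-check a dump; None if not a plausible PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # an MZ with no NT headers in reach (DOS stub only, or a random "MZ") is not dumpable
    if e_lfanew > 0x1000 or e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 96 or opt + opt_size > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        return None
    is64 = magic == PE32PLUS_MAGIC
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    # NumberOfRvaAndSizes and the directory table sit 16 bytes further on in a PE32+ header
    ndirs = struct.unpack_from("<I", data, opt + (108 if is64 else 92))[0]
    dir_base = opt + (112 if is64 else 96)
    import_dir = (0, 0)  # directory entry 1 = import table (RVA, size)
    if ndirs > 1 and dir_base + 16 <= len(data):
        import_dir = struct.unpack_from("<II", data, dir_base + 8)
    sec_off = opt + opt_size
    raw = [struct.unpack_from("<8sII", data, off)
           for off in range(sec_off, sec_off + 40 * nsec, 40) if off + 40 <= len(data)]
    sections = [{"name": n.rstrip(b"\0").decode("latin-1"), "vsize": vs, "va": va} for n, vs, va in raw]
    return {"machine": machine, "is64": is64, "size_of_image": size_of_image,
            "import_dir": import_dir, "sections": sections}


def sanity_warnings(hdr, region_len):
    """What PE Bear would flag on the dump; cheaper to check before writing it."""
    w = []
    if hdr["is64"]:
        w.append("PE32+ (64-bit) image")
    if len(hdr["sections"]) < 2:
        w.append("only %d section(s)" % len(hdr["sections"]))
    if hdr["import_dir"] == (0, 0):
        w.append("no import directory")
    if not 0 < hdr["size_of_image"] <= region_len:
        w.append("SizeOfImage 0x%x does not fit the 0x%x-byte region" % (hdr["size_of_image"], region_len))
    return w


def plan_dumps(regions):
    """regions: {base: bytes} of VirtualAlloc'd blocks; returns where and how much to dump per PE found."""
    plans = []
    for base, mem in sorted(regions.items()):
        i = mem.find(b"MZ")
        while i >= 0:
            hdr = parse_pe_header(mem[i:])
            if hdr:
                avail = len(mem) - i
                size = hdr["size_of_image"] if 0 < hdr["size_of_image"] <= avail else avail
                plans.append({"base": base, "addr": base + i, "size": size, "hdr": hdr,
                              "warnings": sanity_warnings(hdr, avail)})
            i = mem.find(b"MZ", i + 2)
    return plans


def build_sample_image(is64=False, with_imports=True, nsections=2):
    """Constructed test data: a minimal PE laid out as it sits in memory (not Trickbot's)."""
    opt_size = 0xF0 if is64 else 0xE0
    size_of_image = 0x1000 * (nsections + 1)  # one page of headers, one page per section
    dos = bytearray(b"MZ" + bytes(0x3E))
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664 if is64 else 0x14C, nsections, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if is64 else PE32_MAGIC)
    struct.pack_into("<II", opt, 56, size_of_image, 0x400)  # SizeOfImage, SizeOfHeaders
    ndirs_off, dir_off = (108, 112) if is64 else (92, 96)
    struct.pack_into("<I", opt, ndirs_off, 16)
    if with_imports:
        struct.pack_into("<II", opt, dir_off + 8, 0x2000, 0x80)  # import table RVA, size
    secs = b"".join(struct.pack("<8sIIIIIIHHI", b".text" if i == 0 else b".data", 0x1000, 0x1000 * (i + 1),
                                0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0x60000020) for i in range(nsections))
    image = bytearray(size_of_image)
    image[:0x40 + 4 + 20 + opt_size + len(secs)] = dos + b"PE\0\0" + coff + opt + secs
    return bytes(image)


# Constructed stand-in for the regions watched at the 4th VirtualAlloc breakpoint
SAMPLE_REGIONS = {0x290000: bytes(range(256)) * 16,          # no "MZ" anywhere
                  0x291000: b"MZ" + b"not a PE header" * 8,  # "MZ" but no NT headers behind it
                  0x200000: build_sample_image()}           # a complete 0x3000-byte image


def dump_in_ida(bases, use_dbg=True):
    """IDA-only glue (assumed IDA 7.x API names, not exercised here): read each tracked
    block from the debuggee and write every PE that plan_dumps finds to <addr>.bin."""
    import idc, ida_segment
    segs = [ida_segment.getseg(b) for b in bases]
    regions = {s.start_ea: idc.get_bytes(s.start_ea, s.end_ea - s.start_ea, use_dbg) for s in segs}
    for p in plan_dumps(regions):
        print("PE at 0x%x: dump 0x%x bytes, warnings: %s" % (p["addr"], p["size"], p["warnings"] or "none"))
        with open("%08x.bin" % p["addr"], "wb") as out:
            out.write(regions[p["base"]][p["addr"] - p["base"]:][:p["size"]])
```

Inside IDA, at the breakpoint where a region shows "MZ", call dump_in_ida([0x290000, 0x200000]) with the EAX values collected so far; outside IDA, plan_dumps(SAMPLE_REGIONS) runs on the constructed regions and reports the single valid image at 0x200000. Reading with use_dbg=True takes the bytes from the live process rather than the IDB's cached copy, which matters when the unpacker is still writing into the region between breakpoints.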

5th breakpoint is at VirtualAlloc
 EAX = debug047:10001000
 No new MZ headers, just some random looking data in the monitored sections

6th breakpoint is at VirtualAlloc
 EAX = debug049:002D0000
 No new MZ headers, just some random looking data in the monitored sections

7th breakpoint is at VirtualAlloc
 EAX = debug050:002E0000
 No new MZ headers, just some random looking data in the monitored sections

8th breakpoint is at VirtualAlloc
 EAX = debug051:01D30000

then the process in IDA terminated
