Wednesday, July 1, 2020

failed attempt at trickbot analysis with ida

Trickbot analysis following OALabs tutorial

http://www.malware-traffic-analysis.net/2018/05/16/index.html
https://www.youtube.com/watch?v=EdchPEHnohw
Sha256: fa9ad80c0977cdbfe8419d27ca9ad909d34f1737df726f4d175f6b85b0670074

checked pestudio, ASLR was enabled
disabled ASLR with CFF Explorer (Dll can move, Image is NX Compatible)

since hybrid analysis loads same malware (process injection maybe?) set breakpoints
CreateProcessInternalW
WriteProcessMemory
ResumeThread

bp1 [CreateProcessInternalW] 3rd parameter on stack debug033:003089C0
which is the same path as our binary we are running

then it terminated? unlike the OALabs video in which is break next at WriteProcessMemory
must be something catching my vm and terminating?

kill the trickbot process
restart in IDA
hit CreateProcessInternalW breakpoints
CTRL-F7 (run until return) until i get to user code

code resolves all APIs (repeated multiple times)
GetModuleHandleA
GetProcAddress
then calls
GetThreadContext
followed by
ReadProcessMemory
VirtualAllocEx
test/jz <-- Virtual Alloc is returning 0 and then debugger is terminating (but a process still alive in task manager [the paused one?])
WriteProcessMemory


Posted by at

1 comment:

  1. Sharon WayneNovember 2, 2020 at 4:45 AM

    I want to thank Dr Emu a very powerful spell caster who help me to bring my husband back to me, few month ago i have a serious problem with my husband, to the extend that he left the house, and he started dating another woman and he stayed with the woman, i tried all i can to bring him back, but all my effort was useless until the day my friend came to my house and i told her every thing that had happened between me and my husband, then she told me of a powerful spell caster who help her when she was in the same problem I then contact Dr Emu and told him every thing and he told me not to worry my self again that my husband will come back to me after he has cast a spell on him, i thought it was a joke, after he had finish casting the spell, he told me that he had just finish casting the spell, to my greatest surprise within 48 hours, my husband really came back begging me to forgive him, if you need his help you can contact him with via email: Emutemple@gmail.com or add him up on his whatsapp +2347012841542 is willing to help any body that need his help.

    ReplyDelete

Subscribe to: Post Comments (Atom)