
@hasherezade
Last active October 30, 2018 17:56
TrickBot string decoder (c3737aaf6b613a7c7d5e0c6d3c0d60a2)
1 : 1\
2 : 1
3 : DIAL
4 : NAT status
5 : failed
6 : client is behind NAT
7 : client is not behind NAT
8 : DNSBL
9 : listed
10 : not listed
11 : SINJ
12 : %s %s
13 : spk
14 : tmp
15 : .tmp
16 : config.conf
17 : user
18 : RES
19 : group_tag
20 : %s sTart
21 : SYSTEM
22 : <?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2"
xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Version>1.0.1</Version>
<Description>Ms_Net_Cash</Description>
<URI></URI>
</RegistrationInfo>
<Triggers>
23 : <TimeTrigger>
<Repetition>
<Interval>PT10M</Interval>
<Duration>P415DT15H59M</Duration>
<StopAtDurationEnd>false</StopAtDurationEnd>
</Repetition>
<StartBoundary>
24 : </StartBoundary>
<Enabled>true</Enabled>
</TimeTrigger>
</Triggers>
<Principals>
<Principal id="Author">
25 : </Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>false</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>true</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>
26 : </Command>
</Exec>
</Actions>
</Task>
27 : <BootTrigger>
<Enabled>true</Enabled>
28 : </BootTrigger>
29 : <RunLevel>HighestAvailable</RunLevel>
<GroupId>NT AUTHORITY\SYSTEM</GroupId>
<LogonType>InteractiveToken</LogonType>
30 : <LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
31 : <UserId>
32 : </UserId>
33 : %Y-%m-%dT%H:%M:%S
34 : %s.%s
35 : %s.%s.%s.%s
36 : Msnetcs
37 : module
38 : name
39 : ctl
40 : srv
41 : /%s/%s/0/%s/%s/%s/%s/%s/
42 : /%s/%s/1/%s/
43 : /%s/%s/5/%s/
44 : /%s/%s/10/%s/%s/%d/
45 : /%s/%s/14/%s/%s/0/
46 : /%s/%s/23/%d/
47 : /%s/%s/25/%s/
48 : %s/%s/63/%s/%s/%s/%s/
49 : noname
50 : %s/%s/64/%s/%s/%s/
51 : data
52 : info
53 : No params
54 : Invalid params count
55 : Win32 error
56 : Decode from BASE64 error
57 : start
58 : Unable to load module from server
59 : GetParentInfo error
60 : Process was unloaded
61 : Start failed
62 : release
63 : Process has been finished
64 : Module was unloaded
65 : Process has been finished
66 : Control failed
67 : Module already unloaded
68 : %d%d%d.
69 : servconf
70 : expir
71 : plugins
72 : psrv
73 : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
74 : Windows 10 Server
75 : Windows 10
76 : Windows Server 2012 R2
77 : Windows 8.1
78 : Windows Server 2012
79 : Windows 8
80 : Windows Server 2008 R2
81 : Windows 7
82 : Windows Server 2008
83 : Windows Vista
84 : Windows Server 2003
85 : Windows XP
86 : Windows 2000
87 : Unknown
88 : x64
89 : x86
90 : %s %s SP%d
91 : Ncrypt.dll
92 : Bcrypt.dll
93 : NCryptOpenStorageProvider
94 : NCryptImportKey
95 : NCryptDeleteKey
96 : NCryptFreeObject
97 : BCryptOpenAlgorithmProvider
98 : BCryptImportKeyPair
99 : BCryptGetProperty
100 : BCryptVerifySignature
101 : BCryptCloseAlgorithmProvider
102 : BCryptDestroyKey
103 : shlwapi
104 : UrlEscapeW
105 : GET
106 : POST
107 : 0.0.0.0
108 : kernel32.dll
109 : HeapAlloc
110 : GetProcessHeap
111 : HeapFree
112 : HeapReAlloc
113 : Data\
114 : %s%s_configs\
115 : %s%s
116 : <moduleconfig>*</moduleconfig>
117 : autostart
118 : yes
119 : sys
120 : processname
121 : autoconf
122 : autocontrol
123 : needinfo
124 : control
125 : arg
126 : conf
127 : file
128 : period
129 : name
130 : id
131 : ip
132 : parentfiles
133 : Module has already been loaded
134 : Create ZP failed
135 : Find P failed
136 : Load to P failed
137 : Run D failed
138 : Load to M failed
139 : Start
140 : Control
141 : FreeBuffer
142 : Release
143 : svchost.exe
144 : SignalObjectAndWait
145 : WaitForSingleObject
146 : CloseHandle
147 : ResetEvent
148 : ExitProcess
149 : LoadLibraryW
150 : GetProcAddress
151 : wtsapi32
152 : WTSEnumerateSessionsA
153 : WTSFreeMemory
154 : WTSGetActiveConsoleSessionId
155 : WTSQueryUserToken
156 : winsta0\default
157 : ------Boundary%08X
158 : Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
159 : --%s
Content-Disposition: form-data; name="%S"
160 : --%s--
161 : Global\Muta
162 : D:(A;;GA;;;WD)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;RC)
163 : ssert
164 : expir
165 : checkip.amazonaws.com
166 : ipecho.net
167 : ipinfo.io
168 : api.ipify.org
169 : icanhazip.com
170 : myexternalip.com
171 : wtfismyip.com
172 : ip.anysrc.net
173 : /plain
174 : /ip
175 : /raw
176 : /text
177 : /plain/clientip
178 : 1045
179 : client_id
180 : Module is not valid
181 : GetNativeSystemInfo
182 : zen.spamhaus.org
183 : cbl.abuseat.org
184 : b.barracudacentral.org
185 : dnsbl-1.uceprotect.net
186 : spam.dnsbl.sorbs.net
187 : ECDSA_P384
188 : ECCPUBLICBLOB
189 : SignatureLength
190 : VERS
191 : InitializeCriticalSection
192 : EnterCriticalSection
193 : LeaveCriticalSection
194 : ModuleQuery
195 : ver.txt
196 : path
197 : working
198 : Global\%08lX%04lX%lu
199 : WinDefend
200 : MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
201 : MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths
202 : MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
203 : DEBG
204 : FAQ
205 : README.md
206 : %s%s
207 : info.dat
208 : .onion
209 : %s %S HTTP/1.1
Host: %s%s%S
210 : POST
211 : GET
212 :
213 : Content-Length:
214 : 174.127.217.73:55554
215 : 162.247.72.201:443
216 : 185.13.39.197:443
217 : 88.99.216.194:9001
218 : 185.22.172.237:443
219 : 199.249.223.62:443
220 : 2.137.16.245:9001
221 : 84.40.112.70:9001
222 : 212.47.246.229:9003
223 : 159.89.151.231:9001
224 : 69.163.34.173:443
225 : 83.163.164.15:9003
226 : 82.118.17.235:443
227 : 37.252.190.176:443
228 : 185.41.154.130:9001
229 : cmd.exe
230 : fifty
231 : WantRelease
232 : \iocopy
233 : api.ipify.org
234 : api.ip.sb
235 : ident.me
236 : www.myexternalip.com
237 : /?format=text
238 : path
239 : CI failed, 0x%x
240 : pIT NULL
241 : pIT connect failed, 0x%x
242 : pIT GetFolder failed, 0x%x
243 : Win10, Reg success
244 : Win10, Reg failed
245 : Create xml failed
246 : Create xml2 failed
247 : Register u failed, 0x%x
248 : Register s failed, 0x%x
249 : autorun
250 : <LogonTrigger>
<Enabled>true</Enabled>
251 : </LogonTrigger>
252 : CreateThread
253 : GetComputerNameW
254 : lstrcmpW
255 : lstrlenW
256 : GetFullPathNameW
257 : FindFirstFileW
258 : FindResourceW
259 : FreeLibrary
260 : LoadResource
261 : GetModuleHandleW
262 : SetFileTime
263 : lstrcpynW
264 : GetLastError
265 : FindClose
266 : LockResource
267 : GetSystemInfo
268 : FindNextFileW
269 : GetFileTime
270 : LoadLibraryA
271 : lstrcmpA
272 : SetFileAttributesW
273 : CreateDirectoryW
274 : WaitForSingleObject
275 : SignalObjectAndWait
276 : SetEvent
277 : CreateRemoteThread
278 : OpenProcess
279 : VirtualFreeEx
280 : ReadProcessMemory
281 : TerminateProcess
282 : VirtualProtectEx
283 : VirtualAllocEx
284 : ResetEvent
285 : GetExitCodeThread
286 : CreateEventW
287 : DuplicateHandle
288 : WriteProcessMemory
289 : ResumeThread
290 : CreateMutexW
291 : LocalFree
292 : lstrcpyW
293 : DeleteFileW
294 : SetCurrentDirectoryW
295 : EnterCriticalSection
296 : MoveFileW
297 : GetTempPathW
298 : GetStartupInfoW
299 : GetModuleFileNameW
300 : GetFileAttributesW
301 : LeaveCriticalSection
302 : Sleep
303 : InitializeCriticalSectionAndSpinCount
304 : GetTickCount
305 : MoveFileExW
306 : CreateProcessW
307 : GetTempFileNameW
308 : lstrcmpiW
309 : CreateFileW
310 : ReadFile
311 : WriteFile
312 : SetFilePointer
313 : GetVersion
314 : CloseHandle
315 : GetVersionExW
316 : GetCurrentProcess
317 : GetSystemTimeAsFileTime
318 : GetCurrentProcessId
319 : lstrlenA
320 : UnhandledExceptionFilter
321 : SetUnhandledExceptionFilter
322 : GetCurrentThreadId
323 : QueryPerformanceCounter
324 : GetModuleHandleA
325 : WideCharToMultiByte
326 : MultiByteToWideChar
327 : Process32FirstW
328 : Process32NextW
329 : CreateToolhelp32Snapshot
330 : ADVAPI32.dll
331 : GetUserNameW
332 : GetTokenInformation
333 : LookupAccountSidW
334 : DuplicateTokenEx
335 : CreateProcessAsUserW
336 : EqualSid
337 : OpenProcessToken
338 : FreeSid
339 : AllocateAndInitializeSid
340 : CryptDestroyKey
341 : CryptHashData
342 : CryptDestroyHash
343 : CryptDecrypt
344 : CryptCreateHash
345 : CryptImportKey
346 : ConvertStringSecurityDescriptorToSecurityDescriptorW
347 : CryptReleaseContext
348 : CryptSetKeyParam
349 : CryptAcquireContextW
350 : CryptGetHashParam
351 : LookupPrivilegeValueW
352 : AdjustTokenPrivileges
353 : RevertToSelf
354 : RegCreateKeyExW
355 : RegCloseKey
356 : RegOpenKeyExW
357 : RegSetValueExW
358 : SetNamedSecurityInfoW
359 : SetSecurityInfo
360 : GetSecurityInfo
361 : SetEntriesInAclW
362 : GetLengthSid
363 : CopySid
364 : InitializeSecurityDescriptor
365 : SetSecurityDescriptorDacl
366 : ole32.dll
367 : CoCreateInstance
368 : CoUninitialize
369 : CRYPT32.dll
370 : CryptStringToBinaryW
371 : CryptBinaryToStringW
372 : SHLWAPI.dll
373 : PathFindFileNameW
374 : PathAddBackslashW
375 : PathRenameExtensionW
376 : StrStrIW
377 : PathRemoveBackslashW
378 : PathRemoveFileSpecW
379 : PathFindExtensionW
380 : ntdll.dll
381 : NtQueryInformationProcess
382 : IPHLPAPI.dll
383 : GetAdaptersInfo
384 : USERENV.dll
385 : CreateEnvironmentBlock
386 : DestroyEnvironmentBlock
387 : LoadUserProfileW
388 : UnloadUserProfile
#include <stdio.h>
#include <windows.h>
#include <cstdlib>
#include <iostream>
#include "peconv.h"
/*
Requires a path to the original TrickBot module: c3737aaf6b613a7c7d5e0c6d3c0d60a2
*/
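// Offsets from the mapped image base of sample c3737aaf6b613a7c7d5e0c6d3c0d60a2.
// They belong to that build only and have to be re-derived for any other module.
constexpr unsigned long long OFFSET_DECODE_LIST = 0xe930;  // decode_from_the_list
constexpr unsigned long long OFFSET_DECODE_STR = 0x40c0;   // decode_string
constexpr unsigned long long OFFSET_ENC_LIST = 0x27C44;    // enc_string_list

// The sample's own decode routines, resolved in main() once the module is mapped.
// Calling either of them executes the sample's code inside this process.
int(__cdecl *decode_from_the_list)(DWORD string_index, char *output_buf) = nullptr;
int(__cdecl *decode_str)(char* input_buf, char *output_buf) = nullptr;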
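namespace {

/// RAII owner of the image that peconv::load_pe_executable maps from disk.
/// The buffer is released on every exit path of main(), including the error
/// ones, instead of relying on a free_pe_buffer call before each return.
struct MappedModule {
    // declared before `base` so it is zeroed before load_pe_executable receives it
    size_t size = 0;
    BYTE *base = nullptr;

    explicit MappedModule(const char *path) : base(peconv::load_pe_executable(path, size)) {}
    ~MappedModule()
    {
        if (base) {
            peconv::free_pe_buffer(base, size);
        }
    }
    MappedModule(const MappedModule &) = delete;
    MappedModule &operator=(const MappedModule &) = delete;
};

/// Keeps the console window open before exiting (the tool is run from a
/// double-click) and passes the exit code through, so callers can write
/// `return pause_and_exit(code);`.
int pause_and_exit(int code)
{
    system("pause");
    return code;
}

/// Walks the sample's table of pointers to encoded strings, decodes every
/// entry with the sample's own routine and prints it as "<index> : <plaintext>".
/// Stops at the first table slot that lies outside the mapped image, at the
/// first pointer that does so, or when the decoder reports failure.
void dump_string_table(const MappedModule &mod, char *out_buf)
{
    char **enc_list = reinterpret_cast<char **>(mod.base + OFFSET_ENC_LIST);
    // Starts at 1 like the original tool; slot 0 presumably is not a string — TODO confirm.
    for (DWORD i = 1; ; i++) {
        // the slot itself has to be inside the image before it is read ...
        if (!peconv::validate_ptr(mod.base, mod.size, &enc_list[i], sizeof(*enc_list))) {
            break;
        }
        // ... and so has the encoded string it points to
        if (!peconv::validate_ptr(mod.base, mod.size, enc_list[i], sizeof(PVOID))) {
            break;
        }
        if (decode_str(enc_list[i], out_buf) == 0) {
            break;
        }
        // flush per line: the decoder is the sample's code and may crash mid-table
        std::cout << i << " : " << out_buf << std::endl;
    }
}

} // namespace

/// Entry point.
/// argv[1]: path to the TrickBot module the hard-coded OFFSET_* values were taken from.
/// argv[2]: optional encoded string; when present only that string is decoded,
///          otherwise the whole embedded string table is dumped.
/// Returns 0 on success (and, as before, on a usage error), -1 when the module
/// cannot be loaded or the supplied string cannot be decoded.
/// The sample is mapped with peconv and its own decode routines are called
/// in-process, i.e. the sample's code runs inside this tool; use it only in an
/// isolated analysis environment.
int main(int argc, char *argv[])
{
    if (argc < 2) {
        std::cerr << "Args: <path to the malware> [string to decode]" << std::endl;
        return pause_and_exit(0);
    }
    const char *mal_path = argv[1];
    char *inp_str = (argc >= 3) ? argv[2] : nullptr;

    std::cout << "Reading module from: " << mal_path << std::endl;
    MappedModule mod(mal_path);
    if (!mod.base) {
        return pause_and_exit(-1);
    }
    std::cout << "Loaded" << std::endl;

    // Resolve the sample's decode routines at their sample-specific offsets.
    // decode_from_the_list is resolved for completeness; only decode_str is called here.
    const ULONGLONG base = reinterpret_cast<ULONGLONG>(mod.base);
    decode_from_the_list = reinterpret_cast<decltype(decode_from_the_list)>(base + OFFSET_DECODE_LIST);
    decode_str = reinterpret_cast<decltype(decode_str)>(base + OFFSET_DECODE_STR);

    // decode_str takes no output size, so this bound is an assumption about the
    // sample's longest string — TODO confirm against the decoder.
    char out_buf[0x1000] = { 0 };
    if (inp_str != nullptr) {
        if (decode_str(inp_str, out_buf) == 0) {
            std::cerr << "[ERROR] Invalid input. Could not decode" << std::endl;
            return -1;
        }
        std::cout << out_buf << std::endl;
        return pause_and_exit(0);
    }
    // nothing supplied: decode the internal table
    dump_string_table(mod, out_buf);
    return pause_and_exit(0);
}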
@hasherezade

Decoder for the TrickBot strings, based on LibPeConv library.
Using sample:
https://www.virustotal.com/#/file/74c8906309f3beb372346a86ef672e7b20b5ee0708b56a5b11b2693139429583/detection
