
Add trickbot malware (cape) - 19 comments - CLOSED

ctxis commented on July 19, 2024
Add trickbot malware

Comments (19)

kevoreilly commented on July 19, 2024

doomedraven commented on July 19, 2024

It's very easy to do it with signature+volatility

enzok commented on July 19, 2024

This is a malwareconfig decoder I found, not sure if it works or not. I wanted to see if this could be used with CAPE. I've looked at the other decoders to use as an example, but I'm still unclear what the best approach is to implement it.

https://github.com/kevthehermit/RATDecoders/blob/master/decoders/TrickBot.py

enzok commented on July 19, 2024

I ran a trickbot sample and found that process dumps contained not only the trickbot loader, which has both the 32-bit and 64-bit main bot executables as resources, but also the 32-bit main executable. At this point the config is in the resources of the executable. I'm unsure how to proceed from here. I can of course manually pull the config and decode it using a Python script. What's the best way to integrate with CAPE?

kevoreilly commented on July 19, 2024

Ah fantastic, I didn't realise there was a new malwareconfig.com signature and parser. I have already integrated malwareconfig/RATDecoders, so all that is needed is to put the Yara sig into data/yara/CAPE and put the parser into modules/processing/parsers/malwareconfig. I've just added these and pushed, so do a quick pull and see if it works. Would you be able to share the hash(es) for the samples you are looking at so I can test?

Cheers

enzok commented on July 19, 2024

0a8a65f81001f20152e3b7591b01cfc82d3af55dd6a45187f8cdf38e15c23875 is the one I've been looking at.

enzok commented on July 19, 2024

Process Name: 0a7a54e70000e10041d2a6480a00beb71c2ae44cc5a34076e7bce27d04b12764.exe
PID: 3416
Dump Size: 96256 bytes
Module Path: C:\Users\carlos\AppData\Roaming\winapp\0a7a54e70000e10041d2a6480a00beb71c2ae44cc5a34076e7bce27d04b12764.exe
Type: PE image: 32-bit executable
MD5: fc02b19daa60f2a0b0fab45ba7f2ac85
SHA1: 3bcddd949eb8b024a7f36c3627c8e91ad3fd35ea
SHA256: 66a7d7fc706a6c29314416fb66d448124157eaf45f39f41c866aa8b8c5417f8b
CRC32: 45FF8456
Ssdeep: 1536:v6bgEmPRnvuNbysAvZCoyUb5jV3DjpHzJ2T983SBcQ4xwZlYozj6csLWGAMnUnux:vogtPRnvabZAQVy3BTm983e4uZlYozj8
ClamAV: Win.Trojan.Trickbot-6335790-0
Yara:
network_dns - Communications use DNS
Visual_Cpp_2005_Release_Microsoft -
VC8_Microsoft_Corporation -
Armadillo_v4x -
Microsoft_Visual_Cpp_8 -
IsPE32 -
IsWindowsGUI -
HasRichSignature - Rich Signature Check
CAPE Yara: None matched
Dump Filename: 66a7d7fc706a6c29314416fb66d448124157eaf45f39f41c866aa8b8c5417f8b

Here's the results after running with your commit. This is the 32-bit bot exe with the encrypted config resource. Doesn't appear to have been decoded and/or the yara signature didn't match.

kevoreilly commented on July 19, 2024

Right, I have added a bit of code from this version to the yara sig to detect the 32-bit main exe. The config parser should now work - I get the following from this sample:

Type: TrickBot Config
servs: 84.238.198.166:449,91.139.236.92:449,84.40.65.85:449,51.254.164.249:443,188.165.62.15:443,67.21.84.23:443,210.16.102.251:443,188.165.62.8:443,185.147.34.95:443,185.158.115.151:443,104.152.187.28:443,5.152.210.179:443,178.156.202.227:443,216.107.149.57:443,194.87.237.129:443,194.87.235.164:443,93.95.97.180:443,194.87.238.42:443,178.156.202.226:443,185.117.73.4:443
ver: 1000044
gtag: kas7
autorun: [[('ctl', 'GetSystemInfo'), ('name', 'systeminfo')], [('name', 'injectDll

Let me know if it works for you.

enzok commented on July 19, 2024

Did you submit the 32-bit main manually? I submitted the original and it didn't detect. I would have expected the yara rule to trigger on the dumped process. Is that incorrect?

kevoreilly commented on July 19, 2024

My bad - the bit I added to the sig had an address in it which turns out to be variable - I've pushed a fix now.

You are right - the Yara sig should trigger on the process dump, as well as on some of the payloads from the resulting Extraction job. Let me know if it's working now.

enzok commented on July 19, 2024

Latest commit worked.

I noticed the following in the log, not sure if it's anything to be concerned about.

ERROR: CAPE: malwareconfig parsing error with TrickBot: not well-formed (invalid token): line 1, column 1

doomedraven commented on July 19, 2024

That is xml related

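The config CAPE prints earlier in the thread (ver, gtag, servs, autorun) is an XML document once decrypted, which is why the "not well-formed (invalid token): line 1, column 1" message is an XML parser error rather than a decoder bug: Python's ElementTree raises it when the bytes handed to it do not start with XML, typically because the decryption routine left a length prefix, padding or nulls around the document. The following is an added example, not code from CAPE or from the RATDecoders TrickBot.py parser. It parses a constructed TrickBot-style config into the same shape as the output above, and shows how a decoder can turn that parse error into a logged, recoverable condition (trim to the outermost angle brackets and retry once) instead of silently returning an empty config. The tag names mcconf, srv and module are assumptions about the layout; the field names and values are the ones from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a real decrypted config): a TrickBot-style XML
# document with the fields the decoder reports. Tag names mcconf, srv and
# module are assumptions; ver/gtag/servs/autorun values come from the thread.
SAMPLE_CONFIG = (
    b"<mcconf>"
    b"<ver>1000044</ver>"
    b"<gtag>kas7</gtag>"
    b"<servs>"
    b"<srv>84.238.198.166:449</srv>"
    b"<srv>91.139.236.92:449</srv>"
    b"<srv>51.254.164.249:443</srv>"
    b"</servs>"
    b"<autorun>"
    b'<module name="systeminfo" ctl="GetSystemInfo"/>'
    b'<module name="injectDll"/>'
    b"</autorun>"
    b"</mcconf>"
)

# Constructed failure case: the same document wrapped in a 4-byte prefix and
# 8 bytes of trailing nulls, the kind of buffer a decryption step returns when
# a length header or block padding was not stripped. ElementTree rejects it
# at line 1 with "not well-formed (invalid token)".
JUNK_PREFIXED_CONFIG = b"\x00\x00\x10\x00" + SAMPLE_CONFIG + b"\x00" * 8


def parse_trickbot_config(blob):
    """Parse a decrypted config into the dict shape CAPE reports.

    Raises xml.etree.ElementTree.ParseError if the blob is not XML.
    """
    root = ET.fromstring(blob)
    config = {"Type": "TrickBot Config"}
    for field in ("ver", "gtag"):
        node = root.find(field)
        if node is not None and node.text:
            config[field] = node.text.strip()
    # CAPE joins these with commas when printing; keep them as a list here.
    config["servs"] = [
        srv.text.strip() for srv in root.iterfind("servs/srv") if srv.text
    ]
    # One entry per autorun module, as a sorted list of (attribute, value)
    # tuples, which gives the [('ctl', ...), ('name', ...)] order seen above.
    config["autorun"] = [
        sorted(module.attrib.items()) for module in root.iterfind("autorun/module")
    ]
    return config


def recover_xml(blob):
    """Return the span from the first '<' to the last '>', or None if absent."""
    start = blob.find(b"<")
    end = blob.rfind(b">")
    if start < 0 or end < start:
        return None
    return blob[start:end + 1]


def decode_config(blob):
    """Decoder entry point: parse, and on ParseError retry once on a trimmed blob.

    Returns (config, note). config is None when nothing parseable was found, and
    note says what happened so the caller can log it rather than report an
    empty config with no explanation.
    """
    try:
        return parse_trickbot_config(blob), "parsed"
    except ET.ParseError as exc:
        first_error = "malwareconfig parsing error with TrickBot: %s" % exc
    trimmed = recover_xml(blob)
    if trimmed is None or trimmed == blob:
        return None, first_error
    try:
        config = parse_trickbot_config(trimmed)
    except ET.ParseError as exc:
        # Still not XML after trimming: most likely a wrong key, not padding.
        return None, "malwareconfig parsing error with TrickBot (after trim): %s" % exc
    leading = blob.find(b"<")
    trailing = len(blob) - blob.rfind(b">") - 1
    return config, "parsed after trimming %d leading / %d trailing bytes" % (leading, trailing)


if __name__ == "__main__":
    for label, blob in (("clean", SAMPLE_CONFIG), ("junk-wrapped", JUNK_PREFIXED_CONFIG)):
        config, note = decode_config(blob)
        print(label, note)
        print(config)
```

Since the blob comes straight out of a malware sample, a production parser should call defusedxml.ElementTree.fromstring instead of the standard library xml.etree, which is used here only to keep the example dependency-free; defusedxml refuses entity expansion and DTD tricks that a hostile config could carry.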

enzok commented on July 19, 2024

Ok thanks.

kevoreilly commented on July 19, 2024

I didn't see that error myself, but if the config looks complete it may not be worth worrying about. But to investigate it, I would probably either run/debug the standalone decoder on the extracted payload (or process dump) or alternatively debug the decoder within CAPE using Python Tools for Visual Studio. Let me know if you want any pointers in doing either of these.

enzok commented on July 19, 2024

Will PT for VS allow for remote debugging to a linux server running CAPE?

kevoreilly commented on July 19, 2024

Yep this is what I use to debug CAPE - it works really well, although the setup is a bit of a faff. Worth it though.

enzok commented on July 19, 2024

Then I will definitely take whatever pointers you can offer to get it setup. I'll Google around and see how far I get. Thanks.

kevoreilly commented on July 19, 2024

Currently for this I'm using VS2012 and PTVS 2.1. Once you've got it set up, you launch the solution, then Debug->Attach to Process, then pick Python remote debugging to connect to the server. On the server side, you need to add a few lines to the top of cuckoo.py:

import ptvsd
# Start the remote debug listener. secret=None disables the attach secret,
# so anyone who can reach the debug port can attach: only do this on a
# sandbox host you trust and that is not exposed to the network.
ptvsd.enable_attach(secret=None)
# Block here until Visual Studio attaches, then continue into cuckoo.py.
ptvsd.wait_for_attach()

before launching it obviously. It will appear hung waiting until you connect from VS then you will be running and can set breakpoints etc accordingly. Let me know how you get on.

enzok commented on July 19, 2024

Can you run this sample and see if you get a config?
I get empty config results, but it does recognize it as TrickBot.
4b6a4fdafa64cf28891d2811416b23590b99269015ab90b2f4f3f3f8bd347399

Nevermind. I found a silly bug I introduced in the TrickBot.py file.
