spender-sandbox / cuckoo-modified

Modified edition of cuckoo
392 stars 178 forks

TrickBot failed analysis #383

Open SeanKim777 opened 7 years ago

SeanKim777 commented 7 years ago

Hi, I found TrickBot. SHA256: dc2e70d7deaac4e2d85851e2b7c484565b20ba329e4a27ff3611175372eadc96 (VT Scan, Malwr)

Submitted to cuckoo with a Win7 guest, but the analysis finished without any network traffic being generated.

Tested whether Analyzer.py line 402 properly restarts the Task Scheduler, but line 411 returned non-zero (1 or 6): subprocess.call(['net', 'stop', 'schedule', '/y'], startupinfo=si)

I still don't fully understand why it restarts the schedule service, but it may not be working in a Windows 7 environment. Also, I tried to manually execute 'net stop schedule' with an Administrator account but got Access denied.

Please give me advice.

FYI, manually executing the malware generated network traffic even though its C2s are currently down.

Please see below regarding TrickBot:
https://www.bleepingcomputer.com/news/security/new-trickbot-campaign-spamming-malicious-complaint-doc-attachments/
https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/
http://www.threatgeek.com/2016/10/trickbot-the-dyre-connection.html
https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/amp/

Nwinternights commented 7 years ago

Same here...! The odd thing is that I've submitted the sample 10 times and only once did I get network traffic results. Regards

agaglia commented 7 years ago

Could it be a problem with cuckoomon? In a failed case, the behavior shows fewer processes than a successful analysis does.

Nwinternights commented 7 years ago

When the analysis goes OK, a process subtree is created:
services.exe 488 C:\Windows\system32\services.exe
svchost.exe 864 C:\Windows\system32\svchost.exe -k netsvcs
taskeng.exe 2264 taskeng.exe {3B343AAC-4815-46B8-93D1-76BBFADB99C4} S-1-5-18:NT AUTHORITY\System:Service:
...when it fails, it seems that the task scheduler doesn't work, and it stops.

spender-sandbox commented 7 years ago

I'll take a look, thanks.

-Brad

eoinmiller-sfdc commented 7 years ago

It always seems to balloon up the memory usage and crash in our instances. We have loads of hashes/samples for this one in particular if it would be useful, @spender-sandbox

Attached is a list of MD5s for maldocs and payloads for TrickBot: trickbot.txt

Nwinternights commented 7 years ago

Just for testing, I've set up an XP VM (I've been using 7 64-bit) and I always get network info (host name and partial DNS, only myexternalip.com).

SeanKim777 commented 7 years ago

@spender-sandbox any update? Still seeing lots of TrickBot and I cannot manage to analyse it using cuckoo.

spender-sandbox commented 7 years ago

I did take a look at it for several days, basically reversed the entire thing statically. From what I can tell though it doesn't really seem to have to do with trickbot itself but with something going wrong in the task scheduler (and that's after testing out fixes for elevated SYSTEM restart of the task scheduler). Without the task scheduler part working correctly, the code won't proceed to network connectivity. My only suggestion there for now until someone else spends (a lot more time) trying to determine exactly what goes wrong with the task scheduler would be to run it on XP. The code has handling for both, and the older task scheduler API it uses for XP doesn't exhibit the same problems seen on 7+.

-Brad

SeanKim777 commented 7 years ago

Thank you for detailed information. I'll have a look at more on task scheduler part then.

jgajek commented 7 years ago

Task is set to trigger at midnight. Try setting the VM clock to just before midnight before launching the analysis. You also need to run the analysis for at least 8 minutes after the scheduled task triggers.

SeanKim777 commented 7 years ago

Tested on WinXP; the task newly created by TrickBot will repeat every 1 minute, so you don't need to set the VM clock.

jgajek commented 7 years ago

That's only true for XP. It behaves differently on Win 7.

SeanKim777 commented 7 years ago

@jgajek I just checked it on Win7 as well; the task will be repeated every 1 minute. (screenshot: task_scheduler)

jgajek commented 7 years ago

Test the actual behavior instead of just looking at the settings ;)

SeanKim777 commented 7 years ago

Manually executed the file, as cuckoo cannot analyse TrickBot properly on Win7, as @spender-sandbox mentioned. If I terminate the malware process and also disable the task created by the malware named 'Bot', then no malware process will be newly executed. Am I misunderstanding? hmm.... :-(

jgajek commented 7 years ago

Sorry if I was unclear. Try this:

  1. Submit the trickbot executable for analysis via Cuckoo (to a Win 7 VM). Disable the human interaction module and set the timeout to something like 900 seconds.

  2. After the analysis VM launches, give it a minute for the Cuckoo agent to launch the executable, then go to the analysis VM's desktop, and manually change clock to 11:59 PM.

  3. Wait until the clock turns 12:00 AM, and you should see the scheduled task launch. If you watch in task manager, you should see a trickbot process appear. You need to let it run for several minutes, as the initial trickbot process launches a chain of three child processes. It is the fourth process in the chain that initiates the network activity.

  4. After the analysis & processing terminates, you should see the expected results in Cuckoo:

(screenshots: trickbot1, trickbot2, trickbot3, trickbot4)
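The failure modes described in this thread (the task scheduler never launching the task, the launched chain stopping before the fourth process, or the chain completing with no traffic captured) can be told apart from the process tree and network section of the report. The check below is an added example, not code from the thread or from the cuckoo-modified project. It encodes the Win7 launch path quoted above (services.exe -> svchost.exe -k netsvcs -> taskeng.exe) and jgajek's observation that the fourth process in the chain is the one that reaches the network. The report field names (process_id, parent_id, process_name, command_line, network.hosts, network.dns) are assumed to follow the general shape of a Cuckoo report.json and may differ by version; both sample reports are constructed.

```python
"""Triage a Cuckoo-style report for the TrickBot scheduled-task launch chain.

Added example. Field names are assumptions about the report layout; the
sample reports at the bottom are constructed, not real sandbox output.
"""
from collections import defaultdict

# Win7 launch path of a task fired by the Task Scheduler (quoted in the thread):
# services.exe -> svchost.exe -k netsvcs -> taskeng.exe -> <task payload>
TASK_HOST = "taskeng.exe"
TASK_HOST_PARENT = "svchost.exe"
TASK_HOST_GRANDPARENT = "services.exe"
# Payload + three children; the fourth process initiates network activity.
NETWORK_CHAIN_LENGTH = 4


def build_tree(processes):
    """Index process records by pid and by parent pid."""
    by_pid = {p["process_id"]: p for p in processes}
    children = defaultdict(list)
    for p in processes:
        children[p["parent_id"]].append(p)
    return by_pid, children


def _name(by_pid, pid):
    p = by_pid.get(pid)
    return p["process_name"].lower() if p else None


def task_host_pids(processes):
    """Pids of taskeng.exe instances spawned via the Task Scheduler service."""
    by_pid, _ = build_tree(processes)
    hits = []
    for p in processes:
        if p["process_name"].lower() != TASK_HOST:
            continue
        parent = by_pid.get(p["parent_id"])
        if parent is None or parent["process_name"].lower() != TASK_HOST_PARENT:
            continue
        if "netsvcs" not in parent.get("command_line", ""):
            continue
        if _name(by_pid, parent["parent_id"]) != TASK_HOST_GRANDPARENT:
            continue
        hits.append(p["process_id"])
    return hits


def longest_chain(processes, root_pid):
    """Length of the longest descendant chain below root_pid (root excluded)."""
    _, children = build_tree(processes)

    def depth(pid):
        kids = children.get(pid, [])
        return 0 if not kids else 1 + max(depth(k["process_id"]) for k in kids)

    return depth(root_pid)


def triage(report):
    """Classify an analysis as complete or as one of the thread's failure modes."""
    procs = report["behavior"]["processes"]
    net = report.get("network", {})
    network_seen = bool(net.get("hosts") or net.get("dns"))
    hosts = task_host_pids(procs)
    chain = max((longest_chain(procs, h) for h in hosts), default=0)
    if not hosts:
        verdict = "task never fired (check schedule service / VM clock)"
    elif chain < NETWORK_CHAIN_LENGTH:
        verdict = "task fired but chain stopped early (raise the timeout)"
    elif not network_seen:
        verdict = "full chain ran, no traffic captured (check C2 reachability / capture)"
    else:
        verdict = "complete run"
    return {"task_fired": bool(hosts), "chain_length": chain,
            "network_seen": network_seen, "verdict": verdict}


def _proc(pid, ppid, name, cmd=""):
    return {"process_id": pid, "parent_id": ppid, "process_name": name, "command_line": cmd}


# Constructed reports mirroring the successful and failed runs from the thread.
SUCCESS_REPORT = {
    "behavior": {"processes": [
        _proc(488, 4, "services.exe", r"C:\Windows\system32\services.exe"),
        _proc(864, 488, "svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs"),
        _proc(2264, 864, "taskeng.exe", "taskeng.exe {3B343AAC-4815-46B8-93D1-76BBFADB99C4}"),
        _proc(2300, 2264, "sample.exe"),
        _proc(2316, 2300, "sample.exe"),
        _proc(2332, 2316, "sample.exe"),
        _proc(2348, 2332, "sample.exe"),  # fourth in the chain: talks to C2
    ]},
    "network": {"hosts": ["203.0.113.10"], "dns": []},
}
FAILED_REPORT = {
    "behavior": {"processes": [
        _proc(488, 4, "services.exe", r"C:\Windows\system32\services.exe"),
        _proc(864, 488, "svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs"),
        _proc(1500, 1400, "sample.exe"),  # only the agent-launched dropper ran
    ]},
    "network": {"hosts": [], "dns": []},
}

if __name__ == "__main__":
    for label, rep in (("success", SUCCESS_REPORT), ("failed", FAILED_REPORT)):
        print(label, triage(rep))
```

Run it against a report.json loaded with json.load; a verdict of "task never fired" on Win7 is the case this thread is about, and "chain stopped early" is the case jgajek's 900-second timeout addresses.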

SeanKim777 commented 7 years ago

@jgajek Thank you for the detailed explanation.

nahaye commented 6 years ago

I still cannot execute the task scheduler.

nahaye commented 6 years ago

The task is created with this delay, so the task scheduler will not execute it within the analysis time.

doomedraven commented 6 years ago

Cuckoo doesn't follow/support the created jobs.