How to Analyze a TrickBot PoS Module w/ Labeled Data Structures in IDA Pro

ZYWU
Jan 10, 2019

TrickBot is yet another active banking trojan in the wild. The malware is modular: any module can be pushed to and executed on an infected machine.

For those who want to know the background of TrickBot, my personal suggestion is to read hasherezade's and Vitali Kremez's research. Just search for the researcher's name together with TrickBot and you will find a whole bunch of great material.

Main

Today I'm going to share how I label data structure names in a TrickBot PoS module in IDA Pro, and my analysis of it.

I use the sample Vitali shared here: https://www.vkremez.com/2018/11/lets-learn-introducing-latest-trickbot.html. He has done a great analysis of the sample. Here I just want to add some labels in IDA Pro and hope that helps anyone who also wants to poke around.

Once the sample is loaded into IDA Pro, the procedure that searches Active Directory (AD) looks like this:

This is not easy to understand at all. There are many dereferences of unknown data structures that make the pseudocode hard to read. We can see three IID strings:

{001677D0-FD16-11CE-ABC4-02608C9E7553} #IADsContainer
{00020404-0000-0000-C000-000000000046} #IEnumVARIANT
{109BA8EC-92F0-11D0-A790-00C04FD8D5A8} #IDirectorySearch

The API ADsOpenObject is declared as follows:

HRESULT ADsOpenObject(
LPCWSTR lpszPathName,
LPCWSTR lpszUserName,
LPCWSTR lpszPassword,
DWORD dwReserved,
REFIID riid,
void **ppObject
);

The argument riid is IADsContainer, so ppObject should have a data type related to IADsContainer. According to the official documentation, it is defined in adshlp.h.

In adshlp.h, the IID is defined together with the data structures IADsContainerVtbl and IADsContainer.

Let's add the data structures to IDA Pro: press SHIFT+F9 to open the Structures window, press INSERT, and type in IADsContainerVtbl and IADsContainer. Then right-click the variable name ppObject -> Convert to struct * -> choose IADsContainer. We get this:

Repeating the same steps for the other interfaces, we finally get much friendlier pseudocode.

In summary, the module is interested in the following:

However, there is an additional check on this:

"&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"

OID 1.2.840.113556.1.4.803 resolves to a Microsoft OID used with DEN, and the userAccountControl value 8192 means SERVER_TRUST_ACCOUNT. If a computer matches these criteria, the module shows its interest as follows:
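To make concrete which machines that LDAP filter selects, here is an added example (not from the post and not code from the sample) that evaluates the filter against a few constructed directory entries. The `:1.2.840.113556.1.4.803:=` syntax is LDAP's bitwise-AND matching rule, so the item matches whenever the SERVER_TRUST_ACCOUNT bit is set in userAccountControl, whatever other bits are set. It assumes a leading "(" on the quoted string (needed for a well-formed filter) and simplified entries whose objectCategory is the bare word computer.

```python
import re

SERVER_TRUST_ACCOUNT = 8192              # userAccountControl bit 0x2000, set on domain controllers
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
# The filter quoted in the post; the leading "(" is an assumption so it parses as a well-formed filter.
MODULE_FILTER = "(&(objectCategory=computer)(userAccountControl:%s:=%d))" % (BIT_AND_RULE, SERVER_TRUST_ACCOUNT)

def parse(s, i=0):
    """Parse a filter subset: &/| sets, equality items and extensible (attr:oid:=value) items."""
    assert s[i] == "(", "filter item must start with '('"
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        assert s[i] == ")", "unterminated filter set"
        return (op, kids), i + 1
    j = s.index(")", i)
    m = re.fullmatch(r"([\w-]+)(?::([\d.]+):)?=(.*)", s[i:j])
    assert m, "unsupported filter item: " + s[i:j]
    return ("=", m.group(1), m.group(2), m.group(3)), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of attribute -> value)."""
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(matches(k, entry) for k in node[1])
    _, attr, rule, value = node
    actual = entry.get(attr)
    if actual is None:
        return False                      # an absent attribute never matches
    if rule == BIT_AND_RULE:              # bitwise AND: every bit of value must be set in actual
        return int(actual) & int(value) == int(value)
    if rule is None:                      # plain equality; AD compares case-insensitively
        return str(actual).lower() == value.lower()
    raise ValueError("unsupported matching rule " + rule)

# Constructed sample directory entries (not real hosts), simplified to the attributes used.
SAMPLE_ENTRIES = [
    {"cn": "DC01", "objectCategory": "computer", "userAccountControl": 532480},  # 0x82000: DC
    {"cn": "WS-07", "objectCategory": "computer", "userAccountControl": 4096},   # 0x1000: workstation
    {"cn": "svc-acct", "objectCategory": "person", "userAccountControl": 8704},  # 0x2200: bit set, not a computer
]

def select_domain_controllers(entries, filter_text=MODULE_FILTER):
    """Return the cn of every entry the module's filter would select."""
    tree, end = parse(filter_text)
    assert end == len(filter_text), "trailing text after filter"
    return [e["cn"] for e in entries if matches(tree, e)]
```

Only DC01 survives: the workstation lacks the bit, and the person object has the bit but fails the objectCategory item, which is why the module lands on domain controllers specifically.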

That’s all, see you next time.
