Let’s Learn: Decoding Latest "TrickBot" Loader String Template & New Tor Plugin Server Communication

Goal: Document presence of the new TrickBot Tor plugin server and deobfuscate the latest TrickBot Loader malware string template.
Trick Loader MD5: 6124c863c08f92732da180d4cf7cbf38 

https://platform.twitter.com/widgets.jsOutline

I. Background
II. New Discovery: Tor Plugin Server in Config
III. TrickBot Loader Deobfuscation Walkthrough
IV. Analysis of Deobfuscated TrickBot Loader
 A. Checks for the presence of the virtual machine processes and  analysis DLLs
 B. Injected process
 C. Imported DLL
 D. Command-line arguments via 
 cmd.exe & PowerShell -DisableRealtimeMonitoring
 E. Checks for processes
 F. Configuration storage
 G. Directory name in %APPDATA%
 H. Oddities
V. Analysis of Latest TrickBot Core Possible Build ‘1041’
 A. Hardcoded Tor Relay List
 B. External IP Resolution
 C. Task Scheduler XML Struct
 D. Bot IP Check for Spam Blocklist

I. Background
While analyzing one of the latest TrickBot samples from the impersonated Danske Bank sender (thanks to @dvk01uk for the sample), I decided to take a deeper dive into TrickBot Loader.
II. New Discovery: Tor Plugin Server in Config
The TrickBot crew recently implemented a plugin server communication via Tor .onion on port:448 to fetch malware modules. 

It is a novel technique for TrickBot; it is likely they are experimenting with the Tor connector in order to improve and/or sustain first-layer module and proxy server resiliency. It is also possible that the Tor connector would be a new norm for the TrickBot crew to not only fetch modules but also for client-server communications similarly as it is performed in the other malware variants such as Gozi ISFB Botnet “4000”.
III. TrickBot Loader Deobfuscation Walkthrough
A. Retrieve the first self-injected unpacked TrickBot payload in memory and dump as an executable and disk.
B. Locate the encoded string template in OllyDBG and set up a hardware breakpoint on access (DWORD), and run until you see the key and template execution.

C. Dump and save the encoded template ‘data’ with its ‘key’;
D. Decode the custom Base64 obfuscated string template (thanks to @sysopfb for the script) by entering the encoded template to ‘data’ and its key to ‘key’; and

import base64

data = 'dUQGvV0XC3hkvV0\x00vKYkvV0IbVyM\x00dUQM9UN0PuhkvV0\x00q/YUqmigCXAIbVyM\x00EWqp\x00dlbWPVFX9BhG2Vo\x00mVSXvnxp\x00d7JpvlfGqHhkvV0\x009nSWPVxWPHhkvV0\x00bVfKPVxMdBhkvV0\x009liGdlihcnYMvt\x00qmigmUy5bHhkvV0\x00oUfgboYMvBhkvV0\x00olQfv3hkvV0\x00bVGHml9Q9VJZcnYMvt\x00oUqHcnYMvt\x00qUSk9KfpCXAIbVyM\x00dUhrPVMIbVyM\x00DxJNYw9N\x00uoxxdUxH\x00opFVxN9iokxdD/GWdnFXvUbpmN9gvnY59lC1DGYdElxHdnxI9NbGdKJgvUhd\x00o7f5b7xW9whQv/o\x00YmbQv7xQ9VG5v1\x00opFVxN9iokxdD/GWdnFXvUbpmNbgdKYSq/01D/NWPVGIbE\x002XJNJobOJpqhcDGiJDwzJOCUJHphCOqXcowyCWtHJOYVEkxOJlp\x002XbNYwEUYOdpcoC0COdzJwolJuSBJXbicooSJXE0TDkSYDApElp\x00bmQ0vVFHbmAIbmQG\x00qny5vUYhAVf5vlYhAVfMquikbui3v7xk2ui3vlYp2ui3vVw1vVQGAVJQdVGpq/GIbui3vVF5bVoQ\x00vUyGCXAIbVyM\x009lYXqmigCXA\x00xSYDY/hSv/xHqmYGoUxXdUG5vKJi\x00xSYDYKfGboSGv/FH2E\x00xSYDYUxpE/JpPmbGEUFIdUFMbxJGdlJgvUhfbt\x00xSYDomxGdKGxdUxHxVFeb/r\x00oUxoqUfEdnGUP/yGbUo\x00Y/yG9nNpP/FITkNkv/GIPmJpdnNpvlAQvnxlT1\x00cny5b0\x00qUygb/hpmUGk\x00f/EGbBxkc1\x009mJGdWCHcnYMvt\x00EpyDuoYVdnFzolYHP/hK\x00uoGwYKf5vxJpdnGIb0\x00EXgdo7f5blfQvuiVP/yGdSyDvliZvlJdoUF0PVFXANJhdlYGvuiEdnFpb/JpP/FIm7JXdBhG2Vo\x00qUSkcnxrbE\x00cUC1vnxpA7Jpvlt1opN/oUxH9nGWbE\x00cUC1vnxpA7Jpvlt1opN/E/YzP/hDbmfUP/JG\x00cUC1vnxpA7Jpvlt1oUF0PVFXAwNS9VFxdVYQ9Vo1oUxH9nGWbE\x00cUC1vnxpA7Jpvlt1oUF0PVFXYVNpqxfGqUFHbVxHoUxH9nGWbE\x00cUC1vnxpA7Jpvlt1oUF0PVFXAwSOoHiibUxI9t\x00cUC1vnxpA7Jpvlt1oUF0PVFXAwSOoHiOvVGGvKE\x00cUC1vnxpA7Jpvlt1dUF0PVFXdliX\x00cUC1vnxpA7Jpvlt1oUhpdBiDbmfUP/JG\x00cUC1vnxpA7Jpvlt1oUF0PVFXAN9Gq3iOvUhpdnFMANJGdKbgqUo\x00cUC1vnxpA7Jpvlt1dl9gmlJGdKbgqUo\x00cUC1vnxpA7Jpvlt1dl9gmlx0bVNpbxaUJt\x00EXgdo7f5blfQvuiVP/yGdSyDvliZvlJdoUF0PVFXANJhdlYGvuiEdnFpb/JpP/FImOwIbmQG\x00EXgdo7f5blfQvuiVP/yGdSyJq/ylqmfGqKGpbmJdE/hpPuSJq/ylqmfGmwSBEoSDbmfUP/JGcnxrbE\x00cUC1dUC1dlY5dBimP/hwb/bGvnE\x00cUC1dUC1bVxMbmYGAN9gvkYGbnxIbt\x00DmJJdwxIbHhG2Vo\x00DxJiopJSPo0IbmQG\x00DxJiopJSPuhG2Vo\x00cUC1dVFlbmfXPVxMvBiDbmEzDmiEdnxnbmfGvnJGABSwPmJQqnyGonxQv7Ygv/xJvUhg9VFHP/hKABYpdKxG\x00opFVxN9iokxdoVFMP/JgbmJdD/GWdnFXvUbpmN9gvnY59lC1YVxnb/hkbmA\x00YVGXq/fMboNI9VGDd7GlqmfG\x00opFVxN9iokxdD/GWdnFXvUbpmN9gvnY59lC1YVxnb/hkbmA1oUxW9mfg97k1EUxI9VxHmwh59VGnP/JQ9VG5vKC\x00YVGXq/fMboh59VGnP/JQ9VG5vKC\x00xUGIYVxnb/hk\x00mwbioE\x00mNfNEoYJYuhzbt\x00DofiDxJGdKbgqUo\x00opN/oUxH9nGWbE\x00oUNUoUxH9nGWbuhG2Vo\x00EoyJvUrIbmQG\x00oUF0PVFXYGCIbmQG\x00EoyX9nCIbmQG\x00EUyGq/rIbmQG\x00opN/E/YzP/hDbmfUP/JGcnxrbE\x00oUNUoUxH9nGWbuhG2Vo\x00EoyJvUrIbmQG\x00cUC1dUC1dlY5dBiDExbDbmfUP/JG\x00cUC1dUC1bVxMbmYGANJixGJGdKbgqUo\x00opFVxN9iokxdD/GWdnFXvUbpmN9gvnY59lC1DGYdElxHdnxI9NbGdKJgvUhdu/SQbUo1YnGMbuiN2VxW9mYgvUr1DlipP/FId0\x00YVx39/9KbmA\x00PUgebUQSblxnbKGePnQeP1\x00'
key = 'tiBOwNV7AfLcCJT8EYuDox/mqbPvd92R1Q3WkGnKZgjeMzI50yHXpSUlrh64aFs+'
std_b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

for s in data.split('\x00'):
s = s.translate(str.maketrans(key,std_b64))
if len(s)%4 != 0:
s += '='*(4 - len(s)%4)
print(base64.b64decode(s))

E. Review the output

b'shell32.dll'
b'ntdll.dll'
b'shlwapi.dll'
b'advapi32.dll'
b'B64'
b'svchost.exe'
b'\\msnet'
b'pstorec.dll'
b'vmcheck.dll'
b'dbghelp.dll'
b'wpespy.dll'
b'api_log.dll'
b'SbieDll.dll'
b'SxIn.dll'
b'dir_watch.dll'
b'Sf2.dll'
b'cmdvrt32.dll'
b'snxhk.dll'
b'MSEDGE'
b'IEUser'
b'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\'
b'ProductName'
b'Evaluation'
b'SOFTWARE\\Microsoft\\Virtual Machine'
b'{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
b'{6EDD6D74-C007-4E75-B76A-E5740995E24C}'
b'explorer.exe'
b'bloody booty bla de bludy botty bla lhe capitaine bloode!'
b'ole32.dll'
b'wtsapi32'
b'WTSEnumerateSessionsA'
b'WTSFreeMemory'
b'WTSGetActiveConsoleSessionId'
b'WTSQueryUserToken'
b'SeTcbPrivilege'
b'Elevation:Administrator!new:'
b'.log'
b'client_id'
b'%d%d%d.'
b'user32.dll'
b'CLSIDFromString'
b'IIDFromString'
b'C:\\Program Files\\Sophos\\Sophos System Protection\\ssp.exe'
b'cmd.exe'
b'/c net stop SAVService'
b'/c net stop SAVAdminService'
b'/c net stop Sophos AutoUpdate Service'
b'/c net stop SophosDataRecorderService'
b'/c net stop Sophos MCS Agent'
b'/c net stop Sophos MCS Client'
b'/c net stop sophossps'
b'/c net stop Sntp Service'
b'/c net stop Sophos Web Control Service'
b'/c net stop swi_service'
b'/c net stop swi_update_64'
b'C:\\Program Files\\Sophos\\Sophos System Protection\\1.exe'
b'C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe'
b'/c sc stop WinDefend'
b'/c sc delete WinDefend'
b'MsMpEng.exe'
b'MSASCuiL.exe'
b'MSASCui.exe'
b'/c powershell Set-MpPreference -DisableRealtimeMonitoring $true'
b'SOFTWARE\\Policies\\Microsoft\\Windows Defender'
b'DisableAntiSpyware'
b'SOFTWARE\\Microsoft\\Windows Defender Security Center\\Notifications'
b'DisableNotifications'
b'WinDefend'
b'\\FAQ'
b'\\README.md'
b'MBAMService'
b'SAVService'
b'SavService.exe'
b'ALMon.exe'
b'SophosFS.exe'
b'ALsvc.exe'
b'Clean.exe'
b'SAVAdminService.exe'
b'SavService.exe'
b'ALMon.exe'
b'/c sc stop SAVService'
b'/c sc delete SAVService'
b'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options'
b'Debugger'
b'kjkghuguffykjhkj'

IV. Analysis of Deobfuscated TrickBot Loader
The TrickBot Loader contains various logic targeting and “relaxing” various security measures on the host machine including stopping a plethora of Sophos and Windows Defender anti-virus services. Additionally, TrickBot Loader executes a Powershell script disabling real-time monitoring via “powershell Set-MpPreference -DisableRealtimeMonitoring $true”. Based on the analysis of the Loader, the crew is primarily concerned about Sophos, Windows Defender, and MalwareBytes anti-virus engines. Currently, this Loader installs itself and creates a directory “msnet” in %APPDATA%.
The oddities of the TrickBot loader include ever-present string  ‘bloody booty bla de bludy botty bla lhe capitaine bloode!’ as well as a random ‘kjkghuguffykjhkj’ ones. The TrickBot crew appears to reference the US movie Captain Blood” (“Capitaine Blood” in French), in which “[i]n 1685, Dr. Peter Blood was arrested for assisting a wounded rebel in a revolt against King James II of England…Blood and Levasseur [main nemesis of Blood. -VK] not being able to agree on the attribution of this “booty”, a duel ensues where Blood kills Levasseur, before starting on the way to Jamaica to deposit Arabella and the royal delegate.”
 It is notable that the group consistently improves its loader since its rather crude GetModuleHandle anti-analysis DLL check implementation in late 2017.
A. Checks for the presence of the virtual machine processes and analysis DLL;

b'pstorec.dll'
b'vmcheck.dll'
b'dbghelp.dll'
b'wpespy.dll'
b'api_log.dll'
b'SbieDll.dll'
b'SxIn.dll'
b'dir_watch.dll'
b'Sf2.dll'
b'cmdvrt32.dll'
b'snxhk.dll
B. Injected process;

b'svchost.exe'
C. Imported DLLs;
b'shell32.dll'
b'ntdll.dll'
b'shlwapi.dll'
b'advapi32.dll'
b'ole32.dll'
b'user32.dll'
D. Command-line arguments via cmd.exe;

/c powershell Set-MpPreference -DisableRealtimeMonitoring $true'
b'/c net stop SAVService'
b'/c net stop SAVAdminService'
b'/c net stop Sophos AutoUpdate Service'
b'/c net stop SophosDataRecorderService'
b'/c net stop Sophos MCS Agent'
b'/c net stop Sophos MCS Client'
b'/c net stop sophossps'
b'/c net stop Sntp Service'
b'/c net stop Sophos Web Control Service'
b'/c net stop swi_service'
b'/c net stop swi_update_64'
b'/c sc stop SAVService'
b'/c sc delete SAVService'
E. Checks for processes and services;
b'MBAMService'
b'SAVService'
b'SavService.exe'
b'ALMon.exe'
b'SophosFS.exe'
b'ALsvc.exe'
b'Clean.exe'
b'SAVAdminService.exe'
b'SavService.exe'
b'ALMon.exe'
b'MsMpEng.exe'
b'MSASCuiL.exe'
b'MSASCui.exe'
b'C:\\Program Files\\Sophos\\Sophos System Protection\\1.exe'
b'C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe'
b'C:\\Program Files\\Sophos\\Sophos System Protection\\ssp.exe'

F. Configuration storage;

b'\\FAQ'
b'\\README.md'

G. Directory name in %APPDATA%;

b'\\msnet'

H: Oddities

b'bloody booty bla de bludy botty bla lhe capitaine bloode!'
b'kjkghuguffykjhkj'

II. Update: July 26, 2018: Analysis of Latest TrickBot Core Possible Build ‘1041’
This exact methodology also works to decode the bot core template.

import base64

data = 's27kD6oUsVHWbWAeD645DIT tIf04osR4VdBbyfyM2YWsw 8IsRmldjGTs1myWeD67X427xByYjQ6k BEdWQV8W8276MVdjDy/WDC8rDIfqMw ssHoTUsNsh7UDIw 86sxB280bl8WbCHdDy4j asA3toAATLU14IYk tC88m2seGTW14yfeD2oxM2f1TldjQ6sRbw DC8UDIw14IYk TIoxML45Dy8oGl8WDCH5D67V TIoxModWD2f64T45DIstbIsqsw TIoxModWD2f64Td0Q6XRDIoRMob TE8eTE8easb TIoxModWDyoX4TsvmIs1b6WjDWb TIoxMLoU4Ld0Q6XRDIoRMob TIoxML45Dy8IM2YWtyoX4sb Tx0zsxoBaa7UDIw BEd7bl8rM270bCWTD/HxbyW14/b BEd7bl8tmld5DymTDxd5DyoeGsb B/d4ToBRzh7UDIw B6fsDyW1MV85Q2Y5GyT B6fPbys0mIsdDCHxQ27q4B D6YWzR314IYk T6sxT6sqmVd5mlWL4VHqbyWwmIfe8IoqD+ a275mIW0DIWF4sHWQEseMV878IsRQEd5bl8jbu B6fwGsH54+ 86sxtIs14E8nT6WU T6sx827xbyWWbxW1B2Hksw 86sxT6sqmVd5mlWdDy4j T6sxT6sqmVd5mlWdDy4j T6sxtyoX428t42H/byWxGTW14yfV TysCT6sxsyokm2soGob TysCtEAWDUXWGTsvsw TysCB6Yjb6si4VU TysCBEdWQV8Wa6s78V0V Tys64VdxsIft42Yy B28gmVHxsIfc427BbyW6M2YW46sR tIfjMEswTld5myWk42mWsyokm2sV BEd7bl8l4V83QVHnTIoeQ2x BEd7bl8AQEo/MVdWB6f1mIsvmob BEd7bl8t4V8i4VWBQVd0DB BEd7bl8a42YWQVHWB6f1mIsvm+ B6f1mysemoHxbyW14/HWQEseMV878IsRQEd5bl8jbW8jT6sqmVd5mlWL4VHqbyWwmIfesw BEd7bl8dDVAjbC8i4VU BEd7bl8Pbys0mIs3QVHn BEd7bl8L42HeGVAx BEd7bl8L4VHxbyf7aIoRM+ BEd7bl83QVHn8IoxQB BEd7bl8L4VHxbyf7a6s7 B2YkD6H0mIsADy8dDyWxM2okMV5WT6WU 8CdW4sH54+ tEAWDWAeD6HWbEHTD6XWDu 8Vo/Q2YtM2B BEdWQV8WTldjQ6sRbxoRsVHWbWb 8lswDIWqQV8WsIfc427oG+ tIfjMEswB2HqDEs1moH54ob 86sxsIfc427dDy4jby/0mIWjDu 86sxsVHWbU70D2sV BT82BsAdzR314IYk BEdWQV8WsIfjDI0WDl+RzWH1QVARMIfx TldjQ6sRbRzetysvmob TldjQ6sRbRze8yWebE8V tVskmIWrGV8WsIfVM28WB600bu s6WU4THnQVdTDx//Dl85BCWx4B 86sxt2fUm2YWaIo14IYWBB TVsWbCWB4VdyDEdXQ27q4THjm27x4V3 86sxBEsebys1mo8nbys04LWU T6sxs27nQ27UDIsU8V0q4VAxM2f18yWkmIse s27nQ27UDIsU8V0q4VAxM2f18yWkmIse DlHxbyYWDUL 86sxBEsebys1moAeD6HWbEHd4+ 86sxTEWRmIsXsIWX4ToR8yWk4s85D2T 86sxBEsebys1moAeD6HWbEz 86sxsyseb6WjDUsvsw 86sxsyseb6WjDu T6sx8yWk4sAjM27x4V3 sEd5mIsIM2YW Tys04L45DIT BEdWQV8W8yWk4sb DlHxbyHXbIWV 86sxsIsXbL45DIsNQ2/Wsw BEdWQV8WTldjQ6sRb/b t2f64T45DIsoGob 86sxsIWqMxHjm27x a275mIW0DIWF4THeMV85Q6okT6sqmIWjDUo14oHwM27PDEs1m+ T6YW4V+ 86sx8yWk4Toxmld5QCsx4VHV 86sxt2fUm2YW8yWk4T70D2sV 86sxTE80bC8/bLW14yfV 86sxsIsXboA0mI0V t2f64T45DIsV T6sxBEsebys1mL85bysqmIfeGsb 8Isk4V8W8yWk4sb DlHxbyHwGsb tIfqQ2YIbysW BEdWQV8WtVsx4V0V TysRm2/WsI0e42oU sEd5mIsBbyfq4VHRt2sXDEd7 8lswDIWqQV8WaIo14IYW BEdWQV8W8V4WDC8V 86sx8V05mLHj4IsTMldWQ2B syWemls0DLokDIfq8Vu syWemls0DoAeDE8WQE8oG+ sIseD2W1QV8WTldjQ6sRbw Tys04oAeD6HWbEHH42/jbCU syWemls0DL4e42soG+ tEAWDWAeD6HWbEz BEdWQV8WTysXDE8WsI0e42oU T6sx8V4WDCB BEdWQV8W8IWe42HxDEd7sw T6sx8yWk4Toxmld5QCsx4VHV DlHxbyHXbLL tIf04LY5QCd0bCWA 86sx8yWk4s85D2T 8yW14L7WGl8IM2YWsw 86sxTEWRmIsXa27yDw tIfqM/dWb6f/byHW 8yW14LHkDEHW 86sxtIoRmLsebyfe DlHxbyHwG27V T6sx8yWk4s85D2T 86sxt2fUm2YWaIo14IYWsw tIf04odWb6f/byHW 8CdW4TY5QCd0bCU 8yW14odWb6f/byHWsw 8yW14L45bCHx8yWk4sb 86sx8CskDoA0mI0NQ2/Wsw DlHxbyYWDWb DlHxbyHXbob 86sxB6fXblsx4VdNQ2/Wsw BEdWQV8WsI0e42oU iRfyDEdXQVBfmIsvm+ mEmEiy/74V0x4Vd1Q2Y5br7qD6x M28WDCB1D2T QVA5iyWwiCHh VIWjQ6fwGB s6o1modWDIs0b6T 4yWymlU Q6/Uiysv4B ztu/iqBYiqL/HrvYzR+FNt+wzB zRb1zqTeiqL7zrvYHRQFHPBR NP31ztLviqLEiq3RHtnxHPz NPz1ztQRiqL6HrvYHtn7zP+R HqU1ztQRiqzxiqLEzRnxHPz ztT7iqu7iqL/zavezRLFNt+wzB zqLeiqBEiq3xHhvezqUFNt+wzw NPB1HP+1ztLeiqbwNqUwzPL zhvYzRb1ztQ1zqB/NqUwzPL ztU7iq3xNavezqz1Hq3FHPBR ztu/iq3eiqLEzhvezRbFHPBR NPu1NtU1zqL6iqL7HPn7zP+Y ztu/iqLRiqz7iqL7HRnxHPz ztQeiq3xHevEzhvezPLFHPBR ztbxiqLeHeveztb1HRzFHtT/HtB B6f1mIs1mr/z427CmIuF3+ PBnHru dVzudszuao8TTrZYiqLHrU0jbEBF3rsRdVzWTw iyf1M2f1 M27yDe7UQVB TUsA8L/oiy/U 8Uo8 8Lsr8w tToPaLWN8sYttx4Tsxoa8sYHM2HeDEHj4C8bt2WqbyfRD64x3Lo1mIWXQ2YEQVdWVLsvQ6Y/b6WjDCHbTIoxMlz tToPaLWN8sYttx4Tsxoa8sYBD6Y5Q6WWb/YHM2HeDEHj4C8bs6W14IfEbeAL424WDy8WbWYoGIHkmVH5D67RVoA0mI0R tToPaLWN8sYttx4Tsxoa8sYHM2HeDEHj4C8bs6W14IfEbeAL424WDy8WbWYoGIHkmVH5D67RVoA0mI0R s6W18Isy427U 86YjQyokVrTwNIYQdt+xDouWDlT 3lmjbyX5Dyb bIoxM+ myseiC8vm+ t2fUm2YWTVsWbCU tIs0mysPbyWxM2H0DoHWQE85D6v 827x4VdPbyWxM2H0DoHWQE85D6v a275mIW0DIWF4THeMV85Q6okT6sqmIWjDu sUsaTw T6WCDyoxmVdWtIs14E8n 8THPTosrtLWPBUY9Bu 8THLTxopTPzvH+ bEA0Da7UDCHhDr7RDEdhbe714VB 4I7RQywXza7/Q6swbyfx42Hxiy7Wm+ Qh7hQVdeQ2H/4Ioq427xbyokiyfe4w Q6dkiyohmVHWQVB1DEdC Gys1iCHwQ2/nQVsRiyfe4w 86sxtyoxMV4WTEWRmIsXa27yDw t2fUm2YW3IWR3I7jmrA6Q2Y54+ Q6Y5427xV6WU zt+xzB iEAkQ2W1i6HkM2s1mIWw iE8WGlB iEd0mw i6Ww iEAkQ2W1 MV+1Q277bEdqiy7Wm+ mE8yMVHXG2WwiyHjDB DVWWGl8Wby70DIWwiyHjDB M2H0Dy00GyWwiyHjDB QVA5iyWwM247iyfe4w MVA5Dy4jiyWj MVAWQ60jiy7Wm+ Q60WQ6X5br70D2oFD670mEz1Q6fX bEHWbCB 8PnnBtkS8xLSNRXV8rUnBtkS8xLSNRXrBaUnBtkS8xLSNRXt2aUnBtkS8xLSNRXaBeU 86YjQyokVL//mIL iaxWbexXPBnHru iaxWbwxKB6f1mIs1mr/LMVHwDEH5mIWjDqnu4yfeDa/UQV80NeA1Q2/W9a3WTe3HruxK B6f1mIs1mr/TGVAWNhAXm2YxMVA0bCBj4yfeDa/UQV80NeAhDEs14IoeGtxWbwxKB6f1mIs1mr/z427CmIuF3rsUPBnHru iaxXiaxXByf/Dy80bCUWzP0Q m6W1bE80zoYU4240m2Yx s/8tTVsWbCWsb6sesIfc42v s/8t86sxB2HxMV4WB6f1b6fk4sHWbEH5D67d4+ s/8t8CdW4T/WD2feGB s/8t827/D2seQV8WT6sRb6WjDCHA mE8RQVA5zR3 86sxTldjQxoU4ldWbEz tIf04LY5QCd0bCWV 8V05moAeD6HWbEz TysR4V8omys1m+ B6Yjb6s3Q27UDIT s6o5mL4jbWH5Dymk4TfhMysqm+ T6WCDyokt6dg42HxB27Us6o5m+ bE4qMIfRmr7WGIT Tysk42oR4B 8CdW4Td/4y4Wbu B6f1mldjD+ TE80bCB tIf04rAxDeAH3I40M2YW4+ TCs13LBu4yo5DIsU tIf04rAxDeAB3I40M2YW4+ 8yW14rAB3I40M2YW4+ BEdWQV8W3o5B3I40M2YW4+ t2fUm2YW3I00beA0DldWQ2873IdW42vuDIf04IsU bIoe427x4yWk4Vz MV+ M2B bIseM2fU 4yWk4B Q6f14u QVdC Q6f1mldjD+ DysW4IW14yZ QVsxD6HjDC8eD6w QVsxD6HjDyQ bldjQ6sRb670D2T bEWR G2sR QVsxDEHxQVdx 9I/j4lsk42HjDy454Rvg9rfXD68/DIsqD67yM2bO dVzWbw dVzWb/fqD67yM2mRV+ t2fUm2YWb/w aIs0bodWB2YkD6z aIs0bL4e42T 86sxTldjQ6sRbx0WQV+ aIs0bLokDIfq M6seDyskzR314IYk zrvwiq+1z+ TLfts+ 8xsT sVdk8VHqQVAWsw b60km6owMB BUHeGVAx8IsRmldjGTXWGB BUHeGVAxB6Yjb6sADImjbyWxMI/Bbyf6M28Wbu BUHeGVAxsyseM247T6WCDyoxmVdW BUHeGVAx86sxTldjbIsemlU BUHeGVAxa2/wDEdxa6s7TIo5bu BUHeGVAxtEAWDUok46feMV8nDsAeDE454Ise tUHeGVAx8CdW4TfhMysqm+ tUHeGVAx8Isk4V8Wa6s7 tUHeGVAxa2/wDEdxa6s7 tUHeGVAxtEAWDWHxDEd046sBbyf6M28Wbu ByHeGVAxiy8kD+ tyHeGVAxiy8kD+ dVzudVzuT/+W4+ GPu6 GPQx s27cDyfEDu s6W14IfEbe+ezP+w s6W14IfEbeAQT+ s6W14IfEbeAt4Vd64V3uzq+wzw s6W14IfEbeA2MVHxQB s6W14IfEbeAt4Vd64V3uzq+wN+ s6W14IfEbe+E s6W14IfEbeAt4Vd64V3uzq+wNrAazu s6W14IfEbe+v s6W14IfEbeAt4Vd64V3uzq+Yzu s6W14IfEbe+viqL s6W14IfEbeAt4Vd64V3uzq+YzhAazu s6W14IfEbe+Yz+ s6W14IfEbe+YzrAt4Vd64V3 t2fFM2YkQaZ/iq+uKom5Dy8jmEzutWBuzt+1zPkus6W1HqBS3lu6HrUuBVAwDIsV42diMVBjHtzEiqz63r0iao8HtrwuDIWc4aAl42HcDeUuB60eD6/WiRQwiq+1zRLYzhvYztzuT6oyQVd5iRTRHevRHu blHemu bIY/46W1bw 4V0wMV3 b6semyHjDyQ d2BW4rsUiu t2fUm2YW3Iokbys04lUum27kD6oU42B B6f1mldjDrAyQ2Wk42B t2fUm2YW3lm0beA/DyYjQ28W4+ TldjQ6sRbeAnQVzuQysWDhAyM275b60W4+ bysk42oR4B TE80bCBu4yo5DIsU TldjQ6sRbeAEQVzum27kD6oU42B 86sxTIoe427xa27yDeAWbCdjbu s270QyYW3l8j3IYjQ2BuD2fUm2YW3I4eD6xub6semyse bE80bCB 8IsqD68W3I4eD6xuBUot8tQx3Isebyfe s6W1zR3u4VdeDE3 a276Q2Y54rAwQVd0DVzuQ6f/DCB tyZubIoeQ2/R M27yDw 4IoxQB dVzjdVzjHqBjdVzjdVzjdVzj Dyf1Q2/W dVzjdVzjHqzjdVzjdVzjdVzjdVzj iesRiesRiR3/iesRiw iesRiesRiR3RiesUiw iesRiesRiRLxiesRiesRiR+j iesRiesRiRLwiesRiesRiesUiw iesRiesRiRTjdVzj iesRiesRiRLjdVzj iesRiesRiR+jdVzjdVzjdVzjdVzjdVzj bEd6 QE8k DyoX4B D2fUm2YW tVHtGVHx42/VQV8qMIse dVz1dVz1dVz1dVz dVz1dVz dsUXd2xXd28TdTuFdTxFdsz 9rfsb6sea2BO 9osR4Vdd4Pv 9LYj46f1slWw4t7dDC8WbyoqmIW64s8jM6s19rfzD6mjDW87bITOrqYam27z4V4WDP7z42oRmoAeMV45DIsC4twjTCs1tIs642wO 9od/DUYWmysk9U05460WbE8Amyo5DIohDITZi/d/DUYWmysk9unZ8EdjmVAd4P7NsrAAss83t/ddsoWbT/WtsLsH9rflbyf/bLWU9unZtIfCD67TGVAW9UW1mIseQ2HxMV4WsIfc42vZixYj46f1slWw4tvK 9rfrD6fxsld546mWbqvK 9LdjDE8TbyWC46se9unZ8270QyYW4P7xbCsW9rfoDyohDIsU9un 9rfPD6/XQ27U9unZixsv42zOrqwjB2HxM2f1bRvK9rfTQVHc9un 9rfBbyW1Q6WwQ2wOrqwjTld5DyH5bIokbRvK9oHWml85DymR9unZtVskmIWwDIsdDCHxQ27q4VHBD6Y5QEUOa2m1DEdWtysE9rfHm2YxMVAk4TW1bE80DyHWb/AjDIWqGtvK9L85b6okDIfETE80bC8d4Uf1ByoxmIseM2sR9y40DlHW9rfLMVH0DIYjm/HxQVdxa249DUd0ml8WbyWWbRvK9oHxDEAd4UmjM27Ct67rQV8x4Vd54VzO4yokb6TZi/HxDEAd4UmjM27Ct67rQV8x4Vd54VzOrqYADIYjmx00by8T4VdXM270mITO4yokb6TZixokDIfEaIoe4o8Wby/5Dyox4tvK9oHxQVdxs60WDUo6Q2WkQ2dk4t7xbCsW9rftmIoemomn427Amyo5DIohDITOrqYam279DyY7a24N4V8EDEdcBV40M2Y0QyYW9y40DlHW9rfam279DyY7a24N4V8EDEdcBV40M2Y0QyYW9unZa28k4sHWml85DymR9unZTE8jbLf1a28k4Ts14P7xbCsW9rftmIfwt67d4IYW827U9unZTysRmIoemLf1a28k4t7yQ2YR4twjTysRmIoemLf1a28k4tvK9rfd4IYWT6sxmIW14EzOrqYADIYjm/HxQVdxt67L42/0DyBOmld/4twjB2YkDEmtmIoemLf18IsXQ27U9unZ8270QyYW4P7xbCsW9rfoDyohDIsU9unZaIWU4Is19C8em2TZix054I8WDqvK9od/DUf1DlWd4UWUDITO4yokb6TZi/d/DUf1DlWd4UWUDITOrqYVQ2XWsIfam2vO4yokb6TZi/m0M6sTD/d/DqvK9Lsv42H/mIWjDW85D2szM2/5mP7BsPAt9rfoGIsqmV85D67TM2/WtIWXMVBOrqYBbyWjbyWxGtvE9rfBbyWjbyWxGtvK9rft4V8xM27CbRvK9LoqmIWjDCzuB6f1mIsvmPxhBVsxMIfe3qvK9Lsv42zOrqYPD6/XQ27U9u 9rftmIoemLdjm27UQVd79unZ8270QyYW4P7xbCsW9rfoDyohDIsU9unZT6Hn428/DIsrGT80GtvK9L80GVHdDC8WbC40DPvY9rfLQVWRa27x4Vd6Q2wOrqwjT6Hn428/DIsrGT80GtvK9rfPQ2YWDy80bW8eM2mC4V3Orqwjsld546mWbCzOrqYBbyW1Q6WwQ2YR9unZTld5DyH5bIok3IWU9adAmV8nDE3h9un 9LH0DIs14Ioesld546mWbqvK9odWbIsxMV85D6vOrqYdDC8WbC40DP7BsPLwttwja27x4Vd6Q2wOrqYLmVd0mIWjDq7BzTBZix8/byoxM2f19unZTE8jbLox8lseQV85D67oDyBO4yokb6TZi/HxDEAAmL8/byoxM2f1827U9unZi/dWbIsxMV85D6vOrqYtmIoemLdjm27UQVd79u 9PfvD2wumyseb6WjDqxhzavw3hAWDyHj4IW14Rxhss8IitL63qZOrqYTQVHc3l4WbCH5D6vf3qL1zh3KGI/kDCzf3y0xml+FiefRQ60WD2oRiy/5QEdjb6fymr7qD6xjm6W14IfEbeZezP+xiR+ei6/5mrfxQVHc3qvK9odW46WRmld0mIWjDUW14yZOrqY24VdRM2f19qL1zrvY9rf24VdRM2f19unZ8IsRQEd5bl85D6vOtVzuTEWRmIsX3lm0mIHn4V3Zix8Wb6HeMVAxM2f19unZssdd9qwjssdd9unZi/dW46WRmld0mIWjDUW14yZOrqYTbyWC46sebRvK T/WtsLsH dVzub/80bCB 4EdjmVApmIoC TUst mVHWbu Q6f14yWCiyHjDyQ iC8Xb+ mI/w bEAc dVzudVz TxWNau Dyfx3IY5bE8W4+ DIWRmIsU 8L7tBUw Q6Y5427x3IWR3I7jmrAh4205DyButUoT Q6Y5427x3IWR3IdWMIW14rANBsB 4yo5DIsU'
key = '+ArPLoIl3dKizHN9B8atTs2VQ4MDbmGpu0hqUWyCn5gckX1jwYeRx/6Ev7FSZfOJ'
std_b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

for s in data.split(' '):
s = s.translate(str.maketrans(key,std_b64))
if len(s)%4 != 0:
s += '='*(4 - len(s)%4)
print(base64.b64decode(s))

The output is as follows:

b'UnloadUserProfile'
b'LoadUserProfileW'
b'DestroyEnvironmentBlock'
b'CreateEnvironmentBlock'
b'USERENV.dll'
b'GetAdaptersInfo'
b'IPHLPAPI.dll'
b'NtQueryInformationProcess'
b'ntdll.dll'
b'PathFindExtensionW'
b'PathRemoveFileSpecW'
b'PathRemoveBackslashW'
b'StrStrIW'
b'PathRenameExtensionW'
b'PathAddBackslashW'
b'PathFindFileNameW'
b'SHLWAPI.dll'
b'CryptBinaryToStringW'
b'CryptStringToBinaryW'
b'CRYPT32.dll'
b'CoUninitialize'
b'CoCreateInstance'
b'ole32.dll'
b'SetSecurityDescriptorDacl'
b'InitializeSecurityDescriptor'
b'CopySid'
b'GetLengthSid'
b'SetEntriesInAclW'
b'GetSecurityInfo'
b'SetSecurityInfo'
b'SetNamedSecurityInfoW'
b'RegSetValueExW'
b'RegOpenKeyExW'
b'RegCloseKey'
b'RegCreateKeyExW'
b'RevertToSelf'
b'AdjustTokenPrivileges'
b'LookupPrivilegeValueW'
b'CryptGetHashParam'
b'CryptAcquireContextW'
b'CryptSetKeyParam'
b'CryptReleaseContext'
b'ConvertStringSecurityDescriptorToSecurityDescriptorW'
b'CryptImportKey'
b'CryptCreateHash'
b'CryptDecrypt'
b'CryptDestroyHash'
b'CryptHashData'
b'CryptDestroyKey'
b'AllocateAndInitializeSid'
b'FreeSid'
b'OpenProcessToken'
b'EqualSid'
b'CreateProcessAsUserW'
b'DuplicateTokenEx'
b'LookupAccountSidW'
b'GetTokenInformation'
b'GetUserNameW'
b'ADVAPI32.dll'
b'CreateToolhelp32Snapshot'
b'Process32NextW'
b'Process32FirstW'
b'MultiByteToWideChar'
b'WideCharToMultiByte'
b'GetModuleHandleA'
b'QueryPerformanceCounter'
b'GetCurrentThreadId'
b'SetUnhandledExceptionFilter'
b'UnhandledExceptionFilter'
b'lstrlenA'
b'GetCurrentProcessId'
b'GetSystemTimeAsFileTime'
b'GetCurrentProcess'
b'GetVersionExW'
b'GetVersion'
b'SetFilePointer'
b'WriteFile'
b'ReadFile'
b'CreateFileW'
b'lstrcmpiW'
b'GetTempFileNameW'
b'CreateProcessW'
b'MoveFileExW'
b'GetTickCount'
b'InitializeCriticalSectionAndSpinCount'
b'Sleep'
b'GetFileAttributesW'
b'GetModuleFileNameW'
b'GetStartupInfoW'
b'GetTempPathW'
b'MoveFileW'
b'SetCurrentDirectoryW'
b'DeleteFileW'
b'lstrcpyW'
b'LocalFree'
b'CreateMutexW'
b'ResumeThread'
b'WriteProcessMemory'
b'DuplicateHandle'
b'CreateEventW'
b'GetExitCodeThread'
b'VirtualAllocEx'
b'VirtualProtectEx'
b'TerminateProcess'
b'ReadProcessMemory'
b'VirtualFreeEx'
b'OpenProcess'
b'CreateRemoteThread'
b'SetEvent'
b'CreateDirectoryW'
b'SetFileAttributesW'
b'lstrcmpA'
b'LoadLibraryA'
b'GetFileTime'
b'FindNextFileW'
b'GetSystemInfo'
b'LockResource'
b'FindClose'
b'GetLastError'
b'lstrcpynW'
b'SetFileTime'
b'GetModuleHandleW'
b'LoadResource'
b'FreeLibrary'
b'FindResourceW'
b'FindFirstFileW'
b'GetFullPathNameW'
b'lstrlenW'
b'lstrcmpW'
b'GetComputerNameW'
b'CreateThread'
b'/?format=text'
b'www.myexternalip.com'
b'ident.me'
b'api.ip.sb'
b'\\iocopy'
b'WantRelease'
b'fifty'
b'cmd.exe'
b'185.41.154.130:9001'
b'37.252.190.176:443'
b'82.118.17.235:443'
b'83.163.164.15:9003'
b'69.163.34.173:443'
b'159.89.151.231:9001'
b'212.47.246.229:9003'
b'84.40.112.70:9001'
b'2.137.16.245:9001'
b'199.249.223.62:443'
b'185.22.172.237:443'
b'88.99.216.194:9001'
b'185.13.39.197:443'
b'162.247.72.201:443'
b'174.127.217.73:55554'
b'Content-Length: '
b'\r\n\r\n'
b'%s %S HTTP/1.1\r\nHost: %s%s%S'
b'.onion'
b'info.dat'
b'README.md'
b'FAQ'
b'DEBG'
b'MACHINE\\SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Paths'
b'MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Paths'
b'MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths'
b'WinDefend'
b'Global\\%08lX%04lX%lu'
b' working'
b'path'
b'ver.txt'
b'ModuleQuery'
b'LeaveCriticalSection'
b'EnterCriticalSection'
b'InitializeCriticalSection'
b'VERS'
b'SignatureLength'
b'ECCPUBLICBLOB'
b'ECDSA_P384'
b'spam.dnsbl.sorbs.net'
b'dnsbl-1.uceprotect.net'
b'b.barracudacentral.org'
b'cbl.abuseat.org'
b'zen.spamhaus.org'
b'GetNativeSystemInfo'
b'Module is not valid'
b'client_id'
b'1041'
b'/plain/clientip'
b'/text'
b'/raw'
b'/ip'
b'/plain'
b'ip.anysrc.net'
b'wtfismyip.com'
b'myexternalip.com'
b'icanhazip.com'
b'api.ipify.org'
b'ipinfo.io'
b'ipecho.net'
b'checkip.amazonaws.com'
b'ssert'
b'D:(A;;GA;;;WD)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;RC)'
b'Global\\Muta'
b'--%s--\r\n\r\n'
b'--%s\r\nContent-Disposition: form-data; name="%S"\r\n\r\n'
b'Content-Type: multipart/form-data; boundary=%s\r\nContent-Length: %d\r\n\r\n'
b'------Boundary%08X'
b'winsta0\\default'
b'WTSQueryUserToken'
b'WTSGetActiveConsoleSessionId'
b'WTSFreeMemory'
b'WTSEnumerateSessionsA'
b'wtsapi32'
b'GetProcAddress'
b'LoadLibraryW'
b'ExitProcess'
b'ResetEvent'
b'CloseHandle'
b'WaitForSingleObject'
b'SignalObjectAndWait'
b'svchost.exe'
b'Release'
b'FreeBuffer'
b'Control'
b'Start'
b'Load to M failed'
b'Run D failed'
b'Load to P failed'
b'Find P failed'
b'Create ZP failed'
b'Module has already been loaded'
b'parentfiles'
b'ip'
b'id'
b'period'
b'file'
b'conf'
b'arg'
b'control'
b'needinfo'
b'autocontrol'
b'autoconf'
b'processname'
b'sys'
b'yes'
b'autostart'
b'*'
b'%s%s'
b'%s%s_configs\\'
b'Modules\\'
b'HeapReAlloc'
b'HeapFree'
b'GetProcessHeap'
b'HeapAlloc'
b'kernel32.dll'
b'0.0.0.0'
b'POST'
b'GET'
b'UrlEscapeW'
b'shlwapi'
b'BCryptDestroyKey'
b'BCryptCloseAlgorithmProvider'
b'BCryptVerifySignature'
b'BCryptGetProperty'
b'BCryptImportKeyPair'
b'BCryptOpenAlgorithmProvider'
b'NCryptFreeObject'
b'NCryptDeleteKey'
b'NCryptImportKey'
b'NCryptOpenStorageProvider'
b'Bcrypt.dll'
b'Ncrypt.dll'
b'%s %s SP%d'
b'x86'
b'x64'
b'Unknown'
b'Windows 2000'
b'Windows XP'
b'Windows Server 2003'
b'Windows Vista'
b'Windows Server 2008'
b'Windows 7'
b'Windows Server 2008 R2'
b'Windows 8'
b'Windows Server 2012'
b'Windows 8.1'
b'Windows Server 2012 R2'
b'Windows 10'
b'Windows 10 Server'
b'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36'
b'psrv'
b'plugins'
b'expir'
b'servconf'
b'%d%d%d.'
b'Module already unloaded'
b'Control failed'
b'Module was unloaded'
b'Process has been finished'
b'release'
b'Start failed'
b'Process was unloaded'
b'GetParentInfo error'
b'Unable to load module from server'
b'start'
b'Decode from BASE64 error'
b'Win32 error'
b'Invalid params count'
b'No params'
b'info'
b'data'
b'%s/%s/64/%s/%s/%s/'
b'noname'
b'%s/%s/63/%s/%s/%s/%s/'
b'/%s/%s/25/%s/'
b'/%s/%s/23/%d/'
b'/%s/%s/14/%s/%s/0/'
b'/%s/%s/10/%s/%s/%d/'
b'/%s/%s/5/%s/'
b'/%s/%s/1/%s/'
b'/%s/%s/0/%s/%s/%s/%s/%s/'
b'srv'
b'ctl'
b'name'
b'module'
b'MsSystemWatcher'
b'%s.%s.%s.%s'
b'%s.%s'
b'%Y-%m-%dT%H:%M:%S'
b''
b''
b'InteractiveToken\nLeastPrivilege'
b'HighestAvailable\nNT AUTHORITY\\SYSTEM\nInteractiveToken\n'
b'\n'
b'\ntrue\n'
b'\n\n\n\n'
b'\n\n\nIgnoreNew\nfalse\nfalse\nfalse\ntrue\nfalse\n\ntrue\nfalse\n\ntrue\ntrue\ntrue\nfalse\nfalse\nPT0S\n7\n\n\n\n'
b'\ntrue\n\n1\n\n\n\n\n\n'
b'\n\nPT10M\nP1D\nfalse\n\n'
b'\n<Task version="1.2"\nxmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">\n\n1.0.1\nMs System watcher\n\n\n\n'
b'SYSTEM'
b'%s sTart'
b'group_tag'
b'RES'
b'user'
b'config.conf'
b'.tmp'
b'tmp'
b'spk'
b'%s %s'
b'SINJ'
b'not listed'
b'listed'
b'DNSBL'
b'client is not behind NAT'
b'client is behind NAT'
b'failed'

Analysis of Latest TrickBot Core Possible Build ‘1041’
A. Hardcoded Tor Relay List

b'185.41.154.130:9001'
b'37.252.190.176:443'
b'82.118.17.235:443'
b'83.163.164.15:9003'
b'69.163.34.173:443'
b'159.89.151.231:9001'
b'212.47.246.229:9003'
b'84.40.112.70:9001'
b'2.137.16.245:9001'
b'199.249.223.62:443'
b'185.22.172.237:443'
b'88.99.216.194:9001'
b'185.13.39.197:443'
b'162.247.72.201:443'
b'174.127.217.73:55554'

B. External IP Resolution

b'www.myexternalip.com'
b'ident.me'
b'api.ip.sb'
b'ip.anysrc.net'
b'wtfismyip.com'
b'myexternalip.com'
b'icanhazip.com'
b'api.ipify.org'
b'ipinfo.io'
b'ipecho.net'
b'checkip.amazonaws.com'

C. Task Scheduler XML Struct

b''
b''
b'InteractiveToken\nLeastPrivilege'
b'HighestAvailable\nNT AUTHORITY\\SYSTEM\nInteractiveToken\n'
b'\n'
b'\ntrue\n'
b'\n\n\n\n'
b'\n\n\nIgnoreNew\nfalse\nfalse\nfalse\ntrue\nfalse\n\ntrue\nfalse\n\ntrue\ntrue\ntrue\nfalse\nfalse\nPT0S\n7\n\n\n\n'
b'\ntrue\n\n1\n\n\n\n\n\n'
b'\n\nPT10M\nP1D\nfalse\n\n'
b'\n<Task version="1.2"\nxmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">\n\n1.0.1\nMs System watcher\n\n\n\n'

D. Bot IP Check for Spam Blocklist

b'spam.dnsbl.sorbs.net'
b'dnsbl-1.uceprotect.net'
b'b.barracudacentral.org'
b'cbl.abuseat.org'
b'zen.spamhaus.org'

Let’s Learn: Preparing Shellcode in NASM

Goal: Create a neat shellcode without padded “00” in NASM for exploit bundling
Source: OpenSecurityTraining “Software Exploits”
Attempt I:

; ;;;;;;;;;;;;;;;;;;;;;;;; 
basic ‘Hello World’ in nasm
; compile with nasm -f elf hello.asm; ld -o hello hello.o
; ;;;;;;;;;;;;;;;;;;;;;;;;
section .data
; ;;;;;;;;;;;;;;;;;;;;;;;;
msg db ‘Hello World’, 0xa
; ;;;;;;;;;;;;;;;;;;;;;;;;
section .text
; ;;;;;;;;;;;;;;;;;;;;;;;;
global _start
; ;;;;;;;;;;;;;;;;;;;;;;;;
start:
; ;;;;;;;;;;;;;;;;;;;;;;;;
; write(int fd, char *msg, unsigned int len)
; ;;;;;;;;;;;;;;;;;;;;;;;;
mov eax, 4
mov ebx, 1
mov ecx, msg
mov edx, 8
int 0x80
; ;;;;;;;;;;;;;;;;;;;;;;;;
; exit(int ret)
; ;;;;;;;;;;;;;;;;;;;;;;;;
mov eax, 1
mov ebx, 0
int 0x80

Attempt II (change extended to lower byte register values):

; ;;;;;;;;;;;;;;;;;;;;;;;;
section .data
; ;;;;;;;;;;;;;;;;;;;;;;;;
msg db ‘Hello World’, 0xa
; ;;;;;;;;;;;;;;;;;;;;;;;;
section .text
; ;;;;;;;;;;;;;;;;;;;;;;;;
global _start
; ;;;;;;;;;;;;;;;;;;;;;;;;
start:
; ;;;;;;;;;;;;;;;;;;;;;;;;
mov al, 4
mov bl, 1
mov ecx, msg
mov dl, 8
int 0x80
; ;;;;;;;;;;;;;;;;;;;;;;;;
mov al, 1
mov bl, 0
int 0x80

Attempt III (achieve code independence):
; ;;;;;;;;;;;;;;;;;;;;;;;;
section .text
; ;;;;;;;;;;;;;;;;;;;;;;;;
global _start
; ;;;;;;;;;;;;;;;;;;;;;;;;
_start:
; ;;;;;;;;;;;;;;;;;;;;;;;;
; clear out the registers we need
xor eax, eax
xor ebx, ebx
xor ecx, ecx
xor edx, edx
; write(int fd, char *msg, unsigned int len)
mov al, 4
mov bl, 1
; Owned!! = 4f,77,6e,65,64,21,21,0xa
; push \n,!,!,d
push 0x0a212164
; push e,n,w,O
push 0x656e774f
mov dl, 8
int 0x80
; ;;;;;;;;;;;;;;;;;;;;;;;;
mov al, 1
mov bl, 0
int 0x80

Attempt IV (remove 0xa newline):

; ;;;;;;;;;;;;;;;;;;;;;;;;
section .text
; ;;;;;;;;;;;;;;;;;;;;;;;;
global _start
; ;;;;;;;;;;;;;;;;;;;;;;;;
_start:
; ;;;;;;;;;;;;;;;;;;;;;;;;
; clear out the registers we need
xor eax, eax
xor ebx, ebx
xor ecx, ecx
xor edx, edx
; write(int fd, char *msg, unsigned int len)
mov al, 4
mov bl, 1
; Owned!! = 4f,77,6e,65,64,21,21,0xa
; push \n,!,!,d
push 0x21212164
; push e,n,w,O
push 0x656e774f
mov dl, 8
int 0x80
; ;;;;;;;;;;;;;;;;;;;;;;;;
mov al, 1
mov bl, 0
int 0x80

Elasticsearch

Elasticsearch Concept
Goal: Document and annotate some quick notes on learning elasticsearch.

I. CREATING YOUR OWN ANALYZER: SET UP ANALYZER SETTINGS

curl -X PUT "http://localhost:9200/wiki" -d '{
"index" : {
"number_of_shards" : 4,
"number_of_replicas" : 1,
"analysis" : {
"analyzer" : {
"content" : {
"type" : "custom",
"tokenizer" : "standard",
"filter" : ["lowercase", "stop", "kstem"],
"char_filter" : ["html_strip"]
}
}
}
}

}'

II. PUT (CREATE) MAPPING":
CREATE MAPPING (STRING -> TEXT) for INDEX

curl -X PUT "http://localhost:9200/wiki/articles/_mapping" -d '{
"articles" : {
"_all" : { "enabled" : true } ,
"properties" : {
"Title" : { "type" : "text" , "analyzer" : "content" , "include_in_all" : false, "index" : "no" },
"link" : { "type" : "text" , "include_in_all" : false, "index" : "no" },
"Author" : { "type" : "text" , "include_in_all" : false },
"timestamp" : { "type" : "date" , "format" : "dd-MM-yyyy HH:mm:ss", "include_in_all" : false },
"html" : { "type" : "text" , "analyzer" : "content", "include_in_all" : true }
}
}
}'

A. GENERATE JSON OBJECT FOR ELASTICSEARCH

python json_generator.py https://en.wikipedia.org/wiki/France > France.json
'''
# Python module script
/*import urllib2
import json
import sys

link = sys.argv[2]
htmlObj = { "link" : link,
"Author" : "anomymous",
"timestamp" : "12-12-2018 14:16:00",
"Title" : sys.argv[1]
}
response = urllib2.urlopen(link)
htmlObj['html'] = response.read()
print json.dumps(htmlObj, indent=4)
*/
'''

III. XPOST (PUSH) JSON FILE TO ELASTICSEARCH WIKI ARTICLES

curl -XPOST "http://localhost:9200/wiki/articles/" -d @France.json

IV. USING PHRASE QUERY TO SEARCH: SEARCH ELASTICSEARCH INDEX FOR CONTENT

curl -X POST "http://localhost:9200/wiki/_search?pretty" -d '{
"_source" : [
"Title"
],
"query" : {
"query_string": {
"query" : "mobile"
}
}
}'

V. USING THE HIGHLIGHTING FEATURE: SEARCH ELASTICSEARCH INDEX FOR CONTENT (HIGHLIGHTED)

# Query highlighted content
curl -X POST "http://localhost:9200/wiki/_search?pretty" -d '{
"_source" : [
"Title"
],
"query" : {
"query_string": {
"query" : "mobile"
}
}
"highlight" : {
"pre_tags" : [""],
"post_tags" : ["
"],
"fields" : {
"Content" : {}
}
}
}
}'


VI. PAGINATION

curl -X POST "http://localhost:9200/wiki/_search?pretty" -d '{
"from" : 0,
"size" : 10,
"query" : {
"simple_query_string" : {
"query" : "mobile",
"fields" : [
"_all"
]
}
},
"highlight" : {
"fields" : {
"html" : {
"pre_tags" : [
"

"
],
"post_tags" : [
"

"
],
"fragment_size" : 10,
"number_of_fragments" :3
}
}
}
}'

CHAPTER 2: BUILDING YOUR OWN E-COMMERCE SOLUTION

type
String
Integer
Long
Float
Double
Boolean
Date
geo_point
Null
Ipv4

I. CREATE (PUT) INDEX "products"

curl -X PUT "http://localhost:9200/products" -d '{
"index" : {
"number_of_shards" : 1,
"number_of_replicas" : 1
}
}'

II. CREATING MAPPING: Put "product" as the type for "products" index

curl -X PUT "http://localhost:9200/products/product/_mapping" -d '{
"product" : {
"properties" : {
"name" : {
"type" : "text"
},
"description" : {
"type" : "text"
},
"dateOfManufactering" : {
"type" : "date",
"format" : "YYYY-MM-dd"
},
"price" : {
"type" : "long"
},
"productType" : {
"type" : "text",
"include_in_all" : "false",
"index" : "not_analyzed"
},
"totalBuy" : {
"type" : "long",
"include_in_all": "false",
},
"imageURL" : {
"type" : "text",
"include_in_all": "false",
"index" : "no"
},
}
}
}'

Let’s Learn (DIY): Sophisticated Cobalt Strike Gang’s CVE-2017-0199 Loader

Goal: Reverse the first stage loader RTF CVE-2017-0199 loader used by Cobalt Strike gang targeting Russian-speaking financial institutions. This loader’s been seen in conjunction with the Microsoft Word Intruder 8.0.
Source@xdxdxdxdoa
Tool: rtfdump 0.5, ILspy
CVE-2017-0199: Exploit that allows “remote attackers to execute arbitrary code via a crafted document, aka “Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API” [source].
Observed unique filename:

  • Пеня по задолженности.doc -> “Debt collection notification.doc” (from Russian to English)
  • Заявление на расторжение договора.doc -> “Application for contract closure.doc” (from Russian to English)

SHA-256: c5d7c5c94468ba74211e08d7c2ad9d0274011d432edc1af8cdf2215b2c9d9291
Type
  • Rich Text Format (CVE-2017-0199 exploit) 
  • Objects OLE embedded (Package)
  • OLE Autolink (Package)

Here are the steps:
  • I. Command: python2.7 rtfdump.py file.rtf


  • II. Command: python2.7 rtfdump.py -f O file.rtf
OLE 1.0 objects embedded within this RTF file with the “-f O” command
  • III. Command: python2.7 rtfdump.py -s 8 file.rtf | more (on the 8 field found in the previous step)
The section 01050000 02000000 indicates an OLE 1.0 object. As the line starts with 9f330500 contains an OLE file.

With option -H, we can convert the hexadecimal characters to binary:

  • IV. Command: python2.7 rtfdump.py -s 8 -H file.rtf 

With option -i, we can obtain more information about the binary (embedded object):
    • V. Command: python2.7 rtfdump.py -s 8 -H -i file.rtf 

    Name: ‘Package\x00’ Position embedded: 00000020 Size embedded: 0005339f md5: a9039264caf3285bf968849bf84ad951 magic: 02007e57

    With option -E, we can extract the embedded object:

    • VI. Command: python2.7 rtfdump.py -s 8 -H -E -d file.rtf > binary.exe

    The payload is written in Microsoft Visual C# / Basic .NET titled “ExecPS.” Using ILspy, we decompile the embedded binary. The embedded binary has a PDF icon and an internal name as “ExecPS[.]exe.”



    Checks for Dr. Web anti-virus process and breaks if they exist.
    • ProcessName = “dwengine” || “spidergate” || “spidernt” | “spideragent”
    Moreover, the embedded binary is digitally signed by “Elektro, OOO” from Nizhni Novgorod, Russia.

    • CN = Elektro, OOO
    • O = Elektro, OOO
    • STREET = d. 13 kv. 11, prospekt Soyuzny
    • L = Nizhni Novgorod
    • S = Nizhegorodskaya oblast
    • PostalCode = 603040
    • C = RU

    p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px ‘Andale Mono’; color: #28fe14; background-color: #000000; background-color: rgba(0, 0, 0, 0.9)} span.s1 {font-variant-ligatures: no-common-ligatures} p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px ‘Andale Mono’; color: #28fe14; background-color: #000000; background-color: rgba(0, 0, 0, 0.9)} span.s1 {font-variant-ligatures: no-common-ligatures} p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px ‘Andale Mono’; color: #28fe14; background-color: #000000; background-color: rgba(0, 0, 0, 0.9)} span.s1 {font-variant-ligatures: no-common-ligatures}

    p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 8.5px Helvetica}

    06-21-2017 Locky Ransomware: Config Analysis

    Sourcehttps://www.virustotal.com/en/file/b546fad0209bbf800c11565c4720fdb2685966242d2ff162f7be556dd037a6a1/analysis/
    Confighttps://github.com/vkremez/MalwareConfigurations/blob/master/crime_win32_locky_conf_June21-2017.txt


    Locky extension

    .loptr

    POST requests:

    • &length=..&failed=..&encrypted=
    • &act=stats&path=
    • &v=2..&x64=..&sp=..&os=…&serv=..&corp=..&lang=..&act=getkey&affid=..
    • &act=gethtml&lang=..&act=gettext&lang=..

    Registry

    • Software\Microsoft\Windows\CurrentVersion\Run 

    Self-kill routine: 

    cmd.exe /C del /Q /F

    Blacklist

    tmp;winnt;Application Data;AppData;Program Files (x86);Program Files;temp;thumbs.db;$Recycle.Bin;System Volume Information;Boot;Windows

    Locky instructions: 

    /_HELP_instructions.html._HELP_instructions.bmp.._HELP_instructions.txt.._Locky_recover_instructions.bmp._Locky_recover_instructions.txt

    Delete shadow copy:

    vssadmin.exe Delete Shadows /Quiet /All 

    C2:

    hxxp://185[.]115[.]140[.]170/checkupdate

    Targeted extensions:

    ..yuv…ycbcra..xis…x3f…x11…wpd…tex…sxg…stx…st8…st5…srw…srf…sr2…sqlitedb..sqlite3…sqlite..sdf…sda…sd0…s3db..rwz…rwl…rdb…rat…raf…qby…qbx…qbw…qbr…qba…py..psafe3..plc…plus_muhd…pdd…p7c…p7b…oth…orf…odm…odf…nyf…nxl…nx2…nwb…ns4…ns3…ns2…nrw…nop…nk2…nef…ndd…myd…mrw…moneywell…mny…mmw…mfw…mef…mdc…lua…kpdx..kdc…kdbx..kc2…jpe…incpas..iiq…ibz…ibank…hbk…gry…grey..gray..fhd…fh..ffd…exf…erf…erbsql..eml…dxg…drf…dng…dgc…des…der…ddrw..ddoc..dcs…dc2…db_journal..csl…csh…crw…craw..cib…ce2…ce1…cdrw..cdr6..cdr5..cdr4..cdr3..bpw…bgt…bdb…bay…bank..backupdb..backup..back..awg…apj…ait…agdl..ads…adb…acr…ach…accdt…accdr…accde…ab4…3pr…3fr…vmxf..vmsd..vhdx..vhd…vbox..stm…st7…rvt…qcow..qed…pif…pdb…pab…ost…ogg…nvram…ndf…m4p…m2ts..log…hpp…hdd…groups..flvv..edb…dit…dat…cmt…bin…aiff..xlk…wad…tlg…st6…st4…say…sas7bdat..qbm…qbb…ptx…pfx…pef…pat…oil…odc…nsh…nsg…nsf…nsd…nd..mos…indd..iif…fpx…fff…fdb…dtd…design..ddd…dcr…dac…cr2…cdx…cdf…blend…bkp…al..adp…act…xlr…xlam..xla…wps…tga…rw2…r3d…pspimage..ps..pct…pcd…m4v…m…fxg…flac..eps…dxb…drw…dot…db3…cpi…cls…cdr…arw…ai..aac…thm…srt…save..safe..rm..pwm…pages…obj…mlb…md..mbx…lit…laccdb..kwm…idx…html..flf…dxf…dwg…dds…csv…css…config..cfg…cer…asx…aspx..aoi…accdb…7zip..1cd…xls…wab…rtf…prf…ppt…oab…msg…mapimail..jnt…doc…dbx…contact…n64…m4a…m4u…m3u…mid…wma…flv…3g2…mkv…3gp…mp4…mov…avi…asf…mpeg..vob…mpg…wmv…fla…swf…wav…mp3…qcow2…vdi…vmdk..vmx…wallet..upk…sav…re4…ltx…litesql…litemod…lbf…iwi…forge…das…d3dbsp..bsa…bik…asset…apk…gpg…aes…ARC…PAQ…tar.bz2…tbk…bak…tar…tgz…gz..7z..rar…zip…djv…djvu..svg…bmp…png…gif…raw…cgm…jpeg..jpg…tif…tiff..NEF…psd…cmd…bat…sh..class…jar…java..rb..asp…cs..brd…sch…dch…dip…pl..vbs…vb..js..h…asm…pas…cpp…c…php…ldf…mdf…ibd…MYI…MYD…frm…odb…dbf…db..mdb…sql…SQLITEDB..SQLITE3…011…010…009…008…007…006…005…004…003…002…001…pst…onetoc2…asc…lay6..lay…ms11(Securitycopy)..ms11..sldm..sldx..ppsm..ppsx..ppam..docb..mml…sxm…otg…odg…uop…potx..pom..pptx..pptm..std…sxd…pot…pps…sti…sxi…otp…odp…wb2…123…wks…wk1…xltx..xltm..xlsx..xlsm..xlsb..slk…xlw…xlt…xlm…xlc…dif…stc…sxc…ots…ods…hwp…602…dotm..dotx..docm..docx..DOT…3dm…max…3ds…xml…txt…CSV…uot…RTF…pdf…XLS…PPT…stw…sxw…ott…odt…DOC…pem…p12…csr…crt…key..wallet.dat..

    p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica} p.p2 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px}

    Python WinAppDbg Template Constructs

    Source: https://gitlab.com/vitali.kremez/winappdbg_contruct
    Credit: WinappDbg; Parsia
    ###########################
    #### WinAppDbg  ###########
    ##########################

    I.  GetRunnerProcess

        if (args.run):
    # Concat all arguments into a string
    myargs = " ".join(args.run)

    if win32.PathFileExists(args.run[0]) is True:
    # File exists
    # Create a Debug object
    debug = winappdbg.Debug()

    try:
    # Debug the app
    # First item is program and the rest are arguments
    # execl: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L358
    my_process = debug.execl(myargs)

    print("Attached to {0} - {1}".format(my_process.get_pid(),
    my_process.get_filename()))

    # Keep debugging until the debugger stops
    debug.loop()

    finally:
    # Stop the debugger
    debug.stop()
    print("[*] Debugger stopped.")

    else:
    print("{0} not found.".format(args.run[0]))
    exit()

    II. GetSystemInformation()
        if(args.sysinfo):
    # Create a System object
    # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/system.py#L66
    system = winappdbg.System()

    # Use the built-in WinAppDbg table
    # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1094
    table = winappdbg.Table("\t")

    # New line
    table.addRow("", "")

    # Header
    title = ("System Information", "")
    table.addRow(*title)

    # Add system information
    table.addRow("------------------")
    table.addRow("Bits", system.bits)
    table.addRow("OS", system.os)
    table.addRow("Architecture", system.arch)
    table.addRow("32-bit Emulation", system.wow64)
    table.addRow("Admin", system.is_admin())
    table.addRow("WinAppDbg", winappdbg.version)
    table.addRow("Process Count", system.get_process_count())

    print table.getOutput()
    exit()

    III. GetProcessList
        if (args.getprocesses):

    system = winappdbg.System()

    # We can reuse example 02 from the docs
    # https://winappdbg.readthedocs.io/en/latest/Instrumentation.html#example-2-enumerating-running-processes
    table = winappdbg.Table("\t")
    table.addRow("", "")

    header = ("pid", "process")
    table.addRow(*header)

    table.addRow("----", "----------")

    processes = {}

    # Add all processes to a dictionary then sort them by pid
    for process in system:
    processes[process.get_pid()] = process.get_filename()

    # Iterate through processes sorted by pid
    for key in sorted(processes.iterkeys()):
    table.addRow(key, processes[key])

    print table.getOutput()
    exit()

    IV.AttachByProcessID
        if (args.pid):
    system = winappdbg.System()

    # Get all pids
    pids = system.get_process_ids()

    if args.pid in pids:
    # pid exists

    # Create a Debug object
    debug = winappdbg.Debug()

    try:
    # Attach to pid
    # attach: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L219
    my_process = debug.attach(args.pid)

    print "Attached to %d - %s" % (my_process.get_pid(),
    my_process.get_filename())

    # Keep debugging until the debugger stops
    debug.loop()

    finally:
    # Stop the debugger
    debug.stop()
    print "Debugger stopped."

    else:
    print "pid %d not found." % (args.pid)

    exit()

    V. AttachByProcessName
        if (args.pname):
    debug = winappdbg.Debug()

    # example 3:
    # https://winappdbg.readthedocs.io/en/latest/_downloads/03_find_and_attach.py

    try:
    debug.system.scan()
    for (process, name) in debug.system.find_processes_by_filename(args.pname):
    print "Found %d, %s" % (process.get_pid(),
    process.get_filename())

    debug.attach(process.get_pid())

    print "Attached to %d-%s" % (process.get_pid(),
    process.get_filename())

    debug.loop()

    finally:
    # Stop the debugger
    debug.stop()
    print "Debugger stopped."
    exit()

    VI. WriteLoggerOutput
        global logger
    if args.output:
    # verbose=False disables printing to stdout
    logger = winappdbg.Logger(args.output, verbose=False)
    else:
    logger = winappdbg.Logger()

    # Example
    # logger.log_text("Started %d - %s" % (my_process.get_pid(), my_process.get_filename()))

    VII. GetLoadedModules
    class DebugEvents(winappdbg.EventHandler):
    """
    Event handler class.
    event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
    """

    def load_dll(self, event):
    """
    Called when a new module is loaded.
    """
    # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/module.py#L71

    """
    Module object methods:
    get_base, get_filename, get_name, get_size, get_entry_point,
    get_process, set_process, get_pid,
    get_handle, set_handle, open_handle, close_handle

    get_size and get_entry_point do not work because WinAppDbg internally
    uses GetModuleInformation.
    https://msdn.microsoft.com/en-us/library/ms683201(v=VS.85).aspx
    And it cannot get info on files with "that were loaded with the
    LOAD_LIBRARY_AS_DATAFILE flag.""

    This is related:
    https://blogs.msdn.microsoft.com/oldnewthing/20150716-00/?p=45131
    """
    module = event.get_module()

    logstring = "\nLoaded DLL:\nName: %s\nFilename: %s\nBase Addr: %s\n" % \
    (module.get_name(), module.get_filename(), hex(module.get_base()))

    mylogger.log_text(logstring)

    # _ = module.get_size()

    print module.get_handle()

    # Create an instance of our eventhandler class
    myeventhandler = DebugEvents()

    VIII. GetProcessCreateProcessInfo
    class DebugEvents(winappdbg.EventHandler):
    """
    Event handler class.
    event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
    """

    def create_process(self, event):
    process = event.get_process()
    pid = event.get_pid()
    # pid = process.get_pid()
    filename = process.get_filename()

    mylogger.log_text("CreateProcess %d - %s" % (pid, filename))

    def exit_process(self, event):
    process = event.get_process()
    pid = event.get_pid()
    # pid = process.get_pid()
    filename = process.get_filename()

    mylogger.log_text("ExitProcess %d - %s" % (pid, filename))

    def create_thread(self, event):
    process = event.get_process()
    thread = event.get_thread()

    tid = thread.get_tid()
    name = thread.get_name()

    mylogger.log_text("CreateThread %d - %s" % (tid, name))

    def exit_thread(self, event):
    process = event.get_process()
    thread = event.get_thread()

    tid = thread.get_tid()
    name = thread.get_name()

    mylogger.log_text("ExitThread %d - %s" % (tid, name))

    # Create an instance of our eventhandler class
    myeventhandler = DebugEvents()

    IX. BasicHookFunction
    class DebugEvents(winappdbg.EventHandler):
    """
    Event handler class.
    event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
    """

    def load_dll(self, event):
    module = event.get_module()

    if module.match_name("kernel32.dll"):

    # Resolve function addresses
    address_CreateFileA = module.resolve("CreateFileA")
    address_CreateFileW = module.resolve("CreateFileW")

    # Types are here
    # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/win32/defines.py#L380
    sig_CreateFileA = (PVOID, DWORD, DWORD, PVOID, DWORD, DWORD, HANDLE)
    sig_CreateFileW = (PVOID, DWORD, DWORD, PVOID, DWORD, DWORD, HANDLE)

    pid = event.get_pid()

    # Hook function(pid, address, preCB, postCB, paramCount, signature)
    # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/breakpoint.py#L3969
    event.debug.hook_function(pid, address_CreateFileA,
    preCB=pre_CreateFileA,
    postCB=post_CreateFileA,
    signature=sig_CreateFileA)

    event.debug.hook_function(pid, address_CreateFileW,
    preCB=pre_CreateFileW,
    postCB=post_CreateFileW,
    signature=sig_CreateFileW)

    # Another way of setting up hooks without signature

    """
    event.debug.hook_function(pid, address_CreateFileA,
    preCB=pre_CreateFileA,
    postCB=post_CreateFileA,
    paramCount=7)

    event.debug.hook_function(pid, address_CreateFileW,
    preCB=pre_CreateFileW,
    postCB=post_CreateFileW,
    paramCount=7)
    """

    # Callback functions
    # -------------------

    # Callback function parameters are always
    # (event, ra (return address), then function parameters)
    # self is first if part of the eventhandler class


    def pre_CreateFileW(event, ra, lpFileName, dwDesiredAccess, dwShareMode,
    lpSecurityAttributes, dwCreationDisposition,
    dwFlagsAndAttributes, hTemplateFile):

    """
    This will be called as soon as we enter the function and before the
    function stack frame is created.
    """

    process = event.get_process()

    # Suspend the process because why not
    process.suspend()
        mylogger.log_text("Hit kernel32!CreateFileW")

    # 32-bit so all parameters are on stack

    # In case you want a pointer to the top of the stack
    # thread = event.get_thread()

    # All memory read stuff are at
    # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/process.py#L125

    # fUnicode=True because we are in the Wide or Unicode version of the API
    myFileName = process.peek_string(lpFileName, fUnicode=True)

    mylogger.log_text("lpFilename: %s" % (myFileName))

    # Resume the process
    process.resume()


    def pre_CreateFileA(event, ra, lpFileName, dwDesiredAccess, dwShareMode,
    lpSecurityAttributes, dwCreationDisposition,
    dwFlagsAndAttributes, hTemplateFile):

    process = event.get_process()

    # Suspend the process because why not
    process.suspend()

    mylogger.log_text("Hit kernel32!CreateFileA")

    # fUnicode=False because we are in the ANSI version
    myFileName = process.peek_string(lpFileName, fUnicode=False)

    mylogger.log_text("lpFilename: %s" % (myFileName))

    process.resume()


    def post_CreateFileW(event, retval):

    mylogger.log_text("Leaving kernel32!CreateFileW")
    mylogger.log_text("Return value: %x" % (retval))


    def post_CreateFileA(event, retval):

    mylogger.log_text("Leaving kernel32!CreateFileA")
    mylogger.log_text("Return value: %x" % (retval))

    # Create an instance of our eventhandler class
    myeventhandler = DebugEvents()

    X. BetterHookFunction
    class DebugEvents(winappdbg.EventHandler):
    """
    Event handler class.
    event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
    """

    # Better hooking
    # https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls

    apiHooks = {

    # Hooks for the kernel32 library.
    "kernel32.dll": [

    # We have seen these before
    # Function Signature
    ("CreateFileA", (PVOID, DWORD, DWORD, PVOID, DWORD, DWORD, HANDLE)),
    ("CreateFileW", (PVOID, DWORD, DWORD, PVOID, DWORD, DWORD, HANDLE)),

    # Can also pass parameter count
    # ("CreateFileA", 6),
    # ("CreateFileW", 6),
    ],
    }

    # Now we can simply define a method for each hooked API.
    # "pre_" methods are called when entering the hooked function.
    # "post_" methods are called when returning from the hooked function.

    def pre_CreateFileW(self, event, ra, lpFileName, dwDesiredAccess,
    dwShareMode, lpSecurityAttributes, dwCreationDisposition,
    dwFlagsAndAttributes, hTemplateFile):

    process = event.get_process()
    myFileName = process.peek_string(lpFileName, fUnicode=True)
    mylogger.log_text("pre_CreateFileW opening file %s" % (myFileName))

    def post_CreateFileW(self, event, retval):
    mylogger.log_text("Return value: %x" % retval)

    def pre_CreateFileA(self, event, ra, lpFileName, dwDesiredAccess,
    dwShareMode, lpSecurityAttributes, dwCreationDisposition,
    dwFlagsAndAttributes, hTemplateFile):

    process = event.get_process()
    myFileName = process.peek_string(lpFileName, fUnicode=False)
    mylogger.log_text("pre_CreateFileA opening file %s" % (myFileName))

    def post_CreateFileA(self, event, retval):
    mylogger.log_text("Return value: %x" % retval)

    # Create an instance of our eventhandler class
    myeventhandler = DebugEvents()

    XI. HookInternetExplorer HttpSendRequestW
    class DebugEvents(winappdbg.EventHandler):
    """
    Event handler class.
    event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
    """

    """
    BOOL HttpSendRequest(
    _In_ HINTERNET hRequest,
    _In_ LPCTSTR lpszHeaders,
    _In_ DWORD dwHeadersLength,
    _In_ LPVOID lpOptional,
    _In_ DWORD dwOptionalLength
    );
    """

    apiHooks = {

    # Hooks for the wininet.dll library - note this is case-sensitive
    "wininet.dll": [

    # Function Signature
    ("HttpSendRequestW", (HANDLE, PVOID, DWORD, PVOID, DWORD)),
    ],
    }

    def pre_HttpSendRequestW(self, event, ra, hRequest, lpszHeaders,
    dwHeadersLength, lpOptional, dwOptionalLength):

    process = event.get_process()

    if dwHeadersLength != 0:
    mylogger.log_text(winapputil.utils.get_line())
    mylogger.log_text("HttpSendRequestW")

    headers = process.peek_string(lpszHeaders, fUnicode=True)
    mylogger.log_text("Headers %s" % (headers))

    if dwOptionalLength != 0:
    # This is not unicode - see the pointer name (lp vs. lpsz)
    # fUnicode is set to False (default) then
    optional = process.peek_string(lpOptional, fUnicode=False)

    mylogger.log_text("Optional %s" % (optional))
    mylogger.log_text(winapputil.utils.get_line())

    # Create an instance of our eventhandler class
    myeventhandler = DebugEvents()


    XII. HookInternetExplorer HttpSendRequestW/HttpOpenRequest
    class DebugEvents(winappdbg.EventHandler):
    """
    Event handler class.
    event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
    """

    """
    BOOL HttpSendRequest(
    _In_ HINTERNET hRequest,
    _In_ LPCTSTR lpszHeaders,
    _In_ DWORD dwHeadersLength,
    _In_ LPVOID lpOptional,
    _In_ DWORD dwOptionalLength
    );

    HINTERNET HttpOpenRequest(
    _In_ HINTERNET hConnect,
    _In_ LPCTSTR lpszVerb,
    _In_ LPCTSTR lpszObjectName,
    _In_ LPCTSTR lpszVersion,
    _In_ LPCTSTR lpszReferer,
    _In_ LPCTSTR *lplpszAcceptTypes,
    _In_ DWORD dwFlags,
    _In_ DWORD_PTR dwContext
    );
    """

    apiHooks = {

    # Hooks for the wininet.dll library - note this is case-sensitive
    "wininet.dll": [

    # Function Signature
    ("HttpSendRequestW", (HANDLE, PVOID, DWORD, PVOID, DWORD)),
    ("HttpOpenRequestW", (HANDLE, PVOID, PVOID, PVOID, PVOID, PVOID,
    DWORD, PVOID)),
    ],
    }

    def pre_HttpSendRequestW(self, event, ra, hRequest, lpszHeaders,
    dwHeadersLength, lpOptional, dwOptionalLength):

    process = event.get_process()

    if dwHeadersLength != 0:
    mylogger.log_text(winapputil.utils.get_line())
    mylogger.log_text("HttpSendRequestW")

    headers = process.peek_string(lpszHeaders, fUnicode=True)
    mylogger.log_text("Headers %s" % (headers))

    if dwOptionalLength != 0:
    # This is not unicode - see the pointer name dummy (lp vs. lpsz)
    # False by default but a good idea to include it for clarity
    optional = process.peek_string(lpOptional, fUnicode=False)

    mylogger.log_text("Optional %s" % (optional))
    mylogger.log_text(winapputil.utils.get_line())

    def pre_HttpOpenRequestW(self, event, ra, hConnect, lpszVerb,
    lpszObjectName, lpszVersion, lpszReferer,
    lplpszAcceptTypes, dwFlags, dwContext):

    process = event.get_process()

    verb = process.peek_string(lpszVerb, fUnicode=True)
    if verb is None:
    verb = "GET"

    obj = process.peek_string(lpszObjectName, fUnicode=True)

    mylogger.log_text(winapputil.utils.get_line())
    mylogger.log_text("HttpOpenRequestW")
    mylogger.log_text("verb: %s" % verb)
    mylogger.log_text("obj : %s" % obj)
    mylogger.log_text(winapputil.utils.get_line())

    # Create an instance of our eventhandler class
    myeventhandler = DebugEvents()

    XIII. HoookFireFoxFunction PR_Write
    class DebugEvents(winappdbg.EventHandler):
    """
    Event handler class.
    event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
    """

    # Better hooking
    # https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls

    """
    PRInt32 PR_Write(
    PRFileDesc *fd,
    const void *buf,
    PRInt32 amount);

    fd: A pointer to the PRFileDesc object for a file or socket
    buf: A pointer to the buffer holding the data to be written
    amount: The amount of data, in bytes, to be written from the buffer
    """

    apiHooks = {

    # Hooks for the nss3.dll library
    'nss3.dll': [

    ('PR_Write', (PVOID, PVOID, PVOID)),
    ],
    }

    def pre_PR_Write(self, event, ra, fd, buf, amount):

    process = event.get_process()

    if (amount > 100) and (amount < 1000):
    mylogger.log_text("PR_Write")

    # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/process.py#L1581
    contents = process.read(buf, amount)

    mylogger.log_text("%s" % str(contents))

    mylogger.log_text(winapputil.utils.get_line())

    # Create an instance of our eventhandler class
    myeventhandler = DebugEvents()

    XIV. ModifySleep on x86/X64
    class DebugEvents(winappdbg.EventHandler):
    """
    Event handler class.
    event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
    """

    # Better hooking
    # https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls

    """
    VOID WINAPI Sleep(
    _In_ DWORD dwMilliseconds
    );
    https://msdn.microsoft.com/en-us/library/windows/desktop/ms686298(v=vs.85).aspx
    """

    apiHooks = {

    # Hooks for the kernel32.dll library
    "kernel32.dll": [

    # Note how are passing only one parameter
    ("Sleep", (DWORD, )),

    # We can also pass the number of arguments instead of signature
    # ("Sleep", 1),
    ],
    }

    def pre_Sleep(self, event, ra, dwMilliseconds):

    process = event.get_process()
    process.suspend()

    thread = event.get_thread()

    bits = thread.get_bits()
    emulation = thread.is_wow64()

    logstring = "Original dwMilliseconds %d" % dwMilliseconds

    mylogger.log_text(logstring)

    # If running on a 32-bit machine or 32-bit process on 64-bit machine
    if bits == 32 or emulation is True:
    top_of_stack = thread.get_sp()

    # return_address, dwMilliseconds = thread.read_stack_dwords(2)
    # logstring = "Return Address %s" % \
    # winappdbg.HexDump.address(return_address, bits)

    # mylogger.log_text(logstring)

    process.write_dword(top_of_stack+((bits/8)*1), 0)

    # AMD64 calling convention on Windows uses fastcall
    # rcx, rdx, r8, r9 then stack

    elif bits == 64:
    thread.set_register("Rcx", 10000)

    process.resume()
    # Create an instance of our eventhandler class
    myeventhandler = DebugEvents()

    XV. ModifyDomainFunction in IE InternetConnectW
    class DebugEvents(winappdbg.EventHandler):
    """
    Event handler class.
    event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
    """

    # Better hooking
    # https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls

    """
    HINTERNET InternetConnect(
    _In_ HINTERNET hInternet,
    _In_ LPCTSTR lpszServerName,
    _In_ INTERNET_PORT nServerPort,
    _In_ LPCTSTR lpszUsername,
    _In_ LPCTSTR lpszPassword,
    _In_ DWORD dwService,
    _In_ DWORD dwFlags,
    _In_ DWORD_PTR dwContext
    );
    """

    apiHooks = {

    # Hooks for the wininet.dll library
    "wininet.dll": [

    # InternetConnectW
    # https://msdn.microsoft.com/en-us/library/windows/desktop/aa384363(v=vs.85).aspx
    # ("InternetConnectW", (HANDLE, PVOID, WORD, PVOID, PVOID, DWORD, DWORD, PVOID)),
    ("InternetConnectW", 8),

    ],
    }

    # Now we can simply define a method for each hooked API.
    # Methods beginning with "pre_" are called when entering the API,
    # and methods beginning with "post_" when returning from the API.

    def pre_InternetConnectW(self, event, ra, hInternet, lpszServerName,
    nServerPort, lpszUsername, lpszPassword,
    dwService, dwFlags, dwContext):

    process = event.get_process()
    process.suspend()
    thread = event.get_thread()

    server_name = process.peek_string(lpszServerName, fUnicode=True)
    print(server_name)

    if server_name == "example.com":

    # mylogger.log_text(server_name)

    # Encoding as UTF16
    new_server_name = "google.com".encode("utf-16le")

    # Get length of new payload
    payload_length = len(new_server_name)

    # Allocate memory in target process and get a pointer
    new_payload_addr = event.get_process().malloc(payload_length)

    # Write the new payload to that pointer
    process.write(new_payload_addr, new_server_name)

    top_of_stack = thread.get_sp()

    bits = thread.get_bits()
    emulation = thread.is_wow64()

    if bits == 32 or emulation is True:

    # Write the pointer to the new payload with the old one
    process.write_dword(top_of_stack + 8, new_payload_addr)

    elif bits == 64:
    thread.set_register("Rdx", new_payload_addr)

    process.resume()

    # Create an instance of our eventhandler class
    myeventhandler = DebugEvents()
    XVI. RegistryReader RegQueryValueExW
    class DebugEvents(winappdbg.EventHandler):
    """
    Event handler class.
    event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
    """

    # Better hooking
    # https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls

    """
    LONG WINAPI RegQueryValueEx(
    _In_ HKEY hKey,
    _In_opt_ LPCTSTR lpValueName,
    _Reserved_ LPDWORD lpReserved,
    _Out_opt_ LPDWORD lpType,
    _Out_opt_ LPBYTE lpData,
    _Inout_opt_ LPDWORD lpcbData
    );
    """

    apiHooks = {

    # Hooks for the adviapi32.dll library
    # Can also hook kernel32.dll
    "advapi32.dll": [

    # RegQueryValueEx
    # https://msdn.microsoft.com/en-us/library/windows/desktop/ms724911(v=vs.85).aspx
    # ("RegQueryValueExW", (HANDLE, PVOID, PVOID, PVOID, PVOID, PVOID)),
    ("RegQueryValueExW", 6),

    ],
    }

    def pre_RegQueryValueExW(self, event, ra, hKey, lpValueName, lpReserved,
    lpType, lpData, lpcbData):

    # Store the pointer for later use
    self.hKey = hKey
    self.lpValueName = lpValueName
    self.lpType = lpType
    self.lpData = lpData
    self.lpcbData = lpcbData

    def post_RegQueryValueExW(self, event, retval):
    process = event.get_process()

    process.suspend()

    table = winappdbg.Table("\t")
    table.addRow("", "")

    # Need to watch out for optional parameters
    if self.lpType is not 0:
    keyType = process.read_dword(self.lpType)
    table.addRow("keyType", keyType)

    valueName = process.peek_string(self.lpValueName, fUnicode=True)
    size = process.read_dword(self.lpcbData)

    table.addRow("valueName", valueName)
    table.addRow("size", size)

    if self.lpData is not 0:
    data = process.read(self.lpData, size)
    table.addRow("data", data)
    table.addRow("data-hex", data.encode("hex"))

    mylogger.log_text(table.getOutput())
    mylogger.log_text("-"*30)

    process.resume()

    # Create an instance of our eventhandler class
    myeventhandler = DebugEvents()

    XVII RegistryWriter
    class DebugEvents(winappdbg.EventHandler):
    """
    Event handler class.
    event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
    """

    # Better hooking
    # https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls

    """
    LONG WINAPI RegQueryValueEx(
    _In_ HKEY hKey,
    _In_opt_ LPCTSTR lpValueName,
    _Reserved_ LPDWORD lpReserved,
    _Out_opt_ LPDWORD lpType,
    _Out_opt_ LPBYTE lpData,
    _Inout_opt_ LPDWORD lpcbData
    );
    """

    apiHooks = {

    # Hooks for the advapi32.dll library
    "advapi32.dll": [

    # RegQueryValueEx
    # https://msdn.microsoft.com/en-us/library/windows/desktop/ms724911(v=vs.85).aspx
    # ("RegQueryValueExW", (HANDLE, PVOID, PVOID, PVOID, PVOID, PVOID)),
    ("RegQueryValueExW", 6),

    ],
    }

    def pre_RegQueryValueExW(self, event, ra, hKey, lpValueName, lpReserved,
    lpType, lpData, lpcbData):

    # Store the pointer for later use
    self.hKey = hKey
    self.lpValueName = lpValueName
    self.lpType = lpType
    self.lpData = lpData
    self.lpcbData = lpcbData

    def post_RegQueryValueExW(self, event, retval):
    process = event.get_process()

    process.suspend()

    valueName = process.peek_string(self.lpValueName, fUnicode=True)

    if valueName == "layout":
    # size = process.read_dword(self.lpcbData)
    # data = process.read(self.lpData, size)

    newLayout = 0x00

    process.write_dword(self.lpData, newLayout)

    # OR
    # process.write(self.lpData, "00".decode("hex"))

    process.resume()
    # Create an instance of our eventhandler class
    myeventhandler = DebugEvents()

    Let’s Code: Cerber Extension Finder in FASM

    Inspiration: https://twitter.com/VK_Intel/status/875247835880534017

    Goal: Identify Cerber ransomware extension on any machine based on MachineGuid’s value.

    Here is the ASM code in FASM:
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    format pe gui 4.0
    include ‘win32ax.inc’
    entry cerber_ext
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; CERBER Extension Finder ;;;;;;;;;;;;;;;;;;
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; by @VK_Intel ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    section ‘.text’ code readable executable
    cerber_ext:
       invoke RegOpenKeyExA, HKEY_LOCAL_MACHINE,CryptoReg,NULL,KEY_READ,ckey
       invoke VirtualAlloc, NULL, 24, MEM_COMMIT, PAGE_READWRITE
       mov [RegBuffer], eax
       invoke RegQueryValueExA, [ckey], MachineGuid, NULL,dword_type,[RegBuffer],RegSize
       invoke lstrlen, [RegBuffer]
       mov ebx, [RegBuffer]
       add ebx, eax
    start_find:
       dec ebx
       mov edx, [ebx]
       cmp dl, 2dh ; “-” in hex
       je one_more
       jmp start_find
    one_more:
       dec ebx
       mov edx, [ebx]
       cmp dl, 2dh ; “-” in hex
       je final
       jmp one_more
    final:
       inc ebx
       invoke VirtualAlloc, NULL, 4, MEM_COMMIT, PAGE_READWRITE
       mov [fourthGuid], eax
       invoke lstrcpyn,[fourthGuid],ebx,5
       invoke MessageBox, 0, [fourthGuid], Cerber_Ext, MB_OK
       invoke ExitProcess, 0
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    section ‘.data’ data readable writable
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    CryptoReg           db ‘SOFTWARE\Microsoft\Cryptography’,0
    MachineGuid      db ‘MachineGuid’,0
    ckey                    dd ?
    dword_type        dd REG_DWORD
    RegBuffer          dd ?
    RegSize              dd 256
    fourthGuid         dd ?
    Cerber_Ext        db ‘==> Your Cerber Extension <==', 0
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    section ‘.itable’ import data readable
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
            library  kernel32,’kernel32.dll’,\
                         advapi32,’Advapi32.dll’,\
                         user32, ‘user32.dll’
            import user32,\
                     MessageBox,’MessageBoxA’
             import  kernel32,\
                     ExitProcess,’ExitProcess’,\
                     lstrlen, ‘lstrlenA’,\
                     lstrcpyn, ‘lstrcpynA’,\
                     VirtualAlloc, ‘VirtualAlloc’
             import  advapi32,\
                     RegOpenKeyExA, ‘RegOpenKeyExA’,\
                     RegQueryValueExA, ‘RegQueryValueExA’