Update TrickBot sig and comment out absent 64-bit Extraction DLL.

ctxis · Dec 29, 2017 · db33916 · db33916
1 parent 49bf2e6
commit db33916
Show file tree

Hide file tree

Showing 6 changed files with 8 additions and 7 deletions.
diff --git a/analyzer/windows/modules/packages/Extraction.py b/analyzer/windows/modules/packages/Extraction.py
@@ -19,7 +19,7 @@ def __init__(self, options={}, config=None):
         self.options = options
         self.pids = []
         self.options["dll"] = "Extraction.dll"
-        self.options["dll_64"] = "Extraction_x64.dll"
+        #self.options["dll_64"] = "Extraction_x64.dll"
 
     def start(self, path):
         arguments = self.options.get("arguments")

diff --git a/analyzer/windows/modules/packages/Extraction_dll.py b/analyzer/windows/modules/packages/Extraction_dll.py
@@ -18,7 +18,7 @@ def __init__(self, options={}, config=None):
         self.config = config
         self.options = options
         self.options["dll"] = "Extraction.dll"
-        self.options["dll_64"] = "Extraction_x64.dll"
+        #self.options["dll_64"] = "Extraction_x64.dll"
 
     def start(self, path):
         rundll32 = self.get_path("rundll32.exe")

diff --git a/analyzer/windows/modules/packages/Extraction_ps1.py b/analyzer/windows/modules/packages/Extraction_ps1.py
@@ -17,7 +17,7 @@ def __init__(self, options={}, config=None):
         self.config = config
         self.options = options
         self.options["dll"] = "Extraction.dll"
-        self.options["dll_64"] = "Extraction_x64.dll"
+        #self.options["dll_64"] = "Extraction_x64.dll"
 
     def start(self, path):
         powershell = self.get_path_glob("PowerShell")

diff --git a/analyzer/windows/modules/packages/Extraction_regsvr.py b/analyzer/windows/modules/packages/Extraction_regsvr.py
@@ -18,7 +18,7 @@ def __init__(self, options={}, config=None):
         self.config = config
         self.options = options
         self.options["dll"] = "Extraction.dll"
-        self.options["dll_64"] = "Extraction_x64.dll"
+        #self.options["dll_64"] = "Extraction_x64.dll"
 
     def start(self, path):
         regsvr32 = self.get_path("regsvr32.exe")

diff --git a/analyzer/windows/modules/packages/Extraction_zip.py b/analyzer/windows/modules/packages/Extraction_zip.py
@@ -33,7 +33,7 @@ def __init__(self, options={}, config=None):
         self.options = options
         self.pids = []
         self.options["dll"] = "Extraction.dll"
-        self.options["dll_64"] = "Extraction_x64.dll"
+        #self.options["dll_64"] = "Extraction_x64.dll"
 
         log.info("Timeout: " + str(self.config.timeout))
 

diff --git a/data/yara/CAPE/TrickBot.yar b/data/yara/CAPE/TrickBot.yar
@@ -1,7 +1,7 @@
 rule TrickBot
 {
     meta:
-        author = "sysopfb"
+        author = "sysopfb & kevoreilly"
         description = "TrickBot Payload"
         cape_type = "TrickBot Payload"
     strings:
@@ -12,6 +12,7 @@ rule TrickBot
         $str2 = "group_tag" ascii wide
         $str3 = "client_id" ascii wide
         $code1 = {8A 11 88 54 35 F8 46 41 4F 89 4D F0 83 FE 04 0F 85 7E 00 00 00 8A 1D ?? ?? ?? ?? 33 F6 8D 49 00 33 C9 84 DB 74 1F 8A 54 35 F8 8A C3 8D 64 24 00}
+        $code2 = {0F B6 54 24 49 0F B6 44 24 48 48 83 C6 03 C0 E0 02 0F B6 CA C0 E2 04 C0 F9 04 33 DB 80 E1 03 02 C8 88 4C 24 40 0F B6 4C 24 4A 0F B6 C1 C0 E1 06 02 4C 24 4B C0 F8 02 88 4C 24 42 24 0F}
     condition:
-        any of ($ua*) or all of ($str*) or all of ($code*)
+        any of ($ua*) or all of ($str*) or any of ($code*)
 }