From db33916cdd508744b447e9d2d9aad13b7685121f Mon Sep 17 00:00:00 2001
From: unknown
Date: Fri, 29 Dec 2017 14:55:56 +0000
Subject: [PATCH] Update TrickBot sig and comment out absent 64-bit Extraction DLL.
---
 analyzer/windows/modules/packages/Extraction.py | 2 +-
 analyzer/windows/modules/packages/Extraction_dll.py | 2 +-
 analyzer/windows/modules/packages/Extraction_ps1.py | 2 +-
 analyzer/windows/modules/packages/Extraction_regsvr.py | 2 +-
 analyzer/windows/modules/packages/Extraction_zip.py | 2 +-
 data/yara/CAPE/TrickBot.yar | 5 +++--
 6 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/analyzer/windows/modules/packages/Extraction.py b/analyzer/windows/modules/packages/Extraction.py
index adabf88ca..5bfcbc0fd 100644
--- a/analyzer/windows/modules/packages/Extraction.py
+++ b/analyzer/windows/modules/packages/Extraction.py
@@ -19,7 +19,7 @@ def __init__(self, options={}, config=None):
 self.options = options
 self.pids = []
 self.options["dll"] = "Extraction.dll"
- self.options["dll_64"] = "Extraction_x64.dll"
+ #self.options["dll_64"] = "Extraction_x64.dll"
 def start(self, path):
 arguments = self.options.get("arguments")
diff --git a/analyzer/windows/modules/packages/Extraction_dll.py b/analyzer/windows/modules/packages/Extraction_dll.py
index 6a0ed7ba0..8e7e4b7ce 100644
--- a/analyzer/windows/modules/packages/Extraction_dll.py
+++ b/analyzer/windows/modules/packages/Extraction_dll.py
@@ -18,7 +18,7 @@ def __init__(self, options={}, config=None):
 self.config = config
 self.options = options
 self.options["dll"] = "Extraction.dll"
- self.options["dll_64"] = "Extraction_x64.dll"
+ #self.options["dll_64"] = "Extraction_x64.dll"
 def start(self, path):
 rundll32 = self.get_path("rundll32.exe")
diff --git a/analyzer/windows/modules/packages/Extraction_ps1.py b/analyzer/windows/modules/packages/Extraction_ps1.py
index 66a7b563a..658cb20f7 100644
--- a/analyzer/windows/modules/packages/Extraction_ps1.py
+++ b/analyzer/windows/modules/packages/Extraction_ps1.py
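Review bot: The retained `self.options["dll"] = "Extraction.dll"` line in this hunk writes into the dict bound by `self.options = options`, and for a caller that omits the argument that dict is the shared mutable default `{}` from the `__init__` signature shown in the hunk header, so package settings persist across instances constructed without explicit options; the same shape recurs in the Extraction_dll.py, Extraction_ps1.py, Extraction_regsvr.py and Extraction_zip.py hunks. A backward-compatible fix is `def __init__(self, options=None, config=None):` followed by `self.options = options if options is not None else {}`, which leaves callers that pass a dict explicitly unaffected. Commenting out the `dll_64` assignment leaves dead code in five files; given the commit message says the 64-bit DLL is absent, deleting the line and recording the intent in a short comment such as `# no 64-bit Extraction DLL is shipped, so dll_64 is intentionally left unset` reads better. How the analyzer behaves for a 64-bit sample when `dll_64` is unset is not visible in this hunk and is worth confirming before merging. `__init__` starts before the hunk and `start` continues past it.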
@@ -17,7 +17,7 @@ def __init__(self, options={}, config=None):
 self.config = config
 self.options = options
 self.options["dll"] = "Extraction.dll"
- self.options["dll_64"] = "Extraction_x64.dll"
+ #self.options["dll_64"] = "Extraction_x64.dll"
 def start(self, path):
 powershell = self.get_path_glob("PowerShell")
diff --git a/analyzer/windows/modules/packages/Extraction_regsvr.py b/analyzer/windows/modules/packages/Extraction_regsvr.py
index bbfa38dc2..55c643958 100644
--- a/analyzer/windows/modules/packages/Extraction_regsvr.py
+++ b/analyzer/windows/modules/packages/Extraction_regsvr.py
@@ -18,7 +18,7 @@ def __init__(self, options={}, config=None):
 self.config = config
 self.options = options
 self.options["dll"] = "Extraction.dll"
- self.options["dll_64"] = "Extraction_x64.dll"
+ #self.options["dll_64"] = "Extraction_x64.dll"
 def start(self, path):
 regsvr32 = self.get_path("regsvr32.exe")
diff --git a/analyzer/windows/modules/packages/Extraction_zip.py b/analyzer/windows/modules/packages/Extraction_zip.py
index 3fb6a2a9b..1558b8109 100644
--- a/analyzer/windows/modules/packages/Extraction_zip.py
+++ b/analyzer/windows/modules/packages/Extraction_zip.py
@@ -33,7 +33,7 @@ def __init__(self, options={}, config=None):
 self.options = options
 self.pids = []
 self.options["dll"] = "Extraction.dll"
- self.options["dll_64"] = "Extraction_x64.dll"
+ #self.options["dll_64"] = "Extraction_x64.dll"
 log.info("Timeout: " + str(self.config.timeout))
diff --git a/data/yara/CAPE/TrickBot.yar b/data/yara/CAPE/TrickBot.yar
index 344932280..1a001f87e 100644
--- a/data/yara/CAPE/TrickBot.yar
+++ b/data/yara/CAPE/TrickBot.yar
@@ -1,7 +1,7 @@
 rule TrickBot {
 meta:
- author = "sysopfb"
+ author = "sysopfb & kevoreilly"
 description = "TrickBot Payload"
 cape_type = "TrickBot Payload"
 strings:
@@ -12,6 +12,7 @@ rule TrickBot
 $str2 = "group_tag" ascii wide
 $str3 = "client_id" ascii wide
 $code1 = {8A 11 88 54 35 F8 46 41 4F 89 4D F0 83 FE 04 0F 85 7E 00 00 00 8A 1D ?? ?? ?? ?? 33 F6 8D 49 00 33 C9 84 DB 74 1F 8A 54 35 F8 8A C3 8D 64 24 00}
+ $code2 = {0F B6 54 24 49 0F B6 44 24 48 48 83 C6 03 C0 E0 02 0F B6 CA C0 E2 04 C0 F9 04 33 DB 80 E1 03 02 C8 88 4C 24 40 0F B6 4C 24 4A 0F B6 C1 C0 E1 06 02 4C 24 4B C0 F8 02 88 4C 24 42 24 0F}
 condition:
- any of ($ua*) or all of ($str*) or all of ($code*)
+ any of ($ua*) or all of ($str*) or any of ($code*)
 }
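Review bot: The new `$code2` string has no comment recording which sample or build the byte sequence was taken from, and because the condition is relaxed to `any of ($code*)` each code string now has to stand on its own as a match, so that provenance matters for anyone maintaining the rule later. A one-line YARA comment above it, e.g. `// $code2: <placeholder: sample hash / architecture this sequence was extracted from>`, would cover it; the `48 83 C6 03` bytes suggest a 64-bit build, but that is an inference from the opcode bytes rather than something the hunk states. The `$ua*` strings and the rest of the rule are outside this hunk, so the false-positive exposure of the `any of ($ua*)` clause cannot be judged from here.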