[Mal Series#19] Trickbot payload analysis

Trickbot loader using Heaven’s gate technique to inject its final payload into a 64 bit process wermgr.exe.

It is difficult to analyze it, but i will try my best ✌.

Version: 1106

I’m created annotation script for both IDA pro and Ghidra to make my life easier 😌, you can get it here 😏.

Main flow

Trickbot bot graph flow (64 bit)

Create Scheduled Task

This time the task name called Hdd info application .

The target binary is placed in appdata\roaming\HddInfo<RandNum>

The scheduled task create via COM API.

Create file with unknown extension

Create file endswith .sut in folder path %APPDATA%


Getting system info

Getting system privilege

Using typical AdjustTokenPrivilege or ConvertSecurityDescriptorToStringSecurityDescriptor with specific SSDL -> AllocateAndInitializeSid and EqualSid .

General format: (A;;Access;;;SID)SSDL Found in the sample:
D:(A;;GA;;; # WD)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;RC)
Translated meaning:
Generic_All for World, Administrators, System and Restricted Code

Create mutex, Global\{CLSID}

Typical mutex generator using clsid if the StringFromCLSID is success,

Settings.ini base64 custom key

Hardcoded base64 custom key is used and it is same with the one mentioned in Malwarebyte blog. The only difference is the ‘n’ value in shuffle key function, it is 10 in the this sample. The xor function still the same.

Module’s export name

It’s export name with the previous version here.

IP blocklist check via DNS service

It will iterate through these DNS checker to identify whether the resolved IP is blocked or not.


Check is behind NAT

Using gethostname and getaddrinfo to check whether the system IP is a private or not.

Download Trickbot module

Different value will determine which request to be send and also the requested module. These most of the value is hardcoded in the 3rd paramter of download module function.

Download module from based on 3rd parameter
Seems like only 9 modules available
dl_module function overview
w_win_http_open_request: Query response headers
w_win_http_read_data: Read http response data

Module decryption

Based on the analysis, the decryption module should be similar with hasherezade script.

2 round of sha256 with aes decryption
AES decrypt

Inject module into svchost.exe

Create a svchost.exe process with suspended mode 0x4, and the overall process injection technique has been well explained in VIPRE blog.

Also it seems like getting the explorer.exe with SeTcbPrivilege if the something wrong when execute the module payload.

Create child process with unknown command

Seems like it runs something like rundll32.exe <file path>,<export name>

RDP attack similar with Wanncry (Good analysis from Panda blog)

Mainly compromise RDP connection by enumerating through the user session via WTSapi32.dll, advapi32.dll and kernel32.dll related function.

Create process cmd.exe /c cscript

It seems like it targets some file in tmp folder.

Set environment variable PROMPT

Get External IP

It can be see that it loop through index between 0x1 to 0xc, plus it followed by some http related function call. So, the decode_string function is targeting some url. Then, it matches the output of the decode script created earlier.

0x1): checkip.amazonaws.com
0x2): ipecho.net
0x3): ipinfo.io
0x4): api.ipify.org
0x5): icanhazip.com
0x6): myexternalip.com
0x7): wtfismyip.com
0x8): ip.anysrc.net
0x9): api.ipify.org
0xa): api.ip.sb
0xb): ident.me
0xc): www.myexternalip.com


Using blockchian-dns to get DNS resolution from .bazar domain. Some reading on bdns can be found here.

bdns.at                           bdns.by                           bdns.co                           bdns.im                           bdns.link                         bdns.nu                           bdns.pro                          b-dns.se

It still have something that I didn’t cover (e.g. encrypted config files with lots of c2 as it is already common in every Trickbot sample since the beginning), and I hope it helps other people when analyzing Trickbot 😃


Panda WannaCry Report

Github code



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store