Wednesday 25 October 2017

Adhoc TrickBot Analysis - Discovery rate 1000032 to 1000076

The following graph shows the rate of discovery of TrickBot Banking Trojan versions in the wild, based on shared mcconfs. This graph covers versions 1000032 (04-Aug-2017) to 1000076 (25-Oct-2017).

Note: The flatter the line, the more frequently versions are discovered.


Thanks to @mpvillafranca94, @VK_Intel, @K_N1kolenko, @hasherezade, @ArnaudDlms, @StackGazer, @0bscureC0de, @voidm4p, @James_inthe_box, @MakFLwana, @spalomaresg, and @virsoz, for sharing the mcconfs.

Sunday 22 October 2017

Weekly TrickBot Analysis - End of w/c 16-Oct-2017 to 1000073

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 16th October 2017. The latest version shared in this time is 1000073.

The following graph shows the number of server entries across 54 versions using ports:

  • 443 (HTTPS);
  • 445 (IBM AS Server Mapper);
  • 449 (Cray Network Semaphore Server); and 
  • 451 (SMB).



The following table shows the top 25 servers (of 618 unique) used within the 54 versions.


The 618 unique server IP addresses are allocated across a wide variety of countries according to their BGP prefix registrations. The top 5 countries are RU > US > PL > RO > FR.


Thanks to @mpvillafranca94, @VK_Intel, @K_N1kolenko, @hasherezade, @ArnaudDlms, @StackGazer, @0bscureC0de, @voidm4p, @James_inthe_box, @MakFLwana, @spalomaresg, and @virsoz, for sharing the mcconfs.

Tuesday 3 October 2017

Adhoc TrickBot Analysis - to 1000062

Following on from my initial adhoc analysis, the following graph shows the number of server entries using ports 443 and 449 across 43 versions of the TrickBot Banking Trojan, up to 1000062.


In addition, the following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 83 mcconfs analysed. (Note: I've analysed multiple mcconfs with the same version number, and in each case the server list is the same for a particular version.)


The following table shows the IP usage across the 43 TrickBot versions.


Lastly, the following table shows the top 25 servers used within the 43 versions.
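The tallies in this entry and the one above it (server entries per port for each version, the gtag breakdown, IP usage across versions, and the most-used servers) can all be produced from a folder of mcconfs with a short script. The following is an added example and not the author's own tooling; it assumes the mcconf is the XML-style document with `<ver>`, `<gtag>` and `<servs>`/`<srv>` elements as commonly documented for TrickBot, and the sample configs are constructed using RFC 5737 documentation addresses rather than real C2 servers. Two of the samples share a version number so the de-duplication the note above describes is exercised.

```python
"""Tally TrickBot mcconf server entries by port, version, gtag and IP.

Added example, not the blog author's code. Assumes the mcconf is the
XML-like document with <ver>, <gtag> and <servs>/<srv> elements as
commonly documented for TrickBot. The sample configs are constructed
with RFC 5737 documentation addresses, not real C2 servers.
"""
from collections import Counter, defaultdict
import xml.etree.ElementTree as ET

# Constructed sample mcconfs; two carry the same version with the same
# server list, as the post observes for real configs.
SAMPLE_MCCONFS = [
    """<mcconf><ver>1000060</ver><gtag>tagA</gtag><servs>
    <srv>192.0.2.10:443</srv><srv>192.0.2.11:449</srv><srv>198.51.100.5:443</srv>
    </servs></mcconf>""",
    """<mcconf><ver>1000061</ver><gtag>tagB</gtag><servs>
    <srv>192.0.2.10:443</srv><srv>198.51.100.5:449</srv><srv>203.0.113.9:449</srv>
    </servs></mcconf>""",
    """<mcconf><ver>1000061</ver><gtag>tagA</gtag><servs>
    <srv>192.0.2.10:443</srv><srv>198.51.100.5:449</srv><srv>203.0.113.9:449</srv>
    </servs></mcconf>""",
    """<mcconf><ver>1000062</ver><gtag>tagC</gtag><servs>
    <srv>192.0.2.10:449</srv><srv>203.0.113.9:449</srv><srv>203.0.113.10:443</srv>
    </servs></mcconf>""",
]


def parse_mcconf(text):
    """Return (version, gtag, [(ip, port), ...]) for one mcconf document."""
    root = ET.fromstring(text)
    ver = int(root.findtext("ver"))
    gtag = (root.findtext("gtag") or "").strip()
    servers = []
    for srv in root.iter("srv"):
        host, _, port = (srv.text or "").strip().rpartition(":")
        if host and port.isdigit():          # skip malformed entries
            servers.append((host, int(port)))
    return ver, gtag, servers


def tally(mcconfs):
    """Aggregate statistics across many mcconfs.

    Server lists are keyed by version so that several mcconfs with the
    same version number count once for the per-version and per-server
    figures, while gtags are counted per mcconf (one campaign tag each).
    """
    by_version = {}          # ver -> set of (ip, port)
    gtags = Counter()        # gtag -> number of mcconfs carrying it
    for text in mcconfs:
        ver, gtag, servers = parse_mcconf(text)
        gtags[gtag] += 1
        by_version.setdefault(ver, set()).update(servers)

    port_counts = {}               # ver -> {port: number of entries}
    server_hits = Counter()        # (ip, port) -> number of versions using it
    ip_versions = defaultdict(set)  # ip -> versions it appears in
    for ver, servers in by_version.items():
        port_counts[ver] = dict(Counter(port for _, port in servers))
        for ip, port in servers:
            server_hits[(ip, port)] += 1
            ip_versions[ip].add(ver)
    return {
        "versions": sorted(by_version),
        "port_counts": port_counts,
        "gtags": dict(gtags),
        "top_servers": server_hits.most_common(),
        "ip_usage": {ip: len(v) for ip, v in ip_versions.items()},
    }


def report(stats, top_n=25):
    """Print the same views the post presents as graphs and tables."""
    print("server entries per port, by version:")
    for ver in stats["versions"]:
        counts = stats["port_counts"][ver]
        print(f"  {ver}: " + ", ".join(f"{p}={n}" for p, n in sorted(counts.items())))
    print("gtag breakdown:", stats["gtags"])
    print("IP usage (number of versions each IP appears in):", stats["ip_usage"])
    print(f"top {top_n} servers:")
    for (ip, port), n in stats["top_servers"][:top_n]:
        print(f"  {ip}:{port}  in {n} version(s)")


if __name__ == "__main__":
    report(tally(SAMPLE_MCCONFS))
```

To run this over real captures, replace `SAMPLE_MCCONFS` with the decrypted mcconf text of each shared file; the per-version de-duplication means the "entries per version" figures are unaffected by how many copies of one version were shared, whereas the gtag counts deliberately reflect every mcconf seen.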


Thanks to @VK_Intel, @mpvillafranca94, @ArnaudDlms, and @James_inthe_box for providing the configurations.

Sunday 1 October 2017

Initial Adhoc TrickBot Analysis - SRV port usage

Here's some initial analysis of the TrickBot Banking Trojan's command and control (C2) server entries in its 'mcconf'. The graph shows the number of server entries using ports 443 and 449 across 26 versions, up to 1000062.



Thanks to @VK_Intel for providing the configurations.