@pinksawtooth
Last active March 13, 2019 01:13
checkip.amazonaws.com
ipecho.net
ipinfo.io
api.ipify.org
icanhazip.com
myexternalip.com
wtfismyip.com
ip.anysrc.net
api.ipify.org
api.ip.sb
ident.me
www.myexternalip.com
/plain
/ip
/raw
/text
/?format=text
zen.spamhaus.org
cbl.abuseat.org
b.barracudacentral.org
dnsbl-1.uceprotect.net
spam.dnsbl.sorbs.net
Data\
%s%s_configs\
%s%s
POST
%d%d%d.
pIT connect failed, 0x%x
pIT GetFolder failed, 0x%x
Create xml failed
Create xml2 failed
SYSTEM
Windows Network
Register u failed, 0x%x
Register s failed, 0x%x
user
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.2228.0 Safari/537.36
GET
cmd.exe
fifty
SINJ
.onion
/%s/%s/1/%s/
pIT NULL
D:(A;;GA;;;WD)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;RC)
kernel32.dll
GetProcAddress
%s %s
shlwapi
UrlEscapeW
Microsoft Software Key Storage Provider
ECCPUBLICBLOB
wtsapi32
WTSEnumerateSessionsA
WTSFreeMemory
WTSGetActiveConsoleSessionId
WTSQueryUserToken
%s/%s/63/%s/%s/%s/%s/
noname
ModuleQuery
WantRelease
VERS
tmp
/%s/%s/25/%s/
SeTcbPrivilege
explorer.exe
/%s/%s/23/%d/
ECDSA_P384
SignatureLength
E: 0x%x A: 0x%p
exc
Global\First
Global\%08lX%04lX%lu
/%s/%s/5/%s/
svchost.exe
%s.%s.%s.%s
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
<RunLevel>HighestAvailable</RunLevel>
<GroupId>NT AUTHORITY\SYSTEM</GroupId>
<LogonType>InteractiveToken</LogonType>
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2"
xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Version>1.0.0</Version>
<Author>AuthorName</Author><Description>Windows Network App</Description>
</RegistrationInfo>
<Triggers>
<BootTrigger>
<Enabled>true</Enabled>
<LogonTrigger>
<Enabled>true</Enabled>
<UserId>
</UserId>
</LogonTrigger>
</BootTrigger>
<TimeTrigger>
<Repetition>
<Interval>PT9M</Interval>
<Duration>P415DT14H23M</Duration>
<StopAtDurationEnd>false</StopAtDurationEnd>
</Repetition>
<StartBoundary>
%04d-%02d-%02dT%02d:%02d:%02d
</StartBoundary>
<Enabled>true</Enabled>
</TimeTrigger>
</Triggers>
<Principals>
<Principal id="Author">
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>false</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>true</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
</Settings>
<Actions Context="Author">
<Exec>
<Command>
</Command>
</Exec>
</Actions>
</Task>
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
NAT status
failed
client is behind NAT
client is not behind NAT
DNSBL
listed
not listed
winsta0\default
SignalObjectAndWait
WaitForSingleObject
CloseHandle
ResetEvent
ExitProcess
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
/%s/%s/0/%s/%s/%s/%s/%s/
%s.%s
start
release
Module already unloaded
GetParentInfo error
Win32 error
Decode from BASE64 error
Process was unloaded
Start failed
working
Process has been finished
Invalid params count
Unable to load module from server
No params
0.0.0.0
<moduleconfig>*</moduleconfig>
autorun
------Boundary%08X
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
--%s
Content-Disposition: form-data; name="%S"
--%s--
spk
LoadLibraryW
1058
ver.txt
%02X
%s sTart
settings.ini
%u %u %u %u
Control failed
Start
Control
FreeBuffer
Release
/%s/%s/14/%s/%s/0/
Module is not valid
.tmp
%s/%s/64/%s/%s/%s/
data
info
/%s/%s/10/%s/%s/%d/
S-1-5-18
Load to M failed
Run D failed
Find P failed
Create ZP failed
Launch USER failed
Load to P failed
Module has already been loaded
CI failed, 0x%x
Unknown
Windows 2000
Windows XP
Windows Server 2003
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 8
Windows Server 2012
Windows 8.1
Windows Server 2012 R2
Windows 10
Windows 10 Server
x86
x64
%s %s SP%d
path
OLEAUT32.dll
ole32.dll
WS2_32.dll
SHLWAPI.dll
CRYPT32.dll
ncrypt.dll
ntdll.dll
ADVAPI32.dll
bcrypt.dll
SHELL32.dll
USERENV.dll
WINHTTP.dll
USER32.dll
IPHLPAPI.DLL