about 1 year ago

In this series of articles, I going to explain how the different malware families implement EternalBlue and how they take advantage of it.

EternalBlue (CVE-2017-0143)

Is an exploit developed by the NSA, leaked by the Shadow Brokers hacker group on April 14, 2017.

Was widely known when was used as part of the wordwide Wannacry ransomware attack on May 12,2017.

This exploit takes advantage of a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol (CVE-2017-0143), sending crafted packets using SMBv1 allows arbitrary code execution into the target system.

Operative systems affected:

  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows 8.1
  • Windows 10
  • Windows Server 2003
  • Windows Server 2008
  • Windows Server 2012
  • Windows Server 2016

Trickbot (Banker)

In this post, I going to analyze Trickbot's wormDll32 module, this module allows Trickbot to spreads using EternalBlue.

Worm module

This module tries to infect all the devices into the same domain of the infected machine using EternalBlue.

As it is usual in the Trickbot modules, the DLL has 4 exports:

  • Control
  • FreeBuffer
  • Release
  • Start

The export that starts the malicious operations is Control.

When the new thread is created, the module enumerates all the servers from the same domain using NetServerEnum.

Then, it obtains the IP of the hosts using gethostbyname and inet_ntoa functions.

With this info, OpenSocket_ThenEternalBlue function is called.

This function performs socket operations in order to establish communication with the targeted machine.

If everything works as expected, the EternalBlue infection starts:

First, the module checks the OS version. If the version contains one of these strings, it will try to infect the device:

  • Windows 7
  • 2008
  • Vista
  • 2003
  • Windows 5

Then, the function creates the required structures to perform the EternalBlue attack and takes advantage of the vulnerability.

The final stage of this process is to inject a shellcode into the targeted system. This module contains two shellcodes, one for 32 bits systems (left) and the other for 64 bits systems (right)

Both shellcodes contain a malicious URL from which the malicious code will be downloaded.


The examples given here come from x86 shellcode.

The shellcode is composed of two parts. The first one is the Ring 0 part that gets ready in order to perform a Ring 3 APC injection into the targeted process to execute the malicious Ring 3 code (if the injection is performed in lsass.exe or services.exe it will be executed with System priviledges)

This is the first part of the trickbot shellcode.

Doing a little research, it have found that the initial part of the shellcode corresponds to this code:

The EternalBlue POC can be found in this GitHub:

Comparing both the trickbot's shellcode and the original shellcode from GitHub, it have been noticed that the original one doesn't perform an APC injection into lsass.exe process as the original shellcode does.

_find_target_process_loop function of the original shellcode from GitHub:

LSASS_EXE_HASH    EQU    0xc1fa6a5a

    lea esi, [edi+ecx]
    call calc_hash
    cmp eax, LSASS_EXE_HASH    ; "lsass.exe"
    jz found_target_process
%ifndef COMPACT

find_target_process_loop function of Trickbot's x86 shellcode:

0xc1fa6a5a (LSSAS) != 0x388CC1E7 (Unknow process)

If the injection is performed into lsass.exe the lsass.exe hash (0xc1fa6a5a) should be find, but instead 0x388CC1E7 have been found.

And the calc_hash functions found in both shellcodes are the same:

; Calculate ASCII string hash. Useful for comparing ASCII string in shellcode.
; Argument: esi = string to hash
; Clobber: esi
; Return: eax = hash
    push edx
    xor eax, eax
    lodsb                   ; Read in the next byte of the ASCII string
    ror edx, 13             ; Rotate right our hash value
    add edx, eax            ; Add the next byte of the string
    test eax, eax           ; Stop when found NULL
    jne _calc_hash_loop
    xchg edx, eax
    pop edx

At this point, the original calc_hash function from the shellcode have been found in order to create a python script with the same functionality. The objective is to obtain the name of the process associated with the unknown hash 0x388CC1E7 that appears in the trickbot's shellcode.

Using the script it has found that the name of the process associated with the hash 0x388CC1E7 is services.exe, meaning that Trickbot's shellcode will inject its malicious code into services.exe process instead of lsass.exe.

$python trickbot_shellcode_hashcalc.py 
0xc1fa6a5a : lsass.exe
0x388cc1e7 : services.exe
0x3ee083d8 : spoolsv.exe
0xb7e02438 : svchost.exe
0x3eb272e6 : explorer.exe
0x7ab2a3f2 : taskmgr.exe
0x3ee083d8 : spoolsv.exe
0xbebc72a3 : winlogon.exe
0xc1fa247a : csrss.exe
0xc1f70bda : smss.exe

Trickbot payload Ring 3 injected into services.exe:

This is the part that Trickbot's developers have created, since the other is a copy from GitHub.

The shellcode will unxor the encoded data to obtain the name of the functions that the shellcode needs to work.

When the process is completed, it can be noticed that the buffer contains the name of the functions and the name of the payload that will be downloaded into the system setup.exe and GET string that is used as a parameter in one of the functions to download the malicious "png".

Then it loads the IAT:

It obtains the malicious URL from the end of the shellcode.

After that, it cut the malicious URL into:


Malicious exe with PNG extension:


In addition, the shellcode downloads the malicious payload into the system:

Finally the shellcode copies the payload (trickbot) from into setup.exe and then executes it using CreateProcessA, infecting the EternalBlue vulnerable system with Trickbot.

Author: @51ddh4r7h4

← Advanced Brazilian Malware Analysis