2018-04-30 - EXAMPLE OF TRICKBOT MOVING FROM CLIENT TO DOMAIN CONTROLLER

ASSOCIATED FILE:

NOTES:


Shown above: Flowchart for this activity.


IMAGES:


Shown above: HTTP and SSL traffic from the infection filtered in Wireshark. Note how 10.4.30.101 (the Windows client) and 10.4.30.5 (the domain controller) are both generating post-infection traffic for Trickbot.



Shown above: One of the Trickbot malware files pushed from 10.4.30.101 to 10.4.30. over SMB.



Shown above: You can extract these Trickbot malware samples from the pcap in Wireshark by using File --> Export Objects --> SMB...



Shown above: Artifacts seen on the infected Windows client at 10.4.30.101.


FINAL NOTES:

Once again, here is the associated file:

Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
