2018-06-29 - MORE TRICKBOT MOVING FROM CLIENT (GTAG: SER0629) TO DC (GTAG: LIB257)

ASSOCIATED FILES:

NOTES:

TRAFFIC

MALWARE

IMAGES

Shown above:  Traffic from the infection filtered in Wireshark.

Shown above:  TCP stream showing data on the infected host sent via HTTP to 188.124.167.132 over TCP port 8082 (part 1 of 3).

Shown above:  TCP stream showing data on the infected host sent via HTTP to 188.124.167.132 over TCP port 8082 (part 2 of 3).

Shown above:  TCP stream showing data on the infected host sent via HTTP to 188.124.167.132 over TCP port 8082 (part 3 of 3).

Shown above:  More data exfiltration via HTTP to 188.124.167.132 over TCP port 8082.

Shown above:  More data exfiltration via HTTP to 188.124.167.132 over TCP port 8082.

Shown above:  More data exfiltration via HTTP to 188.124.167.132 over TCP port 8082.

Shown above:  More data exfiltration via HTTP to 188.124.167.132 over TCP port 8082.

Shown above:  Malware sent from the infected client to the Domain Controller over SMB.

Shown above:  Malware on the infected Domain Controller (part 1 of 2).

Shown above:  Malware on the infected Domain Controller (part 2 of 2).

Shown above:  Scheduled task on the Domain Controller to keep this infection persistent.

Shown above:  Exporting malware in HTTP traffic from the pcap.

Shown above:  Exporting malware in SMB traffic from the pcap.
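
The captions above describe two behaviours worth turning into triage checks: repeated HTTP POSTs from the client to 188.124.167.132 on the non-standard port 8082, and an executable pushed from that client to the Domain Controller over SMB. The script below is an added defender-side example, not code from this site or from the analysis of this pcap. The IP 188.124.167.132 and port 8082 come from the captions; everything else (the simplified tab-separated record layout, the client address 10.6.29.101, the DC address 10.6.29.4, the file names and byte counts) is constructed for the example and is not Zeek's real column layout or data from the pcap.

```python
"""Flag HTTP exfiltration to a non-standard port and SMB executable writes to a DC.

Added example for the 2018-06-29 Trickbot write-up; the record format and all
sample values other than 188.124.167.132:8082 are constructed, not from the pcap.
"""
import ipaddress

# Constructed, simplified records (NOT Zeek's real http.log/smb_files.log layout).
# Columns: ts  src_ip  src_port  dst_ip  dst_port  proto  detail
#   http detail -> METHOD|request_body_len
#   smb  detail -> ACTION|unc_path
SAMPLE_LOG = """\
1530280000.1\t10.6.29.101\t49215\t188.124.167.132\t8082\thttp\tPOST|48211
1530280001.7\t10.6.29.101\t49216\t188.124.167.132\t8082\thttp\tPOST|9107
1530280003.2\t10.6.29.101\t49217\t203.0.113.5\t80\thttp\tGET|0
1530280004.4\t10.6.29.101\t49218\t203.0.113.5\t443\thttp\tPOST|512
1530280005.0\t10.6.29.101\t49220\t10.6.29.4\t445\tsmb\tWRITE|\\\\DC\\ADMIN$\\example.exe
1530280006.3\t10.6.29.101\t49221\t10.6.29.4\t445\tsmb\tWRITE|\\\\DC\\ADMIN$\\readme.txt
1530280007.9\t10.6.29.101\t49222\t10.6.29.4\t445\tsmb\tREAD|\\\\DC\\NETLOGON\\logon.bat
"""

# Ports where HTTP is expected; anything else carrying a large POST is suspicious.
STANDARD_HTTP_PORTS = {80, 443, 8080, 8443}
# Membership test uses explicit RFC 1918 ranges rather than ipaddress.is_global,
# whose treatment of documentation ranges differs between Python versions.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXECUTABLE_SUFFIXES = (".exe", ".dll")


def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_records(text):
    """Parse the constructed tab-separated layout into dicts; skips blanks and # comments."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, detail = line.split("\t")
        records.append({"ts": float(ts), "src": src, "sport": int(sport),
                        "dst": dst, "dport": int(dport), "proto": proto,
                        "detail": detail})
    return records


def find_http_exfil(records, min_body=1024):
    """POSTs with a sizeable body to an external host on a port where HTTP is not expected."""
    hits = []
    for r in records:
        if r["proto"] != "http":
            continue
        method, body_len = r["detail"].split("|", 1)
        if (method == "POST" and int(body_len) >= min_body
                and r["dport"] not in STANDARD_HTTP_PORTS and not is_internal(r["dst"])):
            hits.append((r["src"], r["dst"], r["dport"], int(body_len)))
    return hits


def exfil_totals(hits):
    """Sum POST body bytes per (destination, port) so multi-part uploads are seen as one volume."""
    totals = {}
    for _src, dst, dport, body_len in hits:
        totals[(dst, dport)] = totals.get((dst, dport), 0) + body_len
    return totals


def find_smb_exe_writes(records, dc_hosts):
    """SMB WRITE actions that place an executable on a domain controller."""
    hits = []
    for r in records:
        if r["proto"] != "smb" or r["dst"] not in dc_hosts:
            continue
        action, path = r["detail"].split("|", 1)
        if action == "WRITE" and path.lower().endswith(EXECUTABLE_SUFFIXES):
            hits.append((r["src"], r["dst"], path))
    return hits


def correlated_hosts(records, dc_hosts):
    """Hosts that both exfiltrate over HTTP and push executables to a DC (the chain in the captions)."""
    exfil_srcs = {h[0] for h in find_http_exfil(records)}
    smb_srcs = {h[0] for h in find_smb_exe_writes(records, dc_hosts)}
    return sorted(exfil_srcs & smb_srcs)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    dcs = {"10.6.29.4"}  # constructed DC address
    for hit in find_http_exfil(recs):
        print("HTTP exfil candidate:", hit)
    print("Bytes per destination:", exfil_totals(find_http_exfil(recs)))
    for hit in find_smb_exe_writes(recs, dcs):
        print("SMB executable write to DC:", hit)
    print("Hosts showing both behaviours:", correlated_hosts(recs, dcs))
```

The two checks are deliberately independent so either can run on its own log source; `correlated_hosts` joins them on the client address, which is the link between the first group of captions (exfiltration to port 8082) and the SMB transfer to the Domain Controller that follows.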
FINAL WORDS

Once again, here are the associated files:

All zip archives on this site are password-protected with a standard password.  If you don't know it, see the "about" page of this website.
