2018-05-24 - QUICK POST: TRICKBOT MALSPAM (INFECTION FROM CLIENT TO DOMAIN CONTROLLER)

ASSOCIATED FILES:

NOTES:



Shown above:  Infection traffic from a single Windows host (for example, a home user) filtered in Wireshark.



Shown above:  Infection traffic from a Windows client (like a work computer) in an AD environment filtered in Wireshark.



Shown above:  You can extract these Trickbot malware samples sent over SMB from the pcap in Wireshark by using File --> Export Objects --> SMB...



Shown above:  The malware binaries sent over SMB (additional file hashes were also found from the HTTP objects).



Shown above:  Malware objects from a folder in the infected user's AppData\Roaming directory.



Shown above:  An additional file, the same size as the downloaded Trickbot binary, but with a different file hash.
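After exporting the SMB objects from the pcap and collecting the binaries from the AppData\Roaming folder, the observation above (two files of identical size but different hashes) is easy to miss when you only eyeball sizes. The following script is an added example, not part of the original post: it fingerprints a set of files by size and SHA-256, then reports any files that share a size but differ in hash. The object names and byte contents in SAMPLE_OBJECTS are constructed; point load_directory() at a real export folder to run it against actual Wireshark output.

```python
import hashlib
import sys
from collections import defaultdict
from pathlib import Path

# Constructed stand-ins for exported SMB objects (names and bytes are made up;
# the two "exe" entries have equal length but different content on purpose).
SAMPLE_OBJECTS = {
    "client_download.exe": b"MZ" + b"\x00" * 30 + b"payload-A",
    "dc_copy.exe": b"MZ" + b"\x00" * 30 + b"payload-B",
    "helper.dll": b"MZ" + b"\x00" * 10,
}


def fingerprint(objects):
    """Map each object name to (size_in_bytes, sha256_hex)."""
    result = {}
    for name, data in objects.items():
        result[name] = (len(data), hashlib.sha256(data).hexdigest())
    return result


def same_size_different_hash(objects):
    """Return groups of files that share a byte size but not a SHA-256.

    Each group is a sorted list of (name, sha256_hex) tuples; only sizes with
    two or more distinct hashes are reported.
    """
    by_size = defaultdict(list)
    for name, (size, digest) in fingerprint(objects).items():
        by_size[size].append((name, digest))
    groups = []
    for size in sorted(by_size):
        entries = by_size[size]
        if len({digest for _, digest in entries}) > 1:
            groups.append(sorted(entries))
    return groups


def load_directory(path):
    """Read every regular file under `path` into a {name: bytes} dict."""
    root = Path(path)
    return {p.name: p.read_bytes() for p in root.iterdir() if p.is_file()}


def report(objects):
    """Print fingerprints and flag size collisions; returns the flagged groups."""
    for name, (size, digest) in sorted(fingerprint(objects).items()):
        print(f"{size:>10}  {digest}  {name}")
    groups = same_size_different_hash(objects)
    for group in groups:
        names = ", ".join(name for name, _ in group)
        print(f"same size, different hash: {names}")
    return groups


if __name__ == "__main__":
    # Usage: python this_script.py [export_directory]
    objects = load_directory(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_OBJECTS
    report(objects)
```

Hashes from this output can be compared against the HTTP objects exported from the same pcap, which is how the post's extra file hashes were found.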



Shown above:  Scheduled task to keep the Trickbot infection persistent.



Shown above:  Windows registry update for the additional malware binary.
