2018-09-03 - QUICK POST: TRICKBOT MALSPAM AND INFECTION TRAFFIC

ASSOCIATED FILES:

NOTES:

Shown above:  Start of traffic from the infection filtered in Wireshark.  Saw some Tor traffic, which is sometimes seen with Trickbot post-infection activity.

Shown above:  End of pcap from the infection filtered in Wireshark.  Saw several "500 Internal Server Error" messages when the infected host was trying to exfiltrate password data stolen from the browser cache.
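The pattern in that screenshot, a run of sizeable POSTs to one host that all come back 5xx, is easy to pull out of a Zeek http.log (or a tshark field export) without scrolling the pcap. The script below is an added example written for this post, not code from the original page: the sample log lines, IP addresses (RFC 5737 documentation ranges), port and URI are constructed placeholders, and the Zeek field subset and alert thresholds are assumptions. It reports destinations that repeatedly rejected large POSTs and builds a Wireshark display filter to isolate that exchange.

```python
"""Triage helper: find outbound HTTP POSTs that a server kept rejecting with 5xx.

Added example, not code from the original post. Reads Zeek-style http.log text
(tab-separated; the field subset used here is an assumption) and reports
destinations that answered several sizeable POSTs with 5xx, the shape of the
retries seen when the infected host tried to push stolen browser credentials.
"""
from collections import defaultdict

# Constructed sample log, NOT from the real pcap. IPs are RFC 5737 documentation
# addresses; the port, hostnames and URI are placeholders.
SAMPLE_HTTP_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tstatus_code\trequest_body_len
1535961600.10\t192.0.2.25\t49211\t198.51.100.7\t80\tGET\tupdate.example\t/img/logo.png\t200\t0
1535961601.40\t192.0.2.25\t49213\t198.51.100.9\t8080\tPOST\t198.51.100.9\t/upload/\t500\t13421
1535961602.90\t192.0.2.25\t49214\t198.51.100.9\t8080\tPOST\t198.51.100.9\t/upload/\t500\t13421
1535961604.30\t192.0.2.25\t49215\t198.51.100.9\t8080\tPOST\t198.51.100.9\t/upload/\t500\t13421
1535961605.00\t192.0.2.25\t49216\t198.51.100.20\t80\tPOST\tforms.example\t/contact\t200\t412
1535961606.70\t192.0.2.25\t49217\t198.51.100.9\t8080\tPOST\t198.51.100.9\t/upload/\t500\t13421
"""


def parse_http_log(text):
    """Parse Zeek-style http.log text into a list of dicts keyed by the #fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            continue  # skip malformed rows instead of aborting the triage
        records.append(dict(zip(fields, values)))
    return records


def find_failed_exfil(records, min_failures=3, min_body_len=1024):
    """Return {(resp_h, resp_p): summary} for destinations that answered at least
    `min_failures` POSTs of `min_body_len` bytes or more with a 5xx status.

    Thresholds are assumptions for this example: repeated large POSTs to one
    host that all fail is worth a look, a single failed web form is not.
    """
    per_dest = defaultdict(lambda: {"failed_posts": 0, "bytes_attempted": 0, "uris": set()})
    for r in records:
        if r.get("method") != "POST":
            continue
        try:
            status = int(r["status_code"])
            body_len = int(r["request_body_len"])
        except (KeyError, ValueError):
            continue  # Zeek writes "-" for unknown values; ignore those rows
        if status < 500 or body_len < min_body_len:
            continue
        summary = per_dest[(r["id.resp_h"], r["id.resp_p"])]
        summary["failed_posts"] += 1
        summary["bytes_attempted"] += body_len
        summary["uris"].add(r["uri"])
    return {k: v for k, v in per_dest.items() if v["failed_posts"] >= min_failures}


def wireshark_filter(resp_h, resp_p):
    """Wireshark display filter isolating the failed POST exchange with one host.
    ip.addr, tcp.port, http.request.method and http.response.code are standard
    Wireshark field names."""
    return (f"ip.addr == {resp_h} && tcp.port == {resp_p} && "
            f"(http.request.method == \"POST\" || http.response.code >= 500)")


if __name__ == "__main__":
    hits = find_failed_exfil(parse_http_log(SAMPLE_HTTP_LOG))
    for (host, port), info in hits.items():
        print(f"{host}:{port}  failed POSTs={info['failed_posts']}  "
              f"bytes attempted={info['bytes_attempted']}  uris={sorted(info['uris'])}")
        print("  Wireshark filter:", wireshark_filter(host, port))
```

On the constructed sample this flags 198.51.100.9:8080 (four rejected 13 KB POSTs) and ignores the ordinary form submission, and the emitted filter drops straight into the Wireshark filter bar to show the request bodies behind the 500s. Against a real capture, generate the log with `zeek -r infection.pcap` and feed `http.log` to `parse_http_log`.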

Shown above:  Example of password data stolen from the browser cache.
