2018-04-30 - EXAMPLE OF TRICKBOT MOVING FROM CLIENT TO DOMAIN CONTROLLER
ASSOCIATED FILE:
- 2018-04-30-Trickbot-goes-from-client-to-domain-controller.pcap.zip 21.1 MB (21,066,283 bytes)
NOTES:
- I grabbed an example of an RTF document pushing Trickbot today, based on info from this 2018-04-30 blog post by My Online Security.
- I normally don't test malware in an Active Directory environment, but I happened to run across this behavior from Trickbot last week.
- Don't know if there are any public examples of traffic for this, so I'm documenting it.
- The domain controller was a Windows 2008 R2 server with default security settings and no security updates.
- The client, as usual, was running Windows 7 SP1 without any security updates.
- I've stripped most, but not all, of the traffic unrelated to the infection from today's pcap.
Shown above: Flowchart for this activity.
IMAGES:
Shown above: HTTP and SSL traffic from the infection filtered in Wireshark. Note how 10.4.30.101 (the Windows client) and 10.4.30.5 (the domain controller) are both
generating post-infection traffic for Trickbot.
Shown above: One of the Trickbot malware files pushed from 10.4.30.101 to 10.4.30. over SMB
Shown above: You can extract these Trickbot malware samples from the pcap in Wireshark by using File --> Export Objects --> SMB...
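The pattern in this pcap (an infected client pushes files to an internal host over SMB, and that host then starts the same post-infection C2 traffic) is easy to hunt for in flow logs once you know what it looks like. The script below is an added example and is not part of the original post or the pcap. It works over a simplified, space-separated flow log (ts src dst dport proto service), loosely modeled on Zeek conn.log fields; real conn.log files are tab-separated with many more columns, so adapt the parser before pointing it at real data. The records, timestamps and external addresses are constructed to mirror this write-up: 10.4.30.101 reaches 10.4.30.5 over TCP 445, then both hosts contact the same external servers. The external IPs are documentation-range stand-ins and the ports are made up, not real Trickbot infrastructure.

```python
"""Flag internal hosts that received SMB from a known-infected host and then
began contacting the same external destinations as that infected host.

Added example, not code from the original post. Flow records, timestamps,
external IPs and ports below are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed records: ts src dst dport proto service
# 203.0.113.10 and 198.51.100.7 stand in for external C2 servers.
SAMPLE_CONN_LOG = """\
1525100000.0 10.4.30.101 203.0.113.10 443 tcp ssl
1525100005.0 10.4.30.101 10.4.30.5 445 tcp smb
1525100006.0 10.4.30.101 10.4.30.5 445 tcp smb
1525100040.0 10.4.30.5 203.0.113.10 443 tcp ssl
1525100050.0 10.4.30.5 198.51.100.7 8082 tcp http
1525100060.0 10.4.30.101 198.51.100.7 8082 tcp http
1525100070.0 10.4.30.20 10.4.30.5 445 tcp smb
1525100080.0 10.4.30.20 10.4.30.5 88 tcp krb_tcp
"""

# Only RFC 1918 space counts as "internal" here. Python's is_private would
# also treat the documentation ranges used above as private, so spell it out.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


def is_internal(ip):
    """True if ip falls inside one of the RFC 1918 ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_conn(text):
    """Parse the simplified flow log into a list of dicts, skipping comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, service = line.split()
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "dport": int(dport), "proto": proto,
                        "service": service})
    return records


def find_smb_pivots(records, known_infected, window=3600):
    """Return {victim: [shared external dest, ...]} for internal hosts that
    (1) received an SMB session from a known-infected host and
    (2) within `window` seconds afterwards contacted an external ip:port
        that the infected host also contacts.
    Ordinary SMB to a file server or DC is not flagged on its own; the
    shared external destination is what ties the two hosts together."""
    records = sorted(records, key=lambda r: r["ts"])

    # External destinations per internal source, with the time of contact.
    external = defaultdict(list)
    for r in records:
        if is_internal(r["src"]) and not is_internal(r["dst"]):
            external[r["src"]].append((r["ts"], f"{r['dst']}:{r['dport']}"))

    # First SMB session from any infected host to each internal peer.
    first_smb = {}
    for r in records:
        if (r["src"] in known_infected and r["dport"] == 445
                and is_internal(r["dst"]) and r["dst"] not in known_infected):
            first_smb.setdefault(r["dst"], r["ts"])

    infected_dests = set()
    for host in known_infected:
        infected_dests.update(dest for _, dest in external[host])

    pivots = {}
    for victim, t0 in first_smb.items():
        shared = sorted({dest for ts, dest in external[victim]
                         if t0 <= ts <= t0 + window and dest in infected_dests})
        if shared:
            pivots[victim] = shared
    return pivots


if __name__ == "__main__":
    hits = find_smb_pivots(parse_conn(SAMPLE_CONN_LOG), {"10.4.30.101"})
    for victim, dests in hits.items():
        print(f"{victim}: SMB from infected host, then shared C2 {dests}")
```

Run against the constructed log, the only hit is 10.4.30.5, because 10.4.30.20's SMB session to the domain controller does not come from an infected host and 10.4.30.20 has no external traffic of its own. The time window matters: in the sample the DC contacts one of the external hosts before the infected client does, so the check is on the shared destination set, not on who talked first.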
Shown above: Artifacts seen on the infected Windows client at 10.4.30.101.
FINAL NOTES:
Once again, here is the associated file:
- 2018-04-30-Trickbot-goes-from-client-to-domain-controller.pcap.zip 21.1 MB (21,066,283 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.