2018-11-09 - PCAP OF WEEK-LONG TRICKBOT INFECTION
ASSOCIATED FILES:
- 2018-11-02-thru-2018-11-09-one-week-of-a-Trickbot-infection.pcap.zip 240 MB (239,826,917 bytes)
- 2018-11-09-malware-and-artifacts-from-week-long-Trickbot-infection.zip 29.5 MB (29,481,653 bytes)
NOTES:
- If anyone is curious about what Trickbot infection traffic looks like over the course of a week, here you go!
- I started the infection on Friday 2018-11-02 at 00:05 UTC and ended it on Friday 2018-11-09 at 3:53 UTC.
- The pcap is slightly larger than 271 MB, which tends to slow down Wireshark, but any recent version of Wireshark should handle it (I've tested it on version 2.2.6).
- This infection was run in an Active Directory environment, and the infection spread from the client at 172.16.9.233 to the Domain Controller at 172.16.9.5.
- As always, the above zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Shown above: Some of the traffic filtered in Wireshark from day 1.
Shown above: Trickbot modules noted on the infected Windows client by day 7.