2018-11-09 - PCAP OF WEEK-LONG TRICKBOT INFECTION
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2018-11-09-one-week-of-a-Trickbot-infection.pcap.zip 239.8 MB (239,826,176 bytes)
- 2018-11-09-malware-and-artifacts-from-week-long-Trickbot-infection.zip 29.5 MB (29,491,429 bytes)
NOTES:
- If anyone is curious about what Trickbot infection traffic looks like over the course of a week, here you go!
- I started the infection on Friday 2018-11-02 at 00:05 UTC and ended it on Friday 2018-11-09 at 3:53 UTC.
- The pcap is slightly larger than 271 MB, which tends to slow down Wireshark, but any recent version of Wireshark should handle it (I've tested it on version 2.2.6).
- This infection was run in an Active Directory environment, and the infection spread from the client at 172.16.9[.]233 to the Domain Controller at 172.16.9[.]5.
Shown above: Some of the traffic filtered in Wireshark from day 1.
Shown above: Trickbot modules noted on the infected Windows client by day 7.