2018-11-09 - PCAP OF WEEK-LONG TRICKBOT INFECTION

ASSOCIATED FILES:

• 2018-11-02-thru-2018-11-09-one-week-of-a-Trickbot-infection.pcap.zip   240 MB (239,826,917 bytes)

• 2018-11-09-malware-and-artifacts-from-week-long-Trickbot-infection.zip   29.5 MB (29,481,653 bytes)

NOTES:

• If anyone is curious about what Trickbot infection traffic looks like over the course of a week, here you go!
• I started the infection on Friday 2018-11-02 at 00:05 UTC and ended it on Friday 2018-11-09 at 3:53 UTC.
• The pcap is slightly larger than 271 MB, which tends to slow down Wireshark, but any recent version of Wireshark should handle it (I've tested it on version 2.2.6).
• This infection was run in an Active Directory environment, and the infection spread from the client at 172.16.9.233 to the Domain Controller at 172.16.9.5.
• As always, the above zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

Shown above:  Some of the traffic filtered in Wireshark from day 1.

 

Shown above:  Trickbot modules noted on the infected Windows client by day 7.

 

Click here to return to the main page.