2019-02-20 - QUICK POST: EMOTET TO ICEDID (BOKBOT) TO TRICKBOT

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Zip archive of the infection traffic:  2019-02-20-Emotet-with-IcedID-and-Trickbot.pcap.zip   21.8 MB (21,783,224 bytes)
• Zip archive of the malware/artifacts:  2019-02-20-Emotet-IcedID-Trickbot-malware-and-artifacts.zip   35.3 MB (35,315,540 bytes)

NOTES:

• For more info, see the Crowdstrike blog post "Sin"-ful Spiders: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web

NETWORK PARAMETERS:

• Domain:  pelicanworks[.]info
• LAN segment:  10.2.20[.]0/24 (10.2.20[.]0 through 10.2.20[.]255)
• Domain Controller:  PELICANWORKS-DC at 10.2.20[.]2
• Gateway:  10.2.20[.]1
• Broadcast address:  10.2.20[.]255
• Windows client:  paulette.rhodes on RHODES-WIN-PC at 10.2.20[.]101

 

IMAGES

Shown above:  Flow chart for today's events.

 

Click here to return to the main page.