2019-03-15 - QUICK POST: CHANGE IN PATTERNS FOR EMOTET POST-INFECTION TRAFFIC
- 2019-03-08-thru-15-Emotet-malspam-8-examples.zip 1.3 MB (1,317,517 bytes)
- 2019-03-08-thru-15-attachments-from-Emotet-malspam.zip 1.2 MB (1,226,749 bytes)
- 2019-03-14-Emotet-with-Trickbot-infection-traffic.pcap.zip 15.8 MB (15,772,047 bytes)
- 2019-03-14-Emotet-and-Trickbot-malware-and-artifacts.zip 12.2 MB (12,235,382 bytes)
- 2019-03-15-1st-run-Emotet-infection-traffic-no-follow-up-malware.pcap.zip 1.8 MB (1,833,232 bytes)
- 2019-03-15-1st-run-Emotet-malware.zip 545 kB (544,614 bytes)
- 2019-03-15-2nd-run-Emotet-infection-traffic-with-Trickbot.pcap.zip 4.6 MB (4,604,520 bytes)
- 2019-03-15-2nd-run-Emotet-and-Trickbot-malware-and-artifacts.zip 4.0 MB (3,998,161 bytes)
- Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
- On 2019-03-14, as early as 21:43 UTC, Emotet started generating new post-infection traffic patterns, with HTTP POST requests instead of GET requests.
- The pcap from 2019-03-14 starts out with the previous post-infection traffic patterns for Emotet, but these patterns change at 21:43 UTC.
Shown above: Example of current Emotet post-infection traffic as seen in Wireshark.
Shown above: TCP stream showing an example of current Emotet post-infection traffic.
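The pcap from 2019-03-14 contains both the old GET-based and the new POST-based Emotet patterns, so a quick way to pin down the cutover is to export the HTTP request lines and look for the first method change per infected host. The following is an added example, not code from this site; it works on a constructed tab-separated sample in the layout that `tshark -T fields` would produce, and the hostnames, addresses and URIs in it are placeholders, not indicators from the pcaps above.

```python
"""Locate the moment an infected host's HTTP post-infection traffic changes
request method, as in the 2019-03-14 Emotet switch from GET to POST."""
from datetime import datetime, timezone
from typing import Iterable, Optional, Tuple

# Constructed sample, NOT taken from the pcaps on this page. Same layout as:
#   tshark -r infection.pcap -Y http.request -T fields -e frame.time_epoch \
#          -e ip.src -e ip.dst -e http.request.method -e http.request.uri
# Addresses are RFC 1918 / TEST-NET-3 placeholders; URIs are made up.
SAMPLE = """\
1552594200\t10.3.14.101\t203.0.113.10\tGET\t/path1/
1552599000\t10.3.14.101\t203.0.113.10\tGET\t/path2/
1552599780\t10.3.14.101\t203.0.113.22\tPOST\t/path3/
1552600500\t10.3.14.101\t203.0.113.22\tPOST\t/path4/
1552600560\t10.3.14.50\t203.0.113.40\tGET\t/index.html
"""

Record = Tuple[float, str, str, str, str]  # epoch, src, dst, method, uri

def parse_tshark_fields(text: str) -> list:
    """Parse tab-separated 'epoch src dst method uri' lines, skipping blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, uri = line.split("\t")
        records.append((float(ts), src, dst, method, uri))
    return records

def method_switch(records: Iterable[Record], host: str) -> Optional[tuple]:
    """Return (old_method, new_method, utc_time, dst) for the first request
    from `host` whose method differs from its previous request, or None if
    the method never changes. Records are processed in time order."""
    prev = None
    for ts, src, dst, method, _uri in sorted(records):
        if src != host:
            continue
        if prev is not None and method != prev:
            return prev, method, datetime.fromtimestamp(ts, tz=timezone.utc), dst
        prev = method
    return None

def methods_by_host(records: Iterable[Record]) -> dict:
    """Count request methods per source host; a host showing both GET and
    POST toward C2-looking destinations is a candidate for the cutover."""
    counts: dict = {}
    for _ts, src, _dst, method, _uri in records:
        counts.setdefault(src, {}).setdefault(method, 0)
        counts[src][method] += 1
    return counts

if __name__ == "__main__":
    recs = parse_tshark_fields(SAMPLE)
    print(methods_by_host(recs))
    sw = method_switch(recs, "10.3.14.101")
    if sw:
        print(f"{sw[0]} -> {sw[1]} at {sw[2]:%Y-%m-%d %H:%M:%S} UTC (to {sw[3]})")
```

On a real export, run `method_switch` for each host reported by `methods_by_host` with more than one method; hosts that never switch return `None`.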