2018-05-24 - QUICK POST: TRICKBOT MALSPAM (INFECTION FROM CLIENT TO DOMAIN CONTROLLER)

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2018-05-24-Trickbot-malspam-1140-UTC.eml.zip   67 kB (67,214 bytes)
• 2018-05-24-Trickbot-infection-on-single-host.pcap.zip   5.4 MB (5,425,948 bytes)
• 2018-05-24-Trickbot-infection-in-AD-environment.pcap.zip   18.9 MB (18,852,733 bytes)
• 2018-05-24-malware-and-artifacts-from-Trickbot-infection.zip   956 kB (955,622 bytes)

NOTES:

• I did 2 runs for this infection traffic: One for a single Windows host, and one for a Windows client in an Active Directory environment logged in to a domain controller.
• Like I posted last month on 2018-04-30, today's infection went from the Windows client to the domain controller over SMB.
• Unlike last time, there's additional HTTP traffic over port 8082 with information from the infected Windows hosts (something I don't remember seeing before).

 

Shown above:  Infection traffic from a single Windows host (for example, a home user) filtered in Wireshark.

 

Shown above:  Infection traffic from a Windows client (like a work computer) in an AD environment filtered in Wireshark.

 

Shown above:  You can extract these Trickbot malware samples sent over SMB from the pcap in Wireshark by using File --> Export Objects --> SMB...

 

Shown above:  The malware binaries ent over SMB (additional file hashes were also found from the HTTP objects).

 

Shown above:  Malware objects from a folder in the infected user's AppData\Roaming directory.

 

Shown above:  An additional file, the same size as the downloaded Trickbot binary, but with a different file hash.

 

Shown above:  Scheduled task to keep the Trickbot infection persistent.

 

Shown above:  Windows registry update for the additional malware binary.

 

Click here to return to the main page.