This month's pcap is a Trickbot infection in an Active Directory (AD) environment where the infection spreads to the Domain Controller (DC).

Based on the Trickbot infection's HTTP POST traffic, what is the IP address, host name, and user account name for the infected Windows client?

  1. http.request.method == POST → first source = 10.5.28.229

  2. Follow TCP stream 10.5.28.229→203.176.135.102 → sending system info


What is the other user account name and other Windows client host name found in the Trickbot HTTP POST traffic?

  1. Reuse the previous POST filter
    1. Second TCP stream (10.5.28.8→203.176.135.102) → that's the DC, not a client

    2. First TCP stream


What is the infected user's email password?

  1. frame contains "password" → 1 result, follow TCP stream


Two Windows executable files are sent in the network traffic. What are the SHA256 file hashes for these files?

  1. frame contains "DOS mode" → 2 TCP results (162.216.0.163→10.5.28.229), follow TCP stream


  2. Cross-reference with Export HTTP Objects


  3. Download and hash:

    1. 4E76D73F3B303E481036ADA80C2EEBA8DB2F306CBC9323748560843C80B2FED1
    2. 934C84524389ECFB3B1DFCB28F9697A2B52EA0EBCAA510469F0D2D9086BCC79A
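
The three steps above (spot a PE in an HTTP response by its MZ header and "DOS mode" stub string, carve the body the way Export HTTP Objects does, then SHA256 it) can be scripted; the following Python is an added example, not part of the original writeup, and the HTTP response and fake PE bytes in it are constructed rather than taken from the pcap.

```python
import hashlib

# Constructed sample (not bytes from the pcap): a minimal fake PE header followed
# by the DOS stub text that the Wireshark search 'frame contains "DOS mode"' keys on.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"!This program cannot be run in DOS mode.\r\n"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(FAKE_PE)
    + FAKE_PE
)


def split_http_response(raw: bytes):
    """Split a reassembled HTTP response into (headers, body), carving the body
    by Content-Length so trailing bytes from a keep-alive connection are ignored."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("ascii", "replace")
    length = int(headers.get("content-length", len(rest)))
    return headers, rest[:length]


def looks_like_pe(body: bytes) -> bool:
    """Same two signals as the manual search: the MZ magic and the DOS stub text."""
    return body[:2] == b"MZ" and b"DOS mode" in body


def sha256_hex(data: bytes) -> str:
    """Upper-case SHA256 hex digest, the format used in the answer list above."""
    return hashlib.sha256(data).hexdigest().upper()


def extract_and_hash(raw: bytes):
    """Return the SHA256 of the executable carried in an HTTP response, or None
    when the body is not a PE (e.g. an HTML page or a ZIP)."""
    _, body = split_http_response(raw)
    if not looks_like_pe(body):
        return None
    return sha256_hex(body)


if __name__ == "__main__":
    print(extract_and_hash(SAMPLE_RESPONSE))
```

Feed it the raw bytes of each server-to-client side of the two TCP streams found above (Follow TCP Stream → Raw) and compare the digests with the ones from Export HTTP Objects.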

Post-Analysis

Checking with official answers from MTA: