This month's pcap is a Trickbot infection in an Active Directory (AD) environment where the infection spreads to the Domain Controller (DC).
Based on the Trickbot infection's HTTP POST traffic, what is the IP address, host name, and user account name for the infected Windows client?
- http.request.method == POST → first source = 10.5.28.229
- Follow TCP stream 10.5.28.229→203.176.135.102 → sending system info
What is the other user account name and other Windows client host name found in the Trickbot HTTP POST traffic?
- Previous search
- Second TCP stream (10.5.28.8→203.176.135.102) → it's the DC, nope
- First TCP stream
What is the infected user's email password?
- frame contains password → 1 result, follow TCP stream
Two Windows executable files are sent in the network traffic. What are the SHA256 file hashes for these files?
- frame contains "DOS mode" → 2 TCP results (162.216.0.163→10.5.28.229), follow TCP stream
- Cross-reference with Export HTTP Objects
- Download and hash:
  - 4E76D73F3B303E481036ADA80C2EEBA8DB2F306CBC9323748560843C80B2FED1
  - 934C84524389ECFB3B1DFCB28F9697A2B52EA0EBCAA510469F0D2D9086BCC79A
Post-Analysis
Checking with official answers from MTA:
- When Trickbot successfully infects a Windows host, it sends an HTTP POST request with the system data, usually over TCP port 8082. The URL ends with /90, so use the following Wireshark filter to find that URL and follow the TCP stream:
http.request.uri contains "/90"
- HTTP POST requests that end in "/81" are where we find password data exfiltrated from an infected Windows host. Use the following Wireshark filters to find email passwords:
http.request.uri contains "/81" and ip contains mail
http.request.uri contains "/81" and ip contains smtp
- They suggest searching for "This program" rather than "DOS mode" to find the executables
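As an added example (not part of the original write-up or of MTA's answers), the filters above expressed as code: classifying POSTs by the /90 and /81 URI endings, pulling the mail/smtp lines out of an exfil body, and hashing a download only when it carries the PE DOS stub. The IPs, campaign path and host name in the sample records are constructed, not from the pcap.

```python
"""Triage helpers for the Trickbot HTTP POST / PE-download patterns in this write-up.
Assumes requests are already reassembled (Wireshark "Follow TCP stream" / Export HTTP
Objects). Sample records below are constructed for the example, not from the pcap."""
import hashlib
import re
from collections import defaultdict

# URI final path segment -> Trickbot stage, per the official answers
URI_TAGS = {"90": "system-info", "81": "exfil-passwords"}
# DOS stub string present in every PE file; more robust than matching "DOS mode"
PE_MARKER = b"This program cannot be run in DOS mode"

def classify_post(method, uri):
    """Return the Trickbot stage for a request, or None if it does not match."""
    if method != "POST":
        return None
    segs = [s for s in uri.split("?")[0].split("/") if s]
    return URI_TAGS.get(segs[-1]) if segs else None

def triage_streams(streams):
    """Group matching POSTs by source IP: {src: {stage: ["dst:port", ...]}}."""
    hits = defaultdict(lambda: defaultdict(list))
    for s in streams:
        stage = classify_post(s["method"], s["uri"])
        if stage:
            hits[s["src"]][stage].append(f'{s["dst"]}:{s["dport"]}')
    return {src: dict(stages) for src, stages in hits.items()}

def extract_mail_lines(body):
    """Lines of a /81 body that the 'ip contains mail' / 'ip contains smtp' filters hit."""
    return [ln for ln in body.splitlines() if re.search(r"mail|smtp", ln, re.I)]

def pe_sha256(payload):
    """SHA256 of a transferred file if it looks like a PE (MZ header + DOS stub), else None."""
    if payload[:2] == b"MZ" and PE_MARKER in payload:
        return hashlib.sha256(payload).hexdigest()
    return None

STREAMS = [  # constructed: documentation-range IPs, hypothetical host/campaign names
    {"src": "10.0.0.5", "dst": "198.51.100.7", "dport": 8082, "method": "POST",
     "uri": "/camp1/WIN7-PC_W617601.ABCDEF/90", "body": "<system info>"},
    {"src": "10.0.0.5", "dst": "198.51.100.7", "dport": 8082, "method": "POST",
     "uri": "/camp1/WIN7-PC_W617601.ABCDEF/81/",
     "body": "Source: Windows Mail\nUser: j.doe\nPass: Hunter2\nServer: smtp.example.test"},
    {"src": "10.0.0.9", "dst": "198.51.100.8", "dport": 80, "method": "GET",
     "uri": "/update.png", "body": ""},
]
# constructed stand-in for a downloaded executable (not a real PE)
SAMPLE_PE = b"MZ" + b"\x90" * 62 + PE_MARKER + b".\r\n$" + b"\x00" * 16
```

Only the 10.0.0.5 client shows up in the triage output; the GET for an image from 10.0.0.9 is ignored, which mirrors why the DC's stream was ruled out in the notes above.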