When a host is infected or otherwise compromised, security professionals with access to packet captures (pcaps) of the network traffic need to understand the activity and identify the type of infection. This tutorial offers tips on how to identify Trickbot, an information stealer and banking malware that has been infecting victims since 2016.

Trickbot is distributed through malicious spam (malspam), and it is also distributed by other malware such as Emotet, IcedID, or Ursnif. This tutorial reviews pcaps of Trickbot infections caused by two different methods: a Trickbot infection from malspam, and Trickbot when it is distributed through other malware.

Note: Today's tutorial requires Wireshark with a column display customized according to this previous tutorial. You should already have implemented Wireshark display filters as described here.

Trickbot is often distributed through malspam. Emails from these campaigns contain links to download malicious files disguised as invoices or documents. These files may be Windows executable files for Trickbot, or they may be some sort of downloader for the Trickbot executable. In some cases, links from these emails return a zip archive that contains a Trickbot executable or downloader.

Figure 1 shows an example from September 2019. In this example, the email contained a link that returned a zip archive. The zip archive contained a Windows shortcut file that downloaded a Trickbot executable.

Figure 1: Flowchart from a Trickbot infection from malspam in September 2019.

A pcap for the associated Trickbot infection is available here. Download the pcap from this page. The pcap is contained in a password-protected zip archive named. Extract the pcap from the zip archive using the password infected and open it in Wireshark. Use your basic filter to review the web-based infection traffic as shown in Figure 2.

Figure 2: Pcap of the Trickbot infection viewed in Wireshark.

Review the traffic, and you will find the following activity common in recent Trickbot infections:

- An IP address check by the infected Windows host.
- HTTPS/SSL/TLS traffic over TCP ports 447 and 449.

Unique to this Trickbot infection is an HTTP request to that returned a zip archive and an HTTP request to 15 that returned a Windows executable file. Follow the HTTP stream for the request to as shown in Figure 3 to review the traffic.

Figure 3: Following the HTTP stream for the request to

In the HTTP stream, you will find indicators that a zip archive was returned, as shown in Figure 4.

Figure 4: Indicators the HTTP request returned a zip archive.

In Figure 4, you can also see the name of the file contained in the zip archive, InvoiceAndStatement.lnk.
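The indicators visible when following the HTTP stream (the Content-Type header, the zip archive's local file header, and the name of the file it contains, InvoiceAndStatement.lnk in Figure 4) can be checked programmatically on exported stream bytes. The following is an added example, not code from the original tutorial; it builds a constructed sample response in memory (dummy .lnk content, not a real shortcut) and parses the raw bytes the way an analyst reads them in Wireshark.

```python
import io
import re
import struct
import zipfile

# Magic bytes an analyst looks for at the start of an HTTP response body
# when following the stream in Wireshark: zip local file header and PE stub.
ZIP_LOCAL_HEADER = b"PK\x03\x04"
PE_MAGIC = b"MZ"


def classify_http_body(raw_response: bytes) -> dict:
    """Split a raw HTTP response into headers and body and identify what was returned.

    Returns the Content-Type header, the detected kind ('zip', 'exe' or 'other')
    and, for zip archives, the file name stored in the first local file header
    (the name that is visible in plain text in the stream, as in Figure 4).
    """
    head, sep, body = raw_response.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("not a complete HTTP response: header terminator missing")
    m = re.search(rb"(?im)^content-type:\s*([^\r\n]+)", head)
    content_type = m.group(1).decode("ascii", "replace").strip() if m else None
    result = {"content_type": content_type, "kind": "other", "inner_name": None}
    if body.startswith(ZIP_LOCAL_HEADER):
        # Local file header is 30 fixed bytes; name length sits at offset 26,
        # extra-field length at offset 28, and the file name follows at offset 30.
        name_len, _extra_len = struct.unpack_from("<HH", body, 26)
        result["kind"] = "zip"
        result["inner_name"] = body[30:30 + name_len].decode("cp437", "replace")
    elif body.startswith(PE_MAGIC):
        result["kind"] = "exe"
    return result


def build_sample_response() -> bytes:
    """Constructed sample: an HTTP 200 carrying a zip that holds a .lnk entry.
    The archive is built in memory; the entry content is placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("InvoiceAndStatement.lnk", b"constructed placeholder content")
    body = buf.getvalue()
    headers = (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/zip\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n"
    )
    return headers + body


if __name__ == "__main__":
    print(classify_http_body(build_sample_response()))
```

In Wireshark, the same bytes are obtained with Follow > TCP Stream on the request and saving the server side of the conversation as raw data.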