Trickbot 2017-07-21 MalSpam

Sender: vm@unlimitedhorizon.co.uk [SPOOFED EMAIL]
Subject: Voice Message Attached from 01368800610 – name unavailable

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected", all lowercase.

PCAP file of the infection traffic:
2017-07-22-TrickBot-pcap.zip

Shown above: Email with zip file containing a .wsf file

Shown above: Windows script file calling out to atelier-kreft.de to start the infection chain

 

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 62.75.175.174 – atelier-kreft.de GET /sdfgdsg1? – REDIRECT SCRIPT
  • 207.7.94.54 – aprendersalsa.com GET /nhg67r? – TRICKBOT DOWNLOAD
  • 158.69.26.138 – wtfismyip.com GET /text – IP ADDRESS CHECK
  • 95.213.251.135 – Dst Port 443 – TRICKBOT C2
  • 91.206.4.216 – Dst Port 447 – TRICKBOT C2

ADDITIONAL TRICKBOT DOWNLOAD SITES:

  • artegraf.org/nhg67r?
  • asheardontheradiogreens.com/nhg67r?
  • asuntomaailma.com/nhg67r?
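The indicator lists above as a detection check. This is an added example, not code from the original post: it loads the hostnames, URI paths and C2 address/port pairs listed on this page and runs them over constructed proxy/firewall log lines. The log format (one whitespace-separated line per request: timestamp, source IP, destination IP, destination port, method, host, URI) and the internal 10.0.0.x source addresses are assumptions made for the example; the only real values are the indicators taken from the lists above.

```python
"""Match the Trickbot indicators listed above against proxy/firewall log lines.

Added example; the log format and internal addresses are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# HTTP indicators copied from the lists above. Host and URI path are matched
# separately; the trailing "?" in the captured requests is an empty query
# string, so the path is compared with the query stripped.
HTTP_IOCS = {
    ("atelier-kreft.de", "/sdfgdsg1"): "REDIRECT SCRIPT",
    ("aprendersalsa.com", "/nhg67r"): "TRICKBOT DOWNLOAD",
    ("artegraf.org", "/nhg67r"): "TRICKBOT DOWNLOAD",
    ("asheardontheradiogreens.com", "/nhg67r"): "TRICKBOT DOWNLOAD",
    ("asuntomaailma.com", "/nhg67r"): "TRICKBOT DOWNLOAD",
    ("wtfismyip.com", "/text"): "IP ADDRESS CHECK",
}

# C2 indicators copied from the list above: destination address and port.
C2_IOCS = {
    ("95.213.251.135", 443): "TRICKBOT C2",
    ("91.206.4.216", 447): "TRICKBOT C2",
}

# Constructed log format for this example (not a real product's format):
#   ts src_ip dst_ip dst_port method host uri
# Non-HTTP connections carry "-" in the method/host/uri fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<host>\S+)\s+(?P<uri>\S+)$"
)


def classify(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (src_ip, stage, indicator) when the line matches an IoC, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    src, dst, port = m["src"], m["dst"], int(m["port"])
    host, uri = m["host"].lower(), m["uri"]
    path = uri.split("?", 1)[0]
    stage = HTTP_IOCS.get((host, path))
    if stage:
        return src, stage, f"{host}{uri}"
    stage = C2_IOCS.get((dst, port))
    if stage:
        return src, stage, f"{dst}:{port}"
    return None


def scan(lines: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Group matched stages by internal source address, preserving log order."""
    hits: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in lines:
        result = classify(line)
        if result:
            src, stage, indicator = result
            hits[src].append((stage, indicator))
    return dict(hits)


def verdict(stages: List[Tuple[str, str]]) -> str:
    """The IP check alone is a weak signal (wtfismyip.com is a legitimate
    service), so a host is only called infected when a download or C2
    stage is also present."""
    strong = {"TRICKBOT DOWNLOAD", "TRICKBOT C2"}
    seen = {stage for stage, _ in stages}
    if seen & strong:
        return "infected"
    if seen:
        return "suspicious"
    return "clean"


# Constructed sample log: one host walks the chain described above, a second
# host makes an unrelated request.
SAMPLE_LOG = """
2017-07-21T14:02:11Z 10.0.0.15 62.75.175.174 80 GET atelier-kreft.de /sdfgdsg1?
2017-07-21T14:02:13Z 10.0.0.15 207.7.94.54 80 GET aprendersalsa.com /nhg67r?
2017-07-21T14:02:20Z 10.0.0.15 158.69.26.138 80 GET wtfismyip.com /text
2017-07-21T14:02:25Z 10.0.0.15 95.213.251.135 443 - - -
2017-07-21T14:02:30Z 10.0.0.15 91.206.4.216 447 - - -
2017-07-21T14:03:00Z 10.0.0.16 93.184.216.34 80 GET example.com /index.html
""".strip().splitlines()


if __name__ == "__main__":
    for src, stages in scan(SAMPLE_LOG).items():
        print(src, verdict(stages))
        for stage, indicator in stages:
            print("   ", stage, indicator)
```

Matching on host plus path rather than the full URL keeps the check working if the empty query string is logged differently by another product; matching C2 traffic on address and port covers the TLS sessions on 443 and 447 where no host or URI is visible.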

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with Trickbot

Shown above: Redirect script to Trickbot download sites found on atelier-kreft.de

Shown above: Trickbot creates a scheduled task to remain persistent

MALICIOUS PAYLOAD ASSOCIATED WITH MALSPAM: