Malware Traffic Analysis Exercise - DYNACCOUNTIC

This challenge is from MALWARE-TRAFFIC-ANALYSIS.NET. Download the PCAP ZIP yourself here. Check their about page for the password.


Someone at Dynaccountic has infected their Windows computer. Your manager has tasked you to write an incident report.

Here’s a brief outline of associated network traffic:

  • LAN segment: ( through
  • Broadcast address:
  • Domain controller: (DYNACCOUNTIC-DC)
  • Domain:


The incident report should include:

  • Date/Time of the infection
  • Who was infected (IP address, host name, MAC address, and user account name)
  • What malware is involved
  • The likely source of this infection
  • Indicators associated with this infection (IP addresses, domains, URLs, and file hashes, if any)

Incident Report


On 2018-04-11 at 20:14:26 UTC, a Windows computer used by winford.batiste was infected with Trickbot malware. This infection probably originated from a malicious spam email. The infected computer was sent to our help desk to be wiped and re-imaged. The user changed all of his associated passwords.


  • Infected user’s IP address:
  • Infected user’s MAC address: 00:30:67:f1:2d:63
  • Infected user’s host name: BATISTE-PC
  • Infected user’s account name: winford.batiste


  • - - GET /ser0410.bin - Trickbot binary download
  • - - GET /raw - check IP
  • - SSL/TLS traffic
  • - SSL/TLS traffic
  • Malware File
    • Name: ser0410.bin
    • SHA256 Hash: c2c1e2c22f67dda6553cbcc173694b68677b77319243684925e8dc3f78b3dbf8
    • File size: 364,544 bytes
    • File description: Trickbot binary, from


I used Wireshark to examine the PCAP file. There are a lot of TCP connections between and Following the stream, there is a suspicious HTTP GET request for a binary file located here: I also noticed a suspicious call to I went to File->Export Objects->HTTP to download the bin.

Packet  Hostname  Content Type              Size       Filename
420               text/plain                14 bytes   ncsi.txt
1035              application/octet-stream  364 kB     ser0410.bin
1053              text/plain                16 bytes   raw

I saved the file, checked its type, and grabbed its SHA256 hash to run through VirusTotal.

root@kali:~# file ser0410.bin
ser0410.bin: PE32 executable (GUI) Intel 80386, for MS Windows
root@kali:~# shasum -a 256 ser0410.bin
c2c1e2c22f67dda6553cbcc173694b68677b77319243684925e8dc3f78b3dbf8  ser0410.bin

Comments on VirusTotal for this hash say that this is Trickbot malware, likely delivered by an invoice scam email.
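As an added example (not part of the original write-up), the same triage the `file` and `shasum` commands perform above, done in Python on the exported object: walk the DOS header to the PE signature, read the COFF and optional headers to produce the "PE32 executable (GUI) Intel 80386" verdict, then hash the bytes for a VirusTotal lookup. The `build_sample_pe` helper constructs a minimal PE header purely for offline testing; it is not ser0410.bin, so its hash is not the one reported above.

```python
import hashlib
import struct

# Values from the PE/COFF spec; only the ones needed for a `file`-style summary.
MACHINES = {0x014C: "Intel 80386", 0x8664: "x86-64"}
SUBSYSTEMS = {2: "GUI", 3: "console"}
PE_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def describe_pe(data: bytes):
    """Parse DOS header -> PE signature -> COFF header -> optional header.
    Returns a dict of facts, or None if the bytes are not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4  # 20-byte COFF file header follows the signature
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 70 or len(data) < opt + opt_size:
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in PE32 and PE32+
    kind = PE_MAGIC.get(magic, f"unknown-magic-{magic:#x}")
    summary = (f"{kind} executable ({SUBSYSTEMS.get(subsystem, subsystem)}) "
               f"{MACHINES.get(machine, hex(machine))}, for MS Windows")
    return {"kind": kind, "machine": machine, "subsystem": subsystem,
            "sections": nsections, "characteristics": chars, "summary": summary}


def triage(data: bytes) -> dict:
    """What the write-up did by hand: identify the type, then hash it for VirusTotal."""
    info = describe_pe(data) or {"summary": "not a PE image"}
    info["size"] = len(data)
    info["sha256"] = hashlib.sha256(data).hexdigest()
    return info


def build_sample_pe(machine=0x014C, magic=0x10B, subsystem=2) -> bytes:
    """Constructed minimal PE header for offline testing (not the real sample)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature at offset 0x40
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(triage(build_sample_pe())["summary"])
```

To use it on the exported object, call `triage(open("ser0410.bin", "rb").read())`; the `summary` matches the `file` output above and `sha256` is the value to submit to VirusTotal.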

I filtered by http.request or ssl.handshake.type==1 and confirmed that after the binary is downloaded, the computer’s IP is checked with a GET request to And after the external IP determination, communicated over TLSv1 to and on ports 449 and 447, respectively.

I checked the NetBIOS Name Service (NBNS) protocol by filtering with nbns and found BATISTE-PC to be at, with MAC address 00:30:67:f1:2d:63. To find the user account name, I looked at this Wireshark Guide, which told me to filter on kerberos.CNameString.

I ended up filtering on ip.addr == and kerberos.CNameString, then selected the CNameString field in the packet details and chose Apply as Column. Along with BATISTE-PC$ and batiste-pc$ (the computer account), I found our user winford.batiste.