2015-01-07 - RECENT DRIDEX PHISHING CAMPAIGN

ASSOCIATED FILES:

NOTES:

PHISHING EMAILS SEEN

TUESDAY 2015-01-06:

  • MD5 hash:  2e8dc58a36806e13cd61e4a25f38c9ee
  • Callback:  194.146.109.202:80 - phaluzan.net.amis.hr - GET /js/bin.exe
  • MD5 hash:  e7d6aa728aa28487400cb2ae82051531
  • Callback:  72.214.217.229:80 - media.mystudio.net - GET /js/bin.exe

  • MD5 hash:  ce596594218922c9d7429e7de11de3dd
  • Callback:  213.9.95.58:8080 - no host name - GET /mans/pops.php
  • MD5 hash:  67fd8aac791e49bc90e851fa994bd525
  • Callback:  194.28.139.100:8080 - no host name - GET /mans/pops.php
  • MD5 hash:  55d6c57bdad8a1e4210c1ff89cd88f78
  • Callback:  213.174.162.126:8080 - no host name - GET /mans/pops.php
  • MD5 hash:  661e6777cc51c335835a16bb2b79f42c
  • Callback:  206.72.192.15:8080 - no host name - GET /mans/pops.php

  • MD5 hash:  4f8564d80c1ad702ea9ea408c8d222d8
  • Callback:  206.72.192.15:8080 - no host name - GET /mans/pops.php
  • MD5 hash:  ab6335a9f9d616f9bc767e553299898d
  • Callback:  194.28.139.100:8080 - no host name - GET /mans/pops.php
  • MD5 hash:  c12819787eb0d5949a507b50ab1d18cb
  • Callback:  213.9.95.58:8080 - no host name - GET /mans/pops.php

WEDNESDAY 2015-01-07:

  • MD5 hash:  a5a79e75d3bb52de745ed45a6be86cbe
  • Callback:  194.146.109.202:80 - cerovski1.net.amis.hr - GET /js/bin.exe

  • MD5 hash:  3a63ebdf4a0b34e38c7c1d54a6bb952e
  • Callback:  193.136.19.160:8080 - no host name - GET /mans/pops.php
  • MD5 hash:  cad6c0834c7519bcafcf6ba20eadb89a
  • Callback:  87.106.165.232:8080 - no host name - GET /mans/pops.php

  • MD5 hash:  ffdb737b8f1e0df7c46a62a812251992
  • Callback:  193.136.19.160:8080 - no host name - GET /mans/pops.php

TRAFFIC AND ALERTS - 2015-01-06 EXAMPLE

TRAFFIC:

TCP CONNECTIONS ATTEMPTED, BUT RESET BY SERVER:

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.7.0 on Debian 7 (not including preprocessor events):

TRAFFIC AND ALERTS - 2015-01-07 EXAMPLE

TRAFFIC:

TCP CONNECTIONS ATTEMPTED, BUT RESET BY SERVER:

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.7.0 on Debian 7 (not including preprocessor events):

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
