2017-03-30 - DRIDEX INFECTION
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-03-30-Dridex-activity-2-pcaps.zip 1.1 MB (1,051,018 bytes)
- 2017-03-30-confirmation-letter-Dridex-infection.pcap (1,022,706 bytes)
- 2017-03-30-travel-booking-Dridex-infection.pcap (188,871 bytes)
- 2017-03-30-Dridex-malspam-tracking-spreadsheets.zip 3.8 kB (3,787 bytes)
- 2017-03-30-Dridex-confirmation-letter-malspam-tracker.csv (10,679 bytes)
- 2017-03-30-Dridex-travel-booking-malspam-tracker.csv (3,321 bytes)
- 2017-03-30-Dridex-travel-booking-emails-and-malware.zip 175.3 kB (175,348 bytes)
- 2017-03-30-Dridex-confirmation-letter-emails-and-malware.zip 5.5 MB (5,454,043 bytes)
NOTES:
- After a 6-month hiatus, Dridex malspam came back in January 2017 (link), but I hadn't personally run across any Dridex until Thursday 2017-03-30.
EMAILS
Shown above: Screen shot from the spreadsheet tracker for the first wave.
Shown above: Screen shot from the spreadsheet tracker for the second wave.
FIRST WAVE:
- Date/Time: Thursday 2017-03-30 from 09:24 thru 10:29 UTC
- From: "Low Cost Travel Group" <customerservices@[various domains]>
- Subject: Your Booking [6 to 8 digits]
- Attachment name: Direct-Documentation [6 to 8 digits]-1.zip
- Extracted file name (in all cases): Direct-Documentation 1530219.vbs
SECOND WAVE:
- Date/Time: Thursday 2017-03-30 from 11:12 thru at least 14:10 UTC (when I stopped collecting samples)
- From: info@[various domains]
- Subject: uk_confirmation_ph[9 digits].pdf
- Attachment name: uk_confirmation_ph[9 digits].zip
- Extracted file name (in all cases): uk_confirmation_ph954869378.exe
TRAFFIC
Shown above: Infection traffic from the first wave filtered in Wireshark.
Shown above: SSL certificate info associated with Dridex.
HTTP REQUESTS TO DOWNLOAD THE DRIDEX BINARY FROM FIRST WAVE'S VBS FILES:
- 162.210.101[.]93 port 80 - kapil.50webs[.]com - GET /76gbce?
- 93.184.165[.]10 port 80 - mkcslava[.]ru - GET /76gbce?
- 208.113.152[.]209 port 80 - newohioreview[.]com - GET /76gbce?
- 159.253.37[.]153 port 80 - omurongen[.]com - GET /76gbce?
- 47.90.77[.]250 port 80 - pk10kaijiang[.]com - GET /76gbce?
- 208.109.181[.]224 port 80 - roylgrafix[.]com - GET /76gbce?
- 192.107.41[.]200 port 80 - signwaves[.]net - GET /76gbce?
- 162.210.102[.]98 port 80 - testsite.prosun[.]com - GET /76gbce?
- 158.69.245[.]78 port 80 - trumppsdetroit[.]com - GET /76gbce?
- 95.131.50[.]14 port 80 - ww.visual[.]hu - GET /76gbce?
- 115.29.10[.]230 port 80 - www.yuechiwang[.]com - GET /76gbce?
- NOTE: The binaries are encrypted when sent over the network and decrypted on the local host.
POST-INFECTION HTTPS/SSL/TLS TRAFFIC - DRIDEX FROM FIRST WAVE:
- 8.8.247[.]36 port 443
- 37.120.172[.]171 port 4143
- 81.12.229[.]190 port 8043
- 107.170.0[.]14 port 8043
ADDITIONAL CONNECTIONS OR ATTEMPTED CONNECTIONS - DRIDEX FROM SECOND WAVE:
- 23.95.23[.]219 port 443
- 66.214.155[.]189 port 443
- 86.3.169[.]110 port 443
- 86.4.149[.]217 port 443
- 88.177.240[.]182 port 443
- 90.219.218[.]80 port 443
- 95.145.161[.]76 port 443
- 101.165.141[.]2 port 443
- 109.170.219[.]19 port 443
- 110.143.61[.]115 port 443
- 117.120.7[.]82 port 443
- 134.170.165[.]249 port 443
- 174.104.208[.]57 port 443
- 175.32.140[.]13 port 443
- 179.108.87[.]11 port 443
- 213.214.50[.]60 port 443
SHA256 HASHES
VBS FILES:
- 34884ec18d6bbc8262812ee5ecc8803b771fcd4c554d76bee9254278effe0b48
- 84c9028a1d25e5f171c170179f2f1ea3e1eab9514812ab9e4b617de822b46e69
- d21c83b527627d0a64beb28a5a72ca21228c438861de893618ffdf46d7ef8d1c
DRIDEX BINAIRES (PE FILES):
- 1814d47adfe7a34cd2e5b2a9d6841a32677764c8498012f3ff13a5772ba9107e
- 6adda664e3ab2936a8dbe8e95e10d33e34d13fbe375123c69abf3ac5fbf52fcd
- 898e44e0ebb73dcf8fc3b667baa6db930119d1979d8269437ab89e49633ff983
- ac4d02637e1e01b16062f368658275cb8400b21f6592819d3a09dbee31cb5cc1
Click here to return to the main page.