2017-03-30 - DRIDEX INFECTION

NOTICE:

ASSOCIATED FILES:

  • 2017-03-30-confirmation-letter-Dridex-infection.pcap   (1,022,706 bytes)
  • 2017-03-30-travel-booking-Dridex-infection.pcap   (188,871 bytes)
  • 2017-03-30-Dridex-confirmation-letter-malspam-tracker.csv   (10,679 bytes)
  • 2017-03-30-Dridex-travel-booking-malspam-tracker.csv   (3,321 bytes)

 

NOTES:

 

EMAILS


Shown above:  Screen shot from the spreadsheet tracker for the first wave.

 


Shown above:  Screen shot from the spreadsheet tracker for the second wave.

 

FIRST WAVE:

SECOND WAVE:

 

TRAFFIC


Shown above:  Infection traffic from the first wave filtered in Wireshark.

 


Shown above:  SSL certificate info associated with Dridex.

 

HTTP REQUESTS TO DOWNLOAD THE DRIDEX BINARY FROM FIRST WAVE'S VBS FILES:

POST-INFECTION HTTPS/SSL/TLS TRAFFIC - DRIDEX FROM FIRST WAVE:

ADDITIONAL CONNECTIONS OR ATTEMPTED CONNECTIONS - DRIDEX FROM SECOND WAVE:

 

SHA256 HASHES

VBS FILES:

DRIDEX BINARIES (PE FILES):

 
