2017-03-30 - DRIDEX MALSPAM (TWO WAVES)

ASSOCIATED FILES:

  • 2017-03-30-Dridex-confirmation-letter-Dridex-traffic.pcap   (1,022,706 bytes)
  • 2017-03-30-booking-malspam-Dridex-traffic.pcap   (188,871 bytes)
  • 2017-03-30-Dridex-confirmation-letter-malspam-tracker.csv   (10,679 bytes)
  • 2017-03-30-Dridex-travel-booking-malspam-tracker.csv   (3,321 bytes)

NOTES:

EMAILS


Shown above:  Screen shot from the spreadsheet tracker for the first wave.


Shown above:  Screen shot from the spreadsheet tracker for the second wave.

FIRST WAVE:

SECOND WAVE:

TRAFFIC


Shown above:  Infection traffic from the first wave filtered in Wireshark.


Shown above:  SSL certificate info associated with Dridex.

HTTP REQUESTS TO DOWNLOAD THE DRIDEX BINARY FROM FIRST WAVE'S VBS FILES:
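The request list under this heading is normally pulled from the pcap with a Wireshark display filter. As an added example (not part of this write-up, and not derived from the actual captured traffic), the stdlib-only Python script below does the same extraction programmatically: it walks a classic pcap file, picks out TCP payloads that begin with an HTTP request line, and reports destination, port, Host header and request line in the "ip port N - host - METHOD /uri" style used in these traffic listings. The pcap it parses is constructed inline from placeholder RFC 5737 addresses and .invalid hostnames; to run it on the first-wave capture, read that file's bytes and pass them to extract_http_requests() instead of SAMPLE_PCAP.

```python
"""Pull HTTP request lines out of a classic pcap (stdlib only, no TCP reassembly)."""
import socket
import struct

METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")


def build_packet(src_ip, dst_ip, sport, dport, payload):
    """Build one Ethernet/IPv4/TCP frame around a TCP payload (checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"            # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    # data offset 5 words, flags PSH|ACK, window 8192
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1490832000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(data):
    """Yield raw Ethernet frames from pcap bytes, honouring the magic number's byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is handled")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def extract_http_requests(data):
    """Return one dict per TCP segment whose payload starts with an HTTP request line."""
    found = []
    for frame in iter_frames(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ip_off = 14
        ihl = (frame[ip_off] & 0x0F) * 4
        if frame[ip_off + 9] != 6:                            # not TCP
            continue
        tcp_off = ip_off + ihl
        if len(frame) < tcp_off + 20:
            continue
        sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
        payload = frame[tcp_off + (frame[tcp_off + 12] >> 4) * 4:]
        if not payload.startswith(METHODS):                   # TLS, binary, continuation data
            continue
        header_lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
        method, uri = header_lines[0].split(b" ")[:2]
        host = ""
        for line in header_lines[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"host":
                host = value.strip().decode("latin-1")
        found.append({
            "src": socket.inet_ntoa(frame[ip_off + 12:ip_off + 16]),
            "sport": sport,
            "dst": socket.inet_ntoa(frame[ip_off + 16:ip_off + 20]),
            "dport": dport,
            "host": host,
            "method": method.decode("latin-1"),
            "uri": uri.decode("latin-1"),
        })
    return found


def format_requests(requests):
    """One line per request in the 'ip port N - host - METHOD /uri' listing style."""
    return ["%s port %d - %s - %s %s" % (r["dst"], r["dport"], r["host"], r["method"], r["uri"])
            for r in requests]


# Constructed sample capture: placeholder addresses and hostnames, not indicators from this case.
SAMPLE_PCAP = build_pcap([
    build_packet("10.3.30.101", "203.0.113.10", 49212, 80,
                 b"GET /payload/file.exe HTTP/1.1\r\nHost: download.example.invalid\r\n"
                 b"User-Agent: Mozilla/4.0\r\n\r\n"),
    build_packet("10.3.30.101", "203.0.113.20", 49213, 443,
                 b"\x16\x03\x01\x00\x05hello"),               # TLS-looking payload, must be skipped
    build_packet("10.3.30.101", "198.51.100.5", 49214, 8443,
                 b"POST /check HTTP/1.1\r\nHost: c2.example.invalid\r\nContent-Length: 3\r\n\r\nabc"),
])

if __name__ == "__main__":
    for line in format_requests(extract_http_requests(SAMPLE_PCAP)):
        print(line)
```

Two caveats for use on a real capture: the script only sees a request whose request line and headers sit in the first segment of the connection (no TCP stream reassembly, so very long cookie or header sets that span segments will be missed), and it reads classic pcap only, so a pcapng file must be converted first (Wireshark's "Save As" or editcap can do that). Dridex's post-infection traffic is HTTPS and therefore never appears here; for that, the TLS Server Hello and certificate fields shown in the Wireshark screenshot are the place to look.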

POST-INFECTION HTTPS/SSL/TLS TRAFFIC - DRIDEX FROM FIRST WAVE:

ADDITIONAL CONNECTIONS OR ATTEMPTED CONNECTIONS - DRIDEX FROM SECOND WAVE:

SHA256 HASHES

VBS FILES:

DRIDEX BINARIES (PE FILES):

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
