2016-02-01 - WAVE OF DRIDEX MALSPAM
PCAP AND MALWARE:
- ZIP archive of the PCAP: 2016-02-01-Dridex-infection-traffic.pcap.zip 1.5 MB (1,489,009 bytes)
- ZIP archive with two examples: 2016-02-01-Dridex-malware-and-malspam-examples.zip 245.3 kB (245,291 bytes)
- CSV spreadsheet with some data on this wave of malspam: 2016-02-01-Dridex-wave.csv 110.3 kB (110,252 bytes)
NOTES:
- Today, we saw more Dridex similar to this: https://isc.sans.edu/forums/diary/Dridex+malspam+example+from+January+2016/20663/
MESSAGE EXAMPLES
Shown above: The first email we saw in this wave of malicious spam (malspam).
Shown above: The last email we saw in this wave of malspam.
------Original Message------
From: Isaiah Bridges <BridgesIsaiah253@[removed].co.uk>
Date: Monday, 2016-02-01 at 10:08 UTC
To: [removed]
Subject: Transaction and Payment Confirmation from C.G.I.S. GROUP
Hello,
The attached document is a transaction payment confirmation from C.G.I.S. GROUP in the amount of GBP 1,436.13.
Your transaction reference number is 9BCAB5.
Kind Regards,
Isaiah Bridges
C.G.I.S. GROUP
Attachment: INV19 - 74039.doc
------Original Message------
From: Clarence Kemp <KempClarence4789@[removed].co.uk>
Date: Monday, 2016-02-01 at 11:27 UTC
To: [removed]
Subject: Transaction and Payment Confirmation from LEWIS(JOHN)
Hello,
The attached document is a transaction payment confirmation from LEWIS(JOHN) in the amount of GBP 1,885.80.
Your transaction reference number is 98FD41.
Kind Regards,
Clarence Kemp
LEWIS(JOHN)
Attachment: Payment Confirmation 98FD41.doc
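As an added example (not part of the original post), here is a small Python triage script that parses messages in the "------Original Message------" layout quoted above and scores them against the lure template both emails share: the subject and body wording, the sender name agreeing between subject and body, the six-character hex reference number, and a .doc attachment. The sample mailbox, feature names and threshold are constructed for this example.

```python
import re
# Lure-template features of this wave, taken from the two messages quoted above.
SUBJECT_RE = re.compile(r"^Transaction and Payment Confirmation from (?P<sender>.+)$")
BODY_RE = re.compile(r"payment confirmation from (?P<sender>.+?) in the amount of GBP [\d,]+\.\d{2}")
REF_RE = re.compile(r"reference number is [0-9A-F]{6}\b")
HEADER_RE = re.compile(r"^(From|Date|To|Subject|Attachment): (.*)$")

def parse_messages(text):
    """Split a dump in the page's '------Original Message------' layout into dicts."""
    msgs = []
    for chunk in text.split("------Original Message------")[1:]:
        msg, body = {}, []
        for line in chunk.strip().splitlines():
            hdr = HEADER_RE.match(line)
            if hdr:
                msg[hdr[1]] = hdr[2].strip()
            else:
                body.append(line)
        msg["body"] = " ".join(body)
        msgs.append(msg)
    return msgs

def template_hits(msg):
    """Names of the template features this message matches (3 or more is a strong hit)."""
    subj = SUBJECT_RE.match(msg.get("Subject", ""))
    body = BODY_RE.search(msg["body"])
    checks = {
        "subject_template": bool(subj),
        "body_template": bool(body),
        "sender_consistent": bool(subj and body and subj["sender"] == body["sender"]),
        "hex_reference": bool(REF_RE.search(msg["body"])),
        "doc_attachment": msg.get("Attachment", "").lower().endswith((".doc", ".docm")),
    }
    return [name for name, hit in checks.items() if hit]

def triage(text, threshold=3):
    return [m.get("From") for m in parse_messages(text) if len(template_hits(m)) >= threshold]
# Constructed sample: the two malspam messages quoted above, trimmed to the relevant lines.
SAMPLE = """------Original Message------
From: Isaiah Bridges <BridgesIsaiah253@[removed].co.uk>
Subject: Transaction and Payment Confirmation from C.G.I.S. GROUP
The attached document is a transaction payment confirmation from C.G.I.S. GROUP in the amount of GBP 1,436.13.
Your transaction reference number is 9BCAB5.
Attachment: INV19 - 74039.doc
------Original Message------
From: Clarence Kemp <KempClarence4789@[removed].co.uk>
Subject: Transaction and Payment Confirmation from LEWIS(JOHN)
The attached document is a transaction payment confirmation from LEWIS(JOHN) in the amount of GBP 1,885.80.
Your transaction reference number is 98FD41.
Attachment: Payment Confirmation 98FD41.doc
"""
```

Run `triage(SAMPLE)` to get the From headers of both messages; a mail that matches only one or two features (for example a legitimate invoice with a PDF attached) falls below the threshold.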
TRAFFIC
Shown above: Infection traffic (filtered in Wireshark) after opening the Word doc and enabling macros.
Shown above: Some of the SSL certificates seen.
MALWARE
Word document taken from the last email we saw at 11:27 UTC:
File name: Payment Confirmation 98FD41.doc
File size: 23.8 KB (24,322 bytes)
MD5 hash: a6844f8480e641ed8fb0933061947587
SHA1 hash: ed3c06cde10baa8c2d08248e1e45ed20a8d84330
SHA256 hash: 8300b5ae6753c58e79def2bfdd6cfc0ff78b7a98846662e7f05cb1a159ab127a
Detection ratio: 5 / 53
First submission: 2016-02-01 11:37:00 UTC
Dropped the following malware:
File name: yFUYIdsf.exe
File size: 316.0 KB (323,584 bytes)
MD5 hash: ebb1562e4b0ed5db8a646710f3cd2eb8
SHA1 hash: b9200273e01f4b77ac7574a393ebab988b87c260
SHA256 hash: 72f72023f3db57359b7b94f1a80883eaf76d6b7fc72a0a99df8a2bc7135351af
Detection ratio: 2 / 54
First submission: 2016-02-01 14:32:07 UTC
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the PCAP: 2016-02-01-Dridex-infection-traffic.pcap.zip 1.5 MB (1,489,009 bytes)
- ZIP archive with two examples: 2016-02-01-Dridex-malware-and-malspam-examples.zip 245.3 kB (245,291 bytes)
- CSV spreadsheet with some data on this wave of malspam: 2016-02-01-Dridex-wave.csv 110.3 kB (110,252 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.