2017-03-30 - DRIDEX MALSPAM (TWO WAVES)
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2017-03-30-Dridex-malspam-pcaps.zip 1.1 MB (1,050,688 bytes)
- 2017-03-30-Dridex-confirmation-letter-Dridex-traffic.pcap (1,022,706 bytes)
- 2017-03-30-booking-malspam-Dridex-traffic.pcap (188,871 bytes)
- ZIP archive of the spreadsheet trackers: 2017-03-30-Dridex-malspam-tracking-spreadsheets.zip 3.4 kB (3,371 bytes)
- 2017-03-30-Dridex-confirmation-letter-malspam-tracker.csv (10,679 bytes)
- 2017-03-30-Dridex-travel-booking-malspam-tracker.csv (3,321 bytes)
- ZIP archive of the emails and malware - 1st wave: 2017-03-30-Dridex-travel-booking-malspam-and-malware.zip 173 kB (173,244 bytes)
- ZIP archive of the emails and malware - 2nd wave: 2017-03-30-Dridex-confirmation-letter-malspam-and-malware.zip 5.4 MB (5,447,987 bytes)
NOTES:
- After a 6-month hiatus, Dridex malspam came back in January 2017 (link), but I hadn't personally run across any Dridex until Thursday 2017-03-30.
EMAILS
Shown above: Screen shot from the spreadsheet tracker for the first wave.
Shown above: Screen shot from the spreadsheet tracker for the second wave.
FIRST WAVE:
- Date/Time: Thursday 2017-03-30 from 09:24 thru 10:29 UTC
- From: "Low Cost Travel Group" <customerservices@[various domains]>
- Subject: Your Booking [6 to 8 digits]
- Attachment name: Direct-Documentation [6 to 8 digits]-1.zip
- Extracted file name (in all cases): Direct-Documentation 1530219.vbs
SECOND WAVE:
- Date/Time: Thursday 2017-03-30 from 11:12 thru at least 14:10 UTC (when I stopped collecting samples)
- From: info@[various domains]
- Subject: uk_confirmation_ph[9 digits].pdf
- Attachment name: uk_confirmation_ph[9 digits].zip
- Extracted file name (in all cases): uk_confirmation_ph954869378.exe
TRAFFIC
Shown above: Infection traffic from the first wave filtered in Wireshark.
Shown above: SSL certificate info associated with Dridex.
HTTP REQUESTS TO DOWNLOAD THE DRIDEX BINARY FROM FIRST WAVE'S VBS FILES:
- 162.210.101.93 port 80 - kapil.50webs.com - GET /76gbce?
- 93.184.165.10 port 80 - mkcslava.ru - GET /76gbce?
- 208.113.152.209 port 80 - newohioreview.com - GET /76gbce?
- 159.253.37.153 port 80 - omurongen.com - GET /76gbce?
- 47.90.77.250 port 80 - pk10kaijiang.com - GET /76gbce?
- 208.109.181.224 port 80 - roylgrafix.com - GET /76gbce?
- 192.107.41.200 port 80 - signwaves.net - GET /76gbce?
- 162.210.102.98 port 80 - testsite.prosun.com - GET /76gbce?
- 158.69.245.78 port 80 - trumppsdetroit.com - GET /76gbce?
- 95.131.50.14 port 80 - ww.visual.hu - GET /76gbce?
- 115.29.10.230 port 80 - www.yuechiwang.com - GET /76gbce?
- NOTE: The binaries are encrypted when sent over the network and decrypted on the local host.
POST-INFECTION HTTPS/SSL/TLS TRAFFIC - DRIDEX FROM FIRST WAVE:
- 8.8.247.36 port 443
- 37.120.172.171 port 4143
- 81.12.229.190 port 8043
- 107.170.0.14 port 8043
ADDITIONAL CONNECTIONS OR ATTEMPTED CONNECTIONS - DRIDEX FROM SECOND WAVE:
- 23.95.23.219 port 443
- 66.214.155.189 port 443
- 86.3.169.110 port 443
- 86.4.149.217 port 443
- 88.177.240.182 port 443
- 90.219.218.80 port 443
- 95.145.161.76 port 443
- 101.165.141.2 port 443
- 109.170.219.19 port 443
- 110.143.61.115 port 443
- 117.120.7.82 port 443
- 134.170.165.249 port 443
- 174.104.208.57 port 443
- 175.32.140.13 port 443
- 179.108.87.11 port 443
- 213.214.50.60 port 443
SHA256 HASHES
VBS FILES:
- 34884ec18d6bbc8262812ee5ecc8803b771fcd4c554d76bee9254278effe0b48
- 84c9028a1d25e5f171c170179f2f1ea3e1eab9514812ab9e4b617de822b46e69
- d21c83b527627d0a64beb28a5a72ca21228c438861de893618ffdf46d7ef8d1c
DRIDEX BINAIRES (PE FILES):
- 1814d47adfe7a34cd2e5b2a9d6841a32677764c8498012f3ff13a5772ba9107e
- 6adda664e3ab2936a8dbe8e95e10d33e34d13fbe375123c69abf3ac5fbf52fcd
- 898e44e0ebb73dcf8fc3b667baa6db930119d1979d8269437ab89e49633ff983
- ac4d02637e1e01b16062f368658275cb8400b21f6592819d3a09dbee31cb5cc1
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcaps: 2017-03-30-Dridex-malspam-pcaps.zip 1.1 MB (1,050,688 bytes)
- ZIP archive of the spreadsheet trackers: 2017-03-30-Dridex-malspam-tracking-spreadsheets.zip 3.4 kB (3,371 bytes)
- ZIP archive of the emails and malware - 1st wave: 2017-03-30-Dridex-travel-booking-malspam-and-malware.zip 173 kB (173,244 bytes)
- ZIP archive of the emails and malware - 2nd wave: 2017-03-30-Dridex-confirmation-letter-malspam-and-malware.zip 5.4 MB (5,447,987 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.