2017-06-02 - DRIDEX INFECTION

NOTICE:

ASSOCIATED FILES:

NOTES:


EMAIL


Shown above:  An example of emails from the first wave.



Shown above:  An example of emails from the second wave.


14 EMAIL EXAMPLES:

READ: DATE/TIME -- SENDING ADDRESS (SPOOFED) -- SUBJECT -- ATTACHMENT NAME


MALWARE


Shown above:  As usual, the PDF attachment contains an embedded Word document with malicious macros.



Shown above:  The malicious Word document.
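
As an added example (not part of the original write-up or its associated files), the following Python script does the analyst's side of what the two captions above describe: it pulls the embedded Word document out of a PDF attachment, hashes it so the result can be compared against a SHA256 list, and checks whether the document carries a VBA project. The PDF, the .docm payload, and the filename invoice.docm are all constructed in memory for the demo and are not artifacts from this infection; the function names (extract_embedded_files, has_vba_macros, triage) are this example's own. It only handles direct /Length values and FlateDecode streams, which is enough for the common lure layout but not for object streams or incrementally updated files.

```python
#!/usr/bin/env python3
"""Triage a PDF carrying an embedded Office document: pull out every
/EmbeddedFile stream, hash it, and flag VBA macros.

Added example for this page, not tooling from the original write-up.
The sample PDF and .docm are constructed in memory; no real malware is used.
"""
import hashlib
import io
import re
import zipfile
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
STREAM_RE = re.compile(rb"\bstream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")   # direct lengths only
FILESPEC_REF_RE = re.compile(rb"/EF\s*<<\s*/F\s+(\d+)\s+\d+\s+R")
FILENAME_RE = re.compile(rb"/F\s*\(([^)]*)\)")
EMBEDDED_RE = re.compile(rb"/Type\s*/EmbeddedFile\b")


def extract_embedded_files(pdf_bytes):
    """Return [(filename, bytes)] for each /EmbeddedFile stream in the PDF.

    Triage-grade parser: handles direct /Length values and FlateDecode only;
    other filters are returned undecoded. Object streams and incremental
    updates are not handled; use a real PDF parser when this comes up empty.
    """
    names = {}                     # embedded-stream object number -> filename
    objects = []
    for m in OBJ_RE.finditer(pdf_bytes):
        objnum, body = int(m.group(1)), m.group(3)
        objects.append((objnum, body))
        if b"/Filespec" in body:
            ref, fname = FILESPEC_REF_RE.search(body), FILENAME_RE.search(body)
            if ref and fname:
                names[int(ref.group(1))] = fname.group(1).decode("latin-1")

    found = []
    for objnum, body in objects:
        if not EMBEDDED_RE.search(body):
            continue
        s = STREAM_RE.search(body)
        if not s:
            continue
        header, data = body[:s.start()], body[s.end():]
        ln = LENGTH_RE.search(header)
        if ln:
            data = data[:int(ln.group(1))]
        else:                      # fall back to the endstream keyword
            data = data.split(b"endstream")[0].rstrip(b"\r\n")
        if b"/FlateDecode" in header:
            data = zlib.decompress(data)
        found.append((names.get(objnum, f"object-{objnum}"), data))
    return found


def has_vba_macros(data):
    """Heuristic macro check: an OOXML package with a vbaProject part, or an
    OLE2 (legacy .doc) container whose directory names a _VBA_PROJECT stream.
    This only decides whether the file deserves a look with olevba."""
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        except zipfile.BadZipFile:
            return False
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        # OLE directory entry names are stored as UTF-16LE
        return "_VBA_PROJECT".encode("utf-16-le") in data
    return False


def triage(pdf_bytes):
    """One record per embedded file: name, size, SHA256, macro flag."""
    return [
        {"name": name, "size": len(data),
         "sha256": hashlib.sha256(data).hexdigest(),
         "macros": has_vba_macros(data)}
        for name, data in extract_embedded_files(pdf_bytes)
    ]


def build_sample_docm(with_macros=True):
    """Constructed stand-in for the embedded Word document (not a real sample)."""
    parts = [("[Content_Types].xml", b"<Types/>"), ("word/document.xml", b"<w:document/>")]
    if with_macros:
        parts.append(("word/vbaProject.bin",
                      b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1 placeholder VBA project"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in parts:
            zi = zipfile.ZipInfo(name, date_time=(2017, 6, 2, 0, 0, 0))  # fixed for reproducibility
            z.writestr(zi, content)
    return buf.getvalue()


def build_sample_pdf(payload, filename=b"invoice.docm"):
    """Constructed minimal PDF with one FlateDecode /EmbeddedFile (demo only)."""
    compressed = zlib.compress(payload)
    return (
        b"%PDF-1.5\n"
        + b"1 0 obj\n<< /Type /Catalog /Names << /EmbeddedFiles << /Names [("
        + filename + b") 2 0 R] >> >> >>\nendobj\n"
        + b"2 0 obj\n<< /Type /Filespec /F (" + filename + b") /EF << /F 3 0 R >> >>\nendobj\n"
        + b"3 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Length "
        + str(len(compressed)).encode() + b" >>\nstream\n" + compressed + b"\nendstream\nendobj\n"
        + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    for rec in triage(build_sample_pdf(build_sample_docm())):
        print(f"{rec['name']}  {rec['size']} bytes  sha256={rec['sha256']}  macros={rec['macros']}")
```

Run it as-is to see the constructed sample triaged, or call triage() on the bytes of a real attachment. The SHA256 it prints is of the extracted document, which is what an "embedded Word documents" hash list refers to, not the hash of the outer PDF. Treat the macro flag as a yes/no for whether to open the document in olevba or a sandbox; it does not extract or deobfuscate the VBA.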

 

SHA256 HASHES FOR THE PDF ATTACHMENTS:

SHA256 HASHES FOR THE EMBEDDED WORD DOCUMENTS:

FILES RETRIEVED FROM INFECTED HOST:

WINDOWS REGISTRY ENTRY ON THE INFECTED HOST:


TRAFFIC

URLS FROM THE WORD MACROS TO DOWNLOAD DRIDEX:


DRIDEX POST-INFECTION TRAFFIC:



Shown above:  Traffic from the infection filtered in Wireshark.



Shown above:  HTTP request for the Dridex EXE.



Shown above:  SSL/TLS certificate data associated with Dridex.

