2017-06-02 - DRIDEX INFECTION
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-06-02-Dridex-infection-traffic.pcap.zip 435 kB (434,708 bytes)
- 2017-06-02-Dridex-malspam-tracker.csv.zip 1.4 kB (1,414 bytes)
- 2017-06-02-Dridex-emails-and-malware.zip 3.0 MB (3,007,958 bytes)
NOTES:
- From 2017-05-11 through yesterday, this type of malspam from the Necurs botnet was pushing Jaff ransomware.
- Today, it's pushing Dridex.
Shown above: An example of emails from the first wave.
Shown above: An example of emails from the second wave.
14 EMAIL EXAMPLES:
READ: DATE/TIME -- SENDING ADDRESS (SPOOFED) -- SUBJECT -- ATTACHMENT NAME
- 2017-06-02 09:31:08 UTC -- Jocelyn kelland <messaging-service@southstarcomputers[.]co[.]uk> -- Invoice INV-0771 -- Invoice INV-0771.pdf
- 2017-06-02 09:36:47 UTC -- Willis lagerstom <messaging-service@jordanholidays[.]co[.]uk> -- Invoice INV-0151 -- Invoice INV-0151.pdf
- 2017-06-02 09:37:37 UTC -- Valarie marquet <messaging-service@n6drains[.]co[.]uk> -- Invoice INV-0007 -- Invoice INV-0007.pdf
- 2017-06-02 09:40:08 UTC -- Kelli clowes <messaging-service@tatlersrestaurant[.]co[.]uk> -- Invoice INV-0416 -- Invoice INV-0416.pdf
- 2017-06-02 09:40:28 UTC -- Hattie coggan? <messaging-service@gazandvic.worldonline[.]co[.]uk> -- Invoice INV-0578 -- Invoice INV-0578.pdf
- 2017-06-02 09:41:25 UTC -- Spencer de insula <messaging-service@familieswork[.]co[.]uk> -- Invoice INV-0373 -- Invoice INV-0373.pdf
- 2017-06-02 09:51:56 UTC -- Jame cholmley <messaging-service@geb1.worldonline[.]co[.]uk> -- Invoice INV-0948 -- Invoice INV-0948.pdf
- 2017-06-02 10:06:38 UTC -- copier@[recipient's email domain] -- Message from KM_C224e -- SKM_C224e27127577722.pdf
- 2017-06-02 10:08:08 UTC -- copier@[recipient's email domain] -- Message from KM_C224e -- SKM_C224e85088058540.pdf
- 2017-06-02 10:12:02 UTC -- copier@[recipient's email domain] -- Message from KM_C224e -- SKM_C224e33730651761.pdf
- 2017-06-02 10:12:21 UTC -- copier@[recipient's email domain] -- Message from KM_C224e -- SKM_C224e47704213294.pdf
- 2017-06-02 10:13:17 UTC -- copier@[recipient's email domain] -- Message from KM_C224e -- SKM_C224e31729375367.pdf
- 2017-06-02 10:13:34 UTC -- copier@[recipient's email domain] -- Message from KM_C224e -- SKM_C224e24647053158.pdf
- 2017-06-02 10:44:27 UTC -- copier@[recipient's email domain] -- Message from KM_C224e -- SKM_C224e97135190699.pdf
MALWARE
Shown above: As usual, the PDF attachment contains an embedded Word document with malicious macros.
Shown above: The malicious Word document.
SHA256 HASHES FOR THE PDF ATTACHMENTS:
- cd0223374553dd88ef8a7e74866e8b24e9a531603c4b88d208da82b4ea8200e3 - Invoice INV-0007.pdf
- 11b249fa0d3079a978e7642a7079443a165cfe45ab6e1623b6fac8c6f51cb868 - Invoice INV-0151.pdf
- eaafb7d9c7cdb094930dfcaee17b722658153ebece944e8169ee32598f17834c - Invoice INV-0373.pdf
- b53bd04d4e65ecdcb29cd2ec5946a1b374da2fcfce2b40df8794d1d68f231b65 - Invoice INV-0416.pdf
- 546a787a4f7df13720f89afde13623fbe21d65267e4178b2c395c43c1fcd2c7e - Invoice INV-0578.pdf
- 377757b54790ef841def258c1f7f8580e7aa49813ecc5390a485b7a1c3029296 - Invoice INV-0771.pdf
- 1a7d9cd1b454d372d6afa9438879cbe98a5da52a801bd2385dcb1255fccfc37d - Invoice INV-0948.pdf
- 311be869af4bc6a7aaacd6e848cfb66a5844ea2b14bb29d0efa2b6cf3ccd99ca - SKM_C224e24647053158.pdf
- 377757b54790ef841def258c1f7f8580e7aa49813ecc5390a485b7a1c3029296 - SKM_C224e27127577722.pdf
- 311be869af4bc6a7aaacd6e848cfb66a5844ea2b14bb29d0efa2b6cf3ccd99ca - SKM_C224e31729375367.pdf
- a543eacf9634b3c105d63b0f71823c8b4b281a57e44283c301c0caad3b697ca4 - SKM_C224e33730651761.pdf
- 5fefc595155fd79022cc772503f994d5b144e8a933ac95ea15fe1d58c5088e50 - SKM_C224e47704213294.pdf
- 2e3768b4c924e0826c928afb1c2664be99b32bcde80a688464f6546ea9181fdb - SKM_C224e85088058540.pdf
- 21638d2d5b29a22d627a05b82e87b670aca216c93d5513015e33d6a476abb1e9 - SKM_C224e97135190699.pdf
SHA256 HASHES FOR THE EMBEDDED WORD DOCUMENTS:
- bb2e4d6d92c3863d7a7a867cbaca6807c8cec713e67f866e280d26525434e897 - 111DJV54NRB118.docm
- b08d15ffedade365ae8a5c9eefa273714bdc02b5bcd8903ccd3cfb5f42936ce4 - 307AKH56YVU512.docm
- 49aa6809b45720d0cb0f90eb79bca70af66acf11ff62cfc70266b55954ef7459 - 381DKNVX6TT814.docm
- 1fd5764500ff4e06cf332571c2b51ac0352c2df2228abd842816f0a7024806f9 - 513IF28PILG272.docm
- 7abef7558692083009f0e763fe591a20268e62c8a35f88a17dee9c4b57b69900 - 610ASHHEIXYH688.docm
- 42151ca743c29fd64d927d2cee9cafa7e67609aaa7f1ec29390bd481fab56079 - 651X2WTXGJM419.docm
- 9f5541acd2d0ba325de21763aa5eac78dcdb6afbd7790532a0d9697d398bec83 - 656NVMPNEQM829.docm
- d79d3fe06f91a0b4974cf4346e62624deb1c8f47634eb60a7e16b7fd086fcbdb - 745FVHCXUFN614.docm
- 153b01882dafadd73f73d3343a583b981b01e6ad12cf74418b251296bf537da9 - 783PNCDQX7893.docm
- 2ee58f175bc8ebe984fed80a333bfc7d66b439a1158e8a2d3f950485acf47f7e - 806M6QN9PXB210.docm
- d32f40221b575a31d9eb627c01e5cc97e5337fb16621dd152e1d2aa34730142e - 810FY6KLZEW4739.docm
- ddd20e67c4b959054b8fe69ffd719ff235e909bf651d026208802eb4d6887154 - 869X5YEUYBV798.docm
FILES RETRIEVED FROM INFECTED HOST:
- SHA256 hash: ffb6cf0788bc9fef9314085cf23fbdf87bfde9c3b78f014d5fd3e76d769cc82c
File size: 135,168 bytes
File location: C:\User\[username]\AppData\Local\Temp\miniramon8.exe
File description: Dridex
- SHA256 hash: b938375b07461535976dcbf316d3587faafdbeedfd6efe70752f27373188bd25
File size: 192 bytes
File location: C:\User\[username]\AppData\Local\Temp\OF6.cmd
File type: Batch file
- SHA256 hash: 80c10ee5f21f92f89cbc293a59d2fd4c01c7958aacad15642558db700943fa22
File size: 776,192 bytes
File location: C:\Users\[username]\AppData\Roaming\4AXMka1\calc.exe
File description: appears to be a copy of legitimate Microsoft file calc.exe
- SHA256 hash: b39797252e05301fa28a94811b105f5ea7d6e6be066ffc71be9a25baf543b862
File size: 348,160 bytes
File location: C:\Users\[username]\AppData\Roaming\4AXMka1\UxTheme.dll
File description: Likely Dridex DLL side-loaded by above calc.exe file
WINDOWS REGISTRY ENTRY ON THE INFECTED HOST:
- Registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value name: Msgqwid
Value type: REG_SZ
Value Data: C:\Users\[username]\AppData\Roaming\4AXMka1\calc.exe
TRAFFIC
URLS FROM THE WORD MACROS TO DOWNLOAD DRIDEX:
- eselink[.]com[.]my - GET /hH60bd
- lanphuong[.]vn - GET /hH60bd
- lordheals[.]com - GET /hH60bd
- meiyizixun[.]com - GET /hH60bd
- midiconcept[.]com - GET /hH60bd
- mountmary[.]ca - GET /hH60bd
- newserniggrofg[.]net - GET /af/hH60bd
- orhangazitur[.]com - GET /hH60bd
- resevesssetornument[.]com - GET /af/hH60bd
- shrideva[.]co[.]in - GET /hH60bd
- strassensammler[.]de - GET /hH60bd
- systemalu[.]com - GET /hH60bd
- yoyogi[.]com[.]au - GET /hH60bd
- zvezda-k[.]ru - GET /hH60bd
DRIDEX POST-INFECTION TRAFFIC:
- 147.32.5[.]111 port 8043 - SSL/TLS traffic
- 200.119.46[.]10 port 443 - SSL/TLS traffic
- 203.206.230[.]127 port 443 - SSL/TLS traffic
- 80.229.36[.]165 port 443 - attempted TCP connection (no response from the server)
- 81.170.50[.]252 port 443 - attempted TCP connection (no response from the server)
- 94.226.67[.]55 port 443 - attempted TCP connection (no response from the server)
- 185.141.25[.]23 port 443 - attempted TCP connection (no response from the server)
- 216.165.249[.]150 port 443 - attempted TCP connection (no response from the server)
Shown above: Traffic from the infection filtered in Wireshark.
Shown above: HTTP request for the Dridex EXE.
Shown above: SSL/TLS certificate data associated with Dridex.
Click here to return to the main page.