2017-06-05 - DRIDEX MALSPAM (WORD DOCS IN PDF ATTACHMENTS)
ASSOCIATED FILES:
- Zip archive of the pcap: 2017-06-05-Dridex-malspam-traffic.pcap.zip 73 kB (72,892 bytes)
- Zip archive of the spreadsheet tracker: 2017-06-05-Dridex-malspam-tracker.csv.zip 1.1 kB (1,073 bytes)
- Zip archive of the malware and artifacts: 2017-06-05-Dridex-malware-and-artifacts.zip 965 kB (965,070 bytes)
OTHER REPORTS ON TODAY'S MALSPAM WITH MORE INDICATORS AT:
- Dynamoo's Blog: Malware spam: "John Miller Limited" / "Invoice"
- My Online Security: Spoofed John Miller invoice pretending to come from somebody named Holmes delivers Dridex banking Trojan
EMAILS
Shown above: Spreadsheet on the 8 emails I collected.
MALWARE
Shown above: As usual, the PDF attachment contains an embedded Word document with malicious macros.
Shown above: Another shot of the PDF attachment from the second wave.
Shown above: No picture or instructions this time. Just a blank Word document with macros.
SHA256 HASHES FOR THE PDF ATTACHMENTS:
- 0e3adf0314c28862e2ebbb80e985734afef46f41155891b31d75d095aa2d2e24
- 2793481cba97250c877ab15789ce851c7da360ca9a5602a2f86fdef8e842471d
- 2ba45f9e37a6db042f1b6492e2b92eb2decaa8b0b18508affa79f72c2a51bf04
- 7a11a65f347bbfb2c6865b90e1373cfdf4085468864953ec59d7412512256d36
- b2fc044e9e49f5c539d13705548b0adf822d5a5f431c61f083cc2c59ba08aac9
SHA256 HASHES FOR THE EMBEDDED WORD DOCUMENTS:
- 011bf13d75adfd98c1e60aec9e3470be4e89f9c56263e511ab30aa2c69f132c2
- 564be1d40296c09cd7247fbd396158d9bcad443f2bd627f53a7e3672fffa361e
- b865826fdd7ef22cb5621f92d9391fbacfe10e9c75402b571e1484597d25b49c
- bdb3b5081a31d6b10a2602af6aee5c4eaa3722c17b4d5c90b4874968454c9654
- df2bc524fafb759eae77e3053c6f7d7dacdf6b5be43048d9c849529d749c61f7
FILES RETRIEVED FROM INFECTED HOST:
- SHA256 hash: c7dc1e2d1dbda6e287675160f1e96f6514b8a6f10017a1e4b76c7591c3785e97
File size: 118.784 bytes
File location: C:\User\[username]\AppData\Local\Temp\miniramon8.exe
File description: Dridex
TRAFFIC
URLS FROM THE WORD MACROS TO DOWNLOAD DRIDEX:
- multielectricos.com - GET /8yfh4gfff
- newserniggrofg.net - GET /af/8yfh4gfff
- resevesssetornument.com - GET /af/8yfh4gfff
- salonpalmareal.com - GET /8yfh4gfff
- select-hire.com - GET /8yfh4gfff
- sukko-diona.ru - GET /8yfh4gfff
- ymcaonline.net - GET /8yfh4gfff
- zhongjianbao.com - GET /8yfh4gfff
DRIDEX POST-INFECTION TRAFFIC:
- 46.101.154.177 port 4743 - SSL/TLS traffic
- 85.214.126.182 port 4743 - SSL/TLS traffic
- 89.110.157.78 port 4743 - SSL/TLS traffic
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcap: 2017-06-05-Dridex-malspam-traffic.pcap.zip 73 kB (72,892 bytes)
- Zip archive of the spreadsheet tracker: 2017-06-05-Dridex-malspam-tracker.csv.zip 1.1 kB (1,073 bytes)
- Zip archive of the malware and artifacts: 2017-06-05-Dridex-malware-and-artifacts.zip 965 kB (965,070 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.