2017-06-02 - DRIDEX MALSPAM

ASSOCIATED FILES:

NOTES:

EMAIL


Shown above:  An example of emails from the first wave.



Shown above:  An example of emails from the second wave.


14 EMAIL EXAMPLES:

READ: DATE/TIME -- SENDING ADDRESS (SPOOFED) -- SUBJECT -- ATTACHMENT NAME


MALWARE


Shown above:  As usual, the PDF attachment contains an embedded Word document with malicious macros.



Shown above:  The malicious Word document.

 

SHA256 HASHES FOR THE PDF ATTACHMENTS:

SHA256 HASHES FOR THE EMBEDDED WORD DOCUMENTS:

FILES RETRIEVED FROM INFECTED HOST:

WINDOWS REGISTRY ENTRY ON THE INFECTED HOST:


TRAFFIC

URLS FROM THE WORD MACROS TO DOWNLOAD DRIDEX:


DRIDEX POST-INFECTION TRAFFIC:



Shown above:  Traffic from the infection filtered in Wireshark.



Shown above:  HTTP request for the Dridex binary.



Shown above:  SSL/TLS certificate data associated with Dridex.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
