2016-02-01 - DRIDEX ACTIVITY

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2016-02-01-Dridex-infection-traffic.pcap.zip   1.5 MB (1,489,009 bytes)
• 2016-02-01-Dridex-email-and-malware-samples.zip   246.0 kB (245,971 bytes)
• 2016-02-01-Dridex-email-tracker.csv.zip   28.2 kB (28,237 bytes)

 

NOTES:

• Today, I saw more Dridex similar to the activity documented here:  https://isc.sans.edu/diary/Dridex+malspam+example+from+January+2016/20663

 

MESSAGE EXAMPLES

Shown above:  The first email from this wave of malicious spam (malspam).

 

Shown above:  The last email from this wave of malspam.

 

------Original Message------
From: Isaiah Bridges <BridgesIsaiah253@[removed][.]co[.]uk>
Date: Monday, 2016-02-01 at 10:08 UTC
To: [removed]
Subject: Transaction and Payment Confirmation from C.G.I.S. GROUP

Hello,

The attached document is a transaction payment confirmation from C.G.I.S. GROUP in the amount of GBP 1,436.13.

Your transaction reference number is 9BCAB5.

Kind Regards,

Isaiah Bridges

C.G.I.S. GROUP

Attachment:  INV19 - 74039.doc

 

------Original Message------
From: Clarence Kemp <KempClarence4789@[removed][.]co[.]uk>
Date: Monday, 2016-02-01 at 11:27 UTC
To: [removed]
Subject: Transaction and Payment Confirmation from LEWIS(JOHN)

Hello,

The attached document is a transaction payment confirmation from LEWIS(JOHN) in the amount of GBP 1,885.80.

Your transaction reference number is 98FD41.

Kind Regards,

Clarence Kemp

LEWIS(JOHN)

Attachment:  Payment Confirmation 98FD41.doc

 

TRAFFIC

Shown above:  Infection traffic (filtered in Wireshark) after opening the Word doc and enabling macros.

 

Shown above:  Some of the SSL certificates seen.

 

FINAL NOTES

Word document taken from the last email we saw at 11:27 UTC:

File name:  Payment Confirmation 98FD41.doc
File size:  24,322 bytes
MD5 hash:  a6844f8480e641ed8fb0933061947587
SHA1 hash:  ed3c06cde10baa8c2d08248e1e45ed20a8d84330
SHA256 hash:  8300b5ae6753c58e79def2bfdd6cfc0ff78b7a98846662e7f05cb1a159ab127a
Detection ratio:  5 / 53
First submission:  2016-02-01 11:37:00 UTC

 

Dropped the following malware:

File name:  yFUYIdsf.exe
File size:  323,584 bytes
MD5 hash:  ebb1562e4b0ed5db8a646710f3cd2eb8
SHA1 hash:  b9200273e01f4b77ac7574a393ebab988b87c260
SHA256 hash:  72f72023f3db57359b7b94f1a80883eaf76d6b7fc72a0a99df8a2bc7135351af
Detection ratio:  2 / 54
First submission:  2016-02-01 14:32:07 UTC

 

Click here to return to the main page.