2018-01-17 Dridex Malicious Word Document delivered via FTP

Originally reported by ForcePoint on January 18th 2018. Below is a pcap from a similar event.

I have added a zipped pcap file for your analysis. The password for the zip archive is "infected" (all lowercase).

PCAP file of the infection traffic:
2018-01-20-Dridex-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 194.116.187.130 – FTP DOWNLOAD OF POWERSHELL AND MALDOC
  • ftp://h41201:s107244@basedow-bilder.de/httpdocs/docs/scan_17.01.doc
  • 185.176.221.146 – GET /download/s/GTz – POWERSHELL
  • 75.119.200.80 – www.verdantcocktails.co.uk GET /kjhy876g – DRIDEX DOWNLOAD
  • 69.90.132.196 – Port 443 – DRIDEX C2
  • 89.171.146.30 – Port 4143 – SYN ONLY
  • 69.163.163.39 – www.takagari.com GET /kjhy876g – DRIDEX DOWNLOAD
  • 108.166.114.38 – Port 4443 – DRIDEX C2
  • 138.197.255.18 – Port 4143 – DRIDEX C2

SSL CERTIFICATES USED BY DRIDEX:

isirvisb s.m.b.a.
armasn ultd.
samanels s.p.a.
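As an added example that is not part of the original post, the script below correlates the stages of this chain (FTP retrieval of the document, the PowerShell stage, the /kjhy876g download, and TLS sessions to the C2 ports presenting the certificate subjects listed above) over constructed connection records. The Zeek-like line format, the internal hosts 10.1.1.x and the timestamps are assumptions; the destinations, URIs, ports and certificate names are the indicators from this post.

```python
import re
from collections import defaultdict

# Constructed Zeek-style records (ts src dst dport service detail). Destinations,
# URIs, ports and TLS cert subjects are this post's indicators; the internal
# hosts 10.1.1.x, timestamps and the line format itself are assumptions.
SAMPLE_LOG = """\
1516400001 10.1.1.5 194.116.187.130 21 ftp RETR /httpdocs/docs/scan_17.01.doc
1516400040 10.1.1.5 185.176.221.146 80 http GET /download/s/GTz
1516400055 10.1.1.5 75.119.200.80 80 http GET /kjhy876g
1516400061 10.1.1.5 69.163.163.39 80 http GET /kjhy876g
1516400090 10.1.1.5 69.90.132.196 443 ssl isirvisb s.m.b.a.
1516400095 10.1.1.5 89.171.146.30 4143 - SYN
1516400120 10.1.1.5 108.166.114.38 4443 ssl armasn ultd.
1516400140 10.1.1.5 138.197.255.18 4143 ssl samanels s.p.a.
1516400130 10.1.1.9 93.184.216.34 443 ssl example.com"""

C2_PORTS = {443, 4443, 4143}  # Dridex C2 ports seen in this capture
CERT_SUBJECTS = {"isirvisb s.m.b.a.", "armasn ultd.", "samanels s.p.a."}
OFFICE_EXT = re.compile(r"\.(docm?|xlsm?|rtf)$", re.I)

def parse(line):
    ts, src, dst, dport, svc, detail = line.split(maxsplit=5)
    return dict(ts=int(ts), src=src, dst=dst, dport=int(dport), svc=svc, detail=detail)

def score_host(records):
    """Chain stages observed for one source host, in time order."""
    stages = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["svc"] == "ftp" and r["detail"].startswith("RETR ") and OFFICE_EXT.search(r["detail"]):
            stages.append(("maldoc_via_ftp", r["dst"]))
        elif r["svc"] == "http" and r["detail"].startswith("GET /download/s/"):
            stages.append(("powershell_stage", r["dst"]))
        elif r["svc"] == "http" and r["detail"] == "GET /kjhy876g":
            stages.append(("dridex_download", r["dst"]))
        # A bare SYN to 4143 (89.171.146.30) is not counted: only a completed
        # TLS session presenting one of the listed certificates counts as C2.
        elif r["svc"] == "ssl" and r["dport"] in C2_PORTS and r["detail"] in CERT_SUBJECTS:
            stages.append(("dridex_c2", r["dst"]))
    return stages

def find_infected(log_text, min_stages=3):
    """Hosts showing at least min_stages distinct stages, mapped to their stages."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        by_host[line.split()[1]].append(parse(line))
    hits = {host: score_host(recs) for host, recs in by_host.items()}
    return {h: s for h, s in hits.items() if len({n for n, _ in s}) >= min_stages}
```

Requiring several distinct stages from one host, rather than any single indicator match, keeps a lone TLS session on port 443 or a stray SYN from raising an alert on its own.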
IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Email with link to download malicious Word document leading to Dridex

Shown above: Malicious Word document using DDE exploit CVE-2017-11826 to begin infection chain

Shown above: Network traffic associated with Dridex infection

MALICIOUS PAYLOAD: