New Dridex Banking Trojan Malware Spam Campaign Traffic Analysis and PCAP

By | January 29, 2016

Download: Dridex Pcap Sample One

The listing below is a tcpdump-style ASCII dump of the above pcap from the new Dridex campaign (the infected host is 192.168.56.17, a lab VM on a VirtualBox host-only network). A few key elements stand out:

Hostile IP: 119.160.223.115

Port: TCP 1143 (the client connects to it twice in this excerpt, from source ports 49160 and 49162)

Crafted X.509 SSL certificate: the server's TLS handshake carries a self-signed certificate whose issuer and subject are both C=BW, O=Gofonfee Airehas Corp., CN=ichetitssore.re, valid from 2016-01-25 23:53:10Z to 2017-01-24 23:53:10Z. In the raw dump this appears as the fragment "Gofonfee Airehas Corp.1.0…U….ichetitssore.re0": the "U…." runs are the DER-encoded attribute type OIDs (2.5.4.x, whose first byte 0x55 prints as "U") with the non-printable tag and length bytes rendered as dots, and the two UTCTime strings 160125235310Z and 170124235310Z are the validity period. The certificate exists only to give the C2 channel a TLS wrapper, and its subject, issuer and validity window are identical in both sessions, which makes them the most stable thing here to match on.

What the capture shows, in order:

1. 07:07:50: TLS session from 192.168.56.17:49160 to 119.160.223.115:1143. The server's 981-byte handshake flight contains the certificate above; the client answers with 326 bytes, the server with 59, and the handshake completes (no application data is shown in this excerpt).

2. 07:07:54: ARP from 192.168.56.1 (the host side of the host-only network) for the VM.

3. 07:08:00: an LLMNR query (UDP 5355 to 224.0.0.252) from the VM.

4. 07:08:02: DNS for www.download.windowsupdate.com via 8.8.8.8, then an HTTP GET for /msdownload/update/v3/static/trustedr/en/authrootstl.cab with User-Agent Microsoft-CryptoAPI/6.1. This is not malware traffic; it is the Windows Automatic Root Certificates Update. When CryptoAPI builds a chain for a certificate that does not end in a root present in the local store, which a self-signed server certificate never does, it fetches the current authroot certificate trust list from Windows Update. The 6.1 in the User-Agent is the Windows 7 / Server 2008 R2 version, and the If-Modified-Since of 24 Feb 2015 shows the VM's cached CTL was almost a year old, so the server returned a fresh 49,660-byte cabinet (MSCF) containing authroot.stl. For analysts this fetch is a useful corroborating signal rather than an indicator of compromise on its own: a CryptoAPI authroot download within seconds of a TLS session to a non-standard port usually means the host has just tried to validate an untrusted certificate.

5. 07:08:06: a second TLS session to 119.160.223.115:1143 from source port 49162, with the same 981-byte server flight and the same certificate.


(Packet summary lines and printable payload only; non-printable payload bytes, which the original dump renders as dots, are omitted.)

2016-01-27 07:07:50.343095 IP 119.160.223.115.1143 > 192.168.56.17.49160: Flags [.], ack 96, win 115, length 0
2016-01-27 07:07:50.344446 IP 119.160.223.115.1143 > 192.168.56.17.49160: Flags [P.], seq 1:982, ack 96, win 115, length 981
[TLS server handshake flight carrying the X.509 certificate; the DER fields that survive as printable ASCII:
 issuer:   C=BW, O=Gofonfee Airehas Corp., CN=ichetitssore.re
 validity: 160125235310Z .. 170124235310Z
 subject:  C=BW, O=Gofonfee Airehas Corp., CN=ichetitssore.re
 issuer and subject are identical, i.e. self-signed]
2016-01-27 07:07:50.350551 IP 192.168.56.17.49160 > 119.160.223.115.1143: Flags [P.], seq 96:422, ack 982, win 16179, length 326
[TLS handshake continuation, binary]
2016-01-27 07:07:50.653404 IP 119.160.223.115.1143 > 192.168.56.17.49160: Flags [P.], seq 982:1041, ack 422, win 123, length 59
[TLS handshake continuation, binary]
2016-01-27 07:07:50.860541 IP 192.168.56.17.49160 > 119.160.223.115.1143: Flags [.], ack 1041, win 16165, length 0
2016-01-27 07:07:54.966996 ARP, Request who-has 192.168.56.17 tell 192.168.56.1, length 46
2016-01-27 07:07:54.967057 ARP, Reply 192.168.56.17 is-at 0a:00:27:5a:e1:03, length 28

2016-01-27 07:08:00.127344 IP 192.168.56.17.57681 > 224.0.0.252.5355: UDP, length 28
[LLMNR query; printable payload: 6MoL4SrVmJ]
2016-01-27 07:08:02.586874 IP 192.168.56.17.60830 > 8.8.8.8.53: 8557+ A? www.download.windowsupdate.com. (48)
2016-01-27 07:08:02.625455 IP 8.8.8.8.53 > 192.168.56.17.60830: 8557 5/0/0 CNAME 2-01-3cf7-0009.cdx.cedexis.net., CNAME b1ns.au-msedge.net., CNAME b1ns.c-0001.c-msedge.net., CNAME c-0001.c-msedge.net., A 13.107.4.50 (186)
2016-01-27 07:08:02.644031 IP 192.168.56.17.49161 > 13.107.4.50.80: Flags [S], seq 1204200818, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-01-27 07:08:02.675803 IP 13.107.4.50.80 > 192.168.56.17.49161: Flags [S.], seq 1532820762, ack 1204200819, win 8192, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
2016-01-27 07:08:02.675914 IP 192.168.56.17.49161 > 13.107.4.50.80: Flags [.], ack 1, win 258, length 0
2016-01-27 07:08:02.680764 IP 192.168.56.17.49161 > 13.107.4.50.80: Flags [P.], seq 1:302, ack 1, win 258, length 301: HTTP: GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 2523
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Feb 2015 00:37:01 GMT
If-None-Match: "80b4d90ca4fd01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com
2016-01-27 07:08:02.712523 IP 13.107.4.50.80 > 192.168.56.17.49161: Flags [.], ack 302, win 513, length 0
2016-01-27 07:08:02.713978 IP 13.107.4.50.80 > 192.168.56.17.49161: Flags [.], seq 1:1461, ack 302, win 513, length 1460: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Length: 49660
Content-Type: application/octet-stream
Last-Modified: Sat, 23 Jan 2016 01:05:39 GMT
Accept-Ranges: bytes
ETag: "80736a2c7a55d11:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-CID: 7
X-CCC: US
X-MSEdge-Ref: Ref A: A72A411077B14CCAB4F0EFC1FAFEB559 Ref B: 86F8E6FB69D394A4704A0238C8335262 Ref C: Wed Jan 27 04:08:02 2016 PST
Date: Wed, 27 Jan 2016 12:08:02 GMT

MSCF ... authroot.stl [Microsoft Cabinet archive body, binary]
2016-01-27 07:08:02.713984 IP 13.107.4.50.80 > 192.168.56.17.49161: Flags [.], seq 1461:2921, ack 302, win 513, length 1460: HTTP
[continuation of the cabinet body, binary]

2016-01-27 07:08:06.187497 IP 119.160.223.115.1143 > 192.168.56.17.49162: Flags [P.], seq 1:982, ack 128, win 115, length 981
[second TLS session: the same 981-byte server flight and the same certificate,
 C=BW, O=Gofonfee Airehas Corp., CN=ichetitssore.re, validity 160125235310Z .. 170124235310Z]
2016-01-27 07:08:06.189884 IP 192.168.56.17.49162 > 119.160.223.115.1143: Flags [P.], seq 128:454, ack 982, win 16179, length 326
[TLS handshake continuation, binary]
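To turn the "U…." fragments of the dump into something you can pivot on, the certificate has to be read as DER rather than as ASCII. The following is an added example, not code from the original post or from any Dridex analysis tooling: a minimal DER walker that pulls issuer, subject and validity out of an X.509 certificate and flags the two things that stand out in this capture (issuer equal to subject, TLS on a port other than 443). The certificate it parses is constructed inline to mirror the fields legible above (C=BW, O=Gofonfee Airehas Corp., CN=ichetitssore.re, 160125235310Z to 170124235310Z); its key and signature bytes are dummies, so it is not the real Dridex certificate, and the `indicators` heuristic is this example's own, not something the post defines.

```python
"""Minimal DER walker for the X.509 fields visible in the tcpdump -A dump.

Added example, not code from the original post. The certificate below is
CONSTRUCTED to mirror the Name/Validity fields legible in the capture; its key
and signature are dummy bytes, so it is NOT the real Dridex certificate.
"""

SEQ, SET, PRINTABLE, UTCTIME, INT, BITSTR, NULL = 0x30, 0x31, 0x13, 0x17, 0x02, 0x03, 0x05
ATTR = {"2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.3": "CN"}   # X.520 attribute OIDs
ATTR_OID = {v: k for k, v in ATTR.items()}

# ---- tiny DER encoder, used only to build the constructed sample -------------
def _len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def oid(dotted):
    """Encode a dotted OID; 2.5.4.x becomes 55 04 xx, the 'U..' seen in the dump."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def name(**attrs):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value PrintableString }."""
    rdns = [tlv(SET, tlv(SEQ, oid(ATTR_OID[k]) + tlv(PRINTABLE, v.encode())))
            for k, v in attrs.items()]
    return tlv(SEQ, b"".join(rdns))

def sample_certificate():
    """Constructed sample: DN and validity copied from the capture, dummy key/signature."""
    dn = name(C="BW", O="Gofonfee Airehas Corp.", CN="ichetitssore.re")
    sig_alg = tlv(SEQ, oid("1.2.840.113549.1.1.11") + tlv(NULL, b""))   # sha256WithRSAEncryption
    validity = tlv(SEQ, tlv(UTCTIME, b"160125235310Z") + tlv(UTCTIME, b"170124235310Z"))
    spki = tlv(SEQ, tlv(SEQ, oid("1.2.840.113549.1.1.1") + tlv(NULL, b""))
               + tlv(BITSTR, b"\x00" * 17))                                # dummy key
    tbs = tlv(SEQ, tlv(0xA0, tlv(INT, b"\x02")) + tlv(INT, b"\x01")
              + sig_alg + dn + validity + dn + spki)                       # issuer == subject
    return tlv(SEQ, tbs + sig_alg + tlv(BITSTR, b"\x00" * 17))             # dummy signature

# ---- DER parser ------------------------------------------------------------
def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV at pos; definite lengths only."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                       # long form: next (ln & 0x7F) bytes hold the length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_name(body):
    out = {}
    for _, rdn in children(body):                  # each RDN is a SET
        for _, atv in children(rdn):               # SEQUENCE { OID, value }
            (_, o), (_, v) = children(atv)
            out[ATTR.get(decode_oid(o), decode_oid(o))] = v.decode("latin-1")
    return out

def summarize(cert_der):
    """Issuer, subject, validity and a self-signed flag from a DER certificate."""
    _, cert, _ = read_tlv(cert_der)
    _, tbs = children(cert)[0]
    fields = children(tbs)
    if fields[0][0] == 0xA0:                       # explicit [0] version, optional
        fields = fields[1:]
    _serial, _sig_alg, issuer, validity, subject = fields[:5]
    nb, na = children(validity[1])
    return {"issuer": parse_name(issuer[1]), "subject": parse_name(subject[1]),
            "not_before": nb[1].decode(), "not_after": na[1].decode(),
            "self_signed": issuer[1] == subject[1]}

def indicators(summary, dst_port):
    """Triage hints for a server certificate seen on dst_port (example heuristic)."""
    hits = []
    if summary["self_signed"]:
        hits.append("self-signed (issuer == subject)")
    if dst_port != 443:
        hits.append("TLS on non-standard port %d" % dst_port)
    return hits

if __name__ == "__main__":
    s = summarize(sample_certificate())
    print(s)
    print(indicators(s, 1143))
```

`summarize` is what you would run on the Certificate handshake message carved from the 981-byte server flight (Wireshark's "Export Packet Bytes" on the certificate, or `openssl x509 -inform DER -noout -subject -issuer -dates` if you only need a one-off). The point of writing it out is to see why the ASCII dump looks the way it does: every `U….` is a 0x55 0x04 OID prefix, every `0..` or `1.0` a SEQUENCE or SET header, and the two 13-character timestamps are the only validity data there is.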
