2017-01-12 - HANCITOR/PONY/VAWTRAK MALSPAM - SUBJECT: RE: RE: YOUR IPHONE ORDER
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2017-01-12-Hancitor-Pony-Vawtrak-malspam-traffic.pcap.zip 1.1 MB (1,139,654 bytes)
- 2017-01-12-Hancitor-Pony-Vawtrak-malspam-traffic.pcap (1,398,569 bytes)
- ZIP archive of the malware: 2017-01-12-Hancitor-Pony-Vawtrak-malspam-and-malware.zip 440 kB (440,479 bytes)
- 2017-01-12-Hancitor-example.doc (190,464 bytes)
- 2017-01-12-Pony-example-pm1.dll (71,680 bytes)
- 2017-01-12-Vawtrak-example.exe (489,984 bytes)
- 2017-01-12-malspam-1652-UTC.eml (1,049 bytes)
NOTES:
- More malspam as described in an ISC diary I wrote covering Hancitor/Pony/Vawtrak malspam from Tuesday 2017-01-10 (link).
- Today it's a fake iphone order.
Shown above: Flowchart for this infection traffic.
Shown above: Screenshot of the email.
EMAIL HEADERS:
- Date: Thursday 2017-01-12 at 16:52 UTC
- From: order@cricketwireless.com <order@cricketwireless.com>
- Subject: RE: RE: your iphone order
- Message-ID: <7A60F44D.E796C0E6@cricketwireless.com>
Shown above: Word document downloaded from link in the email.
TRAFFIC
Shown above: Word document downloaded from link in the email.
ASSOCIATED DOMAINS:
- 112.78.2.137 port 80 - gship.vn - GET /api/get.php?id=[base64 characters representing recipient's email address]
- api.ipify.org - GET / [IP address check by the infected host]
- 80.78.251.134 port 80 - vertoldrighbi.com - POST /ls5/forum.php [Hancitor check-in]
- 185.58.41.77 port 80 - vetement-sport-martinique.com - GET /wp-content/plugins/duplicate-post/pm1.dll [Download Pony DLL]
- 80.78.251.134 port 80 - vertoldrighbi.com - POST /klu/forum.php [Hancitor check-in]
- 185.58.41.77 port 80 - vetement-sport-martinique.com - GET /wp-content/plugins/duplicate-post/inst2.exe [Vawtrak download]
- 51.254.39.113 port 443 - sifonwaheds.com - HTTPS/SSL/TLS traffic caused by Vawtrak
- 5.196.129.108 port 80 - 5.196.129.108 - GET /module/111392faaeebd739543430b0ce48441f [Vawtrak post-infection HTTP traffic]
- 5.196.129.108 port 80 - 5.196.129.108 - GET /module/272a5ad4a1b97a2ac874d6d3e5fff01d [Vawtrak post-infection HTTP traffic]
- 5.196.129.108 port 80 - 5.196.129.108 - GET /module/a45e040f1be6054354c7d82b58b1f40e [Vawtrak post-infection HTTP traffic]
- DNS query for efficiencyhg.ru - blank response from name server
- DNS query for monotonousfd.ru - blank response from name server
- 31.24.30.241 port 443 - agiflecnefd.com - HTTPS/SSL/TLS traffic caused by Vawtrak
FILE HASHES
WORD DOCUMENT:
- SHA256 hash: 74a649097b294bbf0ea63a521acdf37ee586ef42c56cb343680dc3b4c4fb074d (190,464 bytes)
File description: Hancitor maldoc (Word document) on 2017-01-12
PONY DLL:
- SHA256 hash: 4f64b253fa41acaedbf705a494de97cdcce293383e5cebef5a72dc264205f924 (71,680 bytes)
File description: Pony downloader (DLL file) on 2017-01-12
VAWTRAK MALWARE:
- SHA256 hash: 4c6a0d18ab824c3c497a2b3a76a2672d7f288414ae2e132b28840fb5b7e901fd (489,984 bytes)
File description: Vawtrak malware (EXE file) on 2017-01-12
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcaps: 2017-01-12-Hancitor-Pony-Vawtrak-malspam-traffic.pcap.zip 1.1 MB (1,139,654 bytes)
- ZIP archive of the malware: 2017-01-12-Hancitor-Pony-Vawtrak-malspam-and-malware.zip 440 kB (440,479 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.