2017-01-25 - HANCITOR/PONY MALSPAM - SUBJECT: YOU RECEIVED A NEW EFAX

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-01-25-eFax-malspam-traffic.pcap.zip   9.8 MB (9,754,125 bytes)
• ZIP archive of the email and some of the malware:  2017-01-25-efax-malspam-and-artifacts.zip   1.7 MB (1,699,960 bytes)

 

NOTES:

• This is an email and traffic form the latest wave of apparent Hancitor/Pony/Vawtrak malspam.
• Traffic is similar to a recent ISC diary I wrote earlier this month at:  https://isc.sans.edu/forums/diary/HancitorPonyVawtrak+malspam/21919/
• No Vawtrak this time, though--It appears to be Terdot.A/Zloader instead.
• This one had additional malware downloaded, and the infected host started acting like a spambot (numerous SMTP attempts).

 

MALSPAM

Shown above:  Screenshot of the email.

 

TRAFFIC

ASSOCIATED ACTIVITY:

Shown above:  Pcap of the infection traffic filtered in Wireshark.

• 118.69.196.199 port 80 - www.lifelabs.vn - GET /api/get.php?id=[base64 string representing recipient's email address]
• api.ipify.org - GET /
• 95.169.190.104 port 80 - hedthowtorspar.com - POST /ls5/forum.php
• 95.169.190.104 port 80 - hedthowtorspar.com - POST /klu/forum.php
• 77.79.246.210 port 80 - sy-nitron.pl - GET /wp-content/themes/twentyfifteen/pm1
• 77.79.246.210 port 80 - sy-nitron.pl - GET /wp-content/themes/twentyfifteen/2501
• 62.76.89.178 port 80 - rowatterding.ru - POST /bdk/gate.php
• checkip.dyndns.org - GET /
• 219.94.192.63 port 80 - hiraso-farm.com - GET /wp-content/plugins/disable-google-fonts/84.exe
• 91.220.131.84 port 50004 - UDP post-infection traffic
• 91.220.131.84 port 50003 - TCP post-infection traffic
• several different IP addresses - port 25 - attempted SMTP traffic

 

MALWARE

MALWARE RETRIEVED FROM THE INFECTED HOST:

• 9c1ad87660e13b35fc48961f0936e9724aa763a3130e194bf67402a118d32657 - eFax_mark.doc   (201,728 bytes)
• 8e436941dc1a9892cb5ee170f16116ca0cf2e5c25abf84ed74b4a15eaee94f4e - C:\Users\[username]\AppData\Local\Temp\84.exe   (1,930,752 bytes)

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-01-25-eFax-malspam-traffic.pcap.zip   9.8 MB (9,754,125 bytes)
• ZIP archive of the email and some of the malware:  2017-01-25-efax-malspam-and-artifacts.zip   1.7 MB (1,699,960 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.