2017-01-30 - HANCITOR/PONY MALSPAM - SUBJECT: PARCEL DELIVERY INFORMATION

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2017-01-30-UPS-malspam-pcaps.zip   7.8 MB (7,847,063 bytes)

• 2017-01-30-UPS-malspam-traffic-part-1-retreiving-Word-doc.pcap   (206,094 bytes)
• 2017-01-30-UPS-malspam-traffic-part-2-post-infection-activity.pcap   (8,403,581 bytes)

• ZIP archive of the malware:  2017-01-30-UPS-malspam-artifacts.zip   (256 kB (255,501 bytes)

• 2017-01-30-UPS-malspam-1713-UTC.eml   (1,192 bytes)
• 2017-01-30-possible-Terdot.A-Zloader-from-UPS-malspam.exe   (190,976 bytes)
• UPS_leonard.doc   (190,464 bytes)

NOTES:

• More malspam similar to something I posted in an ISC diary I wrote covering Hancitor/Pony/Vawtrak malspam from 2017-01-10 (link).
• Today it's a fake parcel information message.
• I'm seeing artifacts on the infected host, like it's downloaded Vawtrak, but I'm getting alerts for Zloader.

Shown above:  Flowchart for this infection traffic.

 

EMAIL

Shown above:  Screenshot of the email.

 

EMAIL HEADERS:

• Date:  Monday 2017-01-30 at 17:13 UTC
• From:   UPS Quantum View  <ups@ups-quantumview.com>
• Subject:  Parcel #6173176 Delivery Information
• Message-ID:  <964F02DE.2937FEE2@ups-quantumview.com>

 

Shown above:  Word document downloaded from link in the email.

 

TRAFFIC

Shown above:  Traffic from the infection filtere in Wireshark.

Shown above:  Some alerts on the post-infection traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.

 

ASSOCIATED DOMAINS:

• 111.223.52.185 port 80 - moohin.in.th - GET /dara/api/get.php?id=[base64 characters representing recipient's email address]
• api.ipify.org - GET /   [IP address check by the infected host]
• 78.24.223.16 port 80 - repterkinmo.com - POST /ls5/forum.php   [Hancitor check-in]
• 210.224.185.17 port 80 - leavingworld.com - GET /wp-content/plugins/wp-multibyte-patch/pm1   [Download Pony DLL]
• 78.24.223.16 port 80 - repterkinmo.com - POST /klu/forum.php   [Hancitor check-in]
• 210.224.185.17 port 80 - leavingworld.com - GET /wp-content/plugins/wp-multibyte-patch/a123   [follow-up download]
• 91.217.91.136 port 80 - dintlachertsu.com - POST /bdk/gate.php   [Terdot.a/Zloader checkin]

 

FILE HASHES

WORD DOCUMENT:

• SHA256 hash:  5a3c843bfcf31c2f2f2a2e4d5f5967800a2474e07323e8baa46ff3ac64d60d4a   (190,464 bytes)
  File description:  Hancitor maldoc (Word document) on 2017-01-30

FOLLOW-UP MALWARE DOWNLOADED BY PONY:

• SHA256 hash:  ed0876f34632254c783ae99b34dde1103e345d1168133f4e3a756454f6845bb0   (190,976 bytes)
  File description:  Follow-up malware (EXE file) on 2017-01-30, probable Terdot.A/Zloader

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2017-01-30-UPS-malspam-pcaps.zip   7.8 MB (7,847,063 bytes)
• ZIP archive of the malware:  2017-01-30-UPS-malspam-artifacts.zip   (256 kB (255,501 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.