2017-02-07 - HANCITOR/PONY MALSPAM - SUBJECT: YOU RECEIVED A NEW EFAX FROM 202-935-2034
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-02-07-Hancitor-Pony-malspam-traffic.pcap.zip 8.7 MB (8,659,442 bytes)
- 2017-02-07-Hancitor-Pony-malspam-traffic.pcap (9,494,012 bytes)
- ZIP archive of the emails and recovered malware: 2017-02-07-Hancitor-Pony-malspam-and-malware.zip 295 kB (294,689 bytes)
- 2017-02-07-hancitor-pony-malspam-1607-UTC.eml (3,936 bytes)
- 2017-02-07-hancitor-maldoc.doc (194,560 bytes)
- 2017-02-07-follow-up-malware-Terdot.A-Zloader.exe (255,488 bytes)
NOTES:
- More malspam with a link to a malicious Word document.
- Today's email was disguised as an eFax notification.
Shown above: Flowchart for this infection traffic.
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date: Tuesday, 2017-02-06 at 16:07 UTC
- From (spoofed): "eFax" <messaging@efax.com>
- Subject: You received a new eFax from 202-935-2034
- Message-ID: <B7629267.F8732A87@efax.com>
Shown above: Word document downloaded from link in the email.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
ASSOCIATED DOMAINS:
- 1.33.173.233 port 80 - naemura-fuel.co.jp - GET /api/get.php?id=[base64 characters representing recipient's email address]
- api.ipify.org - GET / [IP address check by the infected host]
- 109.120.140.85 port 80 - keinketone.com - POST /ls5/forum.php [Hancitor check-in]
- 198.58.123.24 port 80 - www.cellulaze-gr.com - /1 [Download Pony DLL]
- 109.120.140.85 port 80 - keinketone.com - POST /klu/forum.php
- 198.58.123.24 port 80 - www.cellulaze-gr.com - GET /a1 [follow-up download]
- 91.239.64.237 port 80 - suhanbutar.com - POST /bdk/gate.php
- checkip.dyndns.org - GET / [IP address check by the infected host]
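The request sequence above is what a defender would look for in proxy or web logs. The following script is an added example and not part of this page or of the pcap: it encodes the hosts, methods and paths listed above as indicators, runs them over a few constructed proxy-log lines (format and client IPs are assumptions; the base64 `id` value is a constructed address, not one from the actual email), decodes the `id` parameter back to the recipient address, and separates clients that merely performed an IP check from clients that reached the Hancitor check-in or Pony stages.

```python
"""Match constructed proxy-log lines against the Hancitor/Pony indicators listed on this page.

Log format (constructed for this example, not taken from the pcap):
    <ISO timestamp> <client IP> <method> <host> <path?query> <status>
"""
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Indicators as listed in the page's "ASSOCIATED DOMAINS" section: (host, method, path, stage).
# A method of None means the page does not state the method for that request.
INDICATORS = [
    ("naemura-fuel.co.jp", "GET", "/api/get.php", "maldoc link"),
    ("api.ipify.org", "GET", "/", "ip check"),
    ("keinketone.com", "POST", "/ls5/forum.php", "hancitor check-in"),
    ("www.cellulaze-gr.com", None, "/1", "pony dll download"),
    ("keinketone.com", "POST", "/klu/forum.php", "hancitor check-in"),
    ("www.cellulaze-gr.com", "GET", "/a1", "follow-up download"),
    ("suhanbutar.com", "POST", "/bdk/gate.php", "pony gate"),
    ("checkip.dyndns.org", "GET", "/", "ip check"),
]

# Stages that indicate a running implant rather than just a click on the email link.
POST_INFECTION_STAGES = {"hancitor check-in", "pony dll download", "follow-up download", "pony gate"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample log: client 10.0.0.25 clicks the link and goes through the full chain;
# client 10.0.0.77 only performs an IP check, which is not malicious on its own.
SAMPLE_LOG = """\
2017-02-07T16:09:01Z 10.0.0.25 GET naemura-fuel.co.jp /api/get.php?id=dXNlckBleGFtcGxlLmNvbQ== 200
2017-02-07T16:11:30Z 10.0.0.25 GET api.ipify.org / 200
2017-02-07T16:11:31Z 10.0.0.25 POST keinketone.com /ls5/forum.php 200
2017-02-07T16:11:33Z 10.0.0.25 GET www.cellulaze-gr.com /1 200
2017-02-07T16:11:35Z 10.0.0.25 POST keinketone.com /klu/forum.php 200
2017-02-07T16:11:40Z 10.0.0.25 GET www.cellulaze-gr.com /a1 200
2017-02-07T16:12:02Z 10.0.0.25 POST suhanbutar.com /bdk/gate.php 200
2017-02-07T16:12:05Z 10.0.0.25 GET checkip.dyndns.org / 200
2017-02-07T16:20:00Z 10.0.0.77 GET api.ipify.org / 200
2017-02-07T16:21:00Z 10.0.0.77 GET www.example.com /index.html 200
"""


def decode_id_param(path_and_query):
    """Return the e-mail address carried in a base64 'id' parameter, or None if absent/invalid."""
    query = urlsplit(path_and_query).query
    values = parse_qs(query).get("id")
    if not values:
        return None
    try:
        decoded = base64.b64decode(values[0], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if EMAIL_RE.match(decoded) else None


def match_indicator(method, host, path_and_query):
    """Return the stage name if this request matches a page-listed indicator, else None."""
    path = urlsplit(path_and_query).path
    for ind_host, ind_method, ind_path, stage in INDICATORS:
        if host == ind_host and path == ind_path and ind_method in (None, method):
            return stage
    return None


def analyze(log_text):
    """Group indicator hits per client IP: {client: [(timestamp, stage, detail), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # malformed line: skip rather than crash on real logs
        timestamp, client, method, host, path_and_query, _status = fields
        stage = match_indicator(method, host, path_and_query)
        if stage is None:
            continue
        detail = decode_id_param(path_and_query) if stage == "maldoc link" else ""
        hits[client].append((timestamp, stage, detail))
    return dict(hits)


def infected_clients(log_text):
    """Clients with at least one post-infection stage (an IP check alone is not enough)."""
    return sorted(
        client for client, events in analyze(log_text).items()
        if any(stage in POST_INFECTION_STAGES for _, stage, _ in events)
    )


if __name__ == "__main__":
    for client, events in analyze(SAMPLE_LOG).items():
        print(client)
        for timestamp, stage, detail in events:
            print(f"  {timestamp} {stage} {detail}".rstrip())
    print("infected:", infected_clients(SAMPLE_LOG))
```

Matching on host plus exact path (rather than the whole URL) keeps the `id` value out of the indicator, so a different recipient still matches; the decoded address tells you which mailbox received the eFax lure, which is the pivot back into the mail logs. The IP-check hosts are kept as low-confidence context only, since legitimate software uses them too.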
FILE HASHES
WORD DOCUMENT:
- SHA256 hash: 2006bc2eb231815ba3f6aaae10d29a04e52aaec3f3c2d40a7f7274828b85eb9b (194,560 bytes)
File description: Hancitor maldoc (Word document) on 2017-02-07
TERDOT.A/ZLOADER:
- SHA256 hash: e91f109f221072475ef853b949b55b0da4e10bb84ede29d4c7b5b6b219dd0c9b (255,488 bytes)
File description: Terdot.A/Zloader on 2017-02-07
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-02-07-Hancitor-Pony-malspam-traffic.pcap.zip 8.7 MB (8,659,442 bytes)
- ZIP archive of the emails and recovered malware: 2017-02-07-Hancitor-Pony-malspam-and-malware.zip 295 kB (294,689 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.