2017-02-07 - HANCITOR/PONY MALSPAM - SUBJECT: YOU RECEIVED A NEW EFAX FROM 202-935-2034

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-02-07-Hancitor-Pony-malspam-traffic.pcap.zip   8.7 MB (8,659,442 bytes)

• 2017-02-07-Hancitor-Pony-malspam-traffic.pcap   (9,494,012 bytes)

• ZIP archive of the emails and recovered malware:  2017-02-07-Hancitor-Pony-malspam-and-malware.zip   295 kB (294,689 bytes)

• 2017-02-07-hancitor-pony-malspam-1607-UTC.eml   (3,936 bytes)
• 2017-02-07-hancitor-maldoc.doc   (194,560 bytes)
• 2017-02-07-follow-up-malware-Terdot.A-Zloader.exe   (255,488 bytes)

NOTES:

• More malspam with a link to a malicious Word document.
• Today's email was disguised as an eFax notification.

Shown above:  Flowchart for this infection traffic.

 

EMAIL

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date:  Tuesday, 2017-02-06 at 16:07 UTC
• From (spoofed):  "eFax" <messaging@efax.com>
• Subject:  You received a new eFax from 202-935-2034
• Message-ID:  <B7629267.F8732A87@efax.com>

 

Shown above:  Word document downloaded from link in the email.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• 1.33.173.233 port 80 - naemura-fuel.co.jp - GET /api/get.php?id=[base64 characters representing recipient's email address]
• api.ipify.org - GET /   [IP address check by the infected host]
• 109.120.140.85 port 80 - keinketone.com - POST /ls5/forum.php   [Hancitor check-in]
• 198.58.123.24 port 80 - www.cellulaze-gr.com - /1   [Download Pony DLL]
• 109.120.140.85 port 80 - keinketone.com - POST /klu/forum.php
• 198.58.123.24 port 80 - www.cellulaze-gr.com - GET /a1   [follow-up download]
• 91.239.64.237 port 80 - suhanbutar.com - POST /bdk/gate.php
• checkip.dyndns.org - GET /   [IP address check by the infected host]

 

FILE HASHES

WORD DOCUMENT:

• SHA256 hash:  2006bc2eb231815ba3f6aaae10d29a04e52aaec3f3c2d40a7f7274828b85eb9b   (194,560 bytes)
  File description:  Hancitor maldoc (Word document) on 2017-02-07

 

TERDOT.A/ZLOADER:

• SHA256 hash:  e91f109f221072475ef853b949b55b0da4e10bb84ede29d4c7b5b6b219dd0c9b   (255,488 bytes)
  File description:  Terdot.A/Zloader on 2017-02-07

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-02-07-Hancitor-Pony-malspam-traffic.pcap.zip   8.7 MB (8,659,442 bytes)
• ZIP archive of the emails and recovered malware:  2017-02-07-Hancitor-Pony-malspam-and-malware.zip   295 kB (294,689 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.