2017-03-29 - HANCITOR MALSPAM - SUBJECT: YOUR FLIGHT TICKET ORDER

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-03-29-Hancitor-malspam-traffic.pcap.zip   14.0 MB (14,008,378 bytes)
• ZIP archive of the malware:  2017-03-29-Hancitor-malspam-emails-and-artifacts.zip   319 kB (319,008 bytes)

NOTES:

• Was busy earlier this week, so I didn't get traffic from Monday or Tuesday.  More indicators at:

• https://techhelplist.com/spam-list/1104-2017-03-27-your-amazon-com-order-has-shipped-malware
• https://techhelplist.com/spam-list/1120-2017-03-28-your-invoice-is-available-for-review-malware
• https://techhelplist.com/spam-list/1122-2017-03-29-your-flight-ticket-order-name-malware

 

EMAIL

Shown above:  Screen shot of the email.

 

EMAIL HEADERS:

• Date:  Monday 2017-03-27
• From:  (spoofed) "Amazon.com" <ship-confirm@amazon-delivery.com>
• Subject:  Your Amazon.com order has shipped (#123-12345678-1234567890)

• Date:  Tuesday 2017-03-28
• From:  (spoofed) "ADP Billing" <adp@adp-usa.com>
• Subject:  Your invoice 123456 is available for review!

• Date:  Wednesday 2017-03-29
• From:  (spoofed) "Delta Air Lines" <order@delta-tickets.com>
• Subject:  Your Flight Ticket Order 12345 - [recipient]

 

Shown above:  Malicious Word document (Hancitor) from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUESTS FOR THE INITIAL DOCUMENT:

• 2017-03-28 - www.oceanprosperity.com.hk - GET /stat/getnum.php?id=[base64 string]
• 2017-03-27 - www.bluedot.co.za - GET /l5afva/getnum.php?id=[base64 string]

• Today - 77.79.81.241 port 80 - kismettic.com.tr - GET /delta/getnum.php?id=[base64 string]
• Today - 52.77.44.7 port 80 - ieducate.sg - GET /delta/getnum.php?id=[base64 string]

 

POST-INFECTION TRAFFIC:

• 45.114.118.194 port 80 - astechfitnes.com - GET /wp-content/plugins/jetpack/slx.exe?showforum=14.0
• 212.158.174.64 port 80 - hedhesarbi.com - POST /ls5/forum.php
• 212.158.174.64 port 80 - hedhesarbi.com - POST /d1/about.php
• 129.121.5.169 port 80 - thechmgroup.com - GET /1
• 129.121.5.169 port 80 - thechmgroup.com - GET /2
• 129.121.5.169 port 80 - thechmgroup.com - GET /a1
• 176.114.1.227 port 80 - downhemfoso.com - POST /bdk/gate.php
• api.ipify.org - GET /
• checkip.dyndns.org - GET /
• Various IP addresses, various ports - Tor traffic

 

SOME ARTIFACTS ON THE INFECTED WINDOWS HOST:

• C:\Users\[username]\AppData\Local\Temp\42239.exe (100 kB)
• C:\Users\[username]\AppData\Local\Temp\BN53F9.tmp (180 kB)
• C:\Users\[username]\AppData\Local\Temp\beqyve.crt (2 kB)
• C:\Users\[username]\AppData\Roaming\Dueh\ymax.ute (0 kB)
• C:\Users\[username]\AppData\Roaming\Dueh\zmax.ute (0 kB)
• C:\Users\[username]\AppData\Roaming\Nyyml\ruyt.oze (21,603 kB)
• C:\Users\[username]\AppData\Roaming\tor\cached-certs (19 kB)
• C:\Users\[username]\AppData\Roaming\tor\cached-microdescs-consensus (2,194 kB)
• C:\Users\[username]\AppData\Roaming\tor\cached-microdescs.new (3,673 kB)
• C:\Users\[username]\AppData\Roaming\tor\lock (0 kB)
• C:\Users\[username]\AppData\Roaming\tor\state (2 kB)
• C:\Users\[username]\AppData\Roaming\Xeukys\epposi.php (4 kB)
• C:\Users\[username]\AppData\Roaming\Xeukys\php.exe (29 kB)
• C:\Users\[username]\AppData\Roaming\Xeukys\php5ts.dll (5,589 kB)
• C:\Users\[username]\AppData\Roaming\Zyku\acho.myu (180 kB)
• C:\Users\[username]\AppData\Roaming\libeay32.dll (1,944 kB)
• C:\Users\[username]\AppData\Roaming\libevent-2-0-5.dll (703 kB)
• C:\Users\[username]\AppData\Roaming\libgcc_s_sjlj-1.dll (511 kB)
• C:\Users\[username]\AppData\Roaming\libssp-0.dll (91 kB)
• C:\Users\[username]\AppData\Roaming\ssleay32.dll (391 kB)
• C:\Users\[username]\AppData\Roaming\tor.exe (2,898 kB)
• C:\Users\[username]\AppData\Roaming\zlib1.dll (105 kB)

 

FILE HASHES

FROM LINK IN THE EMAIL:

• SHA256 hash:  9041418337322cbdf1f6105d4ade74110b25675f00c72b0728f66faa56a73f05
  File location:  Ticket_shaun.michaels6.doc
  File description:  Hancitor maldoc

MALWARE FROM THE INFECTED HOST:

• SHA256 hash:  63733fe624b6e2ca7941a30e33f2e664a973d91c5a28abe6204aab4a0062d917
  File location:  C:\Users[username]\AppData\Local\Temp\42239.exe

• SHA256 hash:  7e059267c64b5740672872c4f860f685a9eafbc605319dbb65b45eea7359d338
  File location:  C:\Users[username]\AppData\Local\Temp\BN53F9.tmp

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-03-29-Hancitor-malspam-traffic.pcap.zip   14.0 MB (14,008,378 bytes)
• ZIP archive of the malware:  2017-03-29-Hancitor-malspam-emails-and-artifacts.zip   319 kB (319,008 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.