2017-05-31 - HANCITOR MALSPAM - SUBJECT: YOUR PACKAGE HAS BEEN RETURNED!
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-05-31-Hancitor-malspam-traffic.pcap.zip 13.7 MB (13,656,323 bytes)
- 2017-05-31-Hancitor-malspam-traffic.pcap (14,566,953 bytes)
- ZIP archive of the malware: 2017-05-31-Hancitor-malspam-and-artifacts.zip 292 kB (291,854 bytes)
- 2017-05-31-Hancitor-malspam-1547-UTC.eml (3,860 bytes)
- 2017-05-31-Hancitor-malspam-1558-UTC.eml (3,863 bytes)
- 2017-05-31-Hancitor-malspam-1612-UTC.eml (3,855 bytes)
- BNF842.tmp (190,464 bytes)
- USPS_invoice_yahoo.doc (269,312 bytes)
NOTES:
- Other indicators can be found in a tweet by @james_inthe_box.
Shown above: Screen shot from one of the emails.
EMAIL HEADERS:
- Date: Wednesday 2017-05-31 as early as 15:47 UTC through at least 16:12 UTC
- From: "USPS Delivery" <usps@usdelivery.com>
- Subject: Your package 471262780 has been returned!
- Subject: Your package 482254047 has been returned!
- Subject: Your package 776322486 has been returned!
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
HTTP REQUESTS FOR THE WORD DOCUMENT:
- 185.109.147.125 port 80 - gmoempartsonline.info - GET /viewdoc/file.php?document=[base64 string]
- 185.109.147.125 port 80 - GOINTROLLIN.COM - GET /viewdoc/file.php?document=[base64 string]
- 185.109.147.125 port 80 - happyhippiemaplesyrup.com - GET /viewdoc/file.php?document=[base64 string]
NAME FOR THE MALICIOUS WORD DOCUMENTS:
- USPS_invoice_[recipient's email domain, minus the suffix].doc
POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:
- 109.234.34.154 port 80 - lingarledhes.com - POST /ls5/forum.php
- 109.234.34.154 port 80 - lingarledhes.com - POST /mlu/forum.php
- 109.234.34.154 port 80 - lingarledhes.com - POST /d1/about.php
- 108.167.180.12 port 80 - techtach.com - GET /wp-content/plugins/syntax-highlighter/1
- 108.167.180.12 port 80 - techtach.com - GET /wp-content/plugins/syntax-highlighter/2
- 108.167.180.12 port 80 - techtach.com - GET /wp-content/plugins/syntax-highlighter/3
- 176.99.7.225 port 80 - waratrolper.ru - POST /bdk/gate.php
- api.ipify.org - GET /
- Various IP addresses on various TCP ports - Tor traffic
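The request lists above (the maldoc download URLs and the post-infection check-ins) are easiest to act on when turned into matching logic. The following is an added example, not code from this page or its pcap: a small Python script that encodes those indicators and runs them over constructed proxy log lines. The log format (timestamp, client IP, method, URL), the client IPs and the base64 sample in the document= parameter are all constructed for the example; the hostnames and paths are the ones listed on this page.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the traffic listing on this page.
MALDOC_DELIVERY_HOSTS = {"gmoempartsonline.info", "gointrollin.com",
                         "happyhippiemaplesyrup.com"}
MALDOC_DELIVERY_PATH = re.compile(r"^/viewdoc/file\.php\?document=[A-Za-z0-9+/=]+$")
HANCITOR_C2 = {"lingarledhes.com": {"/ls5/forum.php", "/mlu/forum.php", "/d1/about.php"}}
PAYLOAD_HOST = "techtach.com"
PAYLOAD_STAGE_PATH = re.compile(r"^/wp-content/plugins/syntax-highlighter/\d+$")
ZLOADER_C2 = {"waratrolper.ru": {"/bdk/gate.php"}}

# File-name pattern from the page: USPS_invoice_<recipient's email domain, minus suffix>.doc
MALDOC_NAME = re.compile(r"^USPS_invoice_[A-Za-z0-9-]+\.doc$", re.IGNORECASE)

# Constructed sample proxy log (not from the pcap): timestamp client method url
SAMPLE_LOG = """\
2017-05-31T15:49:02Z 10.0.0.5 GET http://gmoempartsonline.info/viewdoc/file.php?document=am9obkB5YWhvby5jb20=
2017-05-31T15:49:40Z 10.0.0.5 POST http://lingarledhes.com/ls5/forum.php
2017-05-31T15:49:41Z 10.0.0.5 GET http://techtach.com/wp-content/plugins/syntax-highlighter/1
2017-05-31T15:49:55Z 10.0.0.5 POST http://waratrolper.ru/bdk/gate.php
2017-05-31T15:50:10Z 10.0.0.5 GET http://api.ipify.org/
2017-05-31T15:51:00Z 10.0.0.7 GET http://example.com/index.html
"""


def classify_url(url):
    """Return an indicator label for a URL matching this page's IoCs, else None.

    Hostnames are compared case-insensitively: one delivery host shows up in
    upper case (GOINTROLLIN.COM) in the captured requests.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    target = parts.path + ("?" + parts.query if parts.query else "")
    if host in MALDOC_DELIVERY_HOSTS and MALDOC_DELIVERY_PATH.match(target):
        return "hancitor-maldoc-download"
    if target in HANCITOR_C2.get(host, ()):
        return "hancitor-c2-checkin"
    if host == PAYLOAD_HOST and PAYLOAD_STAGE_PATH.match(target):
        return "hancitor-payload-download"
    if target in ZLOADER_C2.get(host, ()):
        return "zloader-c2"
    if host == "api.ipify.org":
        # Legitimate public service; only meaningful alongside the C2 hits above.
        return "external-ip-lookup"
    return None


def scan_log(text):
    """Parse constructed proxy lines and return (client, label, url) for each hit."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        _ts, client, _method, url = fields
        label = classify_url(url)
        if label:
            hits.append((client, label, url))
    return hits


def infected_clients(hits):
    """Group hits per client; a client whose only hit is the ipify lookup is not counted."""
    by_client = {}
    for client, label, _url in hits:
        by_client.setdefault(client, set()).add(label)
    return {c: labels for c, labels in by_client.items()
            if labels - {"external-ip-lookup"}}


if __name__ == "__main__":
    for client, label, url in scan_log(SAMPLE_LOG):
        print(f"{client} {label} {url}")
    print("infected:", infected_clients(scan_log(SAMPLE_LOG)))
```

The payload downloads from techtach.com hit a compromised WordPress plugin path with numbered stages, so the match is a regex on the path rather than an exact string; the api.ipify.org lookup is kept as a low-confidence label because it is a normal service that only matters when seen next to the forum.php and gate.php check-ins.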
FILE HASHES
WORD DOCUMENT FROM LINK IN THE EMAIL:
- SHA256 hash: 90bc91b499514874902cd442324f1f81347ed351dd60212c3ac238f419f755f4
File name: USPS_invoice_yahoo.doc
File size: 269,312 bytes
File description: Hancitor maldoc
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: 346b7d73c5a1b3700e922525e29579fa4bfeff942921bac4ae0bcb5ba856e262
File location: C:\Users\[username]\AppData\Local\Temp\BNF842.tmp
File size: 190,464 bytes
File description: DELoader/ZLoader
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-05-31-Hancitor-malspam-traffic.pcap.zip 13.7 MB (13,656,323 bytes)
- ZIP archive of the malware: 2017-05-31-Hancitor-malspam-and-artifacts.zip 292 kB (291,854 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.