2017-06-01 - HANCITOR MALSPAM - GOOGLE DOCS-THEMED EMAILS

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-06-01-Hancitor-malspam-traffic.pcap.zip   7.7 MB (7,726,370 bytes)

• 2017-06-01-Hancitor-malspam-traffic.pcap   (8,286,426 bytes)

• ZIP archive of the malware:  2017-06-01-Hancitor-malspam-and-artifacts.zip   263 kB (263,258 bytes)

• 2017-06-01-Hancitor-malspam-1606-UTC.eml   (3,257 bytes)
• 2017-06-01-Hancitor-malspam-1632-UTC.eml   (3,250 bytes)
• 2017-06-01-Hancitor-malspam-1720-UTC.eml   (3,246 bytes)
• 2017-06-01-Hancitor-malspam-1948-UTC.eml   (3,257 bytes)
• 2017-06-01-Hancitor-malspam-2002-UTC.eml   (3,255 bytes)
• BN5225.tmp   (179,712 bytes)
• Document_yahoo.doc   (234,496 bytes)

EMAIL

Shown above:  Screen shot from one of the emails.

 

EMAIL HEADERS:

• Date:  Thurssday 2017-06-01 as early as 16:06 UTC through at least 20:02 UTC
• From:  "Google Docs" <sales@gdoc.com>
• Subject:  You have received a new document from [some random email address]!

 

Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUESTS FOR THE WORD DOCUMENT:

• 184.168.221.55 port 80 - AWESOMEINAUSTIN.COM - GET /viewdoc/file.php?document=[base64 string]
• 52.23.200.184 port 80 - f8ality.com - GET /viewdoc/file.php?document=[base64 string]
• 184.168.221.47 port 80 - HNMDEVELOPMENT.COM - GET /viewdoc/file.php?document=[base64 string]
• 50.63.202.33 port 80 - RVANDSTORAGE.US - GET /viewdoc/file.php?document=[base64 string]
• 52.23.200.184 port 80 - WALKERHOMEBUILDERS.INFO - GET /viewdoc/file.php?document=[base64 string]

NAME FOR THE MALICIOUS WORD DOCUMENTS:

• Document_[recipient's email domain, minus the suffix].doc

POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:

• 178.170.189.193 port 80 - nyatguted.com - POST /ls5/forum.php
• 178.170.189.193 port 80 - nyatguted.com - POST /mlu/forum.php
• 178.170.189.193 port 80 - nyatguted.com - POST /d1/about.php
• 184.168.18.1 port 80 - janettelouden.com - GET /wp-content/plugins/link-manager/1
• 184.168.18.1 port 80 - janettelouden.com - GET /wp-content/plugins/link-manager/2
• 184.168.18.1 port 80 - janettelouden.com - GET /wp-content/plugins/link-manager/3
• 176.99.7.225 port 80 - soevenghappar.ru - POST /bdl/gate.php
• api.ipify.org - GET /
• checkip.dyndns.org - GET /
• Various IP addresses on various TCP ports - Tor traffic

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

• SHA256 hash:  6e73879ca49b40974cce575626e31541b49c07daa12ec2e9765c432bfac07a20
  File name:  Document_yahoo.doc
  File size:  234,496 bytes
  File description:  Hancitor maldoc

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  d6b2c543fa33ff6249d4832a8edebf9f74c2ee0a2b42f349c895100b48bf34c3
  File location:  C:\Users\[username]\AppData\Local\Temp\BN5225.tmp
  File size:  179,712 bytes
  File description:  DELoader/ZLoader (I think)

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-06-01-Hancitor-malspam-traffic.pcap.zip   7.7 MB (7,726,370 bytes)
• ZIP archive of the malware:  2017-06-01-Hancitor-malspam-and-artifacts.zip   263 kB (263,258 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.