2017-06-07 - HANCITOR MALSPAM (GOOGLE DOCS-THEMED)

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-06-07-Hancitor-malspam-traffic.pcap.zip   8.4 MB (8,448,465 bytes)

• 2017-06-07-Hancitor-malspam-traffic.pcap   (9,005,351 bytes)

• ZIP archive of the malware:  2017-06-07-Hancitor-malspam-and-artifacts.zip   249 kB (249,000 bytes)

• 2017-06-07-Hancitor-malspam-1430-UTC.eml   (3,302 bytes)
• 2017-06-07-Hancitor-malspam-1447-UTC.eml   (3,293 bytes)
• 2017-06-07-Hancitor-malspam-1513-UTC.eml   (3,300 bytes)
• BN778F.tmp   (197,120 bytes)
• Document_yahoo.doc   (203,776 bytes)

 

SOME TWITTER ACCOUNTS THAT TWEETED ABOUT TODAY'S #HANCITOR MALSPAM:

• @Artilllerie   (link)
• @fletchsec   (link)
• @James_inthe_box   (link)

 

EMAILS

Shown above:  Screen shot from one of the emails.

 

EMAIL HEADERS:

• Date:  Wednesday 2017-06-07 as early as 14:30 UTC through at least 15:13 UTC
• From:  "Google Docs" <accounting@thomewaterproofing.com>
• Subject:  accounting@[recipient's email domain] has sent you a document through Google Docs

 

Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUESTS FOR THE WORD DOCUMENT:

• 93.95.97.125 port 80 - fenixconnection.com - GET /viewdoc/file.php?document=[base64 string]
• 93.95.97.125 port 80 - PAMTHELANDGAL.COM - GET /viewdoc/file.php?document=[base64 string]
• 93.95.97.125 port 80 - tee2green.org - GET /viewdoc/file.php?document=[base64 string]

NAME FOR THE MALICIOUS WORD DOCUMENTS:

• Document_[recipient's email domain, minus the suffix].doc

POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:

• 88.214.236.156 port 80 - bettontgotbab.com - POST /ls5/forum.php
• 88.214.236.156 port 80 - bettontgotbab.com - POST /mlu/forum.php
• 88.214.236.156 port 80 - bettontgotbab.com - POST /d1/about.php
• 37.152.88.6 port 80 - www.valdelomarasesores.com - GET /1
• 37.152.88.6 port 80 - www.valdelomarasesores.com - GET /2
• 37.152.88.6 port 80 - www.valdelomarasesores.com - GET /3
• 185.17.121.22 port 80 - foonlachim.ru - POST /bdl/gate.php
• api.ipify.org - GET /
• checkip.dyndns.org - GET /
• Various IP addresses on various TCP ports - Tor traffic

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

• SHA256 hash:  f0420708c417376a52121f0a83c25a8b2051fffa5b3365205c34ac56e3d0065d
  File name:  Document_yahoo.doc
  File size:  203,776 bytes
  File description:  Hancitor maldoc

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  b74663fcbfa7570f86f42f7a2211ad6b2a5c4bc425a913d8733a7f2704ca7014
  File location:  C:\Users\[username]\AppData\Local\Temp\BN778F.tmp
  File size:  197,120 bytes
  File description:  DELoader/ZLoader

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-06-07-Hancitor-malspam-traffic.pcap.zip   8.4 MB (8,448,465 bytes)
• ZIP archive of the malware:  2017-06-07-Hancitor-malspam-and-artifacts.zip   249 kB (249,000 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.