2017-01-30 - HANCITOR/PONY MALSPAM - SUBJECT: PARCEL DELIVERY INFORMATION

ASSOCIATED FILES:

  • 2017-01-30-UPS-malspam-traffic-part-1-retreiving-Word-doc.pcap   (206,094 bytes)
  • 2017-01-30-UPS-malspam-traffic-part-2-post-infection-activity.pcap   (8,403,581 bytes)
  • 2017-01-30-UPS-malspam-1713-UTC.eml   (1,192 bytes)
  • 2017-01-30-possible-Terdot.A-Zloader-from-UPS-malspam.exe   (190,976 bytes)
  • UPS_leonard.doc   (190,464 bytes)

NOTES:


Shown above:  Flowchart for this infection traffic.

 

EMAIL


Shown above:  Screenshot of the email.

 

EMAIL HEADERS:

 


Shown above:  Word document downloaded from link in the email.

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.


Shown above:  Some alerts on the post-infection traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.
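The first triage step on a capture like part 1 above (retrieving the Word document) is listing the HTTP requests, the same thing the Wireshark filter in the screenshot does. The script below is an added example for this write-up, not code from the original page: it walks the libpcap file format by hand (no scapy or dpkt needed) and reports each HTTP request line with its Host header. The sample capture it builds in memory is constructed for the demonstration; the host mail.example.invalid, the IP addresses and the request path are placeholders, not the real infrastructure from this infection.

```python
"""List HTTP requests in a libpcap capture (Ethernet link type only).

Added example for the 2017-01-30 Hancitor/Pony write-up; not the page's own
code. The sample packets at the bottom are CONSTRUCTED: the host name, IP
addresses and URI path are placeholders, not the real 2017-01-30 traffic.
"""
import socket
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4          # magic as read little-endian from an LE file
PCAP_MAGIC_BE = 0xD4C3B2A1          # same magic read little-endian from a BE file
LINKTYPE_ETHERNET = 1
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")


def ipv4_tcp_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame around payload (checksums zero; fine for parsing)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp + payload


def build_pcap(frames, base_ts=1485802380):
    """Serialize raw frames into a libpcap (not pcapng) byte string."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", base_ts + i, 0, len(frame), len(frame)) + frame
    return out


def _http_request(frame):
    """Return a dict describing the HTTP request carried by this frame, or None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":   # need Ethernet + IPv4 + TCP
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:                                    # IP protocol 6 = TCP
        return None
    tcp = 14 + ihl
    doff = (frame[tcp + 12] >> 4) * 4
    payload = frame[tcp + doff:]
    if not payload.startswith(HTTP_METHODS):
        return None
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        return None
    host = b""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip()
    return {
        "src": socket.inet_ntoa(frame[26:30]),
        "dst": socket.inet_ntoa(frame[30:34]),
        "dport": struct.unpack("!H", frame[tcp + 2:tcp + 4])[0],
        "method": parts[0].decode("ascii", "replace"),
        "host": host.decode("ascii", "replace"),
        "uri": parts[1].decode("ascii", "replace"),
    }


def http_requests(pcap_bytes):
    """Walk every record in a libpcap file and collect the HTTP requests found."""
    magic = struct.unpack_from("<I", pcap_bytes, 0)[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "I", pcap_bytes, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off, found = 24, []
    while off + 16 <= len(pcap_bytes):
        _sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        off += 16
        req = _http_request(pcap_bytes[off:off + incl_len])
        off += incl_len
        if req:
            found.append(req)
    return found


def http_requests_from_file(path):
    """Convenience wrapper for a capture on disk, e.g. the part-1 pcap."""
    with open(path, "rb") as f:
        return http_requests(f.read())


# CONSTRUCTED sample: a GET for the Word document from a placeholder host,
# followed by a TLS ClientHello-looking payload that must be ignored.
SAMPLE_GET = (b"GET /UPS_leonard.doc HTTP/1.1\r\nHost: mail.example.invalid\r\n"
              b"User-Agent: Mozilla/5.0\r\n\r\n")
SAMPLE_PCAP = build_pcap([
    ipv4_tcp_frame("10.1.30.101", "192.0.2.10", 49152, 80, SAMPLE_GET),
    ipv4_tcp_frame("10.1.30.101", "192.0.2.11", 49153, 443, b"\x16\x03\x01\x00\x2f\x01"),
])

if __name__ == "__main__":
    for r in http_requests(SAMPLE_PCAP):
        print(f"{r['src']} -> {r['dst']}:{r['dport']}  {r['method']} {r['host']}{r['uri']}")
```

Run it against the real part-1 capture with http_requests_from_file("2017-01-30-UPS-malspam-traffic-part-1-retreiving-Word-doc.pcap") to get the request for the Word document; the parser only looks at the first segment of each request, so a request whose headers span several TCP segments will show an empty Host.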

 

ASSOCIATED DOMAINS:

 

FILE HASHES

WORD DOCUMENT:

FOLLOW-UP MALWARE DOWNLOADED BY PONY:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
