2017-02-01 - HANCITOR/PONY MALSPAM - SUBJECT: INVOICE #12345678

ASSOCIATED FILES:

  • 2017-02-01-Hancitor-Pony-malspam-traffic.pcap   (12,650,233 bytes)
  • 2017-02-01-Hancitor-Pony-malspam-1641-UTC.eml   (1,638 bytes)
  • 2017-02-01-Hancitor-Pony-malspam-1642-UTC.eml   (1,640 bytes)
  • 2017-02-01-Hancitor-Pony-malspam-1812-UTC.eml   (836 bytes)
  • 2017-02-01-Hancitor-Pony-malspam-1832-UTC.eml   (811 bytes)
  • 2017-02-01-Invoice_jeremycombs.doc   (201,216 bytes)
  • 2017-02-01-follow-up-malware-Terdot.A-Zloader.exe   (258,048 bytes)
  • 2017-02-01-follow-up-malware-24c.exe   (1,938,432 bytes)

NOTES:


Shown above:  Flowchart for this infection traffic.

EMAIL


Shown above:  Screenshot from one of the emails.

EMAIL HEADERS:


Shown above:  Word document downloaded from link in the email.

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.


Shown above:  Another try using a different URL from one of the emails.

ASSOCIATED DOMAINS:

NOTE: No spam was sent from the infected Windows host, but it did try sending emails using the spoofed sender address gcromwell@thomaskeller.com (the same sender address from the email used to infect this particular Windows host).

ASSOCIATED DOMAINS NOTED FROM SECOND ATTEMPT:

FILE HASHES

WORD DOCUMENT:

TERDOT.A/ZLOADER:

FOLLOW-UP DOWNLOAD:

IMAGES


Shown above:  Some alerts on the post-infection traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
