2017-01-30 - HANCITOR INFECTION

NOTICE:

ASSOCIATED FILES:

  • 2017-01-30-Hancitor-infection-traffic-1-of-2-retreiving-Word-doc.pcap   (206,094 bytes)
  • 2017-01-30-Hancitor-infection-traffic-2-of-2-post-infection-activity.pcap   (8,403,581 bytes)
  • 2017-01-30-UPS-malspam-1713-UTC.eml   (1,192 bytes)
  • 2017-01-30-possible-Terdot.A-Zloader-from-UPS-malspam.exe   (190,976 bytes)
  • UPS_leonard.doc   (190,464 bytes)

NOTES:


Shown above:  Flowchart for this infection traffic.

 

EMAIL


Shown above:  Screenshot of the email.

 

EMAIL HEADERS:

 


Shown above:  Word document downloaded from link in the email.

 

TRAFFIC


Shown above:  Traffic from the infection filtere in Wireshark.


Shown above:  Some alerts on the post-infection traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.

 

ASSOCIATED NETWORK TRAFFIC:

 

FILE HASHES

WORD DOCUMENT:

FOLLOW-UP MALWARE DOWNLOADED BY PONY:

 

Click here to return to the main page.