Malware-Traffic-Analysis.net - 2017-01-31

2017-01-31 - HANCITOR INFECTION

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2017-01-31-Hancitor-infection-traffic.pcap (8,709,428 bytes)

2017-01-31-eFax-malspam-1604-UTC.eml (3,975 bytes)

eFax_ronaldo14.doc (199,680 bytes)

NOTES:

More activity similar an ISC diary I wrote covering Hancitor/Pony/Vawtrak from 2017-01-10 (link).
Today it's a fake efax information message.
I'm seeing the same type of activity as yesterday, so it doesn't look like there's any Vawtrak associated with this traffic.
Still seeing Terdot.A/Zloader callback in the post-infection traffic.

Shown above: Flowchart for this infection traffic.

Shown above: Screenshot of the email.

EMAIL HEADERS:

Shown above: Word document downloaded from link in the email.

Shown above: Traffic from the infection filtere in Wireshark.

ASSOCIATED DOMAINS:

187.45.240[.]5 port 80 - agenciad1up[.]com.br - GET /api/get.php?id=[base64 characters representing recipient's email address]
api.ipify[.]org - GET / [IP address check by the infected host]
46.4.145.91 port 80 - hatannaso[.]com - POST /ls5/forum.php [Hancitor check-in]
50.31.162[.]18 port 80 - kaligrant[.]com - GET /wp/wp-content/themes/phantomlite/pm1 [Download Pony DLL]
46.4.145[.]91 port 80 - hatannaso[.]com - POST /klu/forum.php
50.31.162[.]18 port 80 - kaligrant[.]com - GET /wp/wp-content/themes/phantomlite/a123 [follow-up download]
212.76.128[.]143 port 80 - thennyronren[.]ru - POST /bdk/gate.php
checkip.dyndns[.]org - GET / [IP address check by the infected host]
46.4.145[.]91 port 80 - peronbifo[.]ru - POST /ls5/forum.php
46.4.145[.]91 port 80 - jechissoco[.]ru - POST /ls5/forum.php

WORD DOCUMENT:

SHA256 hash: a5d793d4342073b7267db718e469007c26bd0528f538f6410a5aa02581ed14d2 (199,680 bytes)
File description: Hancitor maldoc (Word document) on 2017-01-31

Click here to return to the main page.