2017-01-31 - HANCITOR INFECTION
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-01-31-Hancitor-infection-traffic.pcap.zip 7.9 MB (7,869,377 bytes)
- 2017-01-31-Hancitor-infection-traffic.pcap (8,709,428 bytes)
- 2017-01-31-Hancitor-email-and-downloaded-Word-doc.zip 108.5 kB (108,502 bytes)
- 2017-01-31-eFax-malspam-1604-UTC.eml (3,975 bytes)
- eFax_ronaldo14.doc (199,680 bytes)
NOTES:
- More activity similar an ISC diary I wrote covering Hancitor/Pony/Vawtrak from 2017-01-10 (link).
- Today it's a fake efax information message.
- I'm seeing the same type of activity as yesterday, so it doesn't look like there's any Vawtrak associated with this traffic.
- Still seeing Terdot.A/Zloader callback in the post-infection traffic.
Shown above: Flowchart for this infection traffic.
Shown above: Screenshot of the email.
EMAIL HEADERS:
- Date: Tuesday 2017-01-31 at 16:04 UTC
- From (spoofed): eFax <messaging@efax[.]com>
- Subject: You received a new eFax from 212-967-5288
- Message-ID: <B7D72F92.6A6487CE@efax[.]com>
Shown above: Word document downloaded from link in the email.
TRAFFIC
Shown above: Traffic from the infection filtere in Wireshark.
ASSOCIATED DOMAINS:
- 187.45.240[.]5 port 80 - agenciad1up[.]com.br - GET /api/get.php?id=[base64 characters representing recipient's email address]
- api.ipify[.]org - GET / [IP address check by the infected host]
- 46.4.145.91 port 80 - hatannaso[.]com - POST /ls5/forum.php [Hancitor check-in]
- 50.31.162[.]18 port 80 - kaligrant[.]com - GET /wp/wp-content/themes/phantomlite/pm1 [Download Pony DLL]
- 46.4.145[.]91 port 80 - hatannaso[.]com - POST /klu/forum.php
- 50.31.162[.]18 port 80 - kaligrant[.]com - GET /wp/wp-content/themes/phantomlite/a123 [follow-up download]
- 212.76.128[.]143 port 80 - thennyronren[.]ru - POST /bdk/gate.php
- checkip.dyndns[.]org - GET / [IP address check by the infected host]
- 46.4.145[.]91 port 80 - peronbifo[.]ru - POST /ls5/forum.php
- 46.4.145[.]91 port 80 - jechissoco[.]ru - POST /ls5/forum.php
FILE HASHES
WORD DOCUMENT:
- SHA256 hash: a5d793d4342073b7267db718e469007c26bd0528f538f6410a5aa02581ed14d2 (199,680 bytes)
File description: Hancitor maldoc (Word document) on 2017-01-31
Click here to return to the main page.