2018-02-20 - HANCITOR MALSPAM - FAKE ADP PAYROLL INVOICE

ASSOCIATED FILES:

  • 2018-02-20-Hancitor-JS-file-download-and-infection-traffic.pcap   (2,173,787 bytes)
  • 2018-02-20-Hancitor-maldoc-download-only.pcap   (376,904 bytes)
  • 2018-02-20-Hancitor-malspam-30-email-examples.txt   (30,105 bytes)
  • 2018-02-20-Hancitor-binary.exe   (61,440 bytes)
  • 2018-02-20-Hancitor-downloader-invoice_311706.js   (35,396 bytes)
  • 2018-02-20-Hancitor-maldoc-invoice_143264.doc   (346,624 bytes)
  • 2018-02-20-Zeus-Panda-Banker.exe   (169,984 bytes)

NOTES:


Shown above:  Flowchart for today's Hancitor infection traffic.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

 

EMAILS


Shown above:  Screenshot from one of the emails with link to a .js file.

 


Shown above:  Downloading a .js file from one of the emails.

 


Shown above:  Screenshot from one of the emails with link to a Word document.

 


Shown above:  Downloading a Word document from one of the emails.

 

EMAIL HEADERS:

 

TRAFFIC


Shown above:  Traffic from an .js-based Hancitor infection filtered in Wireshark.

 

LINKS IN THE EMAILS TO THE WORD DOCUMENT:

NETWORK TRAFFIC FROM MY INFECTED LAB HOST (.JS-BASED INFECTION):

 

FILE HASHES

MALWARE RETRIEVED FROM MY INFECTED HOSTS:

 

IMAGES


Shown above:  Malware persistent on the infected Windows host through the Windows Registry.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.