hancitor | 4984ec3568630ce614a2296bd459f96f66f9fb935c3f0f89118e0c8a9bb6cdc8

General

Target

4cbd18ecf3f934d6a8db9c3fe9245f81_JaffaCakes118.doc
Size

534KB
MD5

4cbd18ecf3f934d6a8db9c3fe9245f81
SHA1

c9bae2c8ce062ad9ba0495bbce6983824bb950e8
SHA256

4984ec3568630ce614a2296bd459f96f66f9fb935c3f0f89118e0c8a9bb6cdc8
SHA512

6045af24b187aba4c67f8629d2809a6f9a9d2bb13439ca35ff95c6471b4ea0ae282717a1ac684fe9392f9b95b232aa35f0dd4e58e972883413b0ec6ea87c6562
SSDEEP

12288:a8CmEKY7gpWMBbxoM6scG2u302l0HwbsG7kWunEDXm/zjH8BV:a8CmEj6BbOMDn2u3049HSn+Xm/y

Score

10^/10

hancitor 1910_nsw downloader

Malware Config

Extracted

Family

hancitor

Botnet

1910_nsw

C2

http://newnucapi.com/8/forum.php

http://gintlyba.ru/8/forum.php

http://stralonz.ru/8/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	5020	1792	rundll32.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

34 4416 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4416 rundll32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

33 api.ipify.org

flow	pid	process
34	4416	rundll32.exe

pid	process
4416	rundll32.exe

flow	ioc
33	api.ipify.org

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{78CE9C98-EB83-4C4F-88F6-F05DCDF1A3DE}\zoro.kl:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{78CE9C98-EB83-4C4F-88F6-F05DCDF1A3DE}\gelfor.dap:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1792 WINWORD.EXE
1792 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

4416 rundll32.exe
4416 rundll32.exe
4416 rundll32.exe
4416 rundll32.exe

pid	process
4416	rundll32.exe
4416	rundll32.exe
4416	rundll32.exe
4416	rundll32.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXE

pid	process
1792	WINWORD.EXE
1792	WINWORD.EXE
1792	WINWORD.EXE
1792	WINWORD.EXE
1792	WINWORD.EXE
1792	WINWORD.EXE
1792	WINWORD.EXE
1792	WINWORD.EXE
1792	WINWORD.EXE
1792	WINWORD.EXE
1792	WINWORD.EXE
1792	WINWORD.EXE
1792	WINWORD.EXE
1792	WINWORD.EXE
1792	WINWORD.EXE
1792	WINWORD.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

WINWORD.EXErundll32.exe

description	pid	process	target process
PID 1792 wrote to memory of 3440	1792	WINWORD.EXE	splwow64.exe
PID 1792 wrote to memory of 3440	1792	WINWORD.EXE	splwow64.exe
PID 1792 wrote to memory of 5020	1792	WINWORD.EXE	rundll32.exe
PID 1792 wrote to memory of 5020	1792	WINWORD.EXE	rundll32.exe
PID 5020 wrote to memory of 4416	5020	rundll32.exe	rundll32.exe
PID 5020 wrote to memory of 4416	5020	rundll32.exe	rundll32.exe
PID 5020 wrote to memory of 4416	5020	rundll32.exe	rundll32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\4cbd18ecf3f934d6a8db9c3fe9245f81_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3440

C:\Windows\SYSTEM32\rundll32.exe
rundll32.exe c:\users\admin\appdata\roaming\microsoft\templates\gelforr.dap,MVELLJHNDSVBJLD
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe c:\users\admin\appdata\roaming\microsoft\templates\gelforr.dap,MVELLJHNDSVBJLD
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4416

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\75B76E1A.emf
Filesize
4KB

MD5
c024f2d9118240e0bfc483b9299dd6cf

SHA1
372f04b3efb4cb0a8fc3f82c7918d7478a230f80

SHA256
a23c652c83e35c3059746bbdbd71c80e2ac08535d420359cffb6e41df713dc85

SHA512
632b48760ca476cd6f01eefa2e6c516f34c822867590419351eefb8c78f6dab6eaf231feff6764d903e09c40eaca14a0b222a961d2ddec951fc8be3cabd3bf04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C7E0513D.emf
Filesize
4KB

MD5
bf2393dfe4576945d1f26d3595c5ef9f

SHA1
f9abbbcf4bad106e4f5c039082257357f4c28aef

SHA256
a1fa622b47a529e1064458aa0decd0c1ebc16efb621511c8cba545036ffeb00e

SHA512
bd9972b8310d1357529f62375b883ce3af01c01a56107a0cff93b8cdce43fe7931947ce10790ad5c596392ba8bab842d89e708d4999d87c9c4b858140688fdbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
241B

MD5
f5310e4d57eb4bfd0514b4070f46def9

SHA1
69392ae127b33f86e844982957a6d761d5368603

SHA256
2c8c3924add47db70a6449b6b493f71f6d045b7cb156bd2112a67724e5fad50c

SHA512
489cc600baa5d96584c1f40cc9eac34138543ed1325c7b109523cbd1028a880cddbc6c49ce089c961d157890a50c1761436facf83c46d87cbf21ca1ebbb54726

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\zoro.doc
Filesize
341KB

MD5
b6487ba7cff8bd5748c8dfa1f7db100c

SHA1
a49729ba20a4ad819e890682a88c470b0056a218

SHA256
dd891db0c9eed71e1f6e2f659a9b7dc18806626480f36b1e84ef18f41cd6a57d

SHA512
8b58aa8b20035b2b4aeeee1ae909bc5245ec0a615990b1f4b9938b8507726931a142e3dde111dc0ca70b3102683305b4e63df91b197136586404e66fcec81f83

Download Submit
\??\c:\users\admin\appdata\roaming\microsoft\templates\gelforr.dap
Filesize
525KB

MD5
4198ac1dc34de77ab8ceac3c9a25480e

SHA1
f8fb1264a292aecb6c2bf5c5d4f3e199e3a822ad

SHA256
8ff43b6ddf6243bd5ee073f9987920fa223809f589d151d7e438fd8cc08ce292

SHA512
37dd3c50283daa7be1fb831820d273b7663dddce4d98c87c8d08864fac2dc00daf243ca6e50e028d4f04262160f5dea9a98000cffb67d70c07875d3fc2e4c47c

Download Submit
memory/1792-22-0x00007FF960810000-0x00007FF960A05000-memory.dmp

Filesize
2.0MB

Download
memory/1792-4-0x00007FF920890000-0x00007FF9208A0000-memory.dmp

Filesize
64KB

Download
memory/1792-7-0x00007FF960810000-0x00007FF960A05000-memory.dmp

Filesize
2.0MB

Download
memory/1792-8-0x00007FF960810000-0x00007FF960A05000-memory.dmp

Filesize
2.0MB

Download
memory/1792-9-0x00007FF91E830000-0x00007FF91E840000-memory.dmp

Filesize
64KB

Download
memory/1792-10-0x00007FF960810000-0x00007FF960A05000-memory.dmp

Filesize
2.0MB

Download
memory/1792-11-0x00007FF960810000-0x00007FF960A05000-memory.dmp

Filesize
2.0MB

Download
memory/1792-12-0x00007FF960810000-0x00007FF960A05000-memory.dmp

Filesize
2.0MB

Download
memory/1792-13-0x00007FF960810000-0x00007FF960A05000-memory.dmp

Filesize
2.0MB

Download
memory/1792-15-0x00007FF960810000-0x00007FF960A05000-memory.dmp

Filesize
2.0MB

Download
memory/1792-16-0x00007FF960810000-0x00007FF960A05000-memory.dmp

Filesize
2.0MB

Download
memory/1792-17-0x00007FF960810000-0x00007FF960A05000-memory.dmp

Filesize
2.0MB

Download
memory/1792-18-0x00007FF960810000-0x00007FF960A05000-memory.dmp

Filesize
2.0MB

Download
memory/1792-19-0x00007FF960810000-0x00007FF960A05000-memory.dmp

Filesize
2.0MB

Download
memory/1792-14-0x00007FF91E830000-0x00007FF91E840000-memory.dmp

Filesize
64KB

Download
memory/1792-20-0x00007FF960810000-0x00007FF960A05000-memory.dmp

Filesize
2.0MB

Download
memory/1792-21-0x00007FF960810000-0x00007FF960A05000-memory.dmp

Filesize
2.0MB

Download
memory/1792-0-0x00007FF920890000-0x00007FF9208A0000-memory.dmp

Filesize
64KB

Download
memory/1792-23-0x00007FF960810000-0x00007FF960A05000-memory.dmp

Filesize
2.0MB

Download
memory/1792-42-0x00000183A75F0000-0x00000183A85C0000-memory.dmp

Filesize
15.8MB

Download
memory/1792-6-0x00007FF920890000-0x00007FF9208A0000-memory.dmp

Filesize
64KB

Download
memory/1792-5-0x00007FF960810000-0x00007FF960A05000-memory.dmp

Filesize
2.0MB

Download
memory/1792-3-0x00007FF960810000-0x00007FF960A05000-memory.dmp

Filesize
2.0MB

Download
memory/1792-2-0x00007FF920890000-0x00007FF9208A0000-memory.dmp

Filesize
64KB

Download
memory/1792-162-0x00000183A75F0000-0x00000183A85C0000-memory.dmp

Filesize
15.8MB

Download
memory/1792-171-0x00000183A75F0000-0x00000183A85C0000-memory.dmp

Filesize
15.8MB

Download
memory/1792-1-0x00007FF920890000-0x00007FF9208A0000-memory.dmp

Filesize
64KB

Download
memory/1792-225-0x00007FF960810000-0x00007FF960A05000-memory.dmp

Filesize
2.0MB

Download
memory/1792-224-0x00007FF920890000-0x00007FF9208A0000-memory.dmp

Filesize
64KB

Download
memory/1792-223-0x00007FF920890000-0x00007FF9208A0000-memory.dmp

Filesize
64KB

Download
memory/1792-182-0x00007FF960810000-0x00007FF960A05000-memory.dmp

Filesize
2.0MB

Download
memory/1792-222-0x00007FF920890000-0x00007FF9208A0000-memory.dmp

Filesize
64KB

Download
memory/1792-184-0x00000183A75F0000-0x00000183A85C0000-memory.dmp

Filesize
15.8MB

Download
memory/1792-185-0x00000183A75F0000-0x00000183A85C0000-memory.dmp

Filesize
15.8MB

Download
memory/1792-187-0x00000183A75F0000-0x00000183A85C0000-memory.dmp

Filesize
15.8MB

Download
memory/1792-221-0x00007FF920890000-0x00007FF9208A0000-memory.dmp

Filesize
64KB

Download
memory/4416-189-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/4416-183-0x00000000749E0000-0x0000000074A7A000-memory.dmp

Filesize
616KB

Download
memory/4416-181-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/4416-180-0x00000000749E0000-0x0000000074A7A000-memory.dmp

Filesize
616KB

Download
memory/4416-179-0x00000000749E0000-0x0000000074A7A000-memory.dmp

Filesize
616KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads