CoronaVirus Themed Malspam (Hancitor malware) | By Siddharth Sharma


Malicious actors routinely exploit dramatic events such as the COVID-19 outbreak, playing on people's emotions for their own profit. While reading about these spam campaigns I came across the malicious sample that we will examine in this article. We will do a technical analysis of this Hancitor sample; Hancitor was created in 2014 to drop other malware on infected machines. Its aliases are Tordal and Chanitor. The malicious PCAP file was taken from the malware traffic website.

Nowadays it spreads as malspam using a COVID-19 theme; a screenshot is shown below:

Source: tweet by @mesa_matt

Now let's analyze this spam, starting with the malicious PCAP:

Technical Analysis:

1. On loading this PCAP in NetworkMiner, the result was as below:

2. On extracting this zip file for further analysis, it was found to contain a single file named CA215720011352.vbs. It was a genuine VBS file, and on inspection it turned out to be heavily obfuscated with junk code, but scrolling down revealed the actual intent of the file:

3. As can be seen, it uses wscript.exe for AV evasion and execution. On running this file, the result shown below was observed: a file named temp_adobe_123452643.txt was dropped in the temp location for persistence.

4. This was actually a DLL file, as viewing it in a hex viewer showed MZ as the file header. As we saw above (in step 2), the script used regsvr32 to run (register) this DLL.

It seems to be signed by a Chinese organisation, and the original name of the file appears to be SystemRegistryClean.exe.
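The dropped file carries a .txt name but an MZ header, so a triage check should classify it by its headers rather than its extension. The following is an added example (not code from the original write-up or from Hancitor): it walks the MZ stub to e_lfanew, verifies the PE signature, and reads the COFF Characteristics word to tell a DLL from an EXE. The `build_sample` helper constructs a minimal, non-loadable PE header stub purely as test input; the file name temp_adobe_123452643.txt is the one from the analysis above.

```python
import struct

# COFF Characteristics flags (Microsoft PE/COFF specification)
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000

# Machine type used in the constructed sample
IMAGE_FILE_MACHINE_I386 = 0x14C


def triage_pe(data: bytes) -> dict:
    """Classify a blob by its headers rather than its extension.

    Walks MZ -> e_lfanew -> "PE\\0\\0" -> COFF header and reports whether the
    blob is a PE image and whether the DLL flag is set in Characteristics.
    """
    result = {"is_pe": False, "is_dll": False, "machine": None, "characteristics": 0}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # The 20-byte COFF header follows the 4-byte "PE\0\0" signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return result
    machine, _nsec, _ts, _symtab, _nsyms, _optsz, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4
    )
    result.update(
        is_pe=True,
        machine=machine,
        characteristics=chars,
        is_dll=bool(chars & IMAGE_FILE_DLL),
    )
    return result


def verdict(filename: str, data: bytes) -> str:
    """One-line triage verdict comparing the extension with the real content."""
    info = triage_pe(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if not info["is_pe"]:
        return f"{filename}: not a PE image"
    kind = "DLL" if info["is_dll"] else "EXE"
    if ext not in ("dll", "exe", "sys", "ocx"):
        return f"{filename}: extension .{ext} but content is a PE {kind} (masquerading)"
    return f"{filename}: PE {kind}"


def build_sample(is_dll: bool) -> bytes:
    """Construct a minimal PE header stub (not loadable) as demo input."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # Constructed inputs: a DLL stub under a .txt name (as in the write-up) and plain text.
    print(verdict("temp_adobe_123452643.txt", build_sample(True)))
    print(verdict("notes.txt", b"just some text"))
```

On a real sample you would pass the file's bytes to `verdict`; a .txt that comes back as a PE DLL is exactly the mismatch that makes the regsvr32 invocation in step 2 worth alerting on.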

5. Clearly this DLL uses the RunPE technique, a.k.a. process hollowing, as it creates an svchost.exe process under the hood. As shown, executable code is written into that process (seen by putting a breakpoint on WriteProcessMemory); following this code section in the memory map and dumping it gave no useful result, so we switch to IDA for more details.

But before that, while the above process (step 4) was running, I decided to look at the network traffic, and luckily an IP address was visible establishing a connection with the host, as shown below:

A connection was established, as can be seen above. On checking that IP address (54.225.71.235) it was found to be malicious, i.e. it had already been reported.
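The process-hollowing behaviour noted in step 5 has a recognisable API shape: a child created with CREATE_SUSPENDED, its image unmapped, new code written in with WriteProcessMemory, the thread context redirected and the thread resumed. The following is an added example (not the author's code and not taken from the sandbox run): a small detector that walks an API-monitor style trace and flags that sequence per child process. The trace format and the `SAMPLE_TRACE` lines are constructed for the demo; the svchost.exe target mirrors the write-up, notepad.exe is a benign control case.

```python
import re

CREATE_SUSPENDED = 0x00000004

# Constructed API-monitor style trace (not from the page's own debugging session).
# Each line: <seq> pid=<caller> <Api>(<args>) [-> <returns>]
SAMPLE_TRACE = """\
1 pid=1234 CreateProcessA(lpApplicationName="C:\\Windows\\System32\\svchost.exe", dwCreationFlags=0x4) -> hProcess=0x1a8, hThread=0x1ac, child_pid=5678
2 pid=1234 NtUnmapViewOfSection(hProcess=0x1a8, BaseAddress=0x400000)
3 pid=1234 VirtualAllocEx(hProcess=0x1a8, lpAddress=0x400000, dwSize=0x6000, flProtect=0x40)
4 pid=1234 WriteProcessMemory(hProcess=0x1a8, lpBaseAddress=0x400000, nSize=0x200)
5 pid=1234 WriteProcessMemory(hProcess=0x1a8, lpBaseAddress=0x401000, nSize=0x5000)
6 pid=1234 SetThreadContext(hThread=0x1ac)
7 pid=1234 ResumeThread(hThread=0x1ac)
8 pid=9999 CreateProcessA(lpApplicationName="C:\\Windows\\notepad.exe", dwCreationFlags=0x0) -> hProcess=0x2b0, hThread=0x2b4, child_pid=4242
9 pid=9999 ReadFile(hFile=0x44, nNumberOfBytesToRead=0x1000)
"""

LINE_RE = re.compile(
    r"^\d+\s+pid=(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>.*?)\)(?:\s*->\s*(?P<ret>.*))?$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')


def parse_kv(text: str) -> dict:
    """Turn 'a=1, b="x y"' into {'a': '1', 'b': 'x y'}."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def detect_hollowing(trace: str) -> list:
    """Flag suspended children that are written to and then resumed.

    CreateProcess(CREATE_SUSPENDED) -> [NtUnmapViewOfSection] -> WriteProcessMemory
    -> SetThreadContext -> ResumeThread on the same child is the classic
    RunPE / process-hollowing shape.
    """
    children = {}  # hProcess -> per-child state
    threads = {}   # hThread -> hProcess (both come back from CreateProcess)
    findings = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        api, args = m["api"], parse_kv(m["args"])
        ret = parse_kv(m["ret"] or "")
        if api.startswith("CreateProcess"):
            flags = int(args.get("dwCreationFlags", "0"), 16)
            if flags & CREATE_SUSPENDED and "hProcess" in ret:
                children[ret["hProcess"]] = {
                    "parent_pid": m["pid"],
                    "child_pid": ret.get("child_pid"),
                    "image": args.get("lpApplicationName", ""),
                    "unmapped": False, "writes": 0, "context_set": False,
                }
                if "hThread" in ret:
                    threads[ret["hThread"]] = ret["hProcess"]
        elif api == "NtUnmapViewOfSection" and args.get("hProcess") in children:
            children[args["hProcess"]]["unmapped"] = True
        elif api == "WriteProcessMemory" and args.get("hProcess") in children:
            children[args["hProcess"]]["writes"] += 1
        elif api == "SetThreadContext" and args.get("hThread") in threads:
            children[threads[args["hThread"]]]["context_set"] = True
        elif api == "ResumeThread" and args.get("hThread") in threads:
            state = children[threads[args["hThread"]]]
            # Only alert once code has been written and the entry point/image replaced
            if state["writes"] and (state["context_set"] or state["unmapped"]):
                findings.append(dict(state, technique="process hollowing (RunPE)"))
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(SAMPLE_TRACE):
        print(f"{f['technique']}: pid {f['parent_pid']} -> {f['image']} (pid {f['child_pid']}), "
              f"{f['writes']} writes, unmapped={f['unmapped']}, context_set={f['context_set']}")
```

The same state machine maps onto the events a kernel-level sensor or Sysmon-style telemetry provides (process creation with the suspended flag, cross-process memory writes, thread resume), which is where this check belongs in production; the trace parser is only the demo's input layer.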

6. Let's look into more details:

7. A lot of Registry APIs were used; viewing this in x64dbg showed the following:

A similar registry key was used by the Emotet banking trojan: “interface\{aa5b6a80-b834-11d0-932f-00a0c90dcaa9}”, which is passed as a parameter to RegOpenKeyA. This registry key is required for the Windows scripting engine interface IActiveScriptParseProcedure to function. However, on digging further into this DLL, some virtual-key related APIs were also found; it seemed to be tracking the user's clipboard activity, as shown below:

Also:

Some analysis screenshots from the app.any.run sandbox are shown below:

1. First it drops the file (as analyzed above).

2. Then it uses WMI (Windows Management Instrumentation), mainly for defense evasion, for gathering information (Discovery), and for remote execution of files as part of Lateral Movement.

3. It also reads the Internet Cache settings; the Registry contains a significant amount of information about the operating system, configuration, software, and security.

4. Meanwhile it makes a network connection, as shown:

Related IOCs

– 149.129.103.226 port 80 – new.915yzt.cn – GET /wp-includes/rmdrinkwater.php?t=TW9uLCAxNiBNYXIgMjAyMCAyMDoxNzoxNSArMDMwMA==

– 8.208.77.171 port 80 – bookkeepingpluspros.com – GET /852435_34859.php?eXYI2DfB6=eXYI2DfB6&t=TW9uLCAxNiBNYXIgMjAyMCAyMDoxNzoxNSArMDMwMA==

– port 80 – api.ipify.org – GET /

– 5.134.119.226 port 80 – bralibuda.com – POST /4/forum.php

– 5.134.119.226 port 80 – bralibuda.com – POST /mlu/forum.php

– 107.180.2.58 port 80 – primecaviar.com – GET /1

– 107.180.2.58 port 80 – primecaviar.com – GET /2

– 5.134.119.226 port 80 – greferezud.com – POST /4/forum.php

– 5.134.119.226 port 80 – deraelous.com – POST /4/forum.php

375d196227d62a95f82cf9c20657449ebea1b512d4cb19cdfe9eb8f102dd9fae

12f87dd075fc12c2b6b15a1eb5ca209ba056bb6aa2feaf3518163192a17a7a3b

81d39594ab90e9841c7df9e82e977d7a2ecd26045e80885360502e1e79957f92

0caef2718bc7130314b7f08559beba53ccf00e5ee5aba49523fb83e1d6a2a347

0e03a0e73670a94c5c1efcbf7512b0eca8ca899e58ed6dca2b12c8fcb31ccfb4

0b8800734669aa7dbc6e67f93e268d827b5e67d4f30e33734169ddc93a026d2e
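The IOC list above is the kind of text a responder pastes straight into tooling, so it is worth parsing it into structured records rather than copying hosts by hand. The following is an added example (not the author's code): it parses the request lines and the 64-hex hashes listed above, splits out the query string, and base64-decodes the `t=` parameter that both check-in URIs carry, which turns out to be an RFC 2822 date string. The `LOW_CONFIDENCE_HOSTS` set is my own assumption for the blocklist step: api.ipify.org is a public "what is my IP" service, so on its own it is a weak indicator and is kept out of the host blocklist.

```python
import base64
import re
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qs

# IOC lines exactly as listed in the write-up (en dash separated), plus the hashes.
IOC_TEXT = """\
– 149.129.103.226 port 80 – new.915yzt.cn – GET /wp-includes/rmdrinkwater.php?t=TW9uLCAxNiBNYXIgMjAyMCAyMDoxNzoxNSArMDMwMA==
– 8.208.77.171 port 80 – bookkeepingpluspros.com – GET /852435_34859.php?eXYI2DfB6=eXYI2DfB6&t=TW9uLCAxNiBNYXIgMjAyMCAyMDoxNzoxNSArMDMwMA==
– port 80 – api.ipify.org – GET /
– 5.134.119.226 port 80 – bralibuda.com – POST /4/forum.php
– 5.134.119.226 port 80 – bralibuda.com – POST /mlu/forum.php
– 107.180.2.58 port 80 – primecaviar.com – GET /1
– 107.180.2.58 port 80 – primecaviar.com – GET /2
– 5.134.119.226 port 80 – greferezud.com – POST /4/forum.php
– 5.134.119.226 port 80 – deraelous.com – POST /4/forum.php
375d196227d62a95f82cf9c20657449ebea1b512d4cb19cdfe9eb8f102dd9fae
12f87dd075fc12c2b6b15a1eb5ca209ba056bb6aa2feaf3518163192a17a7a3b
81d39594ab90e9841c7df9e82e977d7a2ecd26045e80885360502e1e79957f92
0caef2718bc7130314b7f08559beba53ccf00e5ee5aba49523fb83e1d6a2a347
0e03a0e73670a94c5c1efcbf7512b0eca8ca899e58ed6dca2b12c8fcb31ccfb4
0b8800734669aa7dbc6e67f93e268d827b5e67d4f30e33734169ddc93a026d2e
"""

# Assumption (mine, not the page's): hosts that are legitimate public services and
# therefore too noisy to block on their own.
LOW_CONFIDENCE_HOSTS = {"api.ipify.org"}

REQUEST_RE = re.compile(
    r"^[–-]\s*(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+)?port\s+(?P<port>\d+)\s+[–-]\s+"
    r"(?P<host>\S+)\s+[–-]\s+(?P<method>GET|POST)\s+(?P<path>\S+)$"
)
HASH_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def decode_t(value: str):
    """Base64-decode the t= parameter; return (text, ISO timestamp or None)."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return value, None
    try:
        return text, parsedate_to_datetime(text).isoformat()
    except (ValueError, TypeError):
        return text, None


def parse_iocs(text: str) -> dict:
    """Split the IOC text into request records and file hashes."""
    requests, hashes = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if HASH_RE.match(line):
            hashes.append(line.lower())
            continue
        m = REQUEST_RE.match(line)
        if not m:
            continue
        path, _, query = m["path"].partition("?")
        rec = {
            "ip": m["ip"], "port": int(m["port"]), "host": m["host"],
            "method": m["method"], "path": path,
            "query": parse_qs(query, keep_blank_values=True),
            "t_decoded": None, "t_time": None,
        }
        if "t" in rec["query"]:
            rec["t_decoded"], rec["t_time"] = decode_t(rec["query"]["t"][0])
        requests.append(rec)
    return {"requests": requests, "hashes": hashes}


def blocklist(parsed: dict) -> dict:
    """Unique hosts and IPs suitable for a DNS/firewall blocklist."""
    hosts = {r["host"] for r in parsed["requests"]} - LOW_CONFIDENCE_HOSTS
    ips = {r["ip"] for r in parsed["requests"] if r["ip"]}
    return {"hosts": sorted(hosts), "ips": sorted(ips)}


if __name__ == "__main__":
    parsed = parse_iocs(IOC_TEXT)
    for r in parsed["requests"]:
        print(f"{r['method']} {r['host']}{r['path']} ip={r['ip']} t={r['t_decoded']}")
    print(blocklist(parsed))
```

The decoded `t=` value is a timestamp with a +0300 offset, which gives the responder a pivot (the victim's clock and time zone at check-in) that the raw URI hides; the same decoder applies to any proxy log line carrying the same parameter shape.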

About Siddharth:
  • Student currently pursuing bachelors of technology (Computer Science)
  • Interested in malware analysis, reversing and forensics.
  • Did an internship at the Computer Emergency Response Team, India (CERT-In)

The article was originally published here: https://threatblogs.wordpress.com/2020/03/23/coronavirus-themed-malspamhancitor-malware/

March 25, 2020

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013