Malspam Delivers Pony and Loki-Bot

Sender: [email protected]
Subject: RE: Payment IN-2716 – MPA-PI17045 – USD
Attachment(s): Payment_001.doc and Payment_002.doc

Screenshot of email

Both Payment_001.doc and Payment_002.doc are malicious RTF documents that trigger detections for CVE-2017-11882 (the Equation Editor memory-corruption bug). Neither document carries its payload: once the object loads, each one fetches an MSI package from agahguner.com, and that package drops the final stealer.
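A static triage pass for RTF lures of this kind, added here as an example rather than code from the original post. It scores the indicators a CVE-2017-11882 lure usually leaves in the file: an embedded OLE object, the Equation Editor class name ("Equation.3") either as text or hex-encoded inside \objdata, \objupdate (which makes the object load on open), and a non-standard RTF header. SAMPLE_RTF and BENIGN_RTF are constructed inputs; the script flags indicators, it does not confirm exploitation, and it will miss heavily obfuscated builders.

```python
"""Static triage for RTF lures that embed the Equation Editor object abused via
CVE-2017-11882. Added example, not code from the original post. Sample inputs
below are constructed. Indicators only: a hit means "look closer", not "exploited"."""
import re
from typing import Dict, List, Tuple

# Equation Editor 3.0 registers its OLE object as "Equation.3" (older docs may
# say Equation.2). Inside \objdata the OLE1 header stores that class name as
# hex-encoded ASCII, so we look for both spellings.
EQN_NAME_RE = re.compile(rb"equation\.[23]")
EQN_NAME_HEX = b"Equation.3".hex().encode("ascii")  # 4571756174696f6e2e33


def rtf_indicators(data: bytes) -> Dict[str, bool]:
    """Return the CVE-2017-11882-related indicators found in an RTF blob."""
    low = data.lower()
    head = low.lstrip()
    # Exploit builders often split the \objdata hex blob across lines, which
    # would cut the hex-encoded class name in half; collapse whitespace first.
    hex_stream = re.sub(rb"\s+", b"", low)
    return {
        # Word accepts truncated headers such as {\rt or {\rt1; benign
        # generators write {\rtf1.
        "nonstandard_header": head.startswith(b"{\\rt") and not head.startswith(b"{\\rtf1"),
        "has_ole_object": b"\\object" in low,
        # \objupdate forces the embedded object to load when the document
        # opens, no user interaction required.
        "auto_update": b"\\objupdate" in low,
        "equation_class_text": EQN_NAME_RE.search(low) is not None,
        "equation_class_hex": EQN_NAME_HEX in hex_stream,
    }


def triage(data: bytes) -> Tuple[bool, List[str]]:
    """(suspicious?, list of indicator names that fired)."""
    ind = rtf_indicators(data)
    fired = [name for name, hit in ind.items() if hit]
    suspicious = ind["has_ole_object"] and (
        ind["equation_class_text"] or ind["equation_class_hex"]
    )
    return suspicious, fired


# Constructed sample: truncated header, auto-updating OLE object whose OLE1
# header (version, format id, name length, "Equation.3\0") is split across
# two lines inside \objdata, as builders commonly do.
SAMPLE_RTF = (
    b"{\\rt1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 01050000020000000b000000457175617469\n"
    b"6f6e2e3300000000000000000000}}}"
)
# Constructed benign document for comparison.
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 Quarterly invoice attached.\\par}"

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        flag, fired = triage(blob)
        print(f"{label}: suspicious={flag} indicators={fired}")
```

Run it over a directory of attachments and escalate anything where triage() returns True; the per-indicator dictionary is what you want in the ticket, since "Equation.3 in hex plus \objupdate" tells the analyst far more than a bare verdict.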

Payment_001.doc:

Traffic:

Traffic 1 (doc 1), User-Agent: Windows Installer
Traffic 2 (doc 1), User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

The first request is msiexec.exe retrieving 44.msi from agahguner.com after the exploit fires; the second carries the User-Agent that Pony hardcodes, seen when the loader posts stolen credentials to its gate.

Pony Panel:

Panel (screenshot): hxxp://paclficinsight.com GET /new1/pony/china.jpg
IOCs

Network:

  • 94.102.1.194 – hxxps://agahguner.com GET /44.msi
  • 94.102.60.3 – hxxp://paclficinsight.com POST /new1/pony/gate.php

File System:

Batch file in %TEMP% created by Pony (screenshot). The batch script is written to %TEMP% and deletes the Pony loader executable once it has run, so the dropped binary does not remain on disk; when triaging a host, look for the script and the loader in %TEMP% before they are cleaned up.


Hashes and Reports:

SHA256: 788884332fc1c199107310ff5b6af4d8605ff3bdd5e67f6a4bc5db55a03321b1
File name: Payment_001.doc
Sandbox: Hybrid-Analysis and Any.Run

SHA256: c9f16df9b26cafefc4ca3fc58cbcee621b7ffe49a4e702b0e73f5604f27aec87
File name: 44.msi
Sandbox: Hybrid-Analysis

SHA256: 8e1c9cf4466e9cd09d19d491855f1285f7bf711c452afe1f674ef0d1a9e056dd
File name: MSI50AC.tmp.exe
Sandbox: Hybrid-Analysis


Payment_002.doc:

Traffic:

Traffic 1 (doc 2), User-Agent: Windows Installer
Traffic 2 (doc 2), User-Agent: Mozilla/4.08 (Charon; Inferno)

Same staging pattern: msiexec.exe retrieves 55.msi from agahguner.com, then the dropped Loki-Bot posts to its gate with "Mozilla/4.08 (Charon; Inferno)", the User-Agent that family hardcodes.

Loki-Bot Panel:

LokiBot Panel

IOCs

Network:

  • 94.102.1.194 – hxxps://agahguner.com GET /55.msi
  • 94.102.60.3 – hxxp://paclficinsight.com POST /new/Panel/five/fre.php
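The traffic and network IOCs for both documents, turned into a detection sweep over web-proxy records. This is an added example, not code from the original post: the tab-separated log format and SAMPLE_LOG are constructed, and ALLOWED_MSI_HOSTS is a hypothetical allow-list you would replace with your own software-distribution hosts. Besides the literal hosts, IPs and URIs from this post, it matches the User-Agents that Pony and Loki-Bot hardcode, and it raises a weaker, IOC-independent signal whenever the Windows Installer service pulls an .msi from an unapproved internet host, which is how both lures stage their payload.

```python
"""Sweep web-proxy records for the network IOCs in this post (both documents).
Added example, not code from the original post. Log format and SAMPLE_LOG are
constructed; ALLOWED_MSI_HOSTS is a hypothetical placeholder."""
from typing import Dict, List

# Network IOCs taken from the post's Traffic / IOC sections.
BAD_HOSTS = {"agahguner.com", "paclficinsight.com"}
BAD_IPS = {"94.102.1.194", "94.102.60.3"}
BAD_PATHS = {
    "/44.msi", "/55.msi",                           # MSI stagers
    "/new1/pony/gate.php", "/new1/pony/china.jpg",  # Pony gate and panel
    "/new/Panel/five/fre.php",                      # Loki-Bot gate
}
# User-Agents the two stealers hardcode when talking to their gates.
FAMILY_UA = {
    "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)": "Pony",
    "Mozilla/4.08 (Charon; Inferno)": "Loki-Bot",
}
# Hypothetical allow-list of hosts msiexec may legitimately fetch packages from.
ALLOWED_MSI_HOSTS = {"packages.corp.example"}


def parse(line: str) -> Dict[str, str]:
    """Constructed TSV layout: ts, client, method, host, path, dest_ip, user_agent."""
    ts, client, method, host, path, dest_ip, ua = line.rstrip("\n").split("\t")
    return {"ts": ts, "client": client, "method": method, "host": host.lower(),
            "path": path, "dest_ip": dest_ip, "ua": ua}


def check(rec: Dict[str, str]) -> List[str]:
    """Return the reasons one record matches; empty list means clean."""
    reasons = []
    if rec["host"] in BAD_HOSTS:
        reasons.append("known host " + rec["host"])
    if rec["dest_ip"] in BAD_IPS:
        reasons.append("known IP " + rec["dest_ip"])
    if rec["path"] in BAD_PATHS:
        reasons.append("known URI " + rec["path"])
    family = FAMILY_UA.get(rec["ua"])
    if family:
        # POST = check-in / exfil to the gate; a GET with the same UA is the
        # bot pulling something from the panel directory.
        reasons.append(f"{family} User-Agent ({rec['method']} {rec['path']})")
    # Weaker signal that survives infrastructure changes: the Windows Installer
    # service (UA "Windows Installer") fetching a package from an unapproved
    # internet host, which is exactly how these lures stage their payload.
    if (rec["ua"] == "Windows Installer"
            and rec["path"].lower().endswith(".msi")
            and rec["host"] not in ALLOWED_MSI_HOSTS):
        reasons.append("msiexec fetching .msi from unapproved host")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """One hit per matching record, keyed by client and timestamp."""
    hits = []
    for line in lines:
        rec = parse(line)
        reasons = check(rec)
        if reasons:
            hits.append({"ts": rec["ts"], "client": rec["client"], "reasons": reasons})
    return hits


# Constructed records: one host infected by doc 1 (Pony), one by doc 2
# (Loki-Bot), and one clean request.
SAMPLE_LOG = [
    "2018-03-18T10:01:02\t10.0.0.15\tGET\tagahguner.com\t/44.msi\t94.102.1.194\tWindows Installer",
    "2018-03-18T10:01:09\t10.0.0.15\tGET\tpaclficinsight.com\t/new1/pony/china.jpg\t94.102.60.3\tMozilla/4.0 (compatible; MSIE 5.0; Windows 98)",
    "2018-03-18T10:01:10\t10.0.0.15\tPOST\tpaclficinsight.com\t/new1/pony/gate.php\t94.102.60.3\tMozilla/4.0 (compatible; MSIE 5.0; Windows 98)",
    "2018-03-18T10:05:33\t10.0.0.22\tPOST\tpaclficinsight.com\t/new/Panel/five/fre.php\t94.102.60.3\tMozilla/4.08 (Charon; Inferno)",
    "2018-03-18T10:06:00\t10.0.0.30\tGET\twww.example.com\t/index.html\t93.184.216.34\tMozilla/5.0 (Windows NT 10.0; Win64; x64)",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["client"], "; ".join(hit["reasons"]))
```

The literal host, IP and URI matches will go stale as soon as the operator moves panels; the User-Agent and "msiexec fetching an .msi from the internet" rules are the ones worth keeping as standing detections, with the allow-list tuned to your own deployment infrastructure.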

File System:


Registry:

Registry value used for persistence (screenshot).

Hashes and Reports:

SHA256: 2fdc22d8926db1b04dc3d62ff6da72236cb1c052b23553b644c7f18ea8496d8a
File name: Payment_002.doc
Sandbox: Hybrid-Analysis and Any.Run

SHA256: 6bfa353f905c0fc5ded87e7f35dc939e7b757ea3f2f8372f81f0ac40edadd619
File name: 55.msi
Sandbox: Hybrid-Analysis

SHA256: 3f5240c924074995651c4ccac15ddfd0070beff93625dcea9db118ab32bad61d
File name: B23EAF.exe
Sandbox: Hybrid-Analysis

Samples

Malspam Delivers Pony and LokiBot 031818

Password is “infected”

Article Link: https://malwarebreakdown.com/2018/03/19/malspam-delivers-pony-and-loki-bot/