Malicious Word Doc with Pony downloader sends Vawtrak

NOTES:
This malicious Word document was uploaded to malwr.com by @Techhelplistcom. Below is the traffic associated with this malware infection.

ASSOCIATED DOMAINS:

  • 198.105.244.228 – sithettetold.com – POST /zapoy/gate.php – Pony CHECK_IN
  • 162.210.100.159 – POST /zapoy/gate.php – Pony CHECK_IN
  • 80.93.62.220 – lecotta.ru – GET /system/logs/mx.exe – Vawtrak DOWNLOAD
  • 217.12.223.70 – minitoons01.asia – POST /rss/feed/stream – Vawtrak POST INFECTION TRAFFIC

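As an added example (not part of the original post, and not captured traffic from it), the indicator list above can be turned into a small detector that walks proxy log lines and labels each stage of the chain: Pony check-in, Vawtrak download, Vawtrak post-infection POST. The log layout it parses (timestamp, client IP, method, host, path, HTTP status) is an assumption for this example, and the sample lines, timestamps and client addresses are constructed. It deliberately does not filter on the HTTP status, because the post shows a Pony check-in answered with a 301 before the one that succeeded, and the attempt itself is the signal.

```python
import re
from typing import Dict, List, Optional

# Indicators taken from the traffic listed in this post: host/IP pairs and URL
# paths for the Pony check-in, the Vawtrak download and the Vawtrak
# post-infection POST. Matching is on host *or* IP so a log that records only
# one of the two still hits.
INDICATORS = [
    {
        "label": "Pony CHECK_IN",
        "method": "POST",
        "path": re.compile(r"^(/zapoy)?/gate\.php$"),  # both check-in paths seen
        "hosts": {"sithettetold.com", "198.105.244.228", "162.210.100.159"},
    },
    {
        "label": "Vawtrak DOWNLOAD",
        "method": "GET",
        "path": re.compile(r"^/system/logs/mx\.exe$"),
        "hosts": {"lecotta.ru", "80.93.62.220"},
    },
    {
        "label": "Vawtrak POST INFECTION",
        "method": "POST",
        "path": re.compile(r"^/rss/feed/stream$"),
        "hosts": {"minitoons01.asia", "217.12.223.70"},
    },
]

# Assumed proxy log layout (an assumption for this example, not a format the
# post describes): <timestamp> <client_ip> <method> <host[:port]> <path> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<host>\S+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a hit record if the log line matches one of the indicators, else None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None  # unparseable line: skip it rather than crash the scan
    host = m.group("host").lower().split(":")[0]  # drop an explicit port
    for ind in INDICATORS:
        if (m.group("method") == ind["method"]
                and host in ind["hosts"]
                and ind["path"].match(m.group("path"))):
            # Status is recorded but not used as a filter: a 301 on the
            # check-in (as in the post) is still a check-in attempt.
            return {"ts": m.group("ts"), "client": m.group("client"),
                    "label": ind["label"], "host": host,
                    "status": m.group("status")}
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify over every line and keep the hits, in log order."""
    return [hit for hit in (classify(l) for l in lines) if hit]


def infected_clients(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group hits by client IP so one host's full chain (check-in, download,
    post-infection traffic) is visible at a glance."""
    by_client: Dict[str, set] = {}
    for h in hits:
        by_client.setdefault(h["client"], set()).add(h["label"])
    return {c: sorted(labels) for c, labels in by_client.items()}


# Constructed sample log lines (not captured traffic from the post); the
# timestamps and client addresses are invented for the example.
SAMPLE_LOG = [
    "2015-01-01T10:00:01Z 10.0.0.5 POST sithettetold.com /zapoy/gate.php 301",
    "2015-01-01T10:00:02Z 10.0.0.5 POST 162.210.100.159 /zapoy/gate.php 200",
    "2015-01-01T10:00:09Z 10.0.0.5 GET lecotta.ru:80 /system/logs/mx.exe 200",
    "2015-01-01T10:00:30Z 10.0.0.5 POST minitoons01.asia /rss/feed/stream 200",
    "2015-01-01T10:01:00Z 10.0.0.7 GET www.example.com /index.html 200",
    "not a log line at all",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["client"]} {hit["label"]} '
              f'({hit["host"]}, HTTP {hit["status"]})')
    print(infected_clients(scan(SAMPLE_LOG)))
```

Run against the sample, the scan reports two Pony check-ins (one answered 301), the mx.exe download and the /rss/feed/stream POST, all from the same client, which is the chain the captions below walk through; the unrelated GET and the unparseable line produce nothing.
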
IMAGES and DETAILS:

Shown above: Malicious Word document attempting to get the user to Enable Content [MACROS]

Shown above: Numerous attempts by Pony to check in (“POST /gate.php”)

Shown above: Pony check-in attempt shows HTTP “301 Moved Permanently”

Shown above: Pony successful check-in via a TCP connection

Shown above: Vawtrak downloaded from lecotta.ru (“mx.exe”)

Shown above: Vawtrak post-infection traffic (“POST /rss/feed”)

Shown above: Using msconfig shows the Vawtrak start-up location

Shown above: Using regedit shows the Vawtrak masked start-up location in the registry

MALICIOUS DOC AND PAYLOAD: