2017-03-07 - SUNDOWN EK

NOTICE:

ASSOCIATED FILES:

  • 2017-03-07-Sundown-EK.pcap   (431,448 bytes)
  • 2017-03-07-Sundown-EK-artifact-mxl3sfDs.tmp.txt   (1,279 bytes)
  • 2017-03-07-Sundown-EK-flash-exploit-1-of-2.swf   (49,754 bytes)
  • 2017-03-07-Sundown-EK-flash-exploit-2-of-2.swf   (22,693 bytes)
  • 2017-03-07-Sundown-EK-landing-page.txt   (58,051 bytes)
  • 2017-03-07-Sundown-EK-payload-bqekbms2.exe   (310,304 bytes)

NOTES:

[Image from the original post not preserved]

Shown above:  Traffic from the infection filtered in Wireshark.


ASSOCIATED DOMAINS AND URLS:

  • 66.11.117[.]44 port 80 - dns.cheapghost[.]pw - GET /   [gate leading to Sundown EK]
  • 217.23.15[.]183 port 80 - gly.ytlzz[.]xyz - GET /index.php?[long string]   [Sundown EK landing page]
  • 217.23.15[.]183 port 80 - gly.ytlzz[.]xyz - GET /0E2/?9643522803
  • 217.23.15[.]183 port 80 - gly.ytlzz[.]xyz - GET /0E2/?947545190441
  • 217.23.15[.]195 port 80 - fbm.ytlyt[.]xyz - GET /d.php   [Sundown EK payload]


FILE HASHES:

SUNDOWN EK FLASH EXPLOIT (1 OF 2):

  • SHA256 hash:  31261c6679e8cade97cff741dd89a6d29835fa648087bd88da851f31d9deb817
  • File size:  49,754 bytes

SUNDOWN EK FLASH EXPLOIT (2 OF 2):

  • SHA256 hash:  3fbcf07c30d6f9ebc13716790d0c3ce5f58985b815e348d7032d039ccbb122f1
  • File size:  22,693 bytes

SUNDOWN EK PAYLOAD (UNKNOWN MALWARE, DIDN'T WORK IN MY LAB):

  • SHA256 hash:  e9f6edb73eb7cf8dcc40458f59d13ca2e236efc043d4bc913e113bd3a6af19a2
  • File location:  C:\Users\[username]\AppData\Local\Temp\rn9f8hyz.exe
  • File size:  310,304 bytes
