2017-03-30 - TERROR EK FROM 159.203.185[.]4
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-03-30-Terror-EK-traffic.pcap.zip 1.4 MB (1,433,570 bytes)
- 2017-03-30-Terror-EK-traffic.pcap (1,549,974 bytes)
- 2017-03-30-Terror-EK-malware-and-artifacts.zip 329.1 kB (329,095 bytes)
- 2017-03-30-Terror-EK-SilverApp1.zip (8,381 bytes)
- 2017-03-30-Terror-EK-artifact-zs3n.tmp.txt (1,151 bytes)
- 2017-03-30-Terror-EK-landing-page.txt (2,573 bytes)
- 2017-03-30-Terror-EK-more-html.txt (1,195 bytes)
- 2017-03-30-Terror-EK-radBE65C.tmp.dll (723,456 bytes)
BACKGROUND ON THE TERROR EK:
- 2017-01-09 - Trustwave - Terror Exploit Kit? More like Error Exploit Kit
OTHER NOTES:
- Big thanks to @Zerophage1337 for tweeting about this on 2017-03-29 and providing a referrer (link).
TRAFFIC
Shown above: Injected script from the EITest campaign in a page from the compromised site.
ASSOCIATED DOMAINS:
- 173.208.245.114 port 80 - www.sexyvideos.club - compromised site (okay when I checked later)
- 159.203.185.4 port 80 - 159.203.185.4 - Terror EK
FILE HASHES
EXPLOIT:
- SHA256 hash: 88cdbf79aba30f553a949fc281baaa5d2e5f887d6c3f05b617c4712a709d47a9
  File size: 8,381 bytes
  File description: Terror EK Silverlight exploit (in zip archive form) seen on 2017-03-30
PAYLOAD:
- SHA256 hash: 71ea85fd9a93949b4a22ed0ac43caebf991f9c046318bf6a490fe1ecb95537fe
  File size: 723,456 bytes
  File location: C:\Users\[username]\AppData\Local\Temp\radBE65C.tmp.dll
  File location: C:\Users\[username]\AppData\Local\Temp\b6g3KwL.exe
IMAGES
Shown above: Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.
Shown above: Alerts from the Snort subscriber ruleset using Snort 2.9.9.0 on Debian 7.