2019-03-16 - SPELEVO EK EXAMPLES

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Zip archive of the infection traffic:  2019-03-16-Spelevo-EK-infection-traffic-3-pcaps.zip   4.6 MB (4,554,819 bytes)

• 2019-03-16-Spelevo-EK-1st-run.pcap   (2,322,092 bytes)
• 2019-03-16-Spelevo-EK-2nd-run.pcap   (2,313,412 bytes)
• 2019-03-16-Spelevo-EK-3rd-run.pcap   (301,336 bytes)

• Zip archive of the malware & artifacts:  2019-03-16-Spelevo-EK-malware-and-artifacts.zip   399 kB (399,076 bytes)

• 2019-03-16-Spelevo-EK-decoded-payload-retrieved-from-infected-host-all-3-runs.exe   (193,536 bytes)
• 2019-03-16-Spelevo-EK-encoded-payload-sent-from-server-all-3-runs.bin   (197,894 bytes)
• 2019-03-16-Spelevo-EK-flash-exploit-all-runs.swf   (22,863 bytes)
• 2019-03-16-Spelevo-EK-iframe-for-Flash-exploit-1st-run.txt   (1,852 bytes)
• 2019-03-16-Spelevo-EK-iframe-for-Flash-exploit-2nd-run.txt   (1,852 bytes)
• 2019-03-16-Spelevo-EK-iframe-for-Flash-exploit-3rd-run.txt   (1,827 bytes)
• 2019-03-16-Spelevo-EK-landing-page-1st-run.txt   (28,227 bytes)
• 2019-03-16-Spelevo-EK-landing-page-2nd-run.txt   (28,227 bytes)
• 2019-03-16-Spelevo-EK-landing-page-3rd-run.txt   (28,217 bytes)

ASSOCIATED FILES:

• Earlier this month, @kafeine tweeted about Spelevo EK (link) and others have have also been tracking this.
• I ran across some examples on 2019-03-16, which are included in today's blog post.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• neighbor.onegooglechecksim[.]xyz
• chichi.onegoogledeleterent[.]xyz
• lot.onegooglechecksim[.]xyz
• pppoe[.]bit
• weather0[.]bit
• mygranny[.]bit
• six6[.]bit
• learncpp[.]bit

 

TRAFFIC

Shown above:  Traffic from the 1st infection filtered in Wireshark.

 

Shown above:  Traffic from the 2nd infection filtered in Wireshark.

 

Shown above:  Traffic from the 3rd infection filtered in Wireshark.

 

1ST INFECTION RUN ON 2019-03-16 AT 23:19 UTC:

• 85.17.197[.]100 port 80 - neighbor.onegooglechecksim[.]xyz - GET /eesti-amatoare-neighbor
• 85.17.197[.]100 port 80 - neighbor.onegooglechecksim[.]xyz - GET /?s=dffc4090b3576aae0fb5f800c91f9173fl
• 85.17.197[.]100 port 80 - neighbor.onegooglechecksim[.]xyz - GET /?s=198e4404289f5109a67192288b5294f5sw
• 85.17.197[.]100 port 80 - neighbor.onegooglechecksim[.]xyz - POST /?s=d14d8cd32ec253835c076c04f7e67da2mf
• 85.17.197[.]100 port 80 - neighbor.onegooglechecksim[.]xyz - POST /?s=d14d8cd32ec253835c076c04f7e67da2mf&e=00000111&p=1
• 193.37.213[.]223 port 53 (UDP) - DNS query for pppoe[.]bit
• 31.148.220[.]69 port 443 - HTTPS/SSL/TLS traffic caused by malware payload

 

2ND INFECTION RUN ON 2019-03-16 AT 23:58 UTC:

• 85.17.197[.]100 port 80 - chichi.onegoogledeleterent[.]xyz - GET /pantera-classic-chichi
• 85.17.197[.]100 port 80 - chichi.onegoogledeleterent[.]xyz - GET /?s=e31e6edb08bf0ae9fbb32210b24540b6fl
• 85.17.197[.]100 port 80 - chichi.onegoogledeleterent[.]xyz - GET /?s=674f36ad3ac6bc2d7a3687d22ef5d4a5sw
• 85.17.197[.]100 port 80 - chichi.onegoogledeleterent[.]xyz - POST /?s=336d3757542e4bd97b71091bffd0c275mf
• 85.17.197[.]100 port 80 - chichi.onegoogledeleterent[.]xyz - POST /?s=336d3757542e4bd97b71091bffd0c275mf&e=00000111&p=1
• 193.37.213[.]223 port 53 (UDP) - DNS query for pppoe[.]bit
• 31.148.220[.]69 port 443 - HTTPS/SSL/TLS traffic caused by malware payload

 

3RD INFECTION RUN ON 2019-03-17 AT 00:19 UTC:

• 85.17.197[.]100 port 80 - lot.onegooglechecksim[.]xyz - GET /holiday-titanime-lot
• 85.17.197[.]100 port 80 - lot.onegooglechecksim[.]xyz - GET /?s=a6acd7f14a570b2aed5b7175b47133bbfl
• 85.17.197[.]100 port 80 - lot.onegooglechecksim[.]xyz - GET /?s=d4a09da02780baeca3114b1b9162871bsw
• 85.17.197[.]100 port 80 - lot.onegooglechecksim[.]xyz - POST /?s=606b700bb49450ae37ad3a041661df07mf
• 85.17.197[.]100 port 80 - lot.onegooglechecksim[.]xyz - POST /?s=606b700bb49450ae37ad3a041661df07mf&e=00000111&p=1
• 193.37.213[.]223 port 53 (UDP) - DNS queries for pppoe[.]bit
• 193.37.213[.]223 port 53 (UDP) - DNS queries for weather0[.]bit
• 193.37.213[.]223 port 53 (UDP) - DNS queries for mygranny[.]bit
• 193.37.213[.]223 port 53 (UDP) - DNS queries for six6[.]bit
• 193.37.213[.]223 port 53 (UDP) - DNS queries for learncpp[.]bit

 

FILE HASHES

SPELEVO EK FLASH EXPLOIT:

• SHA256 hash:  a0bdb809a45a5558bcad4d66290f084f8eb7e9ceb6bdd13132fc3e5f3c9255c6
  File size:  22,863 bytes
  File description:  Spelevo EK Flash exploit seen on Saturday 2019-03-16

SPELEVO EK PAYLOAD EXE:

• SHA256 hash:  ca30c42334fcc693320772b4ce1df26fe5f1d0110bc454ec6388d79dffea4ae8
  File size:  193,536 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\[random hex characters].tmp
  File location:  C:\Users\[username]\AppData\Local\Microsoft\WUDHost.exe
  File description:  Payload caused Spelevo EK on Saturday 2019-03-16, found on the infected Windows host

 

IMAGES

Shown above:  Decoded EXE from the infected Windows host, caused by Spelevo EK.

 

Shown above:  Notification seen during the infection.

 

Shown above:  Payload EXE persistent on the infected Windows host.

 

Shown above:  More info on the payload EXE.

 

Shown above:  Scheduled task to keep the payload EXE persistent.

 

Click here to return to the main page.