2016-11-02 - EITEST SUNDOWN EK FROM 185.104.8.166 SENDS MSIL/KRYPTIK

ASSOCIATED FILES:

  • 2016-11-02-Sundown-EK.pcap   (463,942 bytes)
  • 2016-11-02-page-from-whiteswebsite.com-with-injected-EITest-script.txt   (10,332 bytes)
  • 2016-11-02-Sundown-EK-landing-page.txt   (74,799 bytes)
  • 2016-11-02-Sundown-EK-flash-exploit-1-of-2.swf   (22,694 bytes)
  • 2016-11-02-Sundown-EK-flash-exploit-2-of-2.swf   (33,592 bytes)
  • 2016-11-02-Sundown-EK-silverlight-exploit.zip   (20,413 bytes)
  • 2016-11-02-Sundown-EK-payload.exe   (292,864 bytes)
  • 2016-11-02-follow-up-malware-after-Sundown-EK-infection-info.exe   (385,024 bytes)

 

NOTES:


Shown above:  How I felt when I realized what had happened.

 


Shown above:  Flowchart for this infection traffic.

 

TRAFFIC


Shown above:  Injected script from the EITest campaign in a page from the compromised site.


Shown above:  Traffic from the infection traffic filtered in Wireshark.

 

ASSOCIATED DOMAINS:

 

FILE HASHES

EXPLOITS:

PAYLOAD AND FOLLOW-UP:

 

IMAGES


Shown above:  Alerts using tcpreplay on the first pcap with the Emerging Threats Pro (ETPRO) ruleset using Sguil on Security Onion.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.