2016-11-14 - EITEST CAMPAIGN SUNDOWN EK FROM 164.132.116.54

ASSOCIATED FILES:

  • 2016-11-14-Sundown-EK-traffic.pcap   (2,067,146 bytes)
  • 2016-11-14-Sundown-EK-flash-exploit-1-of-2.swf   (22,694 bytes)
  • 2016-11-14-Sundown-EK-flash-exploit-2-of-2.swf   (33,592 bytes)
  • 2016-11-14-Sundown-EK-landing-page.txt   (67,429 bytes)
  • 2016-11-14-Sundown-EK-payload.exe   (454,144 bytes)
  • 2016-11-14-other-malware-retrieved-from-the-infected-host.exe   (290,816 bytes)
  • 2016-11-14-page-from-showbizgeek_com-with-injected-EITest-script.txt   (100,035 bytes)

 

NOTES:


Shown above:  Flowchart for this infection traffic.

 

TRAFFIC


Shown above:  Injected script from the EITest campaign in a page from the compromised site.


Shown above:  The infection traffic from the pcap, filtered in Wireshark.
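The Wireshark filtering shown above can be reproduced without a GUI. The following is an added example, not code from the original post: a small libpcap reader that lists the HTTP requests in a capture and keeps the ones sent to the EK server IP from the title, 164.132.116.54. It assumes a classic libpcap file (not pcapng) with Ethernet framing, as the pcap listed above is expected to be. The packets below are constructed in memory so the script runs offline; they are not the real capture, and the URIs and the second host name are made-up placeholders.

```python
"""Triage a Sundown EK pcap: list HTTP requests sent to the EK server IP.

Added example (not part of the original post). Assumes classic libpcap
format with Ethernet link type. SAMPLE_PCAP is constructed here so the
script runs offline; it does not reproduce the real 2016-11-14 capture.
"""
import struct
from dataclasses import dataclass

EK_IP = "164.132.116.54"  # Sundown EK server IP from the page title


@dataclass
class HttpRequest:
    src: str
    dst: str
    method: str
    uri: str
    host: str


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def iter_packets(data: bytes):
    """Yield raw Ethernet frames from a classic libpcap buffer."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    (linktype,) = struct.unpack(endian + "I", data[20:24])
    if linktype != 1:
        raise ValueError("expected Ethernet (link type 1)")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(endian + "IIII", off and data[off:off + 16] or data[off:off + 16])
        off += 16
        yield data[off:off + incl]
        off += incl


def parse_http_requests(pcap: bytes):
    """Return an HttpRequest for every TCP segment that begins with an HTTP request line."""
    out = []
    for frame in iter_packets(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        total_len = struct.unpack("!H", ip[2:4])[0]
        ip = ip[:total_len]  # drop Ethernet padding, if any
        if ip[9] != 6:
            continue  # not TCP
        ihl = (ip[0] & 0x0F) * 4
        src, dst = _ip_str(ip[12:16]), _ip_str(ip[16:20])
        tcp = ip[ihl:]
        doff = (tcp[12] >> 4) * 4
        payload = tcp[doff:]
        line, _, rest = payload.partition(b"\r\n")
        parts = line.split(b" ")
        if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
            continue  # responses and non-HTTP data are skipped
        host = ""
        for hdr in rest.split(b"\r\n"):
            if hdr.lower().startswith(b"host:"):
                host = hdr[5:].strip().decode("latin-1")
        out.append(HttpRequest(src, dst, parts[0].decode("latin-1"),
                               parts[1].decode("latin-1"), host))
    return out


def requests_to_ek(pcap: bytes, ek_ip: str = EK_IP):
    """Equivalent of a Wireshark filter 'ip.dst == EK_IP && http.request'."""
    return [r for r in parse_http_requests(pcap) if r.dst == ek_ip]


# --- constructed sample capture (not the real pcap) ----------------------
def _frame(src: str, dst: str, payload: bytes, sport: int = 49152, dport: int = 80) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split("."))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames) -> bytes:
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", 1479100000 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + recs


SAMPLE_PCAP = build_pcap([
    _frame("192.168.1.10", "203.0.113.5",
           b"GET /page.html HTTP/1.1\r\nHost: showbizgeek.com\r\n\r\n"),  # compromised site
    _frame("192.168.1.10", EK_IP,
           b"GET /landing HTTP/1.1\r\nHost: ek.example.test\r\n\r\n"),   # placeholder URI/host
    _frame(EK_IP, "192.168.1.10",
           b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    _frame("192.168.1.10", EK_IP,
           b"GET /payload.exe HTTP/1.1\r\nHost: ek.example.test\r\n\r\n"),
])

if __name__ == "__main__":
    for r in requests_to_ek(SAMPLE_PCAP):
        print(f"{r.src} -> {r.dst}  {r.method} {r.host}{r.uri}")
```

To run it against the real capture, replace `SAMPLE_PCAP` with the bytes of the pcap file; only the request line and Host header are parsed, so segments that carry a continuation of a larger request body are ignored rather than mis-read.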

 

ASSOCIATED DOMAINS:

 

FILE HASHES

EXPLOITS:

PAYLOAD AND OTHER MALWARE:

 

FINAL NOTES

Once again, the associated files are the ones listed at the top of this page.

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

