2016-12-07 - KAIXIN EK FROM 220.169.242.216

ASSOCIATED FILES:

  • 2016-12-07-KaiXin-EK-traffic.pcap   (8,060,637 bytes)
  • 2016-12-07-KaiXin-EK-index.js.txt   (3,002 bytes)
  • 2016-12-07-KaiXin-EK-jquery-1.4.2.min.js.txt   (19,936 bytes)
  • 2016-12-07-KaiXin-EK-landing-page.txt   (6,907 bytes)
  • 2016-12-07-KaiXin-EK-main.htm.txt   (16,083 bytes)
  • 2016-12-07-KaiXin-EK-payload-server.exe   (114,688 bytes)
  • 2016-12-07-KaiXin-EK-swfobject.js.txt   (12,677 bytes)
  • 2016-12-07-KaiXin-EK-win.html.txt   (15,519 bytes)
  • 2016-12-07-post-infection-down.cables-echu.com-8191-Sanxun_1053.exe   (1,447,424 bytes)
  • 2016-12-07-post-infection-downdll.baijiai.com-caches-sevice_905_45078.exe   (576,680 bytes)
  • 2016-12-07-post-infection-senv.selcn.com-senvzhibo-Sesp203_nv_u.exe   (1,261,568 bytes)
  • 2016-12-07-post-infection-test.baogonghui.com-test-setup_50006.exe   (1,928,192 bytes)

NOTES:


Shown above:  A Windows host after being infected with this particular Murlo file downloader.


TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

KAIXIN EK:

POST-INFECTION FOLLOW-UP DOWNLOADS:
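The request lines and Host headers in the Wireshark view above are what turn a pcap like the 8 MB capture in this post into indicators.  The script below is an added example, not tooling from this site: it walks a classic pcap with only the Python standard library and pulls out every HTTP request (client, server, port, method, Host, URI).  The embedded SAMPLE_PCAP is constructed for the example; the EK address 220.169.242.216 and the host down.cables-echu.com:8191 are taken from this page, while the client address 10.0.0.5, the TEST-NET server 203.0.113.10, the URI paths and the User-Agent string are made up.

```python
"""Extract HTTP request lines and Host headers from a classic pcap.
Added example, not the page's own tooling.  SAMPLE_PCAP is constructed here:
hosts/ports come from the page, client IP, server 203.0.113.10 and URI paths
are made up."""
import ipaddress
import struct
from typing import List, NamedTuple, Optional, Set, Tuple


class HttpRequest(NamedTuple):
    src: str
    dst: str
    dport: int
    method: str
    host: str
    uri: str


def _ipv4_tcp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build an Ethernet/IPv4/TCP frame for the sample; checksums stay 0 (constructed data)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return eth + ip + tcp + payload


def build_pcap(frames: List[bytes]) -> bytes:
    """Classic little-endian pcap: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1481068800 + i, 0, len(frame), len(frame)) + frame
    return out


CLIENT = "10.0.0.5"  # constructed victim address
SAMPLE_PCAP = build_pcap([
    _ipv4_tcp_frame(CLIENT, "220.169.242.216", 49152, 80, b""),  # segment without payload
    _ipv4_tcp_frame(CLIENT, "220.169.242.216", 49152, 80,
                    b"GET /main.htm HTTP/1.1\r\nHost: 220.169.242.216\r\n"
                    b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0)\r\n\r\n"),
    _ipv4_tcp_frame("220.169.242.216", CLIENT, 80, 49152,
                    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    _ipv4_tcp_frame(CLIENT, "203.0.113.10", 49153, 8191,
                    b"GET /Sanxun_1053.exe HTTP/1.1\r\nHost: down.cables-echu.com:8191\r\n\r\n"),
])


def _http_request_from_frame(frame: bytes) -> Optional[HttpRequest]:
    """Return the HTTP request carried by one Ethernet/IPv4/TCP frame, or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 6 or len(ip) < ihl + 20:  # not TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    tcp = ip[ihl:total_len]
    dport = struct.unpack("!H", tcp[2:4])[0]
    payload = tcp[(tcp[12] >> 4) * 4:]
    if not payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        return None
    lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 3:
        return None
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            break
    return HttpRequest(src, dst, dport, parts[0].decode("ascii", "replace"),
                       host, parts[1].decode("ascii", "replace"))


def extract_http_requests(pcap: bytes) -> List[HttpRequest]:
    """Walk every record of a classic pcap (either byte order) and collect HTTP requests."""
    magic = pcap[:4]
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is handled")
    requests, offset = [], 24
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[offset + 8:offset + 12])[0]
        offset += 16
        frame = pcap[offset:offset + incl_len]
        offset += incl_len
        req = _http_request_from_frame(frame)
        if req is not None:
            requests.append(req)
    return requests


def request_endpoints(requests: List[HttpRequest]) -> Set[Tuple[str, int]]:
    """Distinct (Host header, destination port) pairs, the first thing to pivot on."""
    return {(r.host, r.dport) for r in requests}


if __name__ == "__main__":
    for r in extract_http_requests(SAMPLE_PCAP):
        print(f"{r.src} -> {r.dst}:{r.dport}  {r.method} {r.host}{r.uri}")
```

To run it against a real capture, read the file into bytes and pass it to extract_http_requests; the parser only keys on the request line at the start of a TCP payload, so requests split across segments or carried in pcapng files need a reassembling tool such as Wireshark's Follow TCP Stream.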


FILE HASHES

KAIXIN EK PAYLOAD (MURLO FILE DOWNLOADER):

FOLLOW-UP DOWNLOADS:


IMAGES


Shown above:  Some of the alerts from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.



Shown above:  Some alerts from the Snort subscriber ruleset using Snort 2.9.8.3 on Debian 7.11.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
