2017-01-06 - SUNDOWN EK FROM 188.165.163.226 AND 93.190.143.201

ASSOCIATED FILES:

  • 2017-01-06-Sundown-EK-sends-Terdot.A-Zloader.pcap   (978,479 bytes)
  • 2017-01-06-Sundown-EK-fash-exploit-78493521.swf   (45,026 bytes)
  • 2017-01-06-Sundown-EK-fash-exploit-9643522803.swf   (14,088 bytes)
  • 2017-01-06-Sundown-EK-landing-page.txt   (73,418 bytes)
  • 2017-01-06-Sundown-EK-payload-Terdot.A-Zloader.exe   (244,224 bytes)
  • 2017-01-06-run-Sundown-EK-other-exploit-JHgfjhc.png   (52,591 bytes)

BACKGROUND ON SUNDOWN EXPLOIT KIT:

OTHER NOTES:


TRAFFIC


Shown above:  Pcap from the infection traffic filtered in Wireshark


SUNDOWN EK:

POST INFECTION TRAFFIC:


FILE HASHES

EXPLOITS:

PAYLOADS AND FOLLOW-UP MALWARE:


IMAGES

NOTE: For the folders and most of the files shown below, the names are randomized, so if you infected a Windows host with the same malware sample, you won't have the same folder or file names (except for php.exe and php5ts.dll).
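The note above is a usable hunting rule: the folder and file names change from infection to infection, but php.exe and php5ts.dll keep their names. The following script is an added example (not part of the original post or the sample) that walks an AppData\Roaming-style tree, flags any folder holding both stable names, and hashes everything in that folder so the randomly named companion files can be shared as indicators. The directory tree it builds is constructed for the demonstration; the folder names in it are made up and are not the ones from the infected host shown in the images.

```python
# Added example, not from the original post: hunt for the randomly named
# drop folders described above by pivoting on the two file names the note
# says do NOT change (php.exe and php5ts.dll).
import hashlib
import os
import tempfile
from pathlib import Path

# Stable names from the note above; every other folder/file name is random.
STABLE_NAMES = {"php.exe", "php5ts.dll"}


def sha256_of(path: Path) -> str:
    """SHA256 of a file, read in chunks so a large payload is not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_php_dropper_dirs(roaming: Path) -> dict:
    """Return {relative_folder: {filename: sha256}} for each folder under
    `roaming` containing BOTH stable names.  Requiring both (not just
    php.exe) avoids flagging folders that merely ship a PHP binary."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(roaming):
        if STABLE_NAMES <= set(filenames):
            d = Path(dirpath)
            hits[str(d.relative_to(roaming))] = {
                name: sha256_of(d / name) for name in sorted(filenames)
            }
    return hits


def build_sample_tree() -> Path:
    """Constructed sample tree (placeholder bytes, not real malware).
    Folder names here are invented, not those seen on the infected host."""
    root = Path(tempfile.mkdtemp(prefix="roaming-"))
    for name in ("Mbvlt", "Xkqor", "Ztuwe"):
        (root / name).mkdir()
    # Random-named folder carrying the PHP runtime plus a random-named script.
    (root / "Mbvlt" / "php.exe").write_bytes(b"MZ-constructed-placeholder-1")
    (root / "Mbvlt" / "php5ts.dll").write_bytes(b"MZ-constructed-placeholder-2")
    (root / "Mbvlt" / "hgqwe.php").write_bytes(b"<?php /* constructed */ ?>")
    # Decoy: only php.exe present, so it must NOT match.
    (root / "Xkqor" / "php.exe").write_bytes(b"MZ-constructed-placeholder-1")
    # Unrelated random data.
    (root / "Ztuwe" / "state.dat").write_bytes(b"\x00" * 16)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    # On a live host, pass Path(os.environ["APPDATA"]) instead of the sample tree.
    for folder, files in find_php_dropper_dirs(sample_root).items():
        print(folder)
        for name, digest in files.items():
            print(f"  {name}  {digest}")
```

Run it against the real %APPDATA% path on a suspect host rather than the sample tree; the hashes of the randomly named files in any matching folder are what you would compare against the payload hash listed for this infection.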


Shown above:  Some of the folders created on the infected Windows host.



Shown above:  Contents of C:\Users\[username]\AppData\Roaming\Advui



Shown above:  Contents of C:\Users\[username]\AppData\Roaming\Nueqma



Shown above:  Contents of C:\Users\[username]\AppData\Roaming\Qiid



Shown above:  Contents of C:\Users\[username]\AppData\Roaming\Urhiwy


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
