2016-10-17 - SUNDOWN EK FROM 37.139.47.53 SENDS LOCKY RANSOMWARE
ASSOCIATED FILES:
- ZIP archive of the pcap: 2016-10-17-Sundown-EK-sends-Locky-ransomware.pcap.zip 262.0 kB (261,952 bytes)
- 2016-10-17-Sundown-EK-sends-Locky-ransomware.pcap (399,867 bytes)
- ZIP archive of the malware: 2016-10-17-Sundown-EK-sends-Locky-malware-and-artifacts.zip 277.6 kB (277,616 bytes)
- 2016-10-17-Locky_HOWDO_text.bmp (149,158 bytes)
- 2016-10-17-Locky_HOWDO_text.html (9,899 bytes)
- 2016-10-17-Sundown-EK-flash-exploit.swf (71,545 bytes)
- 2016-10-17-Sundown-EK-landing-page.txt (21,005 bytes)
- 2016-10-17-Sundown-EK-payload-Locky.exe (250,880 bytes)
NOTES:
- Thanks to Baber, who tipped me off to this infection chain.
- Aside from the signature hits I got from the ETPRO ruleset indicating this is Sundown EK, I couldn't find anything else related to this traffic.
BACKGROUND ON SUNDOWN EK:
- 2015-06-08 - Malware Don't Need Coffee: Fast look at Sundown EK.
- 2015-06-18 - Virus Bulletin: Beta exploit pack: one more piece of crimeware for the infection road!
- 2015-06-25 - ProofPoint Blog: Sundown EK Spreads LuminosityLink RAT: Light After Dark.
- 2016-09-02 - SpiderLabs Blog: Sundown EK - Stealing Its Way to the Top.
- 2016-10-07 - ProofPoint: Daily Ruleset Update Summary 2016/10/07 -- Some of these rules triggered on today's Sundown EK traffic.
- 2016-10-17 - MalwareBytes Blog: New-looking Sundown EK drops Smoke Loader, Kronos banker.
TRAFFIC
Shown above: Infection traffic filtered in Wireshark.
INITIAL WEBSITE AND AD TRAFFIC CHAIN:
- newsru.co.il
- ad.newsru.co.il
- secure.web-wise.co.il
GATE:
- 5.200.55.73 port 80 - designs.teraspectrum.com - GET /assumed/lang.js
SUNDOWN EK:
- 37.139.47.53 port 80 - announces.terawideworld.com - GET /index.php - landing page
- 37.139.47.53 port 80 - announces.terawideworld.com - GET /gjorijfjds.swf - Flash exploit
- 37.139.47.53 port 80 - spectral.theoptimalism.com - GET /p.php?id=1 - payload (Locky)
FILE HASHES
FLASH EXPLOIT:
- SHA256 hash: f1016d736929c2cbd9265b2d975a4bf8593aafa6c1af5318bef8329b3f869bf6
File name: 2016-10-17-Sundown-EK-flash-exploit.swf (71,545 bytes)
PAYLOAD (LOCKY):
- SHA256 hash: 04e3cce4775868fcfb497de27979ea077623d0bc9707f86efd86ab0136227d3a
File name: 2016-10-17-Sundown-EK-payload-Locky.exe (250,880 bytes)
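The traffic listing above gives the chain as gate -> landing page -> Flash exploit -> payload, and the hash listing gives the SHA256 of the two retrieved artifacts. Below is an added example (not code from the original post) that turns both listings into a triage script: it walks HTTP request logs per client, advances through the chain only when stages appear in the observed order, flags any contact with the EK IP, and checks a file's SHA256 against the listed hashes. The hosts, IPs, URIs and hashes are the page's indicators; the log line format, the sample log lines and the 192.0.2.10 address used for the publisher site are constructed for the demonstration.

```python
"""Correlate HTTP request logs into the Sundown EK -> Locky chain listed above.

Added example, not code from the original post. The hosts, IPs, URIs and
SHA256 hashes are the indicators given on this page; the log line format and
the sample log below are constructed for the demonstration.
"""
import hashlib
import re
from collections import defaultdict

EK_IP = "37.139.47.53"  # IP hosting both Sundown EK domains in this traffic

# Stages of the observed chain in the order they must occur:
# (stage name, server host, URI), all taken from the traffic listing above.
CHAIN = [
    ("gate", "designs.teraspectrum.com", "/assumed/lang.js"),
    ("landing", "announces.terawideworld.com", "/index.php"),
    ("flash_exploit", "announces.terawideworld.com", "/gjorijfjds.swf"),
    ("payload", "spectral.theoptimalism.com", "/p.php?id=1"),
]

# SHA256 hashes listed on the page for the two retrieved artifacts.
KNOWN_HASHES = {
    "f1016d736929c2cbd9265b2d975a4bf8593aafa6c1af5318bef8329b3f869bf6":
        "Sundown EK Flash exploit (.swf)",
    "04e3cce4775868fcfb497de27979ea077623d0bc9707f86efd86ab0136227d3a":
        "Sundown EK payload (Locky)",
}

# Constructed log format: "<epoch> <client_ip> <server_ip> <host> <method> <uri>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<server>\S+)\s+"
    r"(?P<host>\S+)\s+(?P<method>\S+)\s+(?P<uri>\S+)$"
)

# Constructed sample log: 10.0.0.5 walks the whole chain, 10.0.0.7 stops after
# the landing page (e.g. the .swf was blocked), 10.0.0.9 only visits the
# publisher site. 192.0.2.10 is a placeholder address for newsru.co.il.
SAMPLE_LOG = """\
1476700000 10.0.0.5 192.0.2.10 newsru.co.il GET /
1476700001 10.0.0.5 5.200.55.73 designs.teraspectrum.com GET /assumed/lang.js
1476700002 10.0.0.5 37.139.47.53 announces.terawideworld.com GET /index.php
1476700003 10.0.0.5 37.139.47.53 announces.terawideworld.com GET /gjorijfjds.swf
1476700004 10.0.0.5 37.139.47.53 spectral.theoptimalism.com GET /p.php?id=1
1476700010 10.0.0.7 5.200.55.73 designs.teraspectrum.com GET /assumed/lang.js
1476700011 10.0.0.7 37.139.47.53 announces.terawideworld.com GET /index.php
1476700020 10.0.0.9 192.0.2.10 newsru.co.il GET /
"""


def classify(host, uri):
    """Return the index of the chain stage a request matches, or None."""
    for idx, (_, stage_host, stage_uri) in enumerate(CHAIN):
        if host == stage_host and uri == stage_uri:
            return idx
    return None


def correlate(lines):
    """Group requests by client IP and walk each client's requests in time
    order, advancing through CHAIN only when the next expected stage appears.

    Returns {client_ip: {"stages": [stage names reached, in order],
                         "ek_ip_contact": True if any request went to EK_IP}}.
    """
    per_client = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole batch
        per_client[m["client"]].append(
            (int(m["ts"]), m["server"], m["host"], m["uri"]))

    results = {}
    for client, reqs in per_client.items():
        reqs.sort()  # chronological order matters for stage progression
        reached, ek_ip_contact = [], False
        for _, server, host, uri in reqs:
            if server == EK_IP:
                ek_ip_contact = True
            idx = classify(host, uri)
            if idx is not None and idx == len(reached):
                reached.append(CHAIN[idx][0])
        results[client] = {"stages": reached, "ek_ip_contact": ek_ip_contact}
    return results


def verdict(stages):
    """Human-readable triage label for the furthest stage a client reached."""
    if not stages:
        return "clean"
    if stages[-1] == "payload":
        return "payload retrieved: treat host as infected with Locky"
    if stages[-1] == "flash_exploit":
        return "exploit delivered: check for a dropped payload by other means"
    return "contacted gate/landing only: investigate, likely blocked before exploit"


def sha256_hex(data):
    """SHA256 of a byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def identify_artifact(data):
    """Match a file's SHA256 against the hashes listed on the page, or None."""
    return KNOWN_HASHES.get(sha256_hex(data))


if __name__ == "__main__":
    for client, info in sorted(correlate(SAMPLE_LOG.splitlines()).items()):
        print(client, info["stages"], "->", verdict(info["stages"]))
```

The stage walk is deliberately strict about order: a client that hits the landing page without first loading the gate script, or fetches the .swf without the landing page, does not advance, which keeps a stray visit to a single indicator from being reported as a full infection. The separate ek_ip_contact flag catches the looser case, since both EK domains here resolved to the same IP and a new hostname on that IP is still worth a look.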
IMAGES
Shown above: Notable alerts on the traffic in Snort using the Snort subscriber ruleset.
Shown above: Notable alerts on the infection traffic in Security Onion using Suricata and the EmergingThreats Pro ruleset.
Shown above: Desktop of an infected Windows host after rebooting.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2016-10-17-Sundown-EK-sends-Locky-ransomware.pcap.zip 262.0 kB (261,952 bytes)
- ZIP archive of the malware: 2016-10-17-Sundown-EK-sends-Locky-malware-and-artifacts.zip 277.6 kB (277,616 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.