2016-10-17 - SUNDOWN EK FROM 37.139.47.53 SENDS LOCKY RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the pcap:  2016-10-17-Sundown-EK-sends-Locky-ransomware.pcap.zip   262.0 kB (261,952 bytes)

• 2016-10-17-Sundown-EK-sends-Locky-ransomware.pcap   (399,867 bytes)

• ZIP archive of the malware:  2016-10-17-Sundown-EK-sends-Locky-malware-and-artifacts.zip   277.6 kB (277,616 bytes)

• 2016-10-17-Locky_HOWDO_text.bmp   (149,158 bytes)
• 2016-10-17-Locky_HOWDO_text.html   (9,899 bytes)
• 2016-10-17-Sundown-EK-flash-exploit.swf   (71,545 bytes)
• 2016-10-17-Sundown-EK-landing-page.txt   (21,005 bytes)
• 2016-10-17-Sundown-EK-payload-Locky.exe   (250,880 bytes)

 

NOTES:

• Thanks to Baber, who tipped me off to this infection chain.
• Aside from the signature hits I got from the ETPRO ruleset indicating this is Sundown EK, I couldn't find anything else related this traffic.

 

BACKGROUND ON SUNDOWN EK:

• 2015-06-08 - Malware Don't Need Coffee:  Fast look at Sundown EK.
• 2015-06-18 - Virus Bulletin:  Beta exploit pack: one more piece of crimeware for the infection road!
• 2015-06-25 - ProofPoint Blog:  Sundown EK Spreads LuminosityLink RAT: Light After Dark.
• 2016-09-02 - SpiderLabs Blog:  Sundown EK - Stealing Its Way to the Top.
• 2016-10-07 - ProofPoint:  Daily Ruleset Update Summary 2016/10/07 -- Some of these rules triggered on today's Sundown EK traffic.
• 2016-10-17 - MalwareBytes Blog:  New-looking Sundown EK drops Smoke Loader, Kronos banker.

 

TRAFFIC

Shown above:  Infection traffic filtered in Wireshark.

 

INITIAL WEBSITE AND AD TRAFFIC CHAIN:

• newsru.co.il
• ad.newsru.co.il
• secure.web-wise.co.il

GATE:

• 5.200.55.73 port 80 - designs.teraspectrum.com - GET /assumed/lang.js

SUNDOWN EK:

• 37.139.47.53 port 80 - announces.terawideworld.com - GET /index.php - landing page
• 37.139.47.53 port 80 - announces.terawideworld.com - GET /gjorijfjds.swf - Flash exploit
• 37.139.47.53 port 80 - spectral.theoptimalism.com - GET /p.php?id=1 - payload (Locky)

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 hash:  f1016d736929c2cbd9265b2d975a4bf8593aafa6c1af5318bef8329b3f869bf6
  File name:  016-10-17-Sundown-EK-flash-exploit.swf   (71,545 bytes)

PAYLOAD (LOCKY):

• SHA256 hash:  04e3cce4775868fcfb497de27979ea077623d0bc9707f86efd86ab0136227d3a
  File name:  2016-10-17-Sundown-EK-payload-Locky.exe   (250,880 bytes)

 

IMAGES

Shown above:  Notable alerts on the traffic in Snort using the Snort subscriber ruleset.

 

Shown above:  Notable alerts on the infection traffic in Security Onion using Suricata and the EmergingThreats Pro ruleset.

 

Shown above:  Desktop of an infected Windows host after rebooting.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2016-10-17-Sundown-EK-sends-Locky-ransomware.pcap.zip   262.0 kB (261,952 bytes)
• ZIP archive of the malware:  2016-10-17-Sundown-EK-sends-Locky-malware-and-artifacts.zip   277.6 kB (277,616 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.