2016-11-16 - EITEST CAMPAIGN SUNDOWN EK

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2016-11-16-5th-run-EITest-Sudnown-EK.pcap.zip   238 kB (238,478 bytes)

• 2016-11-16-5th-run-EITest-Sudnown-EK.pcap   (277,078 bytes)

• 2016-11-16-5th-run-EITest-Sundown-EK-malware-and-artifacts.zip   219 kB (219,028 bytes)

• 2016-11-16-5th-run-Sundown-EK-flash-exploit-1-of-2.swf   (22,693 bytes)
• 2016-11-16-5th-run-Sundown-EK-flash-exploit-2-of-2.swf   (33,591 bytes)
• 2016-11-16-5th-run-Sundown-EK-landing-page.txt   (304,719 bytes)
• 2016-11-16-5th-run-Sundown-EK-payload.exe   (12,288 bytes)
• 2016-11-16-5th-run-Sundown-EK-silverlight-exploit.zip   (20,412 bytes)
• 2016-11-16-5th-run-page-from-cavallinomotorsport_com-with-injected-EITest-script.txt   (18,505 bytes)

 

NOTES:

• Another example of the EITest campaign causing Sundown EK, which I previously saw on 2016-11-02 and 2016-11-14.

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script from the EITest campaign in a page from the compromised site.

Shown above:  Traffic from the infection traffic filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• cavallinomotorsport[.]com - Compromised site with injected EITest script
• 164.132.116[.]54 port 80 - qx.888529[.]info - Sundown EK (first domain)
• 149.202.67[.]202 port 80 - d.888627[.]info - Sundown EK (second domain)

 

FILE HASHES

EXPLOITS:

• SHA256 hash:  d2d6fad1119a6b59a605410b28f19276d1b0b33f965d8489b0b52c3c0191a3c9
  File name:  2016-11-16-Sundown-EK-flash-exploit-1-of-2.swf   (22,693 bytes)

• SHA256 hash:  adbdfe204f57c5339e46f1bced9d29fc37b271fac47a8aa01080e3fb69a88ca5
  File name:  2016-11-16-Sundown-EK-flash-exploit-2-of-2.swf   (33,592 bytes)

• SHA256 hash:  9eb1e6bfed606da3ee6b2529915134ecf58ac983316549c9c038a757d07e0aed
  File name:  2016-11-16-5th-run-Sundown-EK-silverlight-exploit.zip   (20,412 bytes)

PAYLOAD:

• SHA256 hash:  5b8b199451813bcd672183ac97d9a2b81ea94f63258c1b59dcf6781be835862b
  File name:  2016-11-16-5th-run-Sundown-EK-payload.exe   (12,288 bytes)

 

Click here to return to the main page.