2016-12-08 - SUNDOWN EK FROM 193.70.64[.]80 AND 193.70.64[.]91
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2016-12-08-Sundown-EK-both-pcaps.zip 1.8 MB (1,828,002 bytes)
  - 2016-12-08-Sundown-EK-first-run.pcap (1,455,096 bytes)
  - 2016-12-08-Sundown-EK-second-run.pcap (1,897,472 bytes)
- 2016-12-08-Sundown-EK-malware-and-artifacts.zip 969.5 kB (969,513 bytes)
  - 2016-12-08-Sundown-EK-landing-page.txt (119,802 bytes)
  - 2016-12-08-Sundown-EK-payload.exe (129,850 bytes)
  - bs.dll (58,368 bytes)
  - sql.dll (522,752 bytes)
  - zs.dll (913,920 bytes)
NOTES:
- Saw some ad traffic that led to Sundown EK earlier today.
[Image: Ad traffic chain that led to Sundown EK.]
TRAFFIC
[Image: Traffic from the first run filtered in Wireshark.]
[Image: Traffic from the second run filtered in Wireshark.]
ASSOCIATED DOMAINS (IP address, port, hostname used in the HTTP request, role in the chain):
- 23.238.19[.]56 port 80 - creditkarmas[.]us - GET /noone.php [redirected to Sundown EK landing page]
- 193.70.64[.]91 port 80 - gaj.09r[.]biz - First Sundown EK IP and domain (first run)
- 193.70.64[.]91 port 80 - kdt.17v[.]biz - First Sundown EK IP and domain (second run)
- 193.70.64[.]80 port 80 - vlu.01z[.]biz - Second Sundown EK IP and domain (first and second runs)
- 193.169.252[.]6 port 80 - 193.169.252[.]6 (requested by IP address, no domain) - Post-infection callback
- 193.169.252[.]130 port 80 - 193.169.252[.]130 (requested by IP address, no domain) - Post-infection callback
FILE HASHES
SUNDOWN EK PAYLOAD:
- SHA256 hash: b3675888d24c5dfdc37420f76c8631a1e02748801271a116f8bc2c7d42e9f30a
  File description: Sundown EK payload (129,850 bytes)
FOLLOW-UP DOWNLOADS:
- SHA256 hash: 4e22a0ef5543f7b1dcd74b4d9f6157b1498c9f97adaba175e3be1e60e9059a21
  File name: bs.dll (58,368 bytes)
- SHA256 hash: 043e5570299c6099756c1809c5632eabeab95ed3c1a55c86843c0ec218940e5a
  File name: sql.dll (522,752 bytes)
- SHA256 hash: d1d55f7ead8a07c8a085732a401757ab52dd23063a89c4386d9d65f9cd649fb3
  File name: zs.dll (913,920 bytes)