2017-01-06 - SUNDOWN EK FROM 188.165.163.226 AND 93.190.143.201
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-01-06-Sundown-EK-sends-Terdot.A-Zloader.pcap.zip 763 kB (763,107 bytes)
- 2017-01-06-Sundown-EK-sends-Terdot.A-Zloader.pcap (978,479 bytes)
- ZIP archive of the malware: 2017-01-06-Sundown-EK-malware-and-artifacts.zip 321 kB (320,772 bytes)
- 2017-01-06-Sundown-EK-fash-exploit-78493521.swf (45,026 bytes)
- 2017-01-06-Sundown-EK-fash-exploit-9643522803.swf (14,088 bytes)
- 2017-01-06-Sundown-EK-landing-page.txt (73,418 bytes)
- 2017-01-06-Sundown-EK-payload-Terdot.A-Zloader.exe (244,224 bytes)
- 2017-01-06-run-Sundown-EK-other-exploit-JHgfjhc.png (52,591 bytes)
BACKGROUND ON SUNDOWN EXPLOIT KIT:
- Nick Biasini from Cisco's Talos threat intelligence team, wrote about Sundown EK in this October 2016 article: Sundown EK: You Better Take Care.
- A more recent article on Sundown EK is from TrendLabs Security Intelligence Blog in December 2016: Updated Sundown Exploit Kit Uses Steganography
OTHER NOTES:
- The URL patterns for Sundown EK changed starting 2017-01-05 to what I'm showing for today.
TRAFFIC
Shown above: Pcap from the infection traffic filtered in Wireshark
SUNDOWN EK:
- 188.165.163.226 port 80 - eud.3204.mobi - GET /index.php?9W7EBUOp191ha3GjlA=4y23ZDynh_NRHnyN0aRE9FnWh5o0_xI-rVWoyQUxcwvxksnowbciR2Mb
- 188.165.163.226 port 80 - eud.3204.mobi - GET /JHgfjhc.png
- 188.165.163.226 port 80 - eud.3204.mobi - GET /7/?9643522803
- 188.165.163.226 port 80 - eud.3204.mobi - GET /7/?947545190441&id=225
- 188.165.163.226 port 80 - eud.3204.mobi - GET /7/?78493521
- 93.190.143.201 port 80 - eho.1146.mobi - GET /z.php?id=225
- 93.190.143.201 port 80 - eho.1146.mobi - GET /43526876827345687356872456.php?id=225
- 93.190.143.201 port 80 - eho.1146.mobi - GET /z.php?id=225
POST INFECTION TRAFFIC:
- 54.210.141.161 port 80 - overtgrill.su - POST /FE8hVs3/gs98h.php
- 35.167.23.188 port 80 - overtgrill.su - POST /FE8hVs3/gs98h.php
- checkip.dyndns.org - GET /
FILE HASHES
EXPLOITS:
- SHA256 hash: 0744ba67c5f8210fcdcf4acb328df68780e96d10f2c68b8eddbb9a355bca213e
File description: Sundown EK Flash exploit returned after GET /7/?9643522803
File size: 14,088 bytes
- SHA256 hash: 67d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6
File description: Sundown EK Flash exploit returned after GET /7/?78493521
File size: 45,026 bytes
- SHA256 hash: 49cb62e64ce93a825e5fb9b20dc2407a0d943d5c49fa06a464b76c0f04efcc94
File description: Sundown EK exploit returned after GET /JHgfjhc.png
File size: 52,591 bytes
PAYLOADS AND FOLLOW-UP MALWARE:
- SHA256 hash: 05b96b412347a1383d7add644b2bc29142ec79df581655ffca4731dbde742d40
File description: Terdot.A/Zloader sent as Sundown EK payload
File size: 244,224 bytes
File path: C:\Users\[username]\AppData\Local\Temp\rad0B36A.tmp.exe
File path: C:\Users\[username]\AppData\Local\Temp\rad5EFE3.tmp.exe
File path: C:\Users\[username]\AppData\Local\Temp\radB325B.tmp.exe
File path: C:\Users\[username]\AppData\Local\Temp\rgh.exe
File path: C:\Users\[username]\AppData\Local\Temp\sf.exe
File path: C:\Users\[username]\AppData\Local\Temp\yrre.exe
File path: C:\Users\[username]\AppData\Local\Temp\z.tmp
IMAGES
NOTE: For the folders and most of the files shown below, the names are randomized, so if you infected a Windows host with the same malware sample, you won't have the same folder or file names (except for php.exe and php5ts.dll).
Shown above: Some of the folders created on the infected Windows host.
Shown above: Contents of C:\Users\[username]\AppData\Roaming\Advui
Shown above: Contents of C:\Users\[username]\AppData\Roaming\Nueqma
Shown above: Contents of C:\Users\[username]\AppData\Roaming\Qiid
Shown above: Contents of C:\Users\[username]\AppData\Roaming\Urhiwy
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-01-06-Sundown-EK-sends-Terdot.A-Zloader.pcap.zip 763 kB (763,107 bytes)
- ZIP archive of the malware: 2017-01-06-Sundown-EK-malware-and-artifacts.zip 321 kB (320,772 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.