2017-01-06 - SUNDOWN EK FROM 188.165.163[.]226 AND 93.190.143[.]201
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-01-06-Sundown-EK-sends-Zloader.pcap.zip 763.1 kB (763,089 bytes)
- 2017-01-06-Sundown-EK-sends-Zloader.pcap (978,479 bytes)
- 2017-01-06-Sundown-EK-artifacts-and-ZLoader.zip 321.4 kB (321,410 bytes)
- 2017-01-06-Sundown-EK-fash-exploit-78493521.swf (45,026 bytes)
- 2017-01-06-Sundown-EK-fash-exploit-9643522803.swf (14,088 bytes)
- 2017-01-06-Sundown-EK-landing-page.txt (73,418 bytes)
- 2017-01-06-Sundown-EK-payload-Zloader.exe (244,224 bytes)
- 2017-01-06-run-Sundown-EK-other-exploit-JHgfjhc.png (52,591 bytes)
BACKGROUND ON SUNDOWN EXPLOIT KIT:
- Nick Biasini from Cisco's Talos threat intelligence team, wrote about Sundown EK in this October 2016 article: Sundown EK: You Better Take Care.
OTHER NOTES:
- The URL patterns for Sundown EK changed starting 2017-01-05 to what I'm showing for today.
TRAFFIC
Shown above: Pcap from the infection traffic filtered in Wireshark
SUNDOWN EK:
- 188.165.163[.]226 port 80 - eud.3204[.]mobi - GET /index.php?9W7EBUOp191ha3GjlA=4y23ZDynh_NRHnyN0aRE9FnWh5o0_xI-rVWoyQUxcwvxksnowbciR2Mb
- 188.165.163[.]226 port 80 - eud.3204[.]mobi - GET /JHgfjhc.png
- 188.165.163[.]226 port 80 - eud.3204[.]mobi - GET /7/?9643522803
- 188.165.163[.]226 port 80 - eud.3204[.]mobi - GET /7/?947545190441&id=225
- 188.165.163[.]226 port 80 - eud.3204[.]mobi - GET /7/?78493521
- 93.190.143[.]201 port 80 - eho.1146[.]mobi - GET /z.php?id=225
- 93.190.143[.]201 port 80 - eho.1146[.]mobi - GET /43526876827345687356872456.php?id=225
- 93.190.143[.]201 port 80 - eho.1146[.]mobi - GET /z.php?id=225
POST INFECTION TRAFFIC:
- 54.210.141[.]161 port 80 - overtgrill[.]su - POST /FE8hVs3/gs98h.php
- 35.167.23[.]188 port 80 - overtgrill[.]su - POST /FE8hVs3/gs98h.php
- checkip.dyndns[.]org - GET /
FILE HASHES
EXPLOITS:
- SHA256 hash: 0744ba67c5f8210fcdcf4acb328df68780e96d10f2c68b8eddbb9a355bca213e
File description: Sundown EK Flash exploit returned after GET /7/?9643522803
File size: 14,088 bytes
- SHA256 hash: 67d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6
File description: Sundown EK Flash exploit returned after GET /7/?78493521
File size: 45,026 bytes
- SHA256 hash: 49cb62e64ce93a825e5fb9b20dc2407a0d943d5c49fa06a464b76c0f04efcc94
File description: Sundown EK exploit returned after GET /JHgfjhc.png
File size: 52,591 bytes
PAYLOADS AND FOLLOW-UP MALWARE:
- SHA256 hash: 05b96b412347a1383d7add644b2bc29142ec79df581655ffca4731dbde742d40
File description: Zloader (Terdot.A) sent as Sundown EK payload
File size: 244,224 bytes
File path: C:\Users\[username]\AppData\Local\Temp\rad0B36A.tmp.exe
File path: C:\Users\[username]\AppData\Local\Temp\rad5EFE3.tmp.exe
File path: C:\Users\[username]\AppData\Local\Temp\radB325B.tmp.exe
File path: C:\Users\[username]\AppData\Local\Temp\rgh.exe
File path: C:\Users\[username]\AppData\Local\Temp\sf.exe
File path: C:\Users\[username]\AppData\Local\Temp\yrre.exe
File path: C:\Users\[username]\AppData\Local\Temp\z.tmp
IMAGES
NOTE: For the folders and most of the files shown below, the names are randomized, so if you infected a Windows host with the same malware sample, you won't have the same folder or file names (except for php.exe and php5ts.dll).
Shown above: Some of the folders created on the infected Windows host.
Shown above: Contents of C:\Users\[username]\AppData\Roaming\Advui
Shown above: Contents of C:\Users\[username]\AppData\Roaming\Nueqma
Shown above: Contents of C:\Users\[username]\AppData\Roaming\Qiid
Shown above: Contents of C:\Users\[username]\AppData\Roaming\Urhiwy
Click here to return to the main page.