2017-01-19 - EITEST SUNDOWN EK FROM 93.190.143[.]82 SENDS CERBER RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-01-19-EITest-Sundown-EK-sends-Cerber-ransomware-2-pcaps.zip   1.2 MB (1,154,849 bytes)

• 2017-01-19-EITest-Sundown-EK-sends-Cerber-ransomware-1st-run.pcap   (661,866 bytes)
• 2017-01-19-EITest-Sundown-EK-sends-Cerber-ransomware-2nd-run.pcap   (851,017 bytes)

• 2017-01-19-EITest-Sundown-EK-artifacts-and-Cerber-ransomware.zip   1.0 MB (1,001,366 bytes)

• 2017-01-19-Cerber-ransomware_HELP_HELP_HELP_XT5XQY.hta   (75,787 bytes)
• 2017-01-19-Cerber-ransomware_HELP_HELP_HELP_XT5XQY.jpg   (238,406 bytes)
• 2017-01-19-EITest-Sundown-EK-1st-run-exploit-bvfhjgejhfrg.png   (52,131 bytes)
• 2017-01-19-EITest-Sundown-EK-1st-run-landing-page.txt   (79,238 bytes)
• 2017-01-19-EITest-Sundown-EK-1st-run-payload-Cerber-ransomware-rad74AD1.tmp.exe   (293,240 bytes)
• 2017-01-19-EITest-Sundown-EK-2nd-run-artifact-mfgrehy.tmp.txt   (1,279 bytes)
• 2017-01-19-EITest-Sundown-EK-2nd-run-landing-page.txt   (90,963 bytes)
• 2017-01-19-EITest-Sundown-EK-2nd-run-payload-Cerber-ransomware-rad5C6B2.tmp.exe   (245,169 bytes)
• 2017-01-19-EITest-Sundown-EK-2nd-run-artifact-zs3n.tmp.txt   (1,151 bytes)
• 2017-01-19-EITest-Sundown-EK-both-runs-artifact-OTTYUADAF.txt   (1,137 bytes)
• 2017-01-19-EITest-Sundown-EK-both-runs-Flash-exploit-1-of-3.swf   (14,088 bytes)
• 2017-01-19-EITest-Sundown-EK-both-runs-Flash-exploit-2-of-3.swf   (22,872 bytes)
• 2017-01-19-EITest-Sundown-EK-both-runs-Flash-exploit-3-of-3.swf   (45,026 bytes)
• 2017-01-19-page-from-activaclinics_com-with-injected-EITest-script-1st-run.txt   (59,194 bytes)
• 2017-01-19-page-from-activaclinics_com-with-injected-EITest-script-2nd-run.txt   (59,177 bytes)

BACKGROUND ON SUNDOWN EXPLOIT KIT:

• October 2016 Cisco Talos article:  Sundown EK: You Better Take Care.

BACKGROUND ON THE EITEST CAMPAIGN:

• My most recent write-up on the EITest campaign can be found here.

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script from the EITest campaign from the compromised site (1st run).

 

Shown above:  Pcap of the infection traffic filtered in Wireshark (1st run).

 

Shown above:  Injected script from the EITest campaign from the compromised site (2nd run).

 

Shown above:  Pcap of the infection traffic filtered in Wireshark (2nd run).

 

ASSOCIATED DOMAINS:

• activaclinics[.]com - Compromised site
• 93.190.143[.]82 port 80 - hco.huc[.]mobi - Sundown EK (sent landing page & exploits, 1st run)
• 93.190.143[.]82 port 80 - ak.hvf[.]mobi - Sundown EK (sent landing page & exploits, 2nd run)
• 93.190.143[.]82 port 80 - hxrheg.fve[.]mobi - Sundown EK (sent payload, both runs)

• 90.2.1[.]0 to 90.2.1[.]31 (90.2.1[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
• 90.3.1[.]0 to 90.3.1[.]31 (90.3.1[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
• 91.239.24[.]0 to 91.239.25[.]255 (91.239.24[.]0/23) UDP port 6892 - Cerber ransomware post-infection UDP traffic
• 162.220.244[.]29 port 80 - p27dokhpz2n7nvgr.1kja1j[.]top - HTTP post-infection traffic caused by Cerber ransomware

 

SUNDOWN EK URLS - 1ST RUN:

• 93.190.143[.]82 port 80 - hco.huc[.]mobi - GET /index.php?z3HbOH2_tdcCHS-bjw=uHq6NT6ghKcCHi3agvcY9VmN0Jc09RQ9-QaomVZiIwynksmzx7R3FjFM
• 93.190.143[.]82 port 80 - hco.huc[.]mobi - GET /7/?9643522803
• 93.190.143[.]82 port 80 - hco.huc[.]mobi - GET /7/?947545190441&id=265
• 93.190.143[.]82 port 80 - hco.huc[.]mobi - GET /7/?78493521
• 93.190.143[.]82 port 80 - hco.huc[.]mobi - GET /bvfhjgejhfrg.png
• 93.190.143[.]82 port 80 - hxrheg.fve[.]mobi - GET /@@@.php?id=265

SUNDOWN EK URLS - 2ND RUN:

• 93.190.143[.]82 port 80 - ak.hvf[.]mobi - GET /index.php?xibVAVqP2MFw=sim9N23z06AMTHyJ06tPoVmHg5Bh-RBq_gj6yVMydw3xksbhkrIjE2JP
• 93.190.143[.]82 port 80 - ak.hvf[.]mobi - GET /7/?9643522803
• 93.190.143[.]82 port 80 - ak.hvf[.]mobi - GET /7/?78493521
• 93.190.143[.]82 port 80 - ak.hvf[.]mobi - GET /7/?947545190441&id=265
• 93.190.143[.]82 port 80 - hxrheg.fve[.]mobi - GET /@@@.php?id=265
• 93.190.143[.]82 port 80 - hxrheg.fve[.]mobi - GET /@@@.php?id=265
• 93.190.143[.]82 port 80 - hxrheg.fve[.]mobi - GET /iU.php

 

FILE HASHES

FLASH EXPLOITS:

• SHA256 hash:  0744ba67c5f8210fcdcf4acb328df68780e96d10f2c68b8eddbb9a355bca213e   (14,088 bytes)
  File description:  Sundown EK Flash exploit seen on 2017-01-19 (1 of 3)

• SHA256 hash:  f4845a817b7b777972ceb292b62103b296a002577884b952e4726e419a7f1df6   (22,872 bytes)
  File description:  Sundown EK Flash exploit seen on 2017-01-19 (2 of 3)

• SHA256 hash:  67d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6   (45,026 bytes)
  File description:  Sundown EK Flash exploit seen on 2017-01-19 (3 of 3)

OTHER EXPLOIT:

• SHA256 hash:  e93f568ecd22e351cc3f0d8f8b3177fa7af812300cbb259a84b80013301a2601   (52,131 bytes)
  File description:  Sundown EK bvfhjgejhfrg.png exploit seen on 2017-01-19

PAYLOADS:

• SHA256 hash:  d600ab1baf24de2a907f24a4fe490f7214ea617fd86014517afac8bdab43237b   (29,3240 bytes)
  File path:  C:\Users\[username]\AppData\Local\Temp\rad74AD1.tmp.exe
  File description:  EITest payload from Sundown EK (Cerber ransomware) 1st run on 2017-01-19

• SHA256 hash:  2b37820da481ee06da08fdb539921394861237f503065edbad5e3d1fa20d13dc   (245,169 bytes)
  File path:  C:\Users\[username]\AppData\Local\Temp\rad5C6B2.tmp.exe
  File description:  EITest payload from Sundown EK (Cerber ransomware) 2nd run on 2017-01-19

 

IMAGES

Shown above:  Desktop of the infected Windows host.

 

Click here to return to the main page.