2019-03-16 - SPELEVO EK EXAMPLES

ASSOCIATED FILES:

  • 2019-03-16-Spelevo-EK-1st-run.pcap   (2,322,092 bytes)
  • 2019-03-16-Spelevo-EK-2nd-run.pcap   (2,313,412 bytes)
  • 2019-03-16-Spelevo-EK-3rd-run.pcap   (301,336 bytes)
  • 2019-03-16-Spelevo-EK-decoded-payload-retrieved-from-infected-host-all-3-runs.exe   (193,536 bytes)
  • 2019-03-16-Spelevo-EK-encoded-payload-sent-from-server-all-3-runs.bin   (197,894 bytes)
  • 2019-03-16-Spelevo-EK-flash-exploit-all-runs.swf   (22,863 bytes)
  • 2019-03-16-Spelevo-EK-iframe-for-Flash-exploit-1st-run.txt   (1,852 bytes)
  • 2019-03-16-Spelevo-EK-iframe-for-Flash-exploit-2nd-run.txt   (1,852 bytes)
  • 2019-03-16-Spelevo-EK-iframe-for-Flash-exploit-3rd-run.txt   (1,827 bytes)
  • 2019-03-16-Spelevo-EK-landing-page-1st-run.txt   (28,227 bytes)
  • 2019-03-16-Spelevo-EK-landing-page-2nd-run.txt   (28,227 bytes)
  • 2019-03-16-Spelevo-EK-landing-page-3rd-run.txt   (28,217 bytes)


WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:


TRAFFIC


[Image not included: Traffic from the 1st infection filtered in Wireshark.]


[Image not included: Traffic from the 2nd infection filtered in Wireshark.]


[Image not included: Traffic from the 3rd infection filtered in Wireshark.]

1ST INFECTION RUN ON 2019-03-16 AT 23:19 UTC:


2ND INFECTION RUN ON 2019-03-16 AT 23:58 UTC:


3RD INFECTION RUN ON 2019-03-17 AT 00:19 UTC:


FILE HASHES

SPELEVO EK FLASH EXPLOIT:

SPELEVO EK PAYLOAD EXE:


IMAGES


[Image not included: Decoded EXE from the infected Windows host, caused by Spelevo EK.]


[Image not included: Notification seen during the infection.]


[Image not included: Payload EXE persistent on the infected Windows host.]


[Image not included: More info on the payload EXE.]


[Image not included: Scheduled task to keep the payload EXE persistent.]

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
