2016-05-31 - KAIXIN EK FROM 98.126.83.188 AND 98.126.83.189

ASSOCIATED FILES:

  • 2016-05-28-KaiXin-EK-traffic-from-threatglass.pcap   (151,529 bytes)
  • 2016-05-31-KaiXin-EK-traffic-first-run.pcap   (117,518 bytes)
  • 2016-05-31-KaiXin-EK-traffic-second-run.pcap   (178,552 bytes)
  • 2016-05-31-KaiXin-EK-traffic-third-run.pcap   (136,213 bytes)
  • 2016-05-28-and-31-KaiXin-EK-flash-exploit.swf   (10,879 bytes)
  • 2016-05-28-and-31-KaiXin-EK-malware-payload.exe   (56,064 bytes)
  • 2016-05-31-KaiXin-EK-flash-exploit-2.swf   (30,337 bytes)
  • 2016-05-31-KaiXin-EK-flash-exploit-3.swf   (12,401 bytes)

NOTES:

TRAFFIC


Shown above:  Traffic carved from the 2016-05-28 Threatglass pcap filtered in Wireshark.


Shown above:  Traffic from the 2016-05-31 first run (no infection) filtered in Wireshark.


Shown above:  Traffic from the 2016-05-31 second run (infection) filtered in Wireshark.


Shown above:  Traffic from the 2016-05-31 third run (no infection) filtered in Wireshark.

ASSOCIATED DOMAINS:

IMAGES


Shown above:  Alerts from Sguil in Security Onion using Suricata and the ETPRO ruleset.

Shown above:  Alerts using Snort 2.9.8.2 and Snort subscriber ruleset when playing back the same pcap.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.