2016-12-08 - SUNDOWN EK FROM 193.70.64.80 AND 193.70.64.91

ASSOCIATED FILES:

  • 2016-12-08-Sundown-EK-first-run.pcap   (1,455,096 bytes)
  • 2016-12-08-Sundown-EK-second-run.pcap   (1,897,472 bytes)
  • 2016-12-08-Sundown-EK-landing-page.txt   (119,802 bytes)
  • 2016-12-08-Sundown-EK-payload.exe   (129,850 bytes)
  • bs.dll   (58,368 bytes)
  • sql.dll   (522,752 bytes)
  • zs.dll   (913,920 bytes)

NOTES:


Shown above:  Ad traffic chain that led to Sundown EK.

 

TRAFFIC


Shown above:  Traffic from the first run filtered in Wireshark.


Shown above:  Traffic from the second run filtered in Wireshark.
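To reproduce the filtered view without Wireshark, the following script (added here as an example; it is not part of the original post) walks a classic libpcap file and prints every HTTP request line and Host header sent to the two Sundown EK servers named in the title. The embedded pcap is constructed inline for the example, and the hostnames and ad-server IP in it are placeholders, not indicators from the capture.

```python
import struct
from typing import Iterator, List, Optional, Tuple

# The only indicators the post text carries: the two EK server IPs from the title.
SUNDOWN_EK_IPS = {"193.70.64.80", "193.70.64.91"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")


def iter_pcap_frames(data: bytes) -> Iterator[bytes]:
    """Yield raw Ethernet frames from a classic libpcap file (pcapng is not handled)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:  # DLT_EN10MB
        raise ValueError("only Ethernet link type is supported")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame: bytes) -> Optional[Tuple[str, str, int, bytes]]:
    """Return (src_ip, dst_ip, dst_port, tcp_payload) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 6:  # protocol field: 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    dport = struct.unpack("!H", tcp[2:4])[0]
    doff = (tcp[12] >> 4) * 4
    return src, dst, dport, tcp[doff:]


def extract_http_requests(pcap: bytes, servers=SUNDOWN_EK_IPS) -> List[Tuple[str, str, str]]:
    """Return (dst_ip, Host header, request line) for HTTP requests sent to `servers`.

    Only the segment that carries the start of the request is examined; there is
    no TCP reassembly, which is enough for request lines in a capture like this.
    """
    found = []
    for frame in iter_pcap_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        _, dst, _, payload = parsed
        if dst not in servers or not payload.startswith(HTTP_METHODS):
            continue
        head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        lines = head.split("\r\n")
        host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                     if l.lower().startswith("host:")), "")
        found.append((dst, host, lines[0]))
    return found


# --- constructed sample capture (assumption: not data from the real pcaps) ---
def _ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_frame(src: str, dst: str, dport: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame with no options and zeroed checksums."""
    eth = b"\x00" * 12 + b"\x08\x00"
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                        _ip_bytes(src), _ip_bytes(dst))
    tcphdr = struct.pack("!HHIIBBHHH", 49152, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + iphdr + tcphdr + payload


def build_pcap(frames) -> bytes:
    """Wrap frames in a little-endian libpcap file with Ethernet link type."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + body


SAMPLE_PCAP = build_pcap([
    # placeholder ad-server request; not one of the EK IPs, so it must be ignored
    build_frame("10.0.0.5", "203.0.113.10", 80, b"GET /ad.js HTTP/1.1\r\nHost: ads.example\r\n\r\n"),
    # placeholder landing page and payload requests to the EK servers from the title
    build_frame("10.0.0.5", "193.70.64.80", 80, b"GET /index.php?x=1 HTTP/1.1\r\nHost: landing.example\r\n\r\n"),
    build_frame("10.0.0.5", "193.70.64.91", 80, b"GET /payload HTTP/1.1\r\nHost: payload.example\r\n\r\n"),
    # continuation segment with no request line; must not be reported
    build_frame("10.0.0.5", "193.70.64.91", 80, b"\x4d\x5a\x90\x00"),
])


def sample_requests() -> List[Tuple[str, str, str]]:
    return extract_http_requests(SAMPLE_PCAP)


if __name__ == "__main__":
    for dst, host, line in sample_requests():
        print(f"{dst:<14} {host:<20} {line}")
```

To run it against the real capture, replace SAMPLE_PCAP with the contents of 2016-12-08-Sundown-EK-first-run.pcap (or the second run) read in binary mode; the output corresponds to the request rows shown in the Wireshark screenshots above.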

ASSOCIATED DOMAINS:

 

FILE HASHES

SUNDOWN EK PAYLOAD:

FOLLOW-UP DOWNLOADS:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
