2016-12-28 - SUNDOWN EK DATA DUMP

ASSOCIATED FILES:

  • 2016-12-28-1st-run-Sundown-EK-sends-Chthonic.pcap   (1,595,517 bytes)
  • 2016-12-28-2nd-run-Sundown-EK-sends-Terdot.A-Zloader.pcap   (218,621 bytes)
  • 2016-12-28-3rd-run-Sundown-EK-sends-Terdot.A-Zloader.pcap   (449,975 bytes)
  • 2016-12-28-4th-run-Sundown-EK-sends-Terdot.A-Zloader.pcap   (972,836 bytes)
  • 2016-12-28-Sundown-EK-artifact-Inj6sFosp.txt   (1,170 bytes)
  • 2016-12-28-Sundown-EK-artifact-OTTYUADAF.txt   (1,137 bytes)
  • 2016-12-28-Sundown-EK-exploit-fvdvsdfv.png   (52,674 bytes)
  • 2016-12-28-Sundown-EK-flash-exploit-208.swf   (29,406 bytes)
  • 2016-12-28-Sundown-EK-flash-exploit-225.swf   (29,707 bytes)
  • 2016-12-28-Sundown-EK-flash-exploit-542.swf   (45,026 bytes)
  • 2016-12-28-Sundown-EK-flash-exploit-5421.swf   (14,088 bytes)
  • 2016-12-28-Sundown-EK-landing-page-example-1-of-2.txt   (72,224 bytes)
  • 2016-12-28-Sundown-EK-landing-page-example-2-of-2.txt   (35,412 bytes)
  • 2016-12-28-Sundown-EK-payload-Chthonic-banking-Trojan.exe   (159,744 bytes)
  • 2016-12-28-Sundown-EK-payload-Terdot.A-Zloader.exe   (273,920 bytes)
  • 2016-12-28-followup-malware-downloaded-by-Terdot.A-Zloader.exe   (312,320 bytes)

BACKGROUND ON SUNDOWN EXPLOIT KIT:

OTHER NOTES:

TRAFFIC


Shown above: Pcap from the 1st infection filtered in Wireshark

Shown above: Pcap from the 2nd infection filtered in Wireshark

Shown above: Pcap from the 3rd infection filtered in Wireshark

Shown above: Pcap from the 4th infection filtered in Wireshark

SUNDOWN EK LANDING PAGE URLS:

SUNDOWN EK EXPLOIT FILE URLS:

SUNDOWN EK PAYLOAD URLS:

POST INFECTION TRAFFIC:

FILE HASHES

EXPLOITS:

PAYLOADS AND FOLLOW-UP MALWARE:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.