2016-12-30 - EK DATA DUMP (RIG-E, RIG-V, AND SUNDOWN EK)

ASSOCIATED FILES:

  • 2016-12-30-EITest-Rig-E-sends-Chthonicp-banking-Trojan.pcap   (1,022,653 bytes)
  • 2016-12-30-Sundown-EK-1st-run-sends-Terdot.A-Zloader.pcap   (488,504 bytes)
  • 2016-12-30-Sundown-EK-2nd-run-failed-payload.pcap   (178,428 bytes)
  • 2016-12-30-psuedoDarkleech-Rig-V-sends-Cerber-ransomware.pcap   (1,253,973 bytes)
  • 2016-12-30-Cerber-decryption-instructions_82CQLO_README_.hta   (67,423 bytes)
  • 2016-12-30-Cerber-decryption-instructions_82CQLO_README_.jpg   (238,214 bytes)
  • 2016-12-30-EITest-Rig-E-artifact-OTTYUADAF.txt   (1,137 bytes)
  • 2016-12-30-EITest-Rig-E-flash-exploit.swf   (13,700 bytes)
  • 2016-12-30-EITest-Rig-E-landing-page.txt   (85,336 bytes)
  • 2016-12-30-EITest-Rig-E-payload-Chthonic.exe   (159,744 bytes)
  • 2016-12-30-Sundown-EK-1st-run-payload-Terdot.A-Zloader.exe   (273,920 bytes)
  • 2016-12-30-Sundown-EK-2nd-run-Flash-exploit-225.swf   (29,707 bytes)
  • 2016-12-30-Sundown-EK-2nd-run-Flash-exploit-542.swf   (45,026 bytes)
  • 2016-12-30-Sundown-EK-2nd-run-exploit-fvdvsdfv.png   (52,674 bytes)
  • 2016-12-30-Sundown-EK-landing-page-both-runs.txt   (72,224 bytes)
  • 2016-12-30-page-from-activaclinics.com-with-injected-EITest-script.txt   (59,273 bytes)
  • 2016-12-30-page-from-joellipman.com-with-injected-pseudoDarkleech-script.txt   (67,423 bytes)
  • 2016-12-30-pseudoDarkleech-Rig-V-artifact-OTTYUADAF.txt   (1,137 bytes)
  • 2016-12-30-pseudoDarkleech-Rig-V-flash-exploit.swf   (12,681 bytes)
  • 2016-12-30-pseudoDarkleech-Rig-V-landing-page.txt   (5,191 bytes)
  • 2016-12-30-pseudoDarkleech-Rig-V-payload-Cerber.exe   (298,648 bytes)


TRAFFIC


Shown above:  Pcap from the 1st infection filtered in Wireshark


Shown above:  Pcap from the 2nd infection filtered in Wireshark


Shown above:  Pcap from the 3rd infection filtered in Wireshark


Shown above:  Pcap from the 4th infection filtered in Wireshark


ASSOCIATED DOMAINS:


FILE HASHES

EXPLOITS:


PAYLOADS:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
