2017-03-07 - SUNDOWN EK

ASSOCIATED FILES:

  • 2017-03-07-Sundown-EK.pcap   (431,448 bytes)
  • 2017-03-07-Sundown-EK-artifact-mxl3sfDs.tmp.txt   (1,279 bytes)
  • 2017-03-07-Sundown-EK-flash-exploit-1-of-2.swf   (49,754 bytes)
  • 2017-03-07-Sundown-EK-flash-exploit-2-of-2.swf   (22,693 bytes)
  • 2017-03-07-Sundown-EK-landing-page.txt   (58,051 bytes)
  • 2017-03-07-Sundown-EK-payload-bqekbms2.exe   (310,304 bytes)

NOTES:

[Image: Wireshark view of the infection traffic]

Shown above:  Traffic from the infection filtered in Wireshark.

ASSOCIATED DOMAINS AND URLS:

  • 66.11.117.44 port 80 - dns.cheapghost.pw - GET /   [gate leading to Sundown EK]
  • 217.23.15.183 port 80 - gly.ytlzz.xyz - GET /index.php?[long string]   [Sundown EK landing page]
  • 217.23.15.183 port 80 - gly.ytlzz.xyz - GET /0E2/?9643522803
  • 217.23.15.183 port 80 - gly.ytlzz.xyz - GET /0E2/?947545190441
  • 217.23.15.195 port 80 - fbm.ytlyt.xyz - GET /d.php   [Sundown EK payload]

 

FILE HASHES:

SUNDOWN EK FLASH EXPLOIT (1 OF 2):

SUNDOWN EK FLASH EXPLOIT (2 OF 2):

SUNDOWN EK PAYLOAD:

FINAL NOTES:

Once again, the associated files are those listed at the top of this page.

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
