2017-04-05 - TERROR EK SENDS ANDROMEDA

ASSOCIATED FILES:

  • 2017-04-05-Terror-EK-sends-Andromeda-1st-run.pcap   (258,216 bytes)
  • 2017-04-05-Terror-EK-sends-Andromeda-2nd-run.pcap   (572,869 bytes)
  • 2017-04-04-Terror-EK-landing-page.txt   (5,790 bytes)
  • 2017-04-04-Terror-EK-more-HTML-part-1-of-3.txt   (20,108 bytes)
  • 2017-04-04-Terror-EK-more-HTML-part-2-of-3.txt   (3,833 bytes)
  • 2017-04-04-Terror-EK-more-HTML-part-3-of-3.txt   (1,195 bytes)
  • 2017-04-04-Terror-EK-payload-0x7vjvgc.exe   (103,421 bytes)
  • 2017-04-04-Terror-EK-payload-radEE66C.tmp.exe   (103,421 bytes)
  • 2017-04-05-Terror-EK-artifact-mxl3sfDs.tmp.txt   (1,279 bytes)
  • 2017-04-05-Terror-EK-artifact-zs3n.tmp.txt   (1,151 bytes)
  • 2017-04-05-file-from-compromised-site-leads-to-old-Terror-EK-landing-page-URL-custom.js.txt   (560 bytes)
  • Dendrite   (41,137 bytes)
  • KB00292189.exe   (284,160 bytes)
  • salsify.dll   (45,056 bytes)

NOTES:

 


Shown above:  Flow chart for the infection traffic.

 

TRAFFIC


Shown above:  Traffic from the 1st run filtered in Wireshark.

 


Shown above:  Traffic from the 2nd run filtered in Wireshark.

 

ASSOCIATED DOMAINS:

 

MALWARE AND ARTIFACTS

ARTIFACTS FROM THE INFECTED WINDOWS HOST:

WINDOWS REGISTRY ENTRIES CREATED FOR PERSISTENCE:

OTHER EXAMPLES OF THE EK PAYLOAD PERSISTENT ON AN INFECTED HOST:

MALWARE FROM THE INFECTED HOST:

 

IMAGES


Shown above:  Some alerts on the 1st run pcap from the Emerging Threats Pro (ETPRO) ruleset using Sguil on Security Onion.

 


Shown above:  Entries in the Windows registry making the EK payload persistent after a reboot.
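A quick way to check for this kind of persistence on a suspect host is to enumerate the usual autostart registry keys and flag any value whose executable lives in a user-writable location. The script below is an added example, not part of the original post or the sample's own behaviour; it assumes nothing about this specific payload and should be compared against a clean baseline of the same image.

```powershell
# Added example (not from the original post): list Run/RunOnce autostart values
# and flag executables sitting in user-writable directories, where EK payloads
# commonly persist. Compare the output against a clean baseline of the same build.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Directories a dropper can write to without elevation; an autostart entry
# pointing here is not proof of infection, but it is where to look first.
$Suspicious = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:USERPROFILE) |
    Where-Object { $_ } | ForEach-Object { $_.ToLower() }

function Get-AutorunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            if ($name -eq '') { continue }   # skip the (Default) value

            # Read the raw value so %AppData%-style references are visible,
            # then expand it ourselves to locate the file on disk.
            $cmd      = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $expanded = [Environment]::ExpandEnvironmentVariables([string]$cmd)

            # Pull the executable path out of the command line, quoted or not.
            $exe = if ($expanded -match '^\s*"([^"]+)"') { $Matches[1] }
                   elseif ($expanded -match '^\s*(\S+)') { $Matches[1] }
                   else { '' }

            $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe -PathType Leaf)
            $hash   = if ($exists) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { $null }
            $flag   = ($Suspicious | Where-Object { $exe.ToLower().StartsWith($_) }).Count -gt 0

            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Command    = $cmd
                Executable = $exe
                Exists     = $exists
                SHA256     = $hash
                Suspicious = $flag
            }
        }
    }
}

Get-AutorunEntries |
    Sort-Object Suspicious -Descending |
    Format-Table Key, Name, Executable, Exists, Suspicious, SHA256 -AutoSize
```

The SHA256 column lets you tie a flagged autostart entry back to the dropped sample without copying the file off the host first; a value whose executable no longer exists on disk is also worth noting, since a dropper that cleans up after itself will leave exactly that trace.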

 


Shown above:  Want a quick way to see what traffic is generated to a domain that doesn't resolve in DNS?  Edit the Windows hosts file at
C:\Windows\System32\drivers\etc\hosts (this needs an elevated editor) to resolve the domain to an IP address you control, such as a lab host running a listener, then flush the resolver cache (ipconfig /flushdns) so a cached negative answer doesn't shadow the new entry.  The malware's post-infection traffic to that domain can then be captured on the wire.
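The hosts-file trick above, scripted so it can be applied and cleanly removed between runs. This is an added example, not something from the original post: the listener address 10.0.0.5 and the domain name are placeholders to be replaced with your lab sinkhole and the domains taken from the pcap. It must run from an elevated prompt, and endpoint protection on the analysis host may flag hosts-file edits.

```powershell
# Added example (not from the original post): map non-resolving malware domains
# to a lab listener via the hosts file, verify the mapping, and undo it with -Remove.
# Assumed values: 10.0.0.5 is the lab sinkhole; the domain below is a placeholder.
#Requires -RunAsAdministrator

param(
    [string[]]$Domains    = @('malware-domain.invalid'),   # placeholder, not from the post
    [string]  $SinkholeIP = '10.0.0.5',                    # lab listener (assumed)
    [switch]  $Remove
)

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Tag       = '# lab-sinkhole'   # marker so only our lines are touched on removal

# Keep a copy of the file before editing it.
Copy-Item -LiteralPath $HostsPath -Destination "$HostsPath.bak" -Force

# Drop any lines we added previously; re-add them unless -Remove was given.
$lines = @(Get-Content -LiteralPath $HostsPath | Where-Object { $_ -notmatch [regex]::Escape($Tag) })
if (-not $Remove) {
    foreach ($d in $Domains) { $lines += "$SinkholeIP`t$d`t$Tag" }
}
Set-Content -LiteralPath $HostsPath -Value $lines -Encoding ASCII

# The DNS Client service caches negative answers (NXDOMAIN); clear them so the
# hosts entry is used immediately instead of a stale "no such name".
Clear-DnsClientCache

# Verify: Resolve-DnsName consults the hosts file, so each domain should now
# answer with the sinkhole address (or fail again after -Remove).
foreach ($d in $Domains) {
    $r = Resolve-DnsName -Name $d -Type A -ErrorAction SilentlyContinue
    if ($Remove) {
        if ($r) { Write-Warning "$d still resolves to $($r.IPAddress -join ', ')" }
        else    { Write-Host "$d no longer resolves (entry removed)" }
    }
    elseif ($r -and ($r.IPAddress -contains $SinkholeIP)) {
        Write-Host "$d -> $SinkholeIP (hosts entry active)"
    }
    else {
        Write-Warning "$d did not resolve to $SinkholeIP; check the hosts file and cache"
    }
}
```

Run it once before detonating the sample and again with -Remove afterwards so the next run starts from a clean resolver state; pairing it with a packet capture on the sinkhole host shows the full request the malware would have sent, including any HTTP path and headers that the DNS failure alone hides.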

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
