2017-10-17 - TERROR EK SENDS SMOKE LOADER, SMOKE LOADER SENDS MORE MALWARE

ASSOCIATED FILES:

  • 2017-10-17-Terror-EK-example.pcap   (354,352 bytes)
  • 2017-10-17-post-infection-traffic-from-Terror-EK-payload.pcap   (3,870,836 bytes)
  • 2017-10-17-AppData-Local-Temp-3458.tmp.exe   (205,144 bytes)
  • 2017-10-17-AppData-Local-Temp-4A97.tmp.exe   (471,515 bytes)
  • 2017-10-17-AppData-Local-Temp-65A7.tmp.exe   (631,472 bytes)
  • 2017-10-17-AppData-Local-Temp-8C4A.tmp.dll   (517,632 bytes)
  • 2017-10-17-AppData-Local-Temp-C14F.tmp.exe   (791,280 bytes)
  • 2017-10-17-Terror-EK-HTML-for-CVE-2015-5119.txt   (4,964 bytes)
  • 2017-10-17-Terror-EK-artifact-o32.tmp.txt   (1,141 bytes)
  • 2017-10-17-Terror-EK-flash-exploit-1-of-2.swf   (44,396 bytes)
  • 2017-10-17-Terror-EK-flash-exploit-2-of-2.swf   (17,662 bytes)
  • 2017-10-17-Terror-EK-landing-page.txt   (111,371 bytes)
  • 2017-10-17-Terror-EK-payload-Smoke-Loader.exe   (117,711 bytes)

NOTES:

 

TRAFFIC


Shown above:  Traffic from the original infection filtered in Wireshark.

 


Shown above:  Post-infection traffic filtered in Wireshark (1 of 2).

 


Shown above:  Post-infection traffic filtered in Wireshark (2 of 2).

 


Shown above:  Post-infection traffic to hellobro.bit returning more malware.
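The hellobro.bit traffic shown above deserves a note for detection purposes: .bit is a Namecoin top-level domain that the public DNS root does not serve, so on a network using ordinary resolvers a query for any .bit name is itself a usable indicator, independent of the specific host. As an added example (not code from the original post), the following script walks a libpcap file using only the Python standard library, pulls out DNS query names and HTTP Host headers, and flags .bit lookups. It assumes Ethernet-framed IPv4 (link type 1) with no VLAN tags and uncompressed question names, and it runs against a small capture constructed inline rather than against the shared pcaps.

```python
"""Triage helper: pull DNS query names and HTTP Host headers out of a libpcap
file and flag lookups for Namecoin ".bit" names, which the public DNS root does
not serve.  Added example, not code from the original post.  Assumes
Ethernet-framed IPv4 (link type 1), no VLAN tags, uncompressed question names.
SAMPLE_PCAP is constructed below; it is not taken from the shared captures."""
import struct
from typing import Dict, Iterator, List

LINKTYPE_ETHERNET = 1
NAMECOIN_TLDS = (".bit",)


def iter_pcap_frames(data: bytes) -> Iterator[bytes]:
    """Yield raw link-layer frames from a libpcap blob (either byte order)."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_dns_qname(dns: bytes, off: int) -> str:
    """Decode the uncompressed DNS name that starts at dns[off]."""
    labels = []
    while off < len(dns) and dns[off] != 0:
        length = dns[off]
        if length & 0xC0:  # compression pointer; not valid in a question name
            raise ValueError("compressed name in question section")
        labels.append(dns[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length
    return ".".join(labels)


def extract_indicators(pcap: bytes) -> Dict[str, List[str]]:
    """Return DNS query names and HTTP request Host headers, in capture order."""
    out: Dict[str, List[str]] = {"dns": [], "http_hosts": []}
    for frame in iter_pcap_frames(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        l4 = 14 + (frame[14] & 0x0F) * 4  # Ethernet header + IPv4 header incl. options
        proto = frame[23]
        if proto == 17 and frame[l4 + 2:l4 + 4] == b"\x00\x35":  # UDP to port 53
            dns = frame[l4 + 8:]
            if len(dns) > 12 and dns[4:6] != b"\x00\x00":  # QDCOUNT > 0
                out["dns"].append(parse_dns_qname(dns, 12))
        elif proto == 6 and len(frame) >= l4 + 20:  # TCP
            body = frame[l4 + (frame[l4 + 12] >> 4) * 4:]  # skip TCP header + options
            if body[:4] in (b"GET ", b"POST"):
                for line in body.split(b"\r\n")[1:]:
                    if line.lower().startswith(b"host:"):
                        out["http_hosts"].append(line[5:].strip().decode("ascii", "replace"))
                        break
    return out


def namecoin_lookups(names: List[str]) -> List[str]:
    """Names under a Namecoin TLD; a stock resolver cannot answer these, so the
    query itself is the indicator."""
    return [n for n in names if n.lower().endswith(NAMECOIN_TLDS)]


# Constructed sample capture (not from the shared pcaps): a .bit lookup, a benign
# lookup, and an HTTP GET to the .bit host.
def _ipv4_frame(proto: int, payload: bytes) -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload  # zero MACs, EtherType IPv4


def _dns_query(qname: str) -> bytes:
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + q + struct.pack("!HH", 1, 1)
    return _ipv4_frame(17, struct.pack("!HHHH", 50000, 53, 8 + len(dns), 0) + dns)


def _http_get(host: str) -> bytes:
    http = b"GET /index.php HTTP/1.1\r\nHost: " + host.encode() + b"\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 50001, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return _ipv4_frame(6, tcp + http)


def build_pcap(frames: List[bytes]) -> bytes:
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                          for i, f in enumerate(frames))


SAMPLE_PCAP = build_pcap([_dns_query("hellobro.bit"), _dns_query("www.example.com"),
                          _http_get("hellobro.bit")])
```

To run it against a real capture, read the file into bytes and pass it to extract_indicators(); namecoin_lookups() on the "dns" list then gives the .bit queries. The parser deliberately stops at libpcap and Ethernet/IPv4; VLAN-tagged frames, pcapng files and IPv6 are rejected or skipped rather than misparsed, so check the raised errors before trusting an empty result.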

 


Shown above:  Post-infection traffic caused by DarkVNC malware.

 


Shown above:  Post-infection traffic caused by CoinMiner malware.

 

TERROR EK-RELATED TRAFFIC:

POST-INFECTION TRAFFIC:

LEGITIMATE DOMAINS SEEN DURING POST-INFECTION TRAFFIC:

 

FILE HASHES

MALWARE FROM TERROR EK INFECTION:

POST-INFECTION MALWARE:

 

IMAGES


Shown above:  Alerts on Terror EK activity from the Emerging Threats (ET) ruleset using Sguil on Security Onion.

 


Shown above:  Alerts on post-infection activity from the Emerging Threats Pro (ET Pro) ruleset using Sguil on Security Onion.

 


Shown above:  Some artifacts seen in the infected user's AppData\Local\Temp folder.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.