2017-11-17 - KAIXIN EK STILL AROUND, VERY CHINESE, AND ACTING LIKE IT'S 2013

ASSOCIATED FILES:

  • 2017-11-17-KaiXin-EK-traffic.pcap   (538,517 bytes)
  • 2017-11-17-KaiXin-EK-Snort-alerts.txt   (4,949 bytes)
  • 2017-11-17-KaiXin-EK-Suricata-alerts.txt   (11,508 bytes)
  • 2017-11-17-KaiXin-EK-OvTiFx.htm.txt   (50,706 bytes)
  • 2017-11-17-KaiXin-EK-RfVvPx.htm.txt   (11,437 bytes)
  • 2017-11-17-KaiXin-EK-XlGaYb.jar   (2,609 bytes)
  • 2017-11-17-KaiXin-EK-jquery.js.txt   (15,728 bytes)
  • 2017-11-17-KaiXin-EK-landing-page.txt   (14,709 bytes)
  • 2017-11-17-KaiXin-EK-logo.swf   (23,921 bytes)
  • 2017-11-17-KaiXin-EK-payload-11.7.exe   (377,344 bytes)
  • 2017-11-17-KaiXin-EK-swfobject.js.txt   (12,624 bytes)

NOTES:

Shown above:  Borrowed and modified from @Kafeine's notable tweet in March 2017.


TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

ASSOCIATED DOMAINS:


FILE HASHES

KAIXIN EK JAVA EXPLOIT:


KAIXIN EK FLASH EXPLOIT:


KAIXIN EK PAYLOAD (A WINDOWS EXECUTABLE):


IMAGES


Shown above:  Alerts from Sguil in Security Onion using Suricata and the EmergingThreats ruleset.



Shown above:  Edited list of alerts using Snort 2.9.11 and the Snort subscription ruleset when playing back the same pcap.



Shown above:  The Windows executable sent by KaiXin EK as the malware payload.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
