2016-05-31 - KAIXIN EK FROM 98.126.83.188 AND 98.126.83.189
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2016-05-31-KaiXin-EK-pcaps.zip 380.2 kB (380,243 bytes)
- 2016-05-28-KaiXin-EK-traffic-from-threatglass.pcap (151,529 bytes)
- 2016-05-31-KaiXin-EK-traffic-first-run.pcap (117,518 bytes)
- 2016-05-31-KaiXin-EK-traffic-second-run.pcap (178,552 bytes)
- 2016-05-31-KaiXin-EK-traffic-third-run.pcap (136,213 bytes)
- ZIP archive of the malware and artifacts: 2016-05-31-KaiXin-EK-mlaware-and-artifacts.zip 103.7 kB (103,730 bytes)
- 2016-05-28-and-31-KaiXin-EK-flash-exploit.swf (10,879 bytes)
- 2016-05-28-and-31-KaiXin-EK-malware-payload.exe (56,064 bytes)
- 2016-05-31-KaiXin-EK-flash-exploit-2.swf (30,337 bytes)
- 2016-05-31-KaiXin-EK-flash-exploit-3.swf (12,401 bytes)
NOTES:
- This is my follow-up to a post from Threatglass at: http://threatglass.com/malicious_urls/bannerkoubou-com
TRAFFIC
Shown above: Traffic carved from the 2016-05-28 Threatglass pcap filtered in Wireshark.
Shown above: Traffic from the 2016-05-31 first run (no infection) filtered in Wireshark.
Shown above: Traffic from the 2016-05-31 second run (infection) filtered in Wireshark.
Shown above: Traffic from the 2016-05-31 third run (no infection) filtered in Wireshark.
ASSOCIATED DOMAINS:
- 98.126.83.188 port 82 - 98.126.83.188:82 - KaiXin EK
- 98.126.83.189 port 82 - 98.126.83.189:82 - GET /smss.exe - KaiXin EK payload
IMAGES
Shown above: Alerts from Sguil in Security Onion using Suricata and the ETPRO ruleset.
Shown above: Alerts using Snort 2.9.8.2 and Snort subscriber ruleset when playing back the same pcap.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcaps: 2016-05-31-KaiXin-EK-pcaps.zip 380.2 kB (380,243 bytes)
- ZIP archive of the malware and artifacts: 2016-05-31-KaiXin-EK-mlaware-and-artifacts.zip 103.7 kB (103,730 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.