2016-05-31 - KAIXIN EK FROM 98.126.83[.]188 AND 98.126.83[.]189
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2016-05-31-KaiXin-EK-traffic-4-pcaps.zip 380.8 kB (380,757 bytes)
- 2016-05-28-KaiXin-EK-traffic-example-from-Threatglass.pcap (151,529 bytes)
- 2016-05-31-KaiXin-EK-traffic-first-run.pcap (117,518 bytes)
- 2016-05-31-KaiXin-EK-traffic-second-run.pcap (178,552 bytes)
- 2016-05-31-KaiXin-EK-traffic-third-run.pcap (136,213 bytes)
- 2016-05-31-KaiXin-EK-malware-and-artifacts.zip 104.3 kB (104,288 bytes)
- 2016-05-28-and-31-KaiXin-EK-flash-exploit.swf (10,879 bytes)
- 2016-05-28-and-31-KaiXin-EK-malware-payload.exe (56,064 bytes)
- 2016-05-31-KaiXin-EK-flash-exploit-2.swf (30,337 bytes)
- 2016-05-31-KaiXin-EK-flash-exploit-3.swf (12,401 bytes)
NOTES:
- This is my follow-up to a post from Threatglass at: https://web.archive.org/web/20160607143138/http://threatglass.com/malicious_urls/bannerkoubou-com
TRAFFIC:
- [Image] Traffic carved from the 2016-05-28 Threatglass pcap filtered in Wireshark.
- [Image] Traffic from the 2016-05-31 first run (no infection) filtered in Wireshark.
- [Image] Traffic from the 2016-05-31 second run (infection) filtered in Wireshark.
- [Image] Traffic from the 2016-05-31 third run (no infection) filtered in Wireshark.
ASSOCIATED DOMAINS:
- 98.126.83[.]188 port 82 - 98.126.83[.]188:82 - KaiXin EK
- 98.126.83[.]189 port 82 - 98.126.83[.]189:82 - GET /smss.exe - KaiXin EK payload
IMAGES:
- [Image] Alerts from Sguil in Security Onion using Suricata and the ETPRO ruleset.
- [Image] Alerts using Snort 2.9.8.2 and the Snort subscriber ruleset when playing back the same pcap.