2016-11-14 - EITEST CAMPAIGN SUNDOWN EK FROM 164.132.116.54
ASSOCIATED FILES:
- ZIP archive of the pcap: 2016-11-14-Sundown-EK-traffic.pcap.zip 1.8 MB (1,826,009 bytes)
- 2016-11-14-Sundown-EK-traffic.pcap (2,067,146 bytes)
- ZIP archive of the malware: 2016-11-14-Sundown-EK-malware-and-artifacts.zip 684 kB (684,351 bytes)
- 2016-11-14-Sundown-EK-flash-exploit-1-of-2.swf (22,694 bytes)
- 2016-11-14-Sundown-EK-flash-exploit-2-of-2.swf (33,592 bytes)
- 2016-11-14-Sundown-EK-landing-page.txt (67,429 bytes)
- 2016-11-14-Sundown-EK-payload.exe (454,144 bytes)
- 2016-11-14-other-malware-retrieved-from-the-infected-host.exe (290,816 bytes)
- 2016-11-14-page-from-showbizgeek_com-with-injected-EITest-script.txt (100,035 bytes)
NOTES:
- Another example of the EITest campaign causing Sundown EK, which I previously saw on 2016-11-02.
- The EITest script (injected in pages from sites compromised by this campaign) has evolved a bit since last week.
- The Sundown EK URL patterns have also changed a little.
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Injected script from the EITest campaign in a page from the compromised site.
Shown above: The infection traffic filtered in Wireshark.
ASSOCIATED DOMAINS:
- showbizgeek.com - Site compromised with EITest script
- 164.132.116.54 port 80 dqb.888315.info - Sundown EK (first domain)
- 164.132.116.54 port 80 u.228885.info - Sundown EK (second domain)
- 85.199.214.251 port 5998 86t7b9br9.ddns.net - Post-infection traffic: attempted TCP connections (not successful)
FILE HASHES
EXPLOITS:
- SHA256 hash: 24861ef2828f5bc9a622cbb04bed3446b775a08bfd137b04633decdd5494d822
File name: 2016-11-14-Sundown-EK-flash-exploit-1-of-2.swf (22,694 bytes)
- SHA256 hash: e704858399a3a47c0143ba46baf392a16c4f8652f001ab10c881a20067840655
File name: 2016-11-14-Sundown-EK-flash-exploit-2-of-2.swf (33,592 bytes)
PAYLOAD AND OTHER MALWARE:
- SHA256 hash: e0782d5f3a7976838c4a9e1bc958e5fd05b1fc9d07084e7f4ccec1a1fd92698d
File name: 2016-11-14-Sundown-EK-payload.exe (454,144 bytes)
- SHA256 hash: 9bc943b6eb196ec5c8d72b73a3818f9ccd47f9a76efcb8441c2195ed5b6106f1
File name: 2016-11-14-other-malware-retrieved-from-the-infected-host.exe (290,816 bytes)
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2016-11-14-Sundown-EK-traffic.pcap.zip 1.8 MB (1,826,009 bytes)
- ZIP archive of the malware: 2016-11-14-Sundown-EK-malware-and-artifacts.zip 684 kB (684,351 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.