2016-12-08 - SUNDOWN EK FROM 193.70.64.80 AND 193.70.64.91

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2016-12-08-Sundown-EK-both-pcaps.zip   1.8 MB (1,827,676 bytes)

• 2016-12-08-Sundown-EK-first-run.pcap   (1,455,096 bytes)
• 2016-12-08-Sundown-EK-second-run.pcap   (1,897,472 bytes)

• ZIP archive of the malware and artifacts:  2016-12-08-Sundown-EK-malware-and-artifacts.zip   969 kB (968,857 bytes)

• 2016-12-08-Sundown-EK-landing-page.txt   (119,802 bytes)
• 2016-12-08-Sundown-EK-payload.exe   (129,850 bytes)
• bs.dll   (58,368 bytes)
• sql.dll   (522,752 bytes)
• zs.dll   (913,920 bytes)

NOTES:

• Saw some ad traffic that led to Sundown EK earlier today.

Shown above:  Ad traffic chain that led to Sundown EK.

 

TRAFFIC

Shown above:  Traffic from the first run filtered in Wireshark.

Shown above:  Traffic from the second run filtered in Wireshark.

ASSOCIATED DOMAINS:

• 23.238.19.56 port 80 - creditkarmas.us - GET /noone.php   [redirected to Sundown EK landing page]
• 193.70.64.91 port 80 - gaj.09r.biz - First Sundown EK IP and domain (first run)
• 193.70.64.91 port 80 - kdt.17v.biz - First Sundown EK IP and domain (second run)
• 193.70.64.80 port 80 - vlu.01z.biz - Second Sundown EK IP and domain (first and second runs)
• 193.169.252.6 port 80 - 193.169.252.6 - Post-infection callback
• 193.169.252.130 port 80 - 193.169.252.130 - Post-infection callback

 

FILE HASHES

SUNDOWN EK PAYLOAD:

• SHA256 hash:  b3675888d24c5dfdc37420f76c8631a1e02748801271a116f8bc2c7d42e9f30a
  File description:  Sundown EK payload (129,850 bytes)

FOLLOW-UP DOWNLOADS:

• SHA256 hash:  4e22a0ef5543f7b1dcd74b4d9f6157b1498c9f97adaba175e3be1e60e9059a21
  File name:  bs.dll (58,368 bytes)

• SHA256 hash:  043e5570299c6099756c1809c5632eabeab95ed3c1a55c86843c0ec218940e5a
  File name:  sql.dll (522,752 bytes)

• SHA256 hash:  d1d55f7ead8a07c8a085732a401757ab52dd23063a89c4386d9d65f9cd649fb3
  File name:  zs.dll (913,920 bytes)

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2016-12-08-Sundown-EK-both-pcaps.zip   1.8 MB (1,827,676 bytes)
• ZIP archive of the malware and artifacts:  2016-12-08-Sundown-EK-malware-and-artifacts.zip   969 kB (968,857 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.