2016-12-28 - SUNDOWN EK DATA DUMP

ASSOCIATED FILES:

• ZIP archive of the pcap:  2016-12-28-Sundown-EK-all-4-pcaps.zip   2.5 MB (2,539,297 bytes)

• 2016-12-28-1st-run-Sundown-EK-sends-Chthonic.pcap   (1,595,517 bytes)
• 2016-12-28-2nd-run-Sundown-EK-sends-Terdot.A-Zloader.pcap   (218,621 bytes)
• 2016-12-28-3rd-run-Sundown-EK-sends-Terdot.A-Zloader.pcap   (449,975 bytes)
• 2016-12-28-4th-run-Sundown-EK-sends-Terdot.A-Zloader.pcap   (972,836 bytes)

• ZIP archive of the malware:  2016-12-28-Sundown-EK-malware-and-artifacts.zip   701 kB (700,637 bytes)

• 2016-12-28-Sundown-EK-artifact-Inj6sFosp.txt   (1,170 bytes)
• 2016-12-28-Sundown-EK-artifact-OTTYUADAF.txt   (1,137 bytes)
• 2016-12-28-Sundown-EK-exploit-fvdvsdfv.png   (52,674 bytes)
• 2016-12-28-Sundown-EK-flash-exploit-208.swf   (29,406 bytes)
• 2016-12-28-Sundown-EK-flash-exploit-225.swf   (29,707 bytes)
• 2016-12-28-Sundown-EK-flash-exploit-542.swf   (45,026 bytes)
• 2016-12-28-Sundown-EK-flash-exploit-5421.swf   (14,088 bytes)
• 2016-12-28-Sundown-EK-landing-page-example-1-of-2.txt   (72,224 bytes)
• 2016-12-28-Sundown-EK-landing-page-example-2-of-2.txt   (35,412 bytes)
• 2016-12-28-Sundown-EK-payload-Chthonic-banking-Trojan.exe   (159,744 bytes)
• 2016-12-28-Sundown-EK-payload-Terdot.A-Zloader.exe   (273,920 bytes)
• 2016-12-28-followup-malware-downloaded-by-Terdot.A-Zloader.exe   (312,320 bytes)

BACKGROUND ON SUNDOWN EXPLOIT KIT:

• Nick Biasini from Cisco's Talos threat intelligence team, wrote about Sundown EK in this October 2016 article:  Sundown EK: You Better Take Care.
• Another interesting article is by Trustwave's SpiderLabs Blog from September 2016:  Sundown EK – Stealing Its Way to the Top
• Today's traffic is not the Sundown EK variant described in Malwarebytes October 2016 blog titled:  Yet another Sundown EK variant? (which I saw on 2016-10-17)

OTHER NOTES:

• My thanks to Jérôme Segura and another person who wishes to remain anonymous.  They both provided info so I could generate today's pcaps and malware.
• Unfortunately, I cannot share the referers that kicked off traffic for today's Sundown EK.  (I've redacted that data from the pcaps.)
• Sundown EK appears to be ripping off Rig EK even more now.
• I'm seeing the same artifacts in C:\Users\[usrname]\AppData\Local\Temp\ from Sundown EK that I've seen from Rig EK (Inj6sFosp and OTTYUADAF).
• Furthermore, one of the Flash exploits sent today by Sundown EK is the same exact Flash file seen from Rig-V on 2016-12-21.

 

TRAFFIC

Shown above:  Pcap from the 1st infection filtered in Wireshark

Shown above:  Pcap from the 2nd infection filtered in Wireshark

Shown above:  Pcap from the 3rd infection filtered in Wireshark

Shown above:  Pcap from the 4th infection filtered in Wireshark

 

SUNDOWN EK LANDING PAGE URLS:

• 188.165.163.227 port 80 - ah.0346.mobi - GET /index.php?t3z-ZUyQpcQET20=4im6ZWv0gPEEHnrY0aAeoFnQjMZl-xZu-VOqk1Fjd1n0kpXjxL8mGDkc
• 188.165.163.227 port 80 - iw.0541.mobi - GET /index.php?tGfZN3yCgg=uCm9ZDf02KUBGCba0acYp1mNg5A0_0Fh-wWukwFnIgqiksWzkbImE2FA
• 188.165.163.227 port 80 - fp.0498.mobi - GET /index.php?tnq8EVmrqMQDWQ=syfpMT7306pRSSrc0aoY8FmGjcQ3-hlq9FX_mFZkJF_1kpezkeJ3Q2ZB
• 188.165.163.227 port 80 - mu.0547.mobi - GET /index.php?-EjLNGzz=tn7uMT_31PYHTyaO0aZJ9FmD1MM39RltqAP5kwpkfwjxksO2w7MtEDEb

SUNDOWN EK EXPLOIT FILE URLS:

• 188.165.163.227 port 80 - ah.0346.mobi - GET /4325/5421.swf
• 188.165.163.227 port 80 - ah.0346.mobi - GET /4325/208.swf
• 188.165.163.227 port 80 - ah.0346.mobi - GET /4325/542.swf
• 188.165.163.227 port 80 - iw.0541.mobi - GET /fvdvsdfv.png
• 188.165.163.227 port 80 - iw.0541.mobi - GET /4325/225.swf
• 188.165.163.227 port 80 - iw.0541.mobi - GET /4325/542.swf
• 188.165.163.227 port 80 - fp.0498.mobi - GET /fvdvsdfv.png
• 188.165.163.227 port 80 - fp.0498.mobi - GET /4325/225.swf
• 188.165.163.227 port 80 - fp.0498.mobi - GET /4325/542.swf

SUNDOWN EK PAYLOAD URLS:

• 93.190.143.211 port 80 - zwh.0142.mobi - GET /43526876827345687356872456.php?id=208
• 93.190.143.211 port 80 - sof.0144.mobi - GET /z.php?id=225
• 93.190.143.211 port 80 - sof.0144.mobi - GET /43526876827345687356872456.php?id=225

POST INFECTION TRAFFIC:

• 45.56.117.118 port 53 - TCP-based DNS query for pationare.bit caused by Chthonic banking Trojan
• 144.76.133.38 port 53 - TCP-based DNS query for pationare.bit caused by Chthonic banking Trojan
• 23.88.147.108 port 80 - pationare.bit - POST /     [HTTP traffic caused by Chthonic banking Trojan]
• checkip.dyndns.org - GET /     [IP check caused by Terdot.A/Zloader]
• 54.186.95.29 port 80 - settledness.ru - POST /FE8hVs3/gs98h.php     [HTTP traffic caused by Terdot.A/Zloader]

 

FILE HASHES

EXPLOITS:

• SHA256 hash:  4fe30eb4fd3c1e54b58f901e94e36fc1a8c7a514bf827e7611740d260dd73f4b
  File description:  Sundown EK Flash exploit sent as 208.swf
  File size:  29,406 bytes

• SHA256 hash:  cf730db69db781c515919b26ac46698c5249a62a5413edd11e1dd92fd3a44acb
  File description:  Sundown EK Flash exploit sent as 225.swf
  File size:  29,707 bytes

• SHA256 hash:  67d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6
  File description:  Sundown EK Flash exploit sent as 542.swf
  File size:  45,026 bytes

• SHA256 hash:  0744ba67c5f8210fcdcf4acb328df68780e96d10f2c68b8eddbb9a355bca213e
  File description:  Sundown EK Flash exploit sent as 5421.swf   (The same hash for a Rig-V Flash exploit I saw on 2016-12-21)
  File size:  14,088 bytes

• SHA256 hash:  fc4bb31eb4e3d533e369b3687d72abb263937c698019b4f50229a5ca2d083bbb
  File description:  An exploit sent by Sundown EK as fvdvsdfv.png (appears to be an actual PNG image)
  File size:  52,674 bytes

PAYLOADS AND FOLLOW-UP MALWARE:

• SHA256 hash:  112db20b0f6cbb39bd24dd2dbe121e62506c6862b1db1276b0219bda76a903dd
  File description:  Chthonic banking Trojan sent as EK payload from first run
File size:  159,744 bytes
File path:  C:\Users\[username]\AppData\Local\Temp\radA3269.tmp.exe

• SHA256 hash:  c4b894094c08ea234a2a2652f77383f4a22c5402918c330a7ad6f39520dcc53c
  File description:  Terdot.A/Zloader sent as EK payload from the 2nd through 4th runs
File size:  273,920 bytes
File path:  C:\Users\[username]\AppData\Local\Temp\etgerf.exe
File path:  C:\Users\[username]\AppData\Local\Temp\rgfrf.exe
File path:  C:\Users\[username]\AppData\Local\Temp\radEF99C.tmp.exe
File path:  C:\Users\[username]\AppData\Local\Temp\z.tmp

• SHA256 hash:  9ee649300ee66768afdb2b8866d504e802bd40fd8e4125667bb0f0e2bb6d339f
  File description:  Follow-up malware downloaded by the Terdot.A/Zloader payload
File size:  312,320 bytes
File path:  C:\Users\[username]\AppData\Local\Temp\ytec.exe

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2016-12-28-Sundown-EK-all-4-pcaps.zip   2.5 MB (2,539,297 bytes)
• ZIP archive of the malware:  2016-12-28-Sundown-EK-malware-and-artifacts.zip   701 kB (700,637 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.