2017-03-30 - TERROR EK FROM 159.203.185.4
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-03-30-Terror-EK-traffic.pcap.zip 1.4 MB (1,433,570 bytes)
- 2017-03-30-Terror-EK-traffic.pcap (1,549,974 bytes)
- ZIP archive of the malware: 2017-03-30-Terror-EK-malware-and-artifacts.zip 328 kB (328,451 bytes)
- 2017-03-30-Terror-EK-SilverApp1.zip (8,381 bytes)
- 2017-03-30-Terror-EK-artifact-zs3n.tmp.txt (1,151 bytes)
- 2017-03-30-Terror-EK-landing-page.txt (2,573 bytes)
- 2017-03-30-Terror-EK-more-html.txt (1,195 bytes)
- 2017-03-30-Terror-EK-radBE65C.tmp.dll (723,456 bytes)
BACKGROUND ON THE TERROR EK:
- 2017-01-09 - SpiderLabs Blog - Terror Exploit Kit? More like Error Exploit Kit
- Since the above blog post, I've seen some comments on Twitter about Terror EK being re-branded and advertised as Blaze EK or possibly Neptune EK.
OTHER NOTES:
- Big thanks to @Zerophage1337 for tweeting about this on 2017-03-29 and providing a referrer (link).
TRAFFIC
[Image not included in this text copy] Shown above: Injected script from the EITest campaign in a page from the compromised site.
ASSOCIATED DOMAINS:
- 173.208.245.114 port 80 - www.sexyvideos.club - compromised site (okay when I checked later)
- 159.203.185.4 port 80 - 159.203.185.4 - Terror EK
FILE HASHES
EXPLOIT:
- SHA256 hash: 88cdbf79aba30f553a949fc281baaa5d2e5f887d6c3f05b617c4712a709d47a9
File size: 8,381 bytes
File description: Terror EK Silverlight exploit (in zip archive form) seen on 2017-03-30
PAYLOAD:
- SHA256 hash: 71ea85fd9a93949b4a22ed0ac43caebf991f9c046318bf6a490fe1ecb95537fe
File size: 723,456 bytes
File location: C:\Users\[username]\AppData\Local\Temp\radBE65C.tmp.dll
File location: C:\Users\[username]\AppData\Local\Temp\b6g3KwL.exe
IMAGES
[Image not included in this text copy] Shown above: Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.
[Image not included in this text copy] Shown above: Alerts from the Snort subscriber ruleset using Snort 2.9.9.0 on Debian 7.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-03-30-Terror-EK-traffic.pcap.zip 1.4 MB (1,433,570 bytes)
- ZIP archive of the malware: 2017-03-30-Terror-EK-malware-and-artifacts.zip 328 kB (328,451 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.