2017-08-29 - TERROR EK SEEN USING HTTPS

ASSOCIATED FILES:

• Fiddler capture of the traffic (password-protected):  2017-08-29-Terror-EK-traffic.saz   123 kB (123,152 bytes)

• Zip archive of the artifacts:  2017-08-29-Terror-EK-artifacts.zip   104 kB (104,446 bytes)

• 2017-08-29-Terror-EK-3Np2K9XwEp3C.txt   (4,641 bytes)
• 2017-08-29-Terror-EK-8EUj3DVsJ3l6.txt   (64,126 bytes)
• 2017-08-29-Terror-EK-QMxBnqBlgl4e.txt   (11,582 bytes)
• 2017-08-29-Terror-EK-TyIPdwZ096Uf.swf   (24,667 bytes)
• 2017-08-29-Terror-EK-Uhg2F49WHwXu.txt   (12,638 bytes)
• 2017-08-29-Terror-EK-cZV9AQd9UyjN.txt   (8,209 bytes)
• 2017-08-29-Terror-EK-mESH7HMjAcFA.swf   (51,139 bytes)
• 2017-08-29-Terror-EK-showthread-php-id-7991937328.txt   (4,938 bytes)

 

NOTES:

• Saw a "404 not found" in response to the URL requesting the payload.
• @jeromesegura was able to get a payload from it, though.   (link)
• Thanks to @nao_sec, who saw this EK using HTTPS earlier today and let me know.  Otherwise, I might not have noticed.
• Also thanks to @jeromesegura, who corrected me when I initially thought this was Disdain EK.  (Disdain EK stole from Terror EK, but it's not Terror.)

 

TRAFFIC

Shown above:  Traffic from Terror EK on 2017-08-29 filtered in Wireshark.

 

Shown above:  Traffic from Terror EK on 2017-08-29 as recorded through Fiddler.

 

ASSOCIATED URLS:

• 188.166.93.163 port 443 (HTTPS) - stockshare.loan - GET /forum_S2hpxwQ/showthread.php?id=7991937328
• 188.166.93.163 port 443 (HTTPS) - stockshare.loan - GET /forum_S2hpxwQ/70jT7XJ0lysv/Uhg2F49WHwXu.html
• 188.166.93.163 port 443 (HTTPS) - stockshare.loan - GET /forum_S2hpxwQ/l3Pg9p7lEM5v/3Np2K9XwEp3C.html
• 188.166.93.163 port 443 (HTTPS) - stockshare.loan - GET /forum_S2hpxwQ/70jT7XJ0lysv/8EUj3DVsJ3l6.html
• 188.166.93.163 port 443 (HTTPS) - stockshare.loan - GET /forum_S2hpxwQ/70jT7XJ0lysv/QMxBnqBlgl4e.html
• 188.166.93.163 port 443 (HTTPS) - stockshare.loan - GET /forum_S2hpxwQ/70jT7XJ0lysv/cZV9AQd9UyjN.html
• 188.166.93.163 port 443 (HTTPS) - stockshare.loan - GET /forum_S2hpxwQ/70jT7XJ0lysv/test.mp3
• 188.166.93.163 port 443 (HTTPS) - stockshare.loan - GET /forum_S2hpxwQ/l3Pg9p7lEM5v/IClMPh7jWGyz.swf
• 188.166.93.163 port 443 (HTTPS) - stockshare.loan - GET /forum_S2hpxwQ/l3Pg9p7lEM5v/mESH7HMjAcFA.swf
• 188.166.93.163 port 443 (HTTPS) - stockshare.loan - GET /forum_S2hpxwQ/l3Pg9p7lEM5v/TyIPdwZ096Uf.swf

 

FILE HASHES

TERROR EK FLASH EXPLOIT (1 OF 2):

• SHA256 hash:  0dbb15afb887069b2f75308d2cff947db56d08adf8ceb17bb39ccdc71db28db3
  File size:  51,139 bytes
  File description:  Flash exploit used by Terror EK on 2017-08-29

TERROR EK FLASH EXPLOIT (2 OF 2):

• SHA256 hash:  7ff9703ac519fa05d323e032b16b2b55cbaf8e1f51d1e89a0a337c4125aebe97
  File size:  24,667 bytes
  File description:  Another Flash exploit used by Terror EK on 2017-08-29

 

FINAL NOTES

Once again, here are the associated files:

• Fiddler capture of the traffic (password-protected):  2017-08-29-Terror-EK-traffic.saz   123 kB (123,152 bytes)
• Zip archive of the artifacts:  2017-08-29-Terror-EK-artifacts.zip   104 kB (104,446 bytes)

ZIP and SAZ archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.