2017-08-29 - TERROR EK SEEN USING HTTPS
ASSOCIATED FILES:
- Fiddler capture of the traffic (password-protected): 2017-08-29-Terror-EK-traffic.saz 123 kB (123,152 bytes)
- Zip archive of the artifacts: 2017-08-29-Terror-EK-artifacts.zip 104 kB (104,446 bytes)
- 2017-08-29-Terror-EK-3Np2K9XwEp3C.txt (4,641 bytes)
- 2017-08-29-Terror-EK-8EUj3DVsJ3l6.txt (64,126 bytes)
- 2017-08-29-Terror-EK-QMxBnqBlgl4e.txt (11,582 bytes)
- 2017-08-29-Terror-EK-TyIPdwZ096Uf.swf (24,667 bytes)
- 2017-08-29-Terror-EK-Uhg2F49WHwXu.txt (12,638 bytes)
- 2017-08-29-Terror-EK-cZV9AQd9UyjN.txt (8,209 bytes)
- 2017-08-29-Terror-EK-mESH7HMjAcFA.swf (51,139 bytes)
- 2017-08-29-Terror-EK-showthread-php-id-7991937328.txt (4,938 bytes)
NOTES:
- Saw a "404 not found" in response to the URL requesting the payload.
- @jeromesegura was able to get a payload from it, though. (link)
- Thanks to @nao_sec, who saw this EK using HTTPS earlier today and let me know. Otherwise, I might not have noticed.
- Also thanks to @jeromesegura, who corrected me when I initially thought this was Disdain EK. (Disdain EK stole from Terror EK, but it's not Terror.)
TRAFFIC
Shown above: Traffic from Terror EK on 2017-08-29 filtered in Wireshark.
Shown above: Traffic from Terror EK on 2017-08-29 as recorded through Fiddler.
ASSOCIATED URLS:
- 188.166.93.163 port 443 (HTTPS) - stockshare.loan - GET /forum_S2hpxwQ/showthread.php?id=7991937328
- 188.166.93.163 port 443 (HTTPS) - stockshare.loan - GET /forum_S2hpxwQ/70jT7XJ0lysv/Uhg2F49WHwXu.html
- 188.166.93.163 port 443 (HTTPS) - stockshare.loan - GET /forum_S2hpxwQ/l3Pg9p7lEM5v/3Np2K9XwEp3C.html
- 188.166.93.163 port 443 (HTTPS) - stockshare.loan - GET /forum_S2hpxwQ/70jT7XJ0lysv/8EUj3DVsJ3l6.html
- 188.166.93.163 port 443 (HTTPS) - stockshare.loan - GET /forum_S2hpxwQ/70jT7XJ0lysv/QMxBnqBlgl4e.html
- 188.166.93.163 port 443 (HTTPS) - stockshare.loan - GET /forum_S2hpxwQ/70jT7XJ0lysv/cZV9AQd9UyjN.html
- 188.166.93.163 port 443 (HTTPS) - stockshare.loan - GET /forum_S2hpxwQ/70jT7XJ0lysv/test.mp3
- 188.166.93.163 port 443 (HTTPS) - stockshare.loan - GET /forum_S2hpxwQ/l3Pg9p7lEM5v/IClMPh7jWGyz.swf
- 188.166.93.163 port 443 (HTTPS) - stockshare.loan - GET /forum_S2hpxwQ/l3Pg9p7lEM5v/mESH7HMjAcFA.swf
- 188.166.93.163 port 443 (HTTPS) - stockshare.loan - GET /forum_S2hpxwQ/l3Pg9p7lEM5v/TyIPdwZ096Uf.swf
FILE HASHES
TERROR EK FLASH EXPLOIT (1 OF 2):
- SHA256 hash: 0dbb15afb887069b2f75308d2cff947db56d08adf8ceb17bb39ccdc71db28db3
- File size: 51,139 bytes
- File description: Flash exploit used by Terror EK on 2017-08-29
TERROR EK FLASH EXPLOIT (2 OF 2):
- SHA256 hash: 7ff9703ac519fa05d323e032b16b2b55cbaf8e1f51d1e89a0a337c4125aebe97
- File size: 24,667 bytes
- File description: Another Flash exploit used by Terror EK on 2017-08-29
FINAL NOTES
ZIP and SAZ archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.