2017-10-17 - TERROR EK SENDS SMOKE LOADER, SMOKE LOADER SENDS MORE MALWARE
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-10-17-Terror-EK-pcaps.zip 3.4 MB (3,351,384 bytes)
- 2017-10-17-Terror-EK-example.pcap (354,352 bytes)
- 2017-10-17-post-infection-traffic-from-Terror-EK-payload.pcap (3,870,836 bytes)
- ZIP archive of the malware: 2017-10-17-Terror-EK-artifacts-and-malware.zip 2.5 MB (2,502,144 bytes)
- 2017-10-17-AppData-Local-Temp-3458.tmp.exe (205,144 bytes)
- 2017-10-17-AppData-Local-Temp-4A97.tmp.exe (471,515 bytes)
- 2017-10-17-AppData-Local-Temp-65A7.tmp.exe (631,472 bytes)
- 2017-10-17-AppData-Local-Temp-8C4A.tmp.dll (517,632 bytes)
- 2017-10-17-AppData-Local-Temp-C14F.tmp.exe (791,280 bytes)
- 2017-10-17-Terror-EK-HTML-for-CVE-2015-5119.txt (4,964 bytes)
- 2017-10-17-Terror-EK-artifact-o32.tmp.txt (1,141 bytes)
- 2017-10-17-Terror-EK-flash-exploit-1-of-2.swf (44,396 bytes)
- 2017-10-17-Terror-EK-flash-exploit-2-of-2.swf (17,662 bytes)
- 2017-10-17-Terror-EK-landing-page.txt (111,371 bytes)
- 2017-10-17-Terror-EK-payload-Smoke-Loader.exe (117,711 bytes)
NOTES:
- It's been a while since I looked at Terror EK. Last time I looked into it on 2017-08-29, Terror EK had briefly tried HTTPS (link).
- Seems like that was a short-lived phase, and Terror EK has been using regular HTTP for a while now.
- In this case, Terror EK sent Sharik/Smoke Loader, which kicked off additional malware downloads.
- I generated the original infection on a VM, but SmokeLoader didn't work on that, so I had to run it on a physical host.
TRAFFIC
Shown above: Traffic from the original infection filtered in Wireshark.
Shown above: Post-infection traffic filtered in Wireshark (1 of 2).
Shown above: Post-infection traffic filtered in Wireshark (2 of 2).
Shown above: Post-infection traffic to hellobro.bit returning more malware.
Shown above: Post-infection traffic caused by DarkVNC malware.
Shown above: Post-infection traffic caused by CoinMiner malware.
TERROR EK-RELATED TRAFFIC:
- 5.152.203.123 port 80 - brsmdpfiuuhbvgc21yrz8ovkqdt7tw40k3esen9xagw5laflcyjonxzmpi6hqj.2pih5uvlsgjomgy4zuxx81adce3oj7dkv9qtcbnasnw6rqiryfl
fwtzphmk0eb. zhmhptkstakixgobldls4viyw1jeuno9gj6wb02enury7vra5dcqfpfxc8z3qm.explanation-brother-in-law.cricket - redirect from malvertising gate
- 146.185.163.220 port 80 - pcbjezw.explanation-shampoo.cricket - Terror EK
POST-INFECTION TRAFFIC:
- 104.168.144.17 port 53 - TCP-based DNS query for hellobro.bit
- 185.61.138.114 port 80 - hellobro.bit - POST /
- 185.165.168.124 port 80 - u.teknik.io - GET /1tB63.dll
- 188.209.52.233 port 80 - 188.209.52.233 - POST /gate.php
- 85.17.29.102 port 443 - DarkVNC checkin
- 163.172.207.69 port 80 - Coinminer traffic
LEGITIMATE DOMAINS SEEN DURING POST-INFECTION TRAFFIC:
- www.adobe.com - GET /support/flashplayer/
- www.adobe.com - POST /
- www.adobe.com - POST /go/flashplayer_support/
- www.adobe.com - POST /support/main.html
- www.bing.com - GET /
- helpx.adobe.com - GET /flash-player.html
- helpx.adobe.com - GET /support.html
- java.com - GET /en/
- java.com - GET /en/download/help/
- java.com - GET /en/download/help/index.xml
- java.com - POST /
- java.com - POST /help
- go.microsoft.com - POST /fwlink/?LinkId=133405
- msdn.microsoft.com - GET /vstudio
- support.microsoft.com - POST /kb/2460049
FILE HASHES
MALWARE FROM TERROR EK INFECTION:
- SHA2565 hash: c9f3397340e3671a47c6f15f9e6b1697265cecbb37b3c9c29d1eeae3b4312497
- File size: 44,396 bytes
- File description: Terror EK Flash exploit seen on 2017-10-17 (1 of 2)
- SHA2565 hash: 2090456737a6b44f2c16943662c9cb42acf05b1db6d63f89253a39f33e0ec02c
- File size: 17,662 bytes
- File description: Terror EK Flash exploit seen on 2017-10-17 (2 of 2)
- SHA2565 hash: e6516d2911fc3378903b396b1b3ec97ddd497a1e8b974b531b1f140a485d39ca
- File size: 117,711 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\[random characters].exe
- File location: C:\Users\[username]\AppData\Roaming\Microsoft\vfuggwhu\rvfwteia.exe
- File description: Terror EK payload (Sharik/Smoke Loader)
POST-INFECTION MALWARE:
- SHA2565 hash: 07e96eb325ef315ede680eca649426d6a4516e03a859926d651fda669a98873a
- File size: 205,144 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\3458.tmp.exe
- File location: C:\Users\[username]\AppData\Roaming\reserved\reserv.exe
- SHA256 hash: dda0f5b8759220bdbd8e5dba8bff49868b12e1d5e3bd273b366050dab0c8dd4f
- File size: 471,515 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\4A97.tmp.exe
- SHA256 hash: a5bb96d731ef58cf17cc579578ab89c7c46f275982be8eb137ff64268dff1efc
- File size: 631,472 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\65A7.tmp.exe
- SHA256 hash: bdf3c4e804ebffad9f7ba9a3e3e467d0251c16f57e41095b593d226d2e7f399d
- File size: 517,632 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\8C4A.tmp.dll
- SHA256 hash: e70e429aa051017432921f4cdf2b8492c5cff9465ffdc3aabad2a865ecd2b326
- File size: 791,280 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\C14F.tmp.exe
- File location: C:\Users\[username]\AppData\LocalkHYLfEPyyR\svchost.exe
- File description: CoinMiner
IMAGES
Shown above: Alerts on Terror EK activity from the Emerging Threats (ET) ruleset using Sguil on Security Onion.
Shown above: Alerts on post-infection activity from the Emerging Threats Pro (ET Pro) ruleset using Sguil on Security Onion.
Shown above: Some artifacts seen in the infected user's AppData\Local\Temp folder.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-10-17-Terror-EK-pcaps.zip 3.4 MB (3,351,384 bytes)
- ZIP archive of the malware: 2017-10-17-Terror-EK-artifacts-and-malware.zip 2.5 MB (2,502,144 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.