Notes
  • Sample found on Threatglass
  • Payload is Neutrino and is in the PCAP, but post-infection traffic is not present
PCAP and Malware

PCAP here: 2015-12-27-Sundown-EK-Traffic.pcap
Malware here: 2015-12-27-Sundown-EK-Malware-Exploits.zip

For .zip password, please email me at jack@malwarefor.me.

Compromised Domain and Redirects

2015-12-27 04:59:19 UTC - 217.160.177.4 - foromtb.com - GET /
2015-12-27 04:59:19 UTC - 217.160.177.4 - www.foromtb.com - GET /

Sundown EK Traffic

2015-12-27 04:59:21 UTC - 185.86.77.160 - millychiccolo.space - GET /jhgrjhk.php
2015-12-27 04:59:23 UTC - 185.86.77.160 - nomeatea.space - GET //?OWI1YjQ5ZjdmOGMwN2Y0M2VmZmU0YWVjYzY3YmYyNTQ=
2015-12-27 04:59:24 UTC - 185.86.77.160 - nomeatea.space - GET //?Z3R5N200
2015-12-27 04:59:24 UTC - 185.86.77.160 - nomeatea.space - GET //new/e/49c58cc2b166b1a5b13eab5f472a4f7b.html
2015-12-27 04:59:24 UTC - 185.86.77.160 - nomeatea.space - GET //new/e/8573855J6LHK4J54KL5JHK53J654364354.html
2015-12-27 04:59:24 UTC - 185.86.77.160 - nomeatea.space - GET //new/e/865HKJJHGFHJRGJKGYJTYG6LKJTHYRKLJTGH.html
2015-12-27 04:59:24 UTC - 185.86.77.160 - nomeatea.space - GET //new/e/360a296ea1e0abb38f1080f5e802fb4b.html
2015-12-27 04:59:24 UTC - 185.86.77.160 - nomeatea.space - GET //new/e/8500d58389eba3b3820a17641449b81d.html
2015-12-27 04:59:25 UTC - 185.86.77.160 - nomeatea.space - GET //new/e/49c58cc2b166b1a5b13eab5f472a4f7b.swf
2015-12-27 04:59:30 UTC - 185.86.77.160 - millychiccolo.space - GET /jhgrjhk.php
2015-12-27 04:59:31 UTC - 185.86.77.160 - nomeatea.space - GET //?OWI1YjQ5ZjdmOGMwN2Y0M2VmZmU0YWVjYzY3YmYyNTQ=
2015-12-27 04:59:31 UTC - 185.86.77.160 - nomeatea.space - GET //?Z3R5N200
2015-12-27 04:59:32 UTC - 185.86.77.160 - nomeatea.space - GET //new/e/49c58cc2b166b1a5b13eab5f472a4f7b.html
2015-12-27 04:59:32 UTC - 185.86.77.160 - nomeatea.space - GET //new/e/8573855J6LHK4J54KL5JHK53J654364354.html
2015-12-27 04:59:32 UTC - 185.86.77.160 - nomeatea.space - GET //new/e/865HKJJHGFHJRGJKGYJTYG6LKJTHYRKLJTGH.html
2015-12-27 04:59:32 UTC - 185.86.77.160 - nomeatea.space - GET //new/e/360a296ea1e0abb38f1080f5e802fb4b.html
2015-12-27 04:59:35 UTC - 185.86.77.160 - nomeatea.space - GET //new/e/8500d58389eba3b3820a17641449b81d.html
2015-12-27 04:59:35 UTC - 185.86.77.160 - tequeryomuch.space - GET /?NGFlY2M2N2JmMjU0&d=9b5b49f7f8c07f43effe4aecc67bf254
2015-12-27 04:59:40 UTC - 185.86.77.160 - millychiccolo.space - GET /jhgrjhk.php
2015-12-27 04:59:42 UTC - 185.86.77.160 - nomeatea.space - GET //new/e/8573855J6LHK4J54KL5JHK53J654364354.html
2015-12-27 04:59:42 UTC - 185.86.77.160 - nomeatea.space - GET //new/e/360a296ea1e0abb38f1080f5e802fb4b.html
2015-12-27 04:59:45 UTC - 185.86.77.160 - nomeatea.space - GET //new/e/8500d58389eba3b3820a17641449b81d.html
2015-12-27 04:59:45 UTC - 185.86.77.160 - tequeryomuch.space - GET /?NGFlY2M2N2JmMjU0&d=9b5b49f7f8c07f43effe4aecc67bf254
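
As an added example (not from the original post), the Python below parses traffic lines in the format listed above, tags the three Sundown URI shapes seen in this capture, and decodes the base64 query tokens; it shows that the token handed to the nomeatea.space gate decodes to the same 32-hex value that later appears as the d= parameter on the tequeryomuch.space payload request. The sample lines are copied from the capture above; the pattern names are my own.

```python
import base64
import re

# Constructed sample: a subset of the Sundown EK traffic lines listed above.
SAMPLE_LOG = """\
2015-12-27 04:59:21 UTC - 185.86.77.160 - millychiccolo.space - GET /jhgrjhk.php
2015-12-27 04:59:23 UTC - 185.86.77.160 - nomeatea.space - GET //?OWI1YjQ5ZjdmOGMwN2Y0M2VmZmU0YWVjYzY3YmYyNTQ=
2015-12-27 04:59:24 UTC - 185.86.77.160 - nomeatea.space - GET //?Z3R5N200
2015-12-27 04:59:24 UTC - 185.86.77.160 - nomeatea.space - GET //new/e/49c58cc2b166b1a5b13eab5f472a4f7b.html
2015-12-27 04:59:25 UTC - 185.86.77.160 - nomeatea.space - GET //new/e/49c58cc2b166b1a5b13eab5f472a4f7b.swf
2015-12-27 04:59:35 UTC - 185.86.77.160 - tequeryomuch.space - GET /?NGFlY2M2N2JmMjU0&d=9b5b49f7f8c07f43effe4aecc67bf254
"""

LINE_RE = re.compile(r"^(?P<ts>.+? UTC) - \S+ - (?P<host>\S+) - \S+ (?P<uri>\S+)$", re.M)
B64, HEX32 = r"[A-Za-z0-9+/]+={0,2}", r"[0-9a-f]{32}"
# The three URI shapes in this capture: a double-slash root with a lone base64 query,
# a double-slash /new/e/<32 hex>.html|.swf, and the payload fetch carrying d=<32 hex>.
PATTERNS = {
    "sundown_gate": re.compile(rf"^//\?(?P<token>{B64})$"),
    "sundown_exploit": re.compile(rf"^//new/e/(?P<id>{HEX32})\.(?:html|swf)$"),
    "sundown_payload": re.compile(rf"^/\?(?P<token>{B64})&d=(?P<id>{HEX32})$"),
}

def decode_token(token):
    """Base64-decode a query token to printable ASCII; None if it is not base64."""
    try:
        text = base64.b64decode(token + "=" * (-len(token) % 4), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def scan_log(text):
    """Return (timestamp, host, tag, id-or-decoded-token) for every URI matching a pattern."""
    findings = []
    for m in LINE_RE.finditer(text):
        for tag, pattern in PATTERNS.items():
            hit = pattern.match(m["uri"])
            if hit:
                g = hit.groupdict()
                value = g.get("id") or decode_token(g["token"])
                findings.append((m["ts"], m["host"], tag, value))
                break
    return findings

def linked_ids(findings):
    """Ids the gate handed out in base64 that reappear as the payload d= parameter."""
    gate = {v for _, _, tag, v in findings if tag == "sundown_gate" and v}
    payload = {v for _, _, tag, v in findings if tag == "sundown_payload"}
    return gate & payload
```

The capture also contains /new/e/ names that are not 32 hex characters, so a signature keyed on the double slash and the path prefix would cover more of this session than the narrow pattern used here.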

IDS alerts using the Emerging Threats Pro Ruleset (INFO/POLICY disabled) on Suricata 2.0.8

2015-12-27 04:59:24 UTC - 192.168.49.10:1059 -> 185.86.77.160:80 - ETPRO CURRENT_EVENTS Sundown/Xer EK URI struct Oct 25 2015 M1
2015-12-27 04:59:25 UTC - 192.168.49.10:1060 -> 185.86.77.160:80 - ETPRO CURRENT_EVENTS Sundown/Xer EK URI struct Oct 25 2015 M1
2015-12-27 04:59:25 UTC - 192.168.49.10:1061 -> 185.86.77.160:80 - ETPRO CURRENT_EVENTS Sundown/Xer EK URI struct Oct 25 2015 M1
2015-12-27 04:59:25 UTC - 192.168.49.10:1059 -> 185.86.77.160:80 - ETPRO CURRENT_EVENTS Sundown/Xer EK URI struct Oct 25 2015 M1
2015-12-27 04:59:25 UTC - 192.168.49.10:1063 -> 185.86.77.160:80 - ETPRO CURRENT_EVENTS Sundown/Xer EK URI struct Oct 25 2015 M1
2015-12-27 04:59:25 UTC - 192.168.49.10:1062 -> 185.86.77.160:80 - ETPRO CURRENT_EVENTS Sundown/Xer EK URI struct Oct 25 2015 M1
2015-12-27 04:59:28 UTC - 185.86.77.160:80 -> 192.168.49.10:1061 - ETPRO CURRENT_EVENTS Hunter EK Landing Flash Exploits Aug 25 2015 M1
2015-12-27 04:59:28 UTC - 185.86.77.160:80 -> 192.168.49.10:1061 - ETPRO CURRENT_EVENTS Hunter EK Landing Flash Exploits Aug 25 2015 M2
2015-12-27 04:59:32 UTC - 192.168.49.10:1072 -> 185.86.77.160:80 - ETPRO CURRENT_EVENTS Sundown/Xer EK URI struct Oct 25 2015 M1
2015-12-27 04:59:32 UTC - 192.168.49.10:1074 -> 185.86.77.160:80 - ETPRO CURRENT_EVENTS Sundown/Xer EK URI struct Oct 25 2015 M12
2015-12-27 04:59:32 UTC - 192.168.49.10:1072 -> 185.86.77.160:80 - ETPRO CURRENT_EVENTS Sundown/Xer EK URI struct Oct 25 2015 M1
2015-12-27 04:59:33 UTC - 192.168.49.10:1074 -> 185.86.77.160:80 - ETPRO CURRENT_EVENTS Sundown/Xer EK URI struct Oct 25 2015 M1
2015-12-27 04:59:35 UTC - 185.86.77.160:80 -> 192.168.49.10:1074 - ETPRO CURRENT_EVENTS Hunter EK Landing Flash Exploits Aug 25 2015 M1
2015-12-27 04:59:35 UTC - 185.86.77.160:80 -> 192.168.49.10:1074 - ETPRO CURRENT_EVENTS Hunter EK Landing Flash Exploits Aug 25 2015 M2
2015-12-27 04:59:35 UTC - 192.168.49.10:1074 -> 185.86.77.160:80 - ETPRO CURRENT_EVENTS Sundown/Xer EK URI struct Oct 25 2015 M1
2015-12-27 04:59:42 UTC - 192.168.49.10:1080 -> 185.86.77.160:80 - ETPRO CURRENT_EVENTS Sundown/Xer EK URI struct Oct 25 2015 M1
2015-12-27 04:59:42 UTC - 192.168.49.10:1081 -> 185.86.77.160:80 - ETPRO CURRENT_EVENTS Sundown/Xer EK URI struct Oct 25 2015 M1
2015-12-27 04:59:42 UTC - 192.168.49.10:1080 -> 185.86.77.160:80 - ETPRO CURRENT_EVENTS Sundown/Xer EK URI struct Oct 25 2015 M1
2015-12-27 04:59:42 UTC - 192.168.49.10:1081 -> 185.86.77.160:80 - ETPRO CURRENT_EVENTS Sundown/Xer EK URI struct Oct 25 2015 M1
2015-12-27 04:59:45 UTC - 185.86.77.160:80 -> 192.168.49.10:1081 - ETPRO CURRENT_EVENTS Hunter EK Landing Flash Exploits Aug 25 2015 M1
2015-12-27 04:59:45 UTC - 185.86.77.160:80 -> 192.168.49.10:1081 - ETPRO CURRENT_EVENTS Hunter EK Landing Flash Exploits Aug 25 2015 M2
2015-12-27 04:59:45 UTC - 192.168.49.10:1081 -> 185.86.77.160:80 - ETPRO CURRENT_EVENTS Sundown/Xer EK URI struct Oct 25 2015 M1

Preliminary Malware Analysis

File name: 2015-12-27-Sundown-Hunter-EK-Flash-Exploit.swf
File size: 74.9 KB ( 76663 bytes )
MD5 hash: 6b2befdd397c9032fcc01b73e6797126
Detection ratio: 14 / 54
First submission: 2015-08-26 22:50:39 UTC
VirusTotal link: https://www.virustotal.com/en/file/039305c06a28bc23e91d067ec0ceb4b40ef55b14c982efaafd1d67f29055dfd8/analysis/1451352675/

File name: 2015-12-27-Sundown-EK-Payload.exe
File size: 280.0 KB ( 286720 bytes )
MD5 hash: 4baeee098c34b463eb8ac709b9bd9967
Detection ratio: 23 / 54
First submission: 2015-12-28 18:46:01 UTC
VirusTotal link: https://www.virustotal.com/en/file/592ecb3d6acaefbccc69987604110bd3ed98465b9b727ed9f4e013c300078d33/analysis/1451352660/

If you have any feedback or questions, please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates.