Sundown Exploit Kit from 88.99.41.190 and 93.190.143.186 delivers Terdot.A-Zloader

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-01-12-Sundown-EK-pcap.zip

Thanks to @HenriNurmi for sharing information on the compromised site.

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • beautifulldressesonline.com – COMPROMISED SITE FLASH REDIRECT
  • 88.99.41.190 – ip.4941.mobi – SUNDOWN EK LANDING PAGE
  • 93.190.143.186 – pkc.1146.mobi – SUNDOWN EK LANDING PAGE
  • 35.167.24.105 – grincode.su POST /FE8hVs3/gs98h.php – POST INFECT TRAFFIC
  • 216.146.43.70 – checkip.dyndns.org – POST INFECT TRAFFIC
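The indicator list above describes an ordered chain (compromised site, Sundown landing page, post-infection POST to grincode.su, then the checkip.dyndns.org lookup). The following is an added example, not code from the original post, that turns those indicators into a simple chain detector over proxy-style log lines; the log lines and the `client host method uri` format are constructed for the example, not taken from the pcap.

```python
import re

# Indicators from the post: landing-page hosts and post-infection traffic.
COMPROMISED_HOSTS = {"beautifulldressesonline.com"}
SUNDOWN_LANDING_HOSTS = {"ip.4941.mobi", "pkc.1146.mobi"}
C2_POST = ("grincode.su", "/FE8hVs3/gs98h.php")
IP_CHECK_HOST = "checkip.dyndns.org"

# Constructed proxy log (NOT from the pcap), one request per line: client host method uri
SAMPLE_LOG = """\
10.0.0.5 beautifulldressesonline.com GET /index.html
10.0.0.5 ip.4941.mobi GET /
10.0.0.5 grincode.su POST /FE8hVs3/gs98h.php
10.0.0.5 checkip.dyndns.org GET /
10.0.0.9 grincode.su GET /FE8hVs3/gs98h.php
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")

def classify(host, method, uri):
    """Map one request to a stage of the infection chain, or None if it matches nothing."""
    if host in COMPROMISED_HOSTS:
        return "compromised_site"
    if host in SUNDOWN_LANDING_HOSTS:
        return "ek_landing"
    if method == "POST" and (host, uri) == C2_POST:
        return "c2_post"      # the post-infection POST seen in the pcap
    if host == IP_CHECK_HOST:
        return "ip_check"     # external IP lookup after infection
    return None

def stages_per_client(log):
    """Return {client: [stages in first-seen order]} for clients hitting any indicator."""
    seen = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, host, method, uri = m.groups()
        stage = classify(host, method, uri)
        if stage and stage not in seen.setdefault(client, []):
            seen[client].append(stage)
    return seen

def likely_infected(log):
    """Clients that reached a Sundown landing page and later sent the C2 POST."""
    return sorted(c for c, s in stages_per_client(log).items()
                  if "ek_landing" in s and "c2_post" in s and s.index("ek_landing") < s.index("c2_post"))
```

A plain GET to the C2 path without a preceding landing-page hit (the second client in the sample) is deliberately not flagged, so the match requires the chain rather than a single indicator.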
IMAGES AND DETAILS OF INFECTION CHAIN:

[Image] Shown above: HTTP traffic associated with the Sundown exploit kit and the delivery of Terdot.A-Zloader

[Image] Shown above: Sundown exploit kit delivery of the malicious payload


MALICIOUS PAYLOAD ASSOCIATED WITH SUNDOWN EXPLOIT: