Sundown Exploit Kit from 88.99.41.189 and 93.190.143.185 delivers Terdot.A-Zloader

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-01-18-Sundown-EK-pcap.zip

Thanks!! to @HenriNurmi for sharing information on the compromised site.


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • niceandcutepuppies.com – COMPROMISED SITE
  • 88.99.41.189 – cvr.hse.mobi – SUNDOWN EK LANDING PAGE
  • 93.190.143.185 – ujs.fyu.mobi – SUNDOWN EK LANDING PAGE
  • 88.99.41.189 – db.hse.mobi – SUNDOWN EK LANDING PAGE
  • 54.197.197.37 – normhill.su – POST INFECTION TRAFFIC
  • 216.146.38.70 – checkip.dyndns.org – POST INFECTION TRAFFIC
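To show how the indicators above can be put to defensive use, here is an added example (not part of the original post) that matches HTTP proxy log lines against these domains and IP addresses and reconstructs, per client, the chain the post describes: compromised site, then Sundown EK landing page, then post-infection traffic. The log line format, the sample lines and the placeholder addresses 203.0.113.10 and 198.51.100.20 are constructed for illustration; only the domains, IPs and their roles come from the post.

```python
"""Added example (not from the original post): match constructed HTTP proxy log
lines against the indicators listed above and reconstruct, per client, the
infection chain the post describes (compromised site -> Sundown EK landing
page -> post-infection traffic). The log format, the sample lines and the
addresses 203.0.113.10 / 198.51.100.20 are constructed for illustration; only
the domains, IPs and roles come from the post."""
import re

# Indicators from the post, keyed by the role the post assigns them.
IOC_DOMAINS = {
    "niceandcutepuppies.com": "COMPROMISED SITE",
    "cvr.hse.mobi": "SUNDOWN EK LANDING PAGE",
    "ujs.fyu.mobi": "SUNDOWN EK LANDING PAGE",
    "db.hse.mobi": "SUNDOWN EK LANDING PAGE",
    "normhill.su": "POST INFECTION TRAFFIC",
    "checkip.dyndns.org": "POST INFECTION TRAFFIC",
}
IOC_IPS = {
    "88.99.41.189": "SUNDOWN EK LANDING PAGE",
    "93.190.143.185": "SUNDOWN EK LANDING PAGE",
    "54.197.197.37": "POST INFECTION TRAFFIC",
    "216.146.38.70": "POST INFECTION TRAFFIC",
}

# Constructed log format (assumption): "<timestamp> <client> <server> <method> <host> <path>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<path>\S+)$"
)

# Constructed sample log: one client that walks the full chain, one that only
# touches checkip.dyndns.org (a legitimate service the malware abuses, so a
# hit there on its own is weak evidence).
SAMPLE_LOG = [
    "2017-01-18T14:02:11 10.0.0.5 203.0.113.10 GET niceandcutepuppies.com /",
    "2017-01-18T14:02:12 10.0.0.5 88.99.41.189 GET cvr.hse.mobi /",
    "2017-01-18T14:02:13 10.0.0.5 93.190.143.185 GET ujs.fyu.mobi /",
    "2017-01-18T14:02:40 10.0.0.5 216.146.38.70 GET checkip.dyndns.org /",
    "2017-01-18T14:02:41 10.0.0.5 54.197.197.37 POST normhill.su /",
    "2017-01-18T14:05:00 10.0.0.9 216.146.38.70 GET checkip.dyndns.org /",
    "2017-01-18T14:05:01 10.0.0.9 198.51.100.20 GET example.com /",
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(record):
    """Return the chain stage a request belongs to, or None if it touches no indicator.

    The Host header is checked first (exact match or subdomain), then the server IP,
    so a request still reaches a listed stage if only one of the two was logged."""
    host = record["host"].lower().split(":", 1)[0]  # drop an optional :port
    for domain, role in IOC_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return role
    return IOC_IPS.get(record["dst"])


def chain_is_complete(stages):
    """True when post-infection traffic follows a landing-page hit from the same client.

    The compromised site is not required: the referring site may not be logged,
    and any other compromised site could have redirected to the same landing page."""
    landing_seen = False
    for _, role, _ in stages:
        if role == "SUNDOWN EK LANDING PAGE":
            landing_seen = True
        elif role == "POST INFECTION TRAFFIC" and landing_seen:
            return True
    return False


def summarize(lines):
    """Group indicator hits per client and flag clients that completed the chain."""
    chains = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        role = classify(rec)
        if role is None:
            continue
        chains.setdefault(rec["src"], []).append((rec["ts"], role, rec["host"]))
    return {src: {"stages": stages, "complete": chain_is_complete(stages)}
            for src, stages in chains.items()}


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        verdict = "FULL CHAIN" if info["complete"] else "partial hit"
        print(f"{src}: {verdict}")
        for ts, role, host in info["stages"]:
            print(f"  {ts} {role:<24} {host}")
```

Run as-is to see the two verdicts; on real data, feed proxy or firewall log lines (reformatted to the constructed layout) into summarize(). A client reported as "partial hit" with only a checkip.dyndns.org request deserves a look but not an alert on its own, which is why completeness is tied to the landing-page stage rather than to any single indicator.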

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: HTTP traffic associated with the Sundown EK and the delivery of Terdot.A-Zloader


Shown above: Injected script found on the index page of the compromised site, which redirects the visitor to the Sundown EK landing page to start the infection chain


Shown above: Post-infection traffic associated with Terdot.A-Zloader


Shown above: Post-infection certificate installed on the infected host using certutil.exe


MALICIOUS PAYLOAD ASSOCIATED WITH SUNDOWN EXPLOIT: