- 126.96.36.199 – dp.jev.mobi and nso.fzo.mobi – Sundown EK
File name: iedetector.js
File name: index2.php.html
File name: 9643522803.swf
File name: 947545190441&id=257.swf
File name: 78493521.swf
Looking at “iedetector.js” shows numerous checks being performed. We can also see that there are comments left in the file:
Once the checks are completed the Sundown EK landing page is requested, this time using “index2.php?”:
We then see the GET requests for the Flash exploits and PNG exploit. I am not sure if this was a test that I caught, a one-off, or something that we might be seeing in the near future.
They are zipped and password protected (same password used by numerous security researchers). Send me an email or hit me up on Twitter if you need the password.