2013-06-18 - NEUTRINO EK FROM 199.195.249.188 - 1208B83B81C141ECD6F05E24.WEBHOP.ORG:8000

PCAP AND MALWARE:


NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


INFECTION TRAFFIC:


PRELIMINARY MALWARE ANALYSIS:

JAVA EXPLOIT:

File name:  2013-06-18-Neutrino-EK-java-exploit.jar
File size:  21.9 KB ( 22452 bytes )
MD5 hash:  19d60c47854e35aa5aae8a5fe77ba11a
Detection ratio:  15 / 54
First submission:  2013-06-18 19:14:20 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4cda1350264757b684e73f00f0a616384e83a675deb9bbc3d9f41325e3a5b5a1/analysis/


MALWARE PAYLOAD:

File name:  2013-06-18-Neutrino-EK-malware-payload.exe
File size:  91.5 KB ( 93696 bytes )
MD5 hash:  2dc3fbd737281eb93f1df205d12a69e0
Detection ratio:  39 / 52
First submission:  2013-06-18 22:39:00 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a8dafaa2bd5a43fb44b5c626f72bbc969cc6e4a28cbf0d1a0417173b06e83dab/analysis/
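
The page lists each sample by file size and MD5 and links to its VirusTotal report, whose URL path carries the SHA-256 of the same file. The script below is an added example (not part of the original post) that transcribes those two entries and checks a downloaded sample against all three fields at once, so a mislabeled or tampered file is caught even if the MD5 happens to agree. The helper names and the constructed test bytes are my own.

```python
"""Check a downloaded sample against the indicators listed on the page."""
import hashlib
import re
import sys

# Indicators transcribed from the page: file name, size in bytes, MD5, and the
# VirusTotal link (its /file/<sha256>/ path segment gives the SHA-256).
INDICATORS = [
    {
        "name": "2013-06-18-Neutrino-EK-java-exploit.jar",
        "size": 22452,
        "md5": "19d60c47854e35aa5aae8a5fe77ba11a",
        "vt_url": "https://www.virustotal.com/en/file/"
                  "4cda1350264757b684e73f00f0a616384e83a675deb9bbc3d9f41325e3a5b5a1/analysis/",
    },
    {
        "name": "2013-06-18-Neutrino-EK-malware-payload.exe",
        "size": 93696,
        "md5": "2dc3fbd737281eb93f1df205d12a69e0",
        "vt_url": "https://www.virustotal.com/en/file/"
                  "a8dafaa2bd5a43fb44b5c626f72bbc969cc6e4a28cbf0d1a0417173b06e83dab/analysis/",
    },
]

_VT_SHA256 = re.compile(r"/file/([0-9a-f]{64})/")


def sha256_from_vt_url(url):
    """Extract the SHA-256 embedded in a VirusTotal file-report URL, or None."""
    m = _VT_SHA256.search(url)
    return m.group(1) if m else None


def hash_bytes(data):
    """Return (size, md5, sha256) for an in-memory sample."""
    return len(data), hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def check_sample(data, indicator):
    """Compare one sample against one page entry.
    Returns {"size": bool, "md5": bool, "sha256": bool}; a genuine copy of the
    listed file must be True on every field."""
    size, md5, sha256 = hash_bytes(data)
    expected_sha = sha256_from_vt_url(indicator["vt_url"])
    return {
        "size": size == indicator["size"],
        "md5": md5 == indicator["md5"],
        "sha256": expected_sha is not None and sha256 == expected_sha,
    }


def identify(data):
    """Return the listed file name the sample matches on all fields, else None."""
    for ind in INDICATORS:
        if all(check_sample(data, ind).values()):
            return ind["name"]
    return None


def make_indicator(name, data):
    """Build an entry in the same layout for a new sample (hypothetical helper,
    handy when adding your own captures to a list like the one above)."""
    size, md5, sha256 = hash_bytes(data)
    return {
        "name": name,
        "size": size,
        "md5": md5,
        "vt_url": "https://www.virustotal.com/en/file/%s/analysis/" % sha256,
    }


if __name__ == "__main__":
    # Usage: python check_samples.py <extracted sample> [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            blob = f.read()
        print(path, identify(blob) or "no match", hash_bytes(blob))
```

Run it against the files extracted from the password-protected ZIP; a sample that matches size and MD5 but not the SHA-256 from the VirusTotal link deserves a second look before it goes into a report.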


SNORT EVENTS

Screenshot of Emerging Threats signature hits from Sguil on Security Onion (without ET POLICY or ET INFO events):


FINAL NOTES

Once again, here's the PCAP of the traffic and ZIP file of the malware:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
