2014-01-21 - ANOTHER NEUTRINO EK EXAMPLE

ASSOCIATED FILES:


NOTES:

A quick post on traffic for a VM infected by the Neutrino EK...


SNORT EVENTS


TRAFFIC

ASSOCIATED DOMAINS:

INFECTION CHAIN:


PRELIMINARY MALWARE ANALYSIS


Java exploit from 212.83.154.207 port 8000 (iepheiph.bandrets.com):

https://www.virustotal.com/en/file/2a5ef17ea9eb2f29b14fc69086b5d7bc2425942ad0cdb83536e9cf6ab3f448f6/analysis/

File name: 2014-01-21-Neutrino-Java-exploit.jar
File size: 18.8 KB (19264 bytes)
MD5 hash: 37c2eb4f18306ecbec6c8035195684ea
Detection ratio: 4 / 50
First submitted: 2014-01-20 00:32:58 GMT


EXE payload from 212.83.154.207 port 8000 (iepheiph.bandrets.com):

https://www.virustotal.com/en/file/c5e42cba7d55770a96aae6d723f28b794736e7bb5513f133a322084ee540c76c/analysis/

File name: 2014-01-21-Neutrino-EXE-payload.exe
File size: 272.2 KB (278729 bytes)
MD5 hash: b34aa8ffa78b4b5adbd63cf8143fc93b
Detection ratio: 15 / 50
First submitted: 2014-01-21 14:41:38 GMT


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
