2014-02-03 PART 2 OF 4 - NEUTRINO EK DELIVERS ZEUS/ZBOT/CITADEL

PCAP AND MALWARE

LINKS ABOUT THE MALWARE

CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

POST INFECTION CALLBACK TRAFFIC

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  java-exploit-from-212.83.135.167.jar
File size:  19.0 KB ( 19458 bytes )
MD5 hash:  71cb847f10e45acf7d58ddef2ed43303
Detection ratio:  1 / 51
First submission:  2014-02-04 00:42:31 UTC
VirusTotal link: https://www.virustotal.com/en/file/5fac4c4670e9e8eac55974a3f366dbf57f675b624301a64b1707e047380b5cf1/analysis/

EXE PAYLOAD - came over the network XOR-ed with the ASCII string: xvbb

File name:  EXE-payload-from-212.83.135.167.exe
File size:  266.2 KB ( 272555 bytes )
MD5 hash:  9114cd6411e9164631d6953e290c3b45
Detection ratio:  26 / 51
First submission:  2014-02-05 05:04:01 UTC
VirusTotal link: https://www.virustotal.com/en/file/656b3886f4214bc986d68cd6bf753be2ad2acd8741176349c1335272caa765fa/analysis/
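The EXE payload above travelled over the wire XOR-ed with the repeating ASCII key xvbb. As an added example (not code from the original post), the Python below strips that repeating-key XOR from a captured byte stream, checks that the result carries a PE header, hashes it for comparison with the MD5 listed above, and shows how the key itself falls out of the known MZ stub; the input is a constructed PE-shaped buffer, not the real payload.

```python
import hashlib
from itertools import cycle
from typing import Tuple

XOR_KEY = b"xvbb"  # repeating ASCII key observed on the payload download

def xor_decode(data: bytes, key: bytes) -> bytes:
    """Undo a repeating-key XOR; XOR is its own inverse, so this also encodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def looks_like_pe(data: bytes) -> bool:
    """Check the DOS 'MZ' stub and the 'PE\\0\\0' signature at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def recover_key(encoded: bytes, key_len: int, known_prefix: bytes = b"MZ\x90\x00") -> bytes:
    """Derive a short repeating XOR key from a known plaintext prefix.
    Most linker-produced PE files begin with MZ 90 00, so the first bytes of the
    captured stream XOR that stub give the key bytes back."""
    return bytes(e ^ p for e, p in zip(encoded[:key_len], known_prefix[:key_len]))

def decode_and_hash(encoded: bytes, key: bytes) -> Tuple[bytes, str]:
    """Decode the captured bytes and return (decoded_bytes, md5_hex) for triage."""
    decoded = xor_decode(encoded, key)
    return decoded, hashlib.md5(decoded).hexdigest()

# Constructed sample: a minimal PE-shaped buffer (MZ stub, e_lfanew -> 0x40, PE signature).
_sample = bytearray(b"MZ\x90\x00" + b"\x00" * (0x3C - 4))
_sample += (0x40).to_bytes(4, "little")
_sample += b"PE\x00\x00" + b"\x00" * 12
SAMPLE_PE = bytes(_sample)
SAMPLE_ENCODED = xor_decode(SAMPLE_PE, XOR_KEY)  # what the stream would look like on the wire

if __name__ == "__main__":
    decoded, digest = decode_and_hash(SAMPLE_ENCODED, XOR_KEY)
    print("on-wire bytes look like PE:", looks_like_pe(SAMPLE_ENCODED))
    print("decoded bytes look like PE:", looks_like_pe(decoded), "md5:", digest)
    print("key recovered from MZ stub:", recover_key(SAMPLE_ENCODED, len(XOR_KEY)))
```

On a real capture, feed the bytes of the HTTP response body into decode_and_hash and compare the MD5 with the one listed above.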

SNORT EVENTS

SNORT EVENTS FOR NEUTRINO EK TRAFFIC (FROM SECURITY ONION)

HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in the infected web page - www.valerierobinson.com/?p=1

Part of the redirect chain - 62.76.177.211/sleev/?10

Final redirect to the Neutrino EK domain - 30oct2007.com/wp-content/rotr/

Neutrino EK domain delivering the Java exploit - eesheshi.ontowess.com:8000/dqjndypi?hlbszwbqmocs=gltiywtx

Neutrino EK domain delivering the EXE payload - eesheshi.ontowess.com:8000/kkmohtafl?hnvhxikvyt=gltiywtx - which is XOR-ed with the ASCII string: xvbb

Post-infection callback returns more malware, which triggered a Snort event for a possible Citadel download - www.gminalubiewo.pl/images/files/file.php

FINAL NOTES

Once again, here are links for a ZIP file of the traffic and ZIP file of the associated malware:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.