2014-02-03 PART 3 OF 4 - NEUTRINO EK RESULTS IN BITCOIN MINING

PCAP AND MALWARE

 

LINKS ABOUT THE MALWARE

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

POST INFECTION CALLBACK TRAFFIC

 

PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT - CVE-2013-0074

File name:  Silverlight-exploit-from-212.83.135.167.xap
File size:  5.1 KB ( 5210 bytes )
MD5 hash:  ce056895e07d2a9d04c5e8db844013ea
Detection ratio:  5 / 50
First submission:  2013-12-30 23:31:49 UTC
VirusTotal link: https://www.virustotal.com/en/file/8bd2cd6a40ad378a974b20e6b0ae49ba4715cd81b96c667c2627f14eab08bc50/analysis/

 

EXE PAYLOAD

File name:  Malware-delivered-by-Silverlight-exploit-from-212.83.135.167.exe
File size:  435.0 KB ( 445440 bytes )
MD5 hash:  749f15ab411098de4d541bec4479d96e
Detection ratio:  20 / 50
First submission:  2014-02-06 02:31:08 UTC
VirusTotal link: https://www.virustotal.com/en/file/fb6730ff3a00a0fc239ea4c81abf9cff95ee3fd4fe33cf74db5584fcc7a48598/analysis/

 

SNORT EVENTS

SNORT EVENTS FOR NEUTRINO EK TRAFFIC (FROM SECURITY ONION)

 

HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in the infected web page - sorbix.com/


Before end of the HTML header

After end of the HTML body

 

Redirect - taleroom.com/wp-content/files

 

Neutrino EK delivering the Silverlight exploit - eesheshi.ontowess.com:8000/dvhgfzxaakcru?hswskaqdqacs=jrcuzdzan

 

Neutrino EK delivering the EXE payload - eesheshi.ontowess.com:8000/kqcpzilup?hzpoapzcgt=jrcuzdzan

 

Post-infection bitcoin mining - grossform.ru/gate.php and grossform.ru/GPUMiner.files
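The chain above (redirect, two Neutrino EK requests on port 8000, then the gate.php callback and miner download) can be reconstructed from proxy or HTTP request logs. The following is an added example, not part of the original post: it runs over a constructed log that mirrors the hosts and paths shown above. The hostnames and paths come from the post; the port-8000 / single-parameter heuristic for the EK landing requests is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed request log (not a capture from the post); fields:
# timestamp  client  host[:port]  path
SAMPLE_LOG = """\
2014-02-03T14:01:02 10.0.0.5 sorbix.com /
2014-02-03T14:01:03 10.0.0.5 taleroom.com /wp-content/files
2014-02-03T14:01:05 10.0.0.5 eesheshi.ontowess.com:8000 /dvhgfzxaakcru?hswskaqdqacs=jrcuzdzan
2014-02-03T14:01:09 10.0.0.5 eesheshi.ontowess.com:8000 /kqcpzilup?hzpoapzcgt=jrcuzdzan
2014-02-03T14:01:30 10.0.0.5 grossform.ru /gate.php
2014-02-03T14:01:31 10.0.0.5 grossform.ru /GPUMiner.files
2014-02-03T14:02:00 10.0.0.9 example.org /index.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+?)(?::(\d+))? (\S+)$")

def classify(host, port, path):
    """Map one request to a stage of the chain described in the post.
    The port-8000 / lowercase-path / single-parameter test for the EK
    landing is an assumption, not a rule taken from the post."""
    url = urlsplit(path)
    if host == "taleroom.com" and url.path.startswith("/wp-content/files"):
        return "redirect"
    if (port == 8000 and re.fullmatch(r"/[a-z]{6,20}", url.path)
            and re.fullmatch(r"[a-z]+=[a-z]+", url.query)):
        return "neutrino_ek"
    if url.path == "/gate.php":
        return "callback"
    if url.path.endswith("GPUMiner.files"):
        return "miner_download"
    return None

def find_chains(log_text):
    """Return {client: [(timestamp, stage, host), ...]} for clients whose
    traffic shows both EK activity and a post-infection callback."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort
        ts, client, host, port, path = m.groups()
        stage = classify(host, int(port) if port else 80, path)
        if stage:
            per_client[client].append((ts, stage, host))
    return {c: ev for c, ev in per_client.items()
            if {"neutrino_ek", "callback"} <= {s for _, s, _ in ev}}
```

Clients matching only one stage are dropped, so a lone request to a /gate.php path on some unrelated site does not raise an alert by itself.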

 

FINAL NOTES

Once again, here are links for a ZIP file of the traffic and a ZIP file of the associated malware:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
