2014-02-09 - NEUTRINO EK SENDS MALWARE, CAUSES ANDROMEDA ALERT

ASSOCIATED FILES:

NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

POST-INFECTION CALLBACK TRAFFIC


PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT

File name:  Silverlight-exploit-from-212.83.149.239.xap
File size:  14.1 KB ( 14401 bytes )
MD5 hash:  c30951dc2d25c0652d7d4e4a4d288d7a
Detection ratio:  2 / 49
First submission:  2014-02-09 19:44:26 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9425c3a69260c998a6593724b41e3e813a48baeadc4ec62e545e56dc5c2ed1c7/analysis/

NOTE: This is a Silverlight exploit for CVE-2013-0074


MALWARE PAYLOAD

File name:  EXE-payload-from-212.83.149.239.exe
File size:  104.5 KB ( 107008 bytes )
MD5 hash:  5a880a85681748cacc81ea66719ba270
Detection ratio:  13 / 49
First submission:  2014-02-09 19:44:46 UTC
VirusTotal link:  https://www.virustotal.com/en/file/82d7fe8280fd980f848dc2f4f8cd76a5a3d646d3d90515293e7e6a9ceeab2948/analysis/

Malwr link:  https://malwr.com/analysis/YjQ0MGEyYWZiOTI3NDRiMTkxNzU5OTgyYTRiYzFkZDk/

NOTES:


SNORT EVENTS

SNORT EVENTS FOR NEUTRINO EK TRAFFIC (FROM SECURITY ONION)


HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in the infected web page - sugarloafweddings.com/category/kinh-nghiem-cuoi-2/


First domain in the failed redirect chain - irfan.ca/rotr/


Second domain in the failed redirect chain - 62.76.177.211/sleev/?9


Third domain in the failed redirect chain - asyscert.com/images/rotr/


Successful redirect - taleroom.com/wp-content/files/


Neutrino EK domain delivers Silverlight exploit - yeegegie.amcancode.com:8000/ymgidx?hsqeaia=fjyhdzniepe


Neutrino EK domain delivers EXE payload - yeegegie.amcancode.com:8000/tnrvn?hinpt=fjyhdzniepe

NOTE: The malware came across the network XOR-ed with the ASCII string: bsip
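Added example (not part of the original write-up): how an analyst recovers the EXE from the pcap when it crosses the wire XOR-ed with a short repeating key like "bsip". It decodes with the known key, shows how the key falls out of the known PE DOS-header prefix when it is not known, and sanity-checks the result. The sample bytes are a constructed minimal PE header, not the real payload.

```python
from itertools import cycle

# Key the write-up reports for this Neutrino EK sample (ASCII "bsip").
XOR_KEY = b"bsip"

# Typical start of a Windows PE file's DOS header ("MZ" magic, e_cblp = 0x90).
PE_DOS_HEADER_PREFIX = b"MZ\x90\x00"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with a repeating key (symmetric: also encodes)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(encoded: bytes, known_plaintext: bytes = PE_DOS_HEADER_PREFIX) -> bytes:
    """Recover a repeating XOR key from a known-plaintext prefix.
    Assumes the key is as long as the known prefix (4 bytes here) and that the
    hidden file is a PE, so its first bytes are the DOS header prefix."""
    return xor_with_key(encoded[:len(known_plaintext)], known_plaintext)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: DOS magic present and e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_sample_pe() -> bytes:
    """Constructed stand-in for the payload: a minimal DOS header plus PE signature."""
    dos = bytearray(PE_DOS_HEADER_PREFIX + b"\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00")
    dos += b"\x00" * (0x3C - len(dos))
    dos += (0x40).to_bytes(4, "little")               # e_lfanew: PE signature at 0x40
    return bytes(dos) + b"PE\x00\x00" + b"\x4c\x01"   # 'PE\0\0' + Machine = i386


SAMPLE_PLAIN = build_sample_pe()
# Encode the sample the way the page says the payload crossed the network.
SAMPLE_ON_WIRE = xor_with_key(SAMPLE_PLAIN, XOR_KEY)

if __name__ == "__main__":
    key = recover_key(SAMPLE_ON_WIRE)
    decoded = xor_with_key(SAMPLE_ON_WIRE, key)
    print("recovered key:", key, "valid PE:", looks_like_pe(decoded))
```

On a real capture, carve the HTTP response body from the tnrvn request into a file and pass its bytes to recover_key and xor_with_key; the same check tells you whether the decoded blob is a PE worth submitting for analysis.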


Post-infection callback traffic - salomblog.com/ldr/image.php


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.