2014-02-23 - NEUTRINO EK USES SILVERLIGHT EXPLOIT

ASSOCIATED FILES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS


PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT

File name:  2014-02-23-Neutrino-EK-silverlight-exploit.xap
File size:  14.8 KB ( 15116 bytes )
MD5 hash:  b665305f06d19cb26417e9937ca98725
Detection ratio:  1 / 50
First submission:  2014-02-18 16:09:58 UTC
VirusTotal link: https://www.virustotal.com/en/file/1bd4e67c21f51b6f6cbf29e487ef21aa0294a8c3ad270c5a2c4fbd5eba17c73b/analysis/


MALWARE PAYLOAD

File name:  2014-02-23-malware-payload-from-hinuatho.teeleeda.com.exe
File size:  102.6 KB ( 105110 bytes )
MD5 hash:  7da29db8e0705c4d19dae225ffd57e82
Detection ratio:  4 / 49
First submission:  2014-02-23 19:20:21 UTC
VirusTotal link: https://www.virustotal.com/en/file/3f0785e0159b464b750f7e8f3dd38a10a62a537cefd08070c3ee74fdfa52c057/analysis/
Malwr link: https://malwr.com/analysis/NmIzOTkyMWU0MjcyNGRiNTkxZTk1MjZiNDMyMmZmOTU/


SNORT EVENTS

SNORT EVENTS FOR NEUTRINO EK TRAFFIC (FROM SECURITY ONION)


HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in the infected web page - alexlipinski.co.uk/new-facebook-page-alex-lipinski/


Redirect - hgpk.in/?pi1


Neutrino EK delivers Silverlight exploit CVE-2013-0074 - hinuatho.teeleeda.com:8000/ivraieqeydxrhp?fcjdbgigcw=dfwlqo


Silverlight exploit CVE-2013-0074 delivers EXE payload - hinuatho.teeleeda.com:8000/hedfkxcjttjb?fzgwddnlthnc=dfwlqo


NOTE: This EXE was XOR-ed with the ASCII string: jste
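As an added example (not part of the original write-up), a Python helper that reverses that repeating-key XOR and, when the key is not already known from the traffic, recovers it from a captured blob using only the bytes every DOS header shares (the MZ magic, the reserved words and the high bytes of e_lfanew). The payload bytes below are constructed for the demo, not taken from the real EXE.

```python
from itertools import cycle
from typing import Optional

KEY = b"jste"  # the repeating XOR key named in the traffic note above

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; applying it twice restores the input."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

# DOS header offsets whose plaintext is predictable for any real PE file:
# 'MZ' magic, the reserved words e_res/e_res2, and the high bytes of e_lfanew.
KNOWN_HEADER_BYTES = {0: 0x4D, 1: 0x5A}
KNOWN_HEADER_BYTES.update({o: 0 for o in range(0x1C, 0x24)})
KNOWN_HEADER_BYTES.update({o: 0 for o in range(0x28, 0x3C)})
KNOWN_HEADER_BYTES.update({0x3E: 0, 0x3F: 0})

def recover_key(blob: bytes, key_len: int) -> Optional[bytes]:
    """Known-plaintext recovery of a repeating key of length key_len from an
    XOR-ed PE; returns None if the known bytes disagree (wrong length / not a PE)."""
    key = [None] * key_len
    for off, plain in KNOWN_HEADER_BYTES.items():
        if off >= len(blob):
            return None
        guess, slot = blob[off] ^ plain, off % key_len
        if key[slot] is None:
            key[slot] = guess
        elif key[slot] != guess:
            return None
    return None if any(k is None for k in key) else bytes(key)

def looks_like_pe(data: bytes) -> bool:
    """Sanity check: MZ magic plus a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[60:64], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def build_sample_pe() -> bytes:
    """Constructed stand-in for the payload (not real malware): a DOS header
    with e_lfanew = 0x40 followed by a PE signature and some filler bytes."""
    hdr = bytearray(64)
    hdr[0:2] = b"MZ"
    hdr[60:64] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00" + bytes(range(1, 33))

if __name__ == "__main__":
    captured = xor_with_key(build_sample_pe(), KEY)  # what the wire would carry
    found = recover_key(captured, len(KEY))
    print("recovered key:", found)                    # b'jste'
    print("decodes to PE:", looks_like_pe(xor_with_key(captured, found)))
```

On a real capture, carve the HTTP response body from the pcap and pass it as the blob; if recovery returns None, try other key lengths before concluding the encoding is not a plain repeating XOR.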


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
