2014-12-07 - NEUTRINO EK FROM 23.105.11.105 - EYTMXGNQLM.NIRVAL.EU:8823

ASSOCIATED FILES:

 

NOTES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE AND REDIRECT:

 

NEUTRINO EK:

 

POST-INFECTION CALLBACK TRAFFIC:

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion using Suricata (not including ET INFO or ET POLICY rules):

 

Sourcefire VRT ruleset ffrom Sguil on Security Onion using tcpreplay on Snort 2.9.7.0

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-12-07-Neutrino-EK-flash-exploit.swf
File size:  40.7 KB ( 41721 bytes )
MD5 hash:  455dbb97195e763edafc36c06a776296
Detection ratio:  0 / 53
First submission:  2014-12-08 14:21:52 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b2e2734014be2673a84a1c0281badf043ab3b9a643712bf9e644ba3112c4237f/analysis/

 

MALWARE PAYLOAD

File name:  2014-12-07-Neutrino-EK-malware-payload.exe
File size:  97.0 KB ( 99328 bytes )
MD5 hash:  a20722e4bd3a6a35c8dfbb99f2cad8c0
Detection ratio:  19 / 54
First submission:  2014-12-08 01:32:34 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7e8e748f39b0bff7dd70eee3c1d08241565c07ce9bfe687c18ee727cfb2bc5cf/analysis/
Malwr link:  https://malwr.com/analysis/ZDQ4OGZkY2NiZWI0NDQ1NmI1MDkxNDNhMGNjNWI0YTM/

 

HIGHLIGHTS FROM THE TRAFFIC

Malicious javascript in page from compromised website:

 

Redirect pointing to Neutrino EK:

 

Neutrino EK landing page:

 

Neutrino EK delivers Flash exploit:

 

Neutrino EK delivers malware payload (encrypted):

 

Two other HTTP GET requests by Neutrino EK after the payload is delivered:

 

Example of the post-infection traffic caused by the malware payload (Necurs):

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.