2015-09-02 - NEUTRINO EK FROM 46.108.156.181 SENDS TESLACRYPT 2.0

ASSOCIATED FILES:

NOTES:

 


Shown above: Google search results for the compromised website.

 


Shown above: Two examples of malicious script injected into a page from the compromised site.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE AND MALICIOUS URL FROM SCRIPT:

 

NEUTRINO EK:

 

POST-INFECTION TRAFFIC:

 

USER VIEWING THE DECRYPT INSTRUCTIONS:

NOTE: There were three links from the decrypt instructions, and this host checked all three.

 

SNORT/SURICATA EVENTS

Significant signature hits from Suricata using the Emerging Threats ruleset on Security Onion:

Significant signature hits from the Talos (Sourcefire VRT) registered ruleset using Snort 2.9.7.5 on Debian 7:

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2015-09-02-Nuetrino-EK-flash-exploit.swf
File size:  73.4 KB ( 75200 bytes )
MD5 hash:  4780d6f03556c31bd56f0618cd154051
SHA1 hash:  64b6703857eedf5e73dc484f4230e2663c0d2ad2
SHA256 hash:  bd83ee1e05bc9e6a551310c79b7ffeb45ac97f526a5135fcaca7c9da5b5be00b
Detection ratio:  0 / 55
First submission:  2015-09-02 14:56:03 UTC
VirusTotal link:  https://www.virustotal.com/en/file/bd83ee1e05bc9e6a551310c79b7ffeb45ac97f526a5135fcaca7c9da5b5be00b/analysis/

 

MALWARE PAYLOAD:

File name:  2015-09-02-Nuetrino-EK-malware-payload-TeslaCrypt-2.0.exe
File size:  318.8 KB ( 326492 bytes )
MD5 hash:  9cd70299c5f16642411c241c6dab45bd
SHA1 hash:  1753aa4f6a7689d21f55e21fb16e7efc5bd134b4
SHA256 hash:  20f8ea706350e016a5a2e926293bbc59360608bdc9d279c4635ccddeb773d392
Detection ratio:  2 / 56
First submission:  2015-09-02 14:56:17 UTC
VirusTotal link:  https://www.virustotal.com/en/file/20f8ea706350e016a5a2e926293bbc59360608bdc9d279c4635ccddeb773d392/analysis/
Malwr link:  https://malwr.com/analysis/MTFhNWZlZmE5M2Q5NGI1OGJkMWI5NzRiMzdjZWZkZDc/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/20f8ea706350e016a5a2e926293bbc59360608bdc9d279c4635ccddeb773d392?environmentId=4

 

FINAL NOTES

Once again, here are the associated files:

The ZIP file is password-protected with the standard password.  If you don't know it, email me at admin@malware-traffic-analysis.net and ask.
