2016-01-04 - NEUTRINO EK FROM 45.32.238.202 SENDS CRYPTOWALL

ASSOCIATED FILES:

NOTES:

  • https://isc.sans.edu/forums/diary/Actor+using+Angler+exploit+kit+switched+to+Neutrino/20059/
  • https://isc.sans.edu/forums/diary/Actor+that+tried+Neutrino+exploit+kit+now+back+to+Angler/20075/

    Shown above:  Pcap of the infection traffic filtered in Wireshark.

    TRAFFIC

    ASSOCIATED DOMAINS:

    COMPROMISED SITE:

    NEUTRINO EK:

    POST-INFECTION CRYPTOWALL TRAFFIC:

    SNORT/SURICATA EVENTS

    Significant signature hits from Suricata using the Emerging Threats ruleset on Security Onion (click here for full list):

    Significant signature hits from the Talos (Sourcefire VRT) registered ruleset using Snort 2.9.8.0 on Debian 7 (click here for full list):

    PRELIMINARY MALWARE ANALYSIS

    FLASH EXPLOIT:

    File name:  2016-01-04-Neutrino-EK-flash-exploit.swf
    File size:  84.1 KB ( 86152 bytes )
    MD5 hash:  cb24e563daaf06c61f9373b78b5c7050
    SHA1 hash:  419d983ff021c51ff2de1880d5fe57dc384b537e
    SHA256 hash:  4e7a5e284e6ed9f4a4807aae2189b829a43c216a56f9d2cf73fc7e7e4fe1f414
    Detection ratio (at the time of submission):  1 / 53
    First submission:  2016-01-04 18:01:01 UTC
    VirusTotal link

    MALWARE PAYLOAD:

    File name:  2016-01-04-Neutrino-EK-payload-CryptoWall.exe
    File size:  350.0 KB ( 358400 bytes )
    MD5 hash:  e86daca8abdaf5915d5b93283b62e954
    SHA1 hash:  1d7967ac6303754253296a4529d957141523b5d9
    SHA256 hash:  dbed14393c8c7dc284b94efe9df7d5739ab544ddc17559b23d23281cd0c5ba82
    Detection ratio (at the time of submission):  2 / 54
    First submission:  2016-01-04 18:03:11 UTC
    VirusTotal link
    Malwr.com link (click here for pcap from the analysis)
    Hybrid-Analysis.com link (click here for pcap from the analysis)

    SCREENSHOTS


    Shown above:  Infected user's Windows desktop after the CryptoWall infection.


    Shown above:  Start of injected script in page from the compromised website (starts at beginning before the opening HTML tags).


    Shown above:  End of injected script in page from the compromised website (ends with </script> on line 444).


    Shown above:  Neutrino EK sends its landing page.


    Shown above:  Neutrino EK sends a Flash exploit.


    Shown above:  Neutrino EK sends its malware payload (encrypted).


    Shown above:  Example of the CryptoWall post-infection traffic.

    FINAL NOTES

    Once again, here are the associated files:

    ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.