2016-02-12 - NEUTRINO EK FROM 45.32.181.74 SENDS NECURS

PCAP AND MALWARE:

NOTES:

CHAIN OF EVENTS

Shown above:  Today's pcap filtered in Wireshark.


DATE/TIME OF THE INFECTION:  2016-02-12 18:19 UTC


IP ADDRESSES/DOMAINS FROM ANALYSIS OF THE PAYLOAD:


PRELIMINARY MALWARE ANALYSIS

File name:  2016-02-12-Neutrino-EK-flash-exploit.swf
File size:  87.7 KB (89,833 bytes)
MD5 hash:  b61c58e7bb6f3e027184257d4c6e4782
SHA1 hash:  fdc73a42ac46973d04db93d9fdf3bd3096ed561c
SHA256 hash:  de2c4e5744b1d415c1f7e8efc3ed1965ddc8e7cb2a9c89bfb50c3f289151a596
Detection ratio:  3 / 53
First submission:  2016-02-12 19:03:51 UTC
VirusTotal link:  https://www.virustotal.com/en/file/de2c4e5744b1d415c1f7e8efc3ed1965ddc8e7cb2a9c89bfb50c3f289151a596/analysis/


File name:  2016-02-12-Neutrino-EK-malware-payload.exe
File size:  114.5 KB (117,248 bytes)
MD5 hash:  fe929245ee022e3410b22456be10c4f1
SHA1 hash:  a80c0616adffcbc0064bf1ba8c3746ac5a7d3570
SHA256 hash:  42d15597c83ee42ec736b80cbb9c667d5538a4b14faa1bff2e4db981ab980097
Detection ratio:  40 / 54
First submission:  2016-02-05 15:13:21 UTC
VirusTotal link:  https://www.virustotal.com/en/file/42d15597c83ee42ec736b80cbb9c667d5538a4b14faa1bff2e4db981ab980097/analysis/
Malwr link:  https://malwr.com/analysis/MDQ3NTdhNDkwMjZjNGYxOTllNGI3ZDBlZjg2ZDVhNjA/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/42d15597c83ee42ec736b80cbb9c667d5538a4b14faa1bff2e4db981ab980097?environmentId=4
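The two records above are the indicators a defender would load into a file-matching check. The script below is an added example, not code from this site or from any of the linked sandboxes: it parses records written in the page's own "Label:  value" layout (the hashes and sizes are copied from the page), compares a file's exact byte count before spending time on hashing, requires MD5, SHA1 and SHA256 to all agree before reporting a match, and flags a record whose "KB" label disagrees with its byte count (a common transcription error in shared IoC lists). The sample bytes at the bottom are constructed placeholders, not the real payload, so they are expected not to match.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Indicator records copied verbatim from this page's PRELIMINARY MALWARE ANALYSIS section.
PAGE_INDICATORS = """\
File name:  2016-02-12-Neutrino-EK-flash-exploit.swf
File size:  87.7 KB (89,833 bytes)
MD5 hash:  b61c58e7bb6f3e027184257d4c6e4782
SHA1 hash:  fdc73a42ac46973d04db93d9fdf3bd3096ed561c
SHA256 hash:  de2c4e5744b1d415c1f7e8efc3ed1965ddc8e7cb2a9c89bfb50c3f289151a596

File name:  2016-02-12-Neutrino-EK-malware-payload.exe
File size:  114.5 KB (117,248 bytes)
MD5 hash:  fe929245ee022e3410b22456be10c4f1
SHA1 hash:  a80c0616adffcbc0064bf1ba8c3746ac5a7d3570
SHA256 hash:  42d15597c83ee42ec736b80cbb9c667d5538a4b14faa1bff2e4db981ab980097
"""


@dataclass(frozen=True)
class Indicator:
    name: str
    size_label: str  # the human-readable part, e.g. "87.7 KB"
    size: int        # exact byte count taken from the "(N bytes)" part
    md5: str
    sha1: str
    sha256: str


_FIELD = re.compile(r"^(File name|File size|MD5 hash|SHA1 hash|SHA256 hash):\s+(.+?)\s*$")
_BYTES = re.compile(r"\(([\d,]+) bytes\)")


def _to_indicator(fields: dict) -> Indicator:
    size_text = fields["File size"]
    m = _BYTES.search(size_text)
    if m is None:
        raise ValueError(f"no exact byte count in {size_text!r}")
    return Indicator(
        name=fields["File name"],
        size_label=size_text.split(" (")[0],
        size=int(m.group(1).replace(",", "")),
        md5=fields["MD5 hash"].lower(),      # normalise case before comparing
        sha1=fields["SHA1 hash"].lower(),
        sha256=fields["SHA256 hash"].lower(),
    )


def parse_indicators(text: str) -> list:
    """Parse blank-line-separated records in the page's 'Label:  value' format."""
    records, current = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(_to_indicator(current))
                current = {}
            continue
        m = _FIELD.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return records


def kb_label(size: int) -> str:
    """Render a byte count the way the page does: one decimal, 1 KB = 1024 bytes."""
    return f"{size / 1024:.1f} KB"


def label_consistent(ind: Indicator) -> bool:
    """True when the KB label and the exact byte count agree (catches copy errors)."""
    return kb_label(ind.size) == ind.size_label


def hash_bytes(data: bytes) -> dict:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def indicator_from_bytes(name: str, data: bytes) -> Indicator:
    """Build an indicator record for a file you hold locally (used here for testing)."""
    h = hash_bytes(data)
    return Indicator(name, kb_label(len(data)), len(data), h["md5"], h["sha1"], h["sha256"])


def match_sample(data: bytes, indicators: list) -> Optional[Indicator]:
    """Cheap size pre-filter first; hash only size-matching candidates; all three digests must agree."""
    candidates = [i for i in indicators if i.size == len(data)]
    if not candidates:
        return None
    h = hash_bytes(data)
    for ind in candidates:
        if (ind.md5, ind.sha1, ind.sha256) == (h["md5"], h["sha1"], h["sha256"]):
            return ind
    return None


if __name__ == "__main__":
    iocs = parse_indicators(PAGE_INDICATORS)
    for ind in iocs:
        print(f"{ind.name}: {ind.size} bytes, label consistent: {label_consistent(ind)}")
    sample = b"constructed placeholder bytes, not the real payload"  # constructed, will not match
    hit = match_sample(sample, iocs)
    print(hit.name if hit else "no indicator match")
```

To check real files, read them in binary mode and pass the bytes to match_sample; the size pre-filter means a directory sweep only hashes files whose length equals one of the listed indicators.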


Shown above:  HTTP traffic generated by the payload.


Shown above:  UDP traffic generated by the payload.


Shown above:  Some of the DNS queries generated by the payload.


SCREENSHOTS


Shown above:  Injected script in page from compromised website.



Shown above:  Redirect/gate URL returned iframe pointing to Neutrino EK landing page.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
