2016-06-28 - EK DATA DUMP (NEUTRINO EK, RIG EK)

ASSOCIATED FILES:

  • 2016-06-28-Neutrino-EK-after-mu-media.co.uk.pcap   (5,521,238 bytes)
  • 2016-06-28-Neutrino-EK-after-tonyattwood.com.au.pcap   (413,103 bytes)
  • 2016-06-28-Rig-EK-after-monavocatparis.fr.pcap   (200,657 bytes)
  • 2016-06-28-pseudoDarkleech-Neutrino-EK-after-airbornehydrography.com.pcap   (1,133,721 bytes)
  • 2016-06-28-pseudoDarkleech-Neutrino-EK-after-gennaroespositomilano.it.pcap   (1,385,884 bytes)
  • ZIP archive of the malware/artifacts:  2016-06-28-EK-data-dump-malware-and-artifacts.zip   1.0 MB (1,045,408 bytes)
    • 2016-06-28-Neutrino-EK-flash-exploit-after-mu-media.co.uk.swf   (87,014 bytes)
    • 2016-06-28-Neutrino-EK-flash-exploit-after-tonwyattwood.com.au.swf   (90,037 bytes)
    • 2016-06-28-Neutrino-EK-landing-page-after-mu-media.co.uk.txt   (1,156 bytes)
    • 2016-06-28-Neutrino-EK-landing-page-after-tonwyattwood.com.au.txt   (1,003 bytes)
    • 2016-06-28-Neutrino-EK-payload-gootkit-after-mu-media.co.uk.exe   (238,592 bytes)
    • 2016-06-28-Neutrino-EK-payload-gootkit-after-tonwyattwood.com.au.exe   (238,592 bytes)
    • 2016-06-28-Rig-EK-flash-exploit-after-monavocatparis.fr.swf   (24,413 bytes)
    • 2016-06-28-Rig-EK-landing-page-after-monavocatparis.fr.txt   (5,304 bytes)
    • 2016-06-28-Rig-EK-payload-after-monavocatparis.fr.exe   (151,552 bytes)
    • 2016-06-28-page-from-airbornehydrography.com-with-injected-pseudoDarkleech-script.txt   (15,473 bytes)
    • 2016-06-28-page-from-gennaroespositomilano.it-with-injected-pseudoDarkleech-script.txt   (32,141 bytes)
    • 2016-06-28-page-from-monavocatparis.fr-with-injected-script-pointing-to-gate.txt   (12,860 bytes)
    • 2016-06-28-pseudoDarkleech-CryptXXX-decrypt-instructions.bmp   (3,686,454 bytes)
    • 2016-06-28-pseudoDarkleech-CryptXXX-decrypt-instructions.html   (36,201 bytes)
    • 2016-06-28-pseudoDarkleech-CryptXXX-decrypt-instructions.txt   (1,755 bytes)
    • 2016-06-28-pseudoDarkleech-Neutrino-EK-flash-exploit-after-airbornehydrography.com.swf   (86,380 bytes)
    • 2016-06-28-pseudoDarkleech-Neutrino-EK-flash-exploit-after-gennaroespositomilano.it.swf   (89,145 bytes)
    • 2016-06-28-pseudoDarkleech-Neutrino-EK-landing-page-after-airbornehydrography.com.txt   (1,153 bytes)
    • 2016-06-28-pseudoDarkleech-Neutrino-EK-landing-page-after-gennaroespositomilano.it.txt   (1,012 bytes)
    • 2016-06-28-pseudoDarkleech-Neutrino-EK-payload-CryptXXX.dll   (500,224 bytes)


    TRAFFIC

    ASSOCIATED DOMAINS:


    IMAGES


    Shown above:  Traffic from the first pcap filtered in Wireshark.
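The Wireshark view is the kind of listing an `http.request` display filter gives: one row per HTTP request, from which the redirect chain (compromised site, landing page, Flash exploit, payload) can be read off the Host and Referer headers. As an added example, not part of the original post or its files, the Python below pulls the same request list out of a classic libpcap file using only the standard library. The capture it parses is constructed in memory; the hosts compromised.example and ek.example and the RFC 5737 addresses are placeholders, not indicators from this dump.

```python
"""Added example: list the HTTP requests in a libpcap file with only the
Python standard library (roughly what an `http.request` display filter in
Wireshark shows).  The capture below is CONSTRUCTED in memory; its hosts and
addresses are hypothetical and are not indicators from the data dump."""
import struct
from typing import Iterator, List, NamedTuple

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")


class HttpRequest(NamedTuple):
    src: str
    dst: str
    method: str
    host: str
    uri: str
    referer: str


def iter_frames(pcap: bytes) -> Iterator[bytes]:
    """Yield raw Ethernet frames from a classic libpcap file (not pcapng)."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"            # little-endian file
    elif magic == 0xD4C3B2A1:
        end = ">"            # big-endian file
    else:
        raise ValueError("not a libpcap capture")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet link type handled")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def http_requests(pcap: bytes) -> List[HttpRequest]:
    """One record per TCP segment whose payload starts an HTTP request."""
    found = []
    for frame in iter_frames(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                         # not IPv4
        ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:
            continue                         # not TCP (e.g. DNS over UDP)
        tcp = ip[ihl:]
        payload = tcp[(tcp[12] >> 4) * 4:]
        if not payload.startswith(HTTP_METHODS):
            continue                         # responses, TLS, mid-stream data
        head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
        method, uri = head[0].split(" ")[:2]
        hdrs = {k.strip().lower(): v.strip()
                for k, v in (h.split(":", 1) for h in head[1:] if ":" in h)}
        found.append(HttpRequest(
            ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
            method, hdrs.get("host", ""), uri, hdrs.get("referer", "")))
    return found


# --- constructed sample capture (hypothetical hosts and addresses) ---------
def _ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def _ipv4(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64,
                      proto, 0, _ip4(src), _ip4(dst))   # checksum left as 0
    return b"\x00" * 6 + b"\x02" * 6 + b"\x08\x00" + hdr + l4


def _tcp(sport: int, dport: int, payload: bytes) -> bytes:
    # data offset 5 words, flags PSH|ACK; checksum not computed
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18,
                       65535, 0, 0) + payload


def _udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_pcap(frames: List[bytes]) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1467072000 + i, 0, len(f), len(f)) + f
    return out


CLIENT, SITE, EK = "10.0.0.5", "203.0.113.10", "192.0.2.30"
SAMPLE_PCAP = build_pcap([
    _ipv4(CLIENT, "10.0.0.1", 17, _udp(53000, 53, b"\x00" * 12)),    # DNS, skipped
    _ipv4(CLIENT, SITE, 6, _tcp(49152, 80,
          b"GET / HTTP/1.1\r\nHost: compromised.example\r\n\r\n")),
    _ipv4(SITE, CLIENT, 6, _tcp(80, 49152,
          b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")),        # response, skipped
    _ipv4(CLIENT, EK, 6, _tcp(49153, 80,
          b"GET /landing HTTP/1.1\r\nHost: ek.example\r\n"
          b"Referer: http://compromised.example/\r\n\r\n")),
    _ipv4(CLIENT, EK, 6, _tcp(49154, 80,
          b"GET /exploit.swf HTTP/1.1\r\nHost: ek.example\r\n"
          b"Referer: http://ek.example/landing\r\n\r\n")),
])

if __name__ == "__main__":
    for r in http_requests(SAMPLE_PCAP):
        print(f"{r.src} -> {r.dst}  {r.method} {r.host}{r.uri}  "
              f"referer={r.referer!r}")
```

To run it against one of the pcaps from the dump, replace SAMPLE_PCAP with the file contents (`open(path, "rb").read()`); the parser only handles classic libpcap with Ethernet framing, so a pcapng or a capture with VLAN tags needs a converter first (for example `editcap -F pcap`). It also only sees a request whose start falls at the beginning of a TCP segment, which is the common case for EK traffic but not a substitute for full stream reassembly.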



    Shown above:  Alerts in Sguil after using tcpreplay on the first pcap in Security Onion with Suricata and the EmergingThreats Pro ruleset.



    Shown above:  Traffic from the second pcap filtered in Wireshark.



    Shown above:  Alerts in Sguil after using tcpreplay on the second pcap in Security Onion with Suricata and the EmergingThreats Pro ruleset.



    Shown above:  Traffic from the third pcap filtered in Wireshark.



    Shown above:  Alerts in Sguil after using tcpreplay on the third pcap in Security Onion with Suricata and the EmergingThreats Pro ruleset.



    Shown above:  Traffic from the fourth pcap filtered in Wireshark.



    Shown above:  Alerts in Sguil after using tcpreplay on the fourth pcap in Security Onion with Suricata and the EmergingThreats Pro ruleset.



    Shown above:  Traffic from the fifth pcap filtered in Wireshark.



    Shown above:  Alerts in Sguil after using tcpreplay on the fifth pcap in Security Onion with Suricata and the EmergingThreats Pro ruleset.


    FINAL NOTES

    Once again, here are the associated files:

    The ZIP file is password-protected with the standard password.  If you don't know it, look at the "about" page of this website.