2016-07-15 - NEUTRINO EK FROM 5.2.72.237 SENDS GOOTKIT

ASSOCIATED FILES:

  • 2016-07-15-other-Neutrino-EK-sends-Gootkit.pcap   (425,124 bytes)
  • 2016-07-15-Gootkit-task-for-persistence.txt   (3,342 bytes)
  • 2016-07-15-other-Neutrino-EK-flash-exploit.swf   (82,712 bytes)
  • 2016-07-15-other-Neutrino-EK-landing-page.txt   (2,387 bytes)
  • 2016-07-15-other-Neutrino-EK-payload-Gootkit.exe   (198,144 bytes)
  • csopapaxa.dll   (102,912 bytes)

NOTES:


Shown above:  Tweet from @malekal_morte on 2016-07-08.

 

TRAFFIC


Shown above:  Traffic from the first pcap filtered in Wireshark.

 

ASSOCIATED DOMAINS:

 

FILE HASHES

FLASH EXPLOIT:

PAYLOAD AND DROPPED MALWARE:

 

IMAGES


Shown above:  SSL traffic over port 80 with the "MyCompany Ltd" certificate.

 


Shown above:  Item from Task Scheduler that kept Gootkit persistent on the infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
