2016-07-20 - EITEST NEUTRINO EK FROM 131.72.139.201

ASSOCIATED FILES:

  • 2016-07-20-EITest-Neutrino-EK-after-classical959.com.pcap   (589,327 bytes)
  • 2016-07-20-EITest-Neutrino-EK-flash-exploit-after-classical959.com.swf   (87,945 bytes)
  • 2016-07-20-EITest-Neutrino-EK-landing-page-after-classical959.com.txt   (3,813 bytes)
  • 2016-07-20-EITest-Neutrino-EK-payload-after-classical959.com.exe   (447,488 bytes)
  • 2016-07-20-EITest-flash-redirect-from-rsupcdn.xyz.swf   (4,446 bytes)
  • 2016-07-20-page-from-classical959.com-with-injected-EITest-script.txt   (46,756 bytes)

NOTES:

Shown above:  Flowchart for this infection traffic.

TRAFFIC

Shown above:  Injected script in page from compromised website.

Shown above:  Traffic from the pcap filtered in Wireshark.

ASSOCIATED DOMAINS:

FILE HASHES

FLASH FILES:

PAYLOAD:

IMAGES

Shown above:  Certificate in the SSL post-infection traffic to abolidissolvehastaxes.ru.

Shown above:  I used Security Onion with the ETPRO ruleset to get an idea of what this malware payload was.

Shown above:  I also tried to read the pcap in Snort using the Snort subscriber ruleset.

Shown above:  The malware payload moved itself and was made persistent through a registry update.

The user's AppData\Local\Temp folder had files with a .bin file extension; however, these were actually .zip archives containing text files.  The text files had system application info and commands that were typed on the infected host.  This malware payload was probably trying to get passwords and account information.

Shown above:  Some of the files created by the malware.

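As an added example (not part of the original write-up, and not derived from its pcap or samples), a small Python triage helper that automates the check described above: it walks a folder, flags any .bin file whose first bytes are the ZIP local-file-header signature rather than trusting the extension, and lists the text members inside each disguised archive. The folder, file names and file contents are constructed here for demonstration.

```python
import tempfile
import zipfile
from pathlib import Path

# ZIP local file header signature. A file starting with these bytes is a ZIP
# archive regardless of what its extension claims.
ZIP_MAGIC = b"PK\x03\x04"


def is_zip_masquerading(path: Path, claimed_suffix: str = ".bin") -> bool:
    """True if the file carries the claimed extension but is really a ZIP archive."""
    if path.suffix.lower() != claimed_suffix:
        return False
    with path.open("rb") as fh:
        return fh.read(len(ZIP_MAGIC)) == ZIP_MAGIC


def archive_members(path: Path) -> dict:
    """Map each file member of a ZIP to its text (undecodable bytes replaced)."""
    with zipfile.ZipFile(path) as zf:
        return {info.filename: zf.read(info).decode("utf-8", errors="replace")
                for info in zf.infolist() if not info.is_dir()}


def triage_temp_folder(folder: Path) -> dict:
    """Return {filename: {member: text}} for every .bin in folder that is really a ZIP."""
    return {p.name: archive_members(p)
            for p in sorted(folder.iterdir())
            if p.is_file() and is_zip_masquerading(p)}


def build_constructed_sample() -> Path:
    """Constructed stand-in for the Temp folder (not real malware output):
    one .bin that is a ZIP holding two text files, one .bin that is plain binary."""
    folder = Path(tempfile.mkdtemp(prefix="temp-triage-"))
    with zipfile.ZipFile(folder / "a1b2.bin", "w") as zf:
        zf.writestr("sysinfo.txt", "OS: Windows 7\nUser: victim\n")   # constructed
        zf.writestr("keys.txt", "typed: example text\n")             # constructed
    (folder / "c3d4.bin").write_bytes(b"\x00\x01\x02\x03" + b"\xff" * 32)  # genuinely binary
    return folder


if __name__ == "__main__":
    sample = build_constructed_sample()
    for name, members in triage_temp_folder(sample).items():
        print(f"{name}: ZIP disguised as .bin, members={sorted(members)}")
```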
FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
