2013-06-18 - NEUTRINO EK FROM 199.195.249.188 - 1208B83B81C141ECD6F05E24.WEBHOP.ORG:8000

PCAP AND MALWARE:

• ZIP file of the PCAP:  2013-06-18-Neutrino-EK-traffic.pcap.zip
• ZIP file of the malware:  2013-06-18-Neutrino-EK-malware.zip

 

NOTES:

• This was my first blog entry, back when I began documenting exploit kit (EK) traffic, and I didn't realize this was Neutrino EK.
• The malware payload was obfusated, XOR-ed with the ASCII string: nylhvw (something I hadn't figured out yet).
• This PCAP is dated 2013-06-19 in UTC, which was 2013-06-18 Central time in the US (which is why this blog entry is dated 2013-06-18).
• On 2014-09-20, I updated this blog entry with more information, and changed the format to how I now report on EK traffic.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• [information redacted] - Compromised website
• 173.247.253.210:80 - www.insightcrime.org - malicious javascript pointing to Neutrino gate
• 93.171.172.220 - 93.171.172.220 - Neutrino gate
• 199.195.249.188 - 1208b83b81c141ecd6f05e24.webhop.org:8000 - Neutrino EK

 

INFECTION TRAFFIC:

• 00:25:23 UTC - www.insightcrime.org - GET /media/system/js/jquery-1.6.5.min.js
• 00:25:23 UTC - 93.171.172.220 - GET /?1
• 00:25:24 UTC - 93.171.172.220 - GET /?2
• 00:25:24 UTC - 1208b83b81c141ecd6f05e24.webhop.org:8000 - GET /aotyprvqvj?hash=6a4c601e0802b403736ff29f3ceaa7c0&qspot=4012736
• 00:25:25 UTC - 1208b83b81c141ecd6f05e24.webhop.org:8000 - GET /zbtsnshkxph.js
• 00:25:25 UTC - 1208b83b81c141ecd6f05e24.webhop.org:8000 - GET /lllpy.css
• 00:25:25 UTC - 1208b83b81c141ecd6f05e24.webhop.org:8000 - GET /gzfkzixuudb.js
• 00:25:25 UTC - 1208b83b81c141ecd6f05e24.webhop.org:8000 - GET /vctvkgszlijgkz.css
• 00:25:25 UTC - 1208b83b81c141ecd6f05e24.webhop.org:8000 - GET /mfgvlykftmyoxe.js
• 00:25:25 UTC - 1208b83b81c141ecd6f05e24.webhop.org:8000 - GET /aimwofqjubqlvuzy.css
• 00:25:25 UTC - 1208b83b81c141ecd6f05e24.webhop.org:8000 - GET /gmjgrxnqdx.js
• 00:25:25 UTC - 1208b83b81c141ecd6f05e24.webhop.org:8000 - GET /mvkhymxmmyg.js
• 00:25:25 UTC - 1208b83b81c141ecd6f05e24.webhop.org:8000 - GET /scripts/js/plg.js
• 00:25:25 UTC - 1208b83b81c141ecd6f05e24.webhop.org:8000 - GET /ynxvcejiqt.js
• 00:25:25 UTC - 1208b83b81c141ecd6f05e24.webhop.org:8000 - GET /ircyuaohvzo.js
• 00:25:25 UTC - 1208b83b81c141ecd6f05e24.webhop.org:8000 - GET /pznggodm.css
• 00:25:25 UTC - 1208b83b81c141ecd6f05e24.webhop.org:8000 - GET /urdacn.js
• 00:25:25 UTC - 1208b83b81c141ecd6f05e24.webhop.org:8000 - GET /wqqfwaf.js
• 00:25:25 UTC - 1208b83b81c141ecd6f05e24.webhop.org:8000 - GET /jvjskjfrp.css
• 00:25:26 UTC - 1208b83b81c141ecd6f05e24.webhop.org:8000 - GET /mgylmdxkq.png
• 00:25:26 UTC - 1208b83b81c141ecd6f05e24.webhop.org:8000 - GET /szqbqjq.png
• 00:25:26 UTC - 1208b83b81c141ecd6f05e24.webhop.org:8000 - GET /txvu.jpg
• 00:25:26 UTC - 1208b83b81c141ecd6f05e24.webhop.org:8000 - GET /plrjx.gif
• 00:25:26 UTC - 1208b83b81c141ecd6f05e24.webhop.org:8000 - GET /obzmmphsihjjxs.gif
• 00:25:26 UTC - 1208b83b81c141ecd6f05e24.webhop.org:8000 - GET /tutoogrerinpmdl.gif
• 00:25:26 UTC - 1208b83b81c141ecd6f05e24.webhop.org:8000 - GET /koqavj.gif
• 00:25:26 UTC - 1208b83b81c141ecd6f05e24.webhop.org:8000 - POST /boezkexoxrlbjwxii
• 00:25:30 UTC - 1208b83b81c141ecd6f05e24.webhop.org:8000 - GET /cbsthcfq?mimsrws=nshbdaiqnay
• 00:25:30 UTC - 1208b83b81c141ecd6f05e24.webhop.org:8000 - GET /drddbg?mebhqtwycgg=nshbdaiqnay

 

PRELIMINARY MALWARE ANALYSIS:

JAVA EXPLOIT:

File name:  2013-06-18-Neutrino-EK-java-exploit.jar
File size:  21.9 KB ( 22452 bytes )
MD5 hash:  19d60c47854e35aa5aae8a5fe77ba11a
Detection ratio:  15 / 54
First submission:  2013-06-18 19:14:20 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4cda1350264757b684e73f00f0a616384e83a675deb9bbc3d9f41325e3a5b5a1/analysis/

 

MALWARE PAYLOAD:

File name:  2013-06-18-Neutrino-EK-malware-payload.exe
File size:  91.5 KB ( 93696 bytes )
MD5 hash:  2dc3fbd737281eb93f1df205d12a69e0
Detection ratio:  39 / 52
First submission:  2013-06-18 22:39:00 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a8dafaa2bd5a43fb44b5c626f72bbc969cc6e4a28cbf0d1a0417173b06e83dab/analysis/

 

SNORT EVENTS

Screenshot of Emerging Threats signature hits from Sguil on Security Onion (without ET POLICY or ET INFO events):

 

FINAL NOTES

Once again, here's the PCAP of the traffic and ZIP file of the malware:

• ZIP file of the PCAP:  2013-06-18-Neutrino-EK-traffic.pcap.zip
• ZIP file of the malware:  2013-06-18-Neutrino-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.