Malware-Traffic-Analysis.net - A malware traffic analysis blog 2014-01-02

2014-01-02 - TWO EXAMPLES: FIESTA EK AND NEUTRINO EK

ASSOCIATED FILES:

ZIP of the Fiesta EK PCAP: 2014-01-02-Fiesta-EK-traffic.pcap.zip
ZIP file of the Fiesta EK malware: 2014-01-02-malware-from-fiesta-EK.zip

ZIP of the Neutrino EK PCAP: 2014-01-02-Neutrino-EK-traffic.pcap.zip
ZIP file of the Neutrino EK malware: 2014-01-02-malware-from-neutrino-EK.zip

NOTES:

This is a quick post for PCAPs and malware on two different infections...

EXAMPLE 1 - FIESTA EK TRAFFIC

ASSOCIATED DOMAINS:

108.168.211.92 - www.stevesnovasite.com - Compromised web site
190.123.47.198 - lokishards.com - Redirect domain
64.202.116.125 - yredinblu.in.ua - Fiesta EK domain

HTTP REQUESTS:

2014-01-02 21:00:33 CST - www.stevesnovasite.com - GET /forums/showthread.php?t=54003&page=10
2014-01-02 21:00:34 CST - lokishards.com - GET /ehwqovz.js?89c2887e3cc99e5e
2014-01-02 21:00:35 CST - yredinblu.in.ua - GET /r1tmip5/?2
2014-01-02 21:00:42 CST - yredinblu.in.ua - GET /r1tmip5/?0e29b3101e759abf59005e0250080802065c05025651010b0557510f500b0105
2014-01-02 21:00:45 CST - yredinblu.in.ua - GET /r1tmip5/?7f7282ba8d9d95d1521e52090a095b53015f00090c50525a025454040a0a5205;1;5
2014-01-02 21:00:45 CST - yredinblu.in.ua - GET /r1tmip5/?7f7282ba8d9d95d1521e52090a095b53015f00090c50525a025454040a0a5205;1;5;1
2014-01-02 21:00:49 CST - yredinblu.in.ua - GET /r1tmip5/?2efd84db3037498c580b0a5f0a0f5d50045c515f0c565459075705520a0c5457
2014-01-02 21:00:50 CST - yredinblu.in.ua - GET /r1tmip5/?23b8e91ee6c925775d5c000357020857040a5503515b015e0701010e57010051
2014-01-02 21:00:51 CST - yredinblu.in.ua - GET /r1tmip5/?062d834621cca6e3534e575f0a080d04060f055f0c51040d050451520a0b0403;1;4
2014-01-02 21:00:52 CST - yredinblu.in.ua - GET /r1tmip5/?062d834621cca6e3534e575f0a080d04060f055f0c51040d050451520a0b0403;1;4;1

ARTIFACTS FROM THE PCAP:

MALWARE:

Java exploit - 5ad942fcfdd2e47781ff374d77ed51ba
EXE payload - 624db39ef9470871aa880d3f3b03b52d

EXAMPLE 2 - NEUTRINO EK TRAFFIC

ASSOCIATED DOMAINS:

67.225.214.94 - help.wugnet.com - Compromised web site
151.248.0.195 - mychicagohardwoodflooring.com - Redirect domain
212.83.191.176 - yaingeiy.aktinate.com - Nuetrino EK domain over port 8000

HTTP REQUESTS:

2014-01-02 16:55:49 CST - help.wugnet.com - GET /office/delete-email-address-history-Outlook-ftopict977859.html
2014-01-02 16:55:49 CST - 686dkfe4k74v8nu1adebdm7.mychicagohardwoodflooring.com - GET /index.php?f=b3hjd2NoPXhoYmomdGltZT0xNDAxMDIyMDQzMTQ1OTkxNzgy
MSZzcM9MzYwJnN1cmw9aGVscC53dWduZXQuY29tJnNwb3J0PTgwJmtleT00Qzc4Q0JCNiZzdXJpPS9vZmZpY2UvZGVsZXRlLWVtYWlsLWFkZHJlc3MtaGlzdG9yeS1PdXRsb29
rLWZ0b3BpY3Q5Nzc4NTkuaHRtbA==
2014-01-02 16:55:51 CST - 686dkfe4k74v8nu1adebdm753605381e72f85acfc63dadc05f1098ee.mychicagohardwoodflooring.com GET /index2.php
2014-01-02 16:55:52 CST - yaingeiy.aktinate.com:8000 - GET /epuyq?tkimmjxilk=3410575
2014-01-02 16:55:53 CST - yaingeiy.aktinate.com:8000 - GET /iixdorl
2014-01-02 16:55:54 CST - yaingeiy.aktinate.com:8000 - GET /awc4kqo779pmy67a?wkfe4e2d=lv435&g7y1yz2b=r99&3qre8=jyxadlij&q3vsej9=fqa&84yc9=5vt&d3ddq=mddx6&oh7a=uea
2014-01-02 16:55:54 CST - yaingeiy.aktinate.com:8000 - GET /a0nkzfy?h3icayg=a80cbs3&1qep34=tahzt7wn&8sbyrb=2d6cm7z&yg8fnqmnwo=aapa&oq2rr1a2=j22g
2014-01-02 16:55:54 CST - yaingeiy.aktinate.com:8000 - GET /au2prjn9do?bmbfxpdtn7=o4wn4a9&wb9=v6xz&pdvv=lu8x63t
2014-01-02 16:55:54 CST - yaingeiy.aktinate.com:8000 - POST /a5pbh7fqw0t
2014-01-02 16:55:54 CST - yaingeiy.aktinate.com:8000 - POST /aox571g15dvr4001
2014-01-02 16:56:00 CST - yaingeiy.aktinate.com:8000 - GET /al7w6yydrqhw7cn7?391=fjw1f&q7lo=za7&e3vq87ig=spb&ur62=zudn5yjjo5&i6m=5mq&nf7=lolg5z743s&04b=stvkn&qasrc=2mz
2014-01-02 16:56:00 CST - yaingeiy.aktinate.com:8000 - GET /anffplgj1mkmk?3300=e2nyjd&3lx6mory3d=12u98px39k&xjm3p=i5wkbe&8paido99=ai0qx
2014-01-02 16:56:00 CST - yaingeiy.aktinate.com:8000 - GET /avykvz483vt?3yp1=4feowf9&q6iq=mnjs290bbh&6sr=dri7c1bppy&7w0lp0iqh3=p7zza
2014-01-02 16:56:00 CST - yaingeiy.aktinate.com:8000 - GET /ai1sh7uysd102?1a61=4b5z&7iyo7kmc=s4wsqyly&q6s=obbfw7im3&u9v6=lmc&r6bgjhewt=3whe1b&e87h=enrv9&dkyzrfy=irstoo
2014-01-02 16:56:00 CST - yaingeiy.aktinate.com:8000 - POST /kvvzfuigyz
2014-01-02 16:56:00 CST - yaingeiy.aktinate.com:8000 - GET /a2el04rtsc7abg5?qteaei=9p5iw2&6pon=p7x&7en=v4kfs&wgn1=juv&3cmw=i7mvx
2014-01-02 16:56:04 CST - yaingeiy.aktinate.com:8000 - GET /fuuinwhzeew?zyxjzmwdfsu=jnorme
2014-01-02 16:56:05 CST - yaingeiy.aktinate.com:8000 - GET /META-INF/services/javax.xml.datatype.DatatypeFactory
2014-01-02 16:56:05 CST - yaingeiy.aktinate.com:8000 - GET /hlwivhlwnb?zhkeerdiwz=jnorme

ARTIFACTS FROM EXPLOIT DOMAIN IN THE PCAP:

MALWARE:

Java exploit - 61888d05a5939f0ece034df87f64f1f7
EXE payload - f64ac300cab2bfe2f3a3f34c09ff1cbd

FINAL NOTES

Once again, here are the associated files:

ZIP of the Fiesta EK PCAP: 2014-01-02-Fiesta-EK-traffic.pcap.zip
ZIP file of the Fiesta EK malware: 2014-01-02-malware-from-fiesta-EK.zip

ZIP of the Neutrino EK PCAP: 2014-01-02-Neutrino-EK-traffic.pcap.zip
ZIP file of the Neutrino EK malware: 2014-01-02-malware-from-neutrino-EK.zip

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.