Malware-Traffic-Analysis.net - A malware traffic analysis blog 2014-01-07

2014-01-07 - NEUTRINO EK TRAFFIC

ASSOCIATED FILES:

ZIP of the PCAP: 2014-01-07-Neutrino-EK-traffic.pcap.zip
ZIP file of the malware: 2014-01-07-Neutrino-EK-malware.zip

NOTES:

A quick post on traffic for another VM infected by the Neturino EK...

INFECTION CHAIN OF EVENTS

ASSOCIATED DOMAINS:

67.227.151.164 - help.lockergnome.com - infected website
46.20.227.195 - shiningstarscleaningservice.com - redirect domain
212.83.188.39 - quohyiin.dikarlos.com - Neutrino EK domain

INFECTION CHAIN:

18:36:04 - 67.227.151.164 - help.lockergnome.com - GET /office/Highlight-part-picture-Word--ftopict688815.html
18:36:05 - 46.20.227.195 - hsiammyy7hdin7jqu6hfnjt.shiningstarscleaningservice.com - GET /index.php?v=emdsenpxPXNvaiZ0aW1lPTE0MDEwNzIzMjMtNzM3MzE0NjMzJnNy
Yz0zMzYmc3VybD1oZWxwLmxvY2tlcmdub21lLmNvbSZzcG9ydD04MCZrZXk9NERGQkI5QzUmc3VyaT0vb2ZmaWNlL0hpZ2hsaWdodC1wYXJ0LXBpY3R1cmUtV29yZC0tZnR
vcGljdDY4ODgxNS5odG1s
18:36:06 - 46.20.227.195 - hsiammyy7hdin7jqu6hfnjt53365382c8e420ee542452677cded84d6.shiningstarscleaningservice.com - GET /index2.php
18:36:07 - 212.83.188.39 - quohyiin.dikarlos.com:8000 - GET /ndffrps?klqcxbsn=3410575
18:36:08 - 212.83.188.39 - quohyiin.dikarlos.com:8000 - GET /zgaqwbhsxee
18:36:09 - 212.83.188.39 - quohyiin.dikarlos.com:8000 - GET /eofsrr3capt52?ff898ia802=2rucy4b&qwa9um3od6=eirykdac9&vrme4kcw0d=m19lb7gc&xr8u4=eoj
18:36:09 - 212.83.188.39 - quohyiin.dikarlos.com:8000 - POST /ewk2n8g8e
18:36:09 - 212.83.188.39 - quohyiin.dikarlos.com:8000 - POST /ea9ssaa
18:36:09 - 212.83.188.39 - quohyiin.dikarlos.com:8000 - POST /e7xwm5qzry
18:36:09 - 212.83.188.39 - quohyiin.dikarlos.com:8000 - POST /etsvgkdg
18:36:09 - 212.83.188.39 - quohyiin.dikarlos.com:8000 - POST /etys8e5z939x
18:36:13 - 212.83.188.39 - quohyiin.dikarlos.com:8000 - POST /auktbdxqjp
18:36:13 - 212.83.188.39 - quohyiin.dikarlos.com:8000 - POST /eip9llenxe
18:36:13 - 212.83.188.39 - quohyiin.dikarlos.com:8000 - POST /euh8dsuwo
18:36:13 - 212.83.188.39 - quohyiin.dikarlos.com:8000 - POST /ebje5zwj
18:36:13 - 212.83.188.39 - quohyiin.dikarlos.com:8000 - POST /eud8yowa
18:36:22 - 212.83.188.39 - quohyiin.dikarlos.com:8000 - GET /taazuixa?fqdpqfvc=sklgnwdlhe
18:36:22 - 212.83.188.39 - quohyiin.dikarlos.com:8000 - GET /META-INF/services/javax.xml.datatype.DatatypeFactory
18:36:23 - 212.83.188.39 - quohyiin.dikarlos.com:8000 - GET /swnyughkun?ffvgqegrebz=sklgnwdlhe

PRELIMINARY MALWARE ANALYSIS

Java exploit from 212.83.188.39 port 8000 (quohyiin.dikarlos.com):

https://www.virustotal.com/en/file/f3ccab0af7589ff0018eeb6b7d8d14f84ee8561ae148dc90e4cbf34d95eb53a3/analysis/1389505092/

File name: 2014-01-07-java-exploit-from-neutrino-domain.jar
File size: 19.5 KB ( 20008 bytes )
MD5 hash: 634bc1f2a8e620aafee15c30a1bdd31d
Detection ratio: 7 / 47
First submitted: 2014-01-04 23:05:25 GMT

EXE payload from 212.83.188.39 port 8000 (quohyiin.dikarlos.com):

https://www.virustotal.com/en/file/7630bc8964eb3dfe40f9402823f319eba57b4c8f29da1a30614aebe0dc399141/analysis/1389505110/

File name: 2014-01-07-EXE-payload-from-neutrino-domain.exe
File size: 230.3 KB ( 235820 bytes )
MD5 hash: 86f7ac3c1f9762ae8a4197f5d2d8a3e5
Detection ratio: 11 / 47
First submitted: 2014-01-08 15:09:49 GMT

FINAL NOTES

Once again, here are the associated files:

ZIP of the PCAP: 2014-01-07-Neutrino-EK-traffic.pcap.zip
ZIP file of the malware: 2014-01-07-Neutrino-EK-malware.zip

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.