2014-02-22 - THREE INFECTION CHAINS FROM ONE COMPROMISED WEB SITE
ASSOCIATED FILES:
- ZIP of the PCAP: 2014-02-22-Neutrino-and-Nuclear-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-02-22-Neutrino-and-Nuclear-EK-malware.zip
NOTES:
CHAIN OF EVENTS
ASSOCIATED DOMAINS
- 192.232.219.88 - afghanchopankebab.ca - Compromised website
- 144.76.161.34 - ezdomainset.net - Redirect
- 64.120.137.58 - wu3.zuxixamydu.com - Another redirect
- 5.101.173.10 - ksrqm.fieldingclerk.in.net - First Nuclear EK
- 5.101.173.10 - stavl7.fieldingclerk.in.net - Second Nuclear EK
- 212.83.167.172 - eikohhou.tieshuwo.com - Neutrino EK domain over TCP port 8000
- 91.237.198.46 - step-count10.com - Post-infection Asprox-style callback (first domain)
- 109.163.239.243 - 212-lithium.com - Post-infection Asprox-style callback (second domain)
- 50.134.47.136, 81.30.185.151, and 178.169.110.6 - cioco-froll.com - Post-infection Asprox-style callback (third domain)
COMPROMISED WEBSITE AND REDIRECTS
- 03:53:03 - 192.168.204.172:50184 - 192.232.219.88:80 - afghanchopankebab.ca - GET /reviews/
- 03:53:06 - 192.168.204.172:50200 - 144.76.161.34:80 - ezdomainset.net - GET /zxzzzzzdddff/?id=mx
- 03:53:06 - 192.168.204.172:50201 - 144.76.161.34:80 - ezdomainset.net - GET /zxzzzzzdddff/?id=mx
- 03:53:07 - 192.168.204.172:50206 - 144.76.161.34:80 - ezdomainset.net - GET /zxzzzzzdddff/?id=mx
- 03:53:07 - 192.168.204.172:50206 - 144.76.161.34:80 - ezdomainset.net - GET /zxzzzzzdddff/?id=mx
- 03:53:07 - 192.168.204.172:50207 - 144.76.161.34:80 - ezdomainset.net - GET /zxzzzzzdddff/?id=mx
- 03:53:08 - 192.168.204.172:50201 - 144.76.161.34:80 - ezdomainset.net - GET /zxzzzzzdddff/?id=mx
- 03:53:08 - 192.168.204.172:50211 - 64.120.137.58:80 - wu3.zuxixamydu.com - GET /zyso.cgi?18
- 03:53:08 - 192.168.204.172:50212 - 64.120.137.58:80 - wu3.zuxixamydu.com - GET /zyso.cgi?18
- 03:53:08 - 192.168.204.172:50211 - 64.120.137.58:80 - wu3.zuxixamydu.com - GET /zyso.cgi?18
- 03:53:09 - 192.168.204.172:50206 - 144.76.161.34:80 - ezdomainset.net - GET /zxzzzzzdddff/?id=mx
- 03:53:10 - 192.168.204.172:50212 - 64.120.137.58:80 - wu3.zuxixamydu.com - GET /zyso.cgi?18
- 03:53:14 - 192.168.204.172:50207 - 144.76.161.34:80 - ezdomainset.net - GET /zxzzzzzdddff/?id=mx
- 03:53:14 - 192.168.204.172:50212 - 64.120.137.58:80 - wu3.zuxixamydu.com - GET /zyso.cgi?18
FIRST NUCLEAR EK CHAIN
- 03:53:08 - 192.168.204.172:50209 - 5.101.173.10:80 - ksrqm.fieldingclerk.in.net - GET /25f_54-3_1c-91Ub_81-fabc6-c370-16-c-f_24Vf_0-dcQ.html
- 03:53:08 - 192.168.204.172:50210 - 5.101.173.10:80 - ksrqm.fieldingclerk.in.net - GET /2_5f5_43-1-c-91b81fDaPb-c6c3_70F16Xcf_24-f_0dc.html
- 03:53:23 - 192.168.204.172:50209 - 5.101.173.10:80 - ksrqm.fieldingclerk.in.net - GET /2972269660/1393019820.htm
- 03:53:23 - 192.168.204.172:50210 - 5.101.173.10:80 - ksrqm.fieldingclerk.in.net - GET /2972269660/1393019820.htm
- 03:53:23 - 192.168.204.172:50223 - 5.101.173.10:80 - ksrqm.fieldingclerk.in.net - GET /2972269660/1393019820.jar
- 03:53:25 - 192.168.204.172:50209 - 5.101.173.10:80 - ksrqm.fieldingclerk.in.net - GET /f/1393019820/2972269660/5
- 03:53:37 - 192.168.204.172:50228 - 5.101.173.10:80 - ksrqm.fieldingclerk.in.net - GET /2972269660/1393019820.jar
SECOND NUCLEAR EK CHAIN
- 03:53:08 - 192.168.204.172:50213 - 5.101.173.10:80 - stavl7.fieldingclerk.in.net - GET /9b_32a-fZ6V2fccEf-8_6fb8d-b5848-a4-77-7_b_6d7/160/147152fff864481ada9e77a52be5735c.html
- 03:53:08 - 192.168.204.172:50214 - 5.101.173.10:80 - stavl7.fieldingclerk.in.net - GET /9b_32a-fZ6V2fccEf-8_6fb8d-b5848-a4-77-7_b_6d7/160/147152fff864481ada9e77a52be5735c.html
- 03:53:09 - 192.168.204.172:50214 - 5.101.173.10:80 - stavl7.fieldingclerk.in.net - GET /9b_32a-fZ6V2fccEf-8_6fb8d-b5848-a4-77-7_b_6d7/160/147152fff864481ada9e77a52be5735c.html
- 03:53:14 - 192.168.204.172:50213 - 5.101.173.10:80 - stavl7.fieldingclerk.in.net - GET /9b_32a-fZ6V2fccEf-8_6fb8d-b5848-a4-77-7_b_6d7/160/147152fff864481ada9e77a52be5735c.html
- 03:53:15 - 192.168.204.172:50214 - 5.101.173.10:80 - stavl7.fieldingclerk.in.net - GET /9b_32a-fZ6V2fccEf-8_6fb8d-b5848-a4-77-7_b_6d7/160/147152fff864481ada9e77a52be5735c.html
- 03:53:23 - 192.168.204.172:50213 - 5.101.173.10:80 - stavl7.fieldingclerk.in.net - GET /3893443734/1393019820.htm
- 03:53:23 - 192.168.204.172:50214 - 5.101.173.10:80 - stavl7.fieldingclerk.in.net - GET /3893443734/1393019820.htm
- 03:53:23 - 192.168.204.172:50224 - 5.101.173.10:80 - stavl7.fieldingclerk.in.net - GET /3893443734/1393019820.jar
- 03:53:23 - 192.168.204.172:50225 - 5.101.173.10:80 - stavl7.fieldingclerk.in.net - GET /3893443734/1393019820.jar
- 03:53:23 - 192.168.204.172:50226 - 5.101.173.10:80 - stavl7.fieldingclerk.in.net - GET /3893443734/1393019820.jar
- 03:53:23 - 192.168.204.172:50227 - 5.101.173.10:80 - stavl7.fieldingclerk.in.net - GET /3893443734/1393019820.jar
- 03:53:28 - 192.168.204.172:50214 - 5.101.173.10:80 - stavl7.fieldingclerk.in.net - GET /f/1393019820/3893443734/5
- 03:53:37 - 192.168.204.172:50213 - 5.101.173.10:80 - stavl7.fieldingclerk.in.net - GET /3893443734/1393019820.htm
- 03:53:37 - 192.168.204.172:50214 - 5.101.173.10:80 - stavl7.fieldingclerk.in.net - GET /3893443734/1393019820.htm
- 03:53:38 - 192.168.204.172:50234 - 5.101.173.10:80 - stavl7.fieldingclerk.in.net - GET /3893443734/1393019820.htm
- 03:53:43 - 192.168.204.172:50229 - 5.101.173.10:80 - stavl7.fieldingclerk.in.net - GET /3893443734/1393019820.jar
NEUTRINO EK CHAIN
- 03:53:08 - 192.168.204.172:50208 - 212.83.167.172:8000 - eikohhou.tieshuwo.com:8000 - GET /aoibpgjgef?decyk=5979669
- 03:53:08 - 192.168.204.172:50208 - 212.83.167.172:8000 - eikohhou.tieshuwo.com:8000 - GET /ujhfwddoxpkqeqdv.js
- 03:53:09 - 192.168.204.172:50208 - 212.83.167.172:8000 - eikohhou.tieshuwo.com:8000 - GET /tpgstzpdpbyx
- 03:53:14 - 192.168.204.172:50208 - 212.83.167.172:8000 - eikohhou.tieshuwo.com:8000 - POST /sszrvcaxmkjnt
- 03:53:14 - 192.168.204.172:50208 - 212.83.167.172:8000 - eikohhou.tieshuwo.com:8000 - GET /kcsna?fawgtuon=wcveusqyl
- 03:53:15 - 192.168.204.172:50218 - 212.83.167.172:8000 - eikohhou.tieshuwo.com:8000 - GET /entlc?fkdyemuvkkzr=wcveusqyl
POST-INFECTION ASPROX-STYLE CALLBACK CAUSED BY NEUTRINO EK INFECTION
- 03:53:17 - 192.168.204.172:50219 - 91.237.198.46:80 - step-count10.com - GET /b/shoe/54675
- 03:53:18 - 192.168.204.172:50220 - 91.237.198.46:80 - step-count10.com - GET /b/shoe/54675
- 03:53:18 - 192.168.204.172:50221 - 109.163.239.243:80 - 212-lithium.com - GET /libq39.45/jquery/
- 03:53:19 - 192.168.204.172:50222 - 109.163.239.243:80 - 212-lithium.com - GET /libq39.45/jquery/
- 03:53:35 - 192.168.204.172:50232 - 109.163.239.243:80 - 212-lithium.com - GET /libq39.45/jquery/
- 03:53:36 - 192.168.204.172:50233 - 109.163.239.243:80 - 212-lithium.com - GET /libq39.45/jquery/
- 03:53:53 - 192.168.204.172:50235 - 109.163.239.243:80 - 212-lithium.com - GET /libq39.45/jquery/
- 03:53:54 - 192.168.204.172:50236 - 109.163.239.243:80 - 212-lithium.com - GET /libq39.45/jquery/
- 03:54:10 - 192.168.204.172:50238 - 109.163.239.243:80 - 212-lithium.com - GET /libq39.45/jquery/
- 03:54:11 - 192.168.204.172:50239 - 109.163.239.243:80 - 212-lithium.com - GET /libq39.45/jquery/
- 03:55:27 - 192.168.204.172:50242 - 109.163.239.243:80 - 212-lithium.com - GET /libq39.45/ajax/
- 03:55:29 - 192.168.204.172:50243 - 81.30.185.151:80 - cioco-froll.com - GET /b/eve/bc1b3f8c404463efb1ebc5cd
- 03:56:30 - 192.168.204.172:50244 - 178.169.110.6:80 - cioco-froll.com - POST /b/opt/2ABD00835565E938A93AB55B
- 03:56:31 - 192.168.204.172:50245 - 178.169.110.6:80 - cioco-froll.com - GET /b/letr/A7431294A2A9442E5EF6184D
- 03:56:38 - 192.168.204.172:50246 - 178.169.110.6:80 - cioco-froll.com - POST /b/opt/A40A4995D11F60232D403C40
- 03:56:55 - 192.168.204.172:50247 - 178.169.110.6:80 - cioco-froll.com - POST /b/req/FE5C9FDF28EE2DA2D4B171C1
- 03:57:00 - 192.168.204.172:50248 - 50.134.47.136:80 - cioco-froll.com - GET /b/eve/4d860e35b1d95256c2144ac0
- 03:57:53 - 192.168.204.172:50250 - 178.169.110.6:80 - cioco-froll.com - POST /b/req/44B9702A8A86C8A476D994C7
- 03:58:14 - 192.168.204.172:50251 - 178.169.110.6:80 - cioco-froll.com - POST /b/req/5E2D45AA8809E9977456B5F4
- 03:58:38 - 192.168.204.172:50293 - 178.169.110.6:80 - cioco-froll.com - POST /b/opt/8F2B595D272205D2DB7D59B1
PRELIMINARY MALWARE ANALYSIS
JAVA EXPLOIT SEEN FROM NUCLEAR EK
File name: 2014-02-22-Java-exploit-from-Nuclear-EK.jar
File size: 14.5 KB ( 14803 bytes )
MD5 hash: d46f11e559a7a10f88f3ab2ab5d301a6
Detection ratio: 0 / 50
First submission: 2014-02-22 05:55:50 UTC
VirusTotal link: https://www.virustotal.com/en/file/6ff34f2816d72e538ef70ba7ec1fa59212d33c655894d57380e05f1508b6ce5d/analysis/
FIRST MALWARE PAYLOAD FROM NUCLEAR EK
File name: 2014-02-22-malware-payload-from-ksrqm.fieldingclerk.in.net.exe
File size: 40.0 KB ( 40960 bytes )
Detection ratio: 4 / 50
MD5 hash: eb8d0ec539c5901e3fdbc36e7acd3a03
First submission: 2014-02-22 06:41:57 UTC
VirusTotal link: https://www.virustotal.com/en/file/1a7d32e41ea34edf5aec4d11acce2707e9b4e0e175442533070d8e2e7a283ea7/analysis/
Malwr link: https://malwr.com/analysis/Y2I2MTRlYTk1MDE4NGYwNDhkNzY2YjliZGM0NTM0MmM/
SECOND MALWARE PAYLOAD FROM NUCLEAR EK
File name: 2014-02-22-malware-payload-from-stavl7.fieldingclerk.in.net.exe
File size: 96.3 KB ( 98617 bytes )
MD5 hash: f1005d691b42b790d6ef05794635b494
Detection ratio: 2 / 49
First submission: 2014-02-22 06:42:22 UTC
VirusTotal link: https://www.virustotal.com/en/file/17726206a359f9870f44a292e0fbb5d923fe6b65c3b3800df85d0b6357eddd26/analysis/
Malwr link: https://malwr.com/analysis/YjE4OTc5ZWExNGY1NGIyZWI3ODgxYjc4Y2RhNjM4YTQ/
NEUTRINO EK SILVERLIGHT EXPLOIT - CVE-2013-0074
File name: 2014-02-22-silverlight-exploit-from-eikohhou.tieshuwo.com.xap
File size: 14.8 KB ( 15116 bytes )
MD5 hash: b665305f06d19cb26417e9937ca98725
Detection ratio: 1 / 50
First submission: 2014-02-18 16:09:58 UTC
VirusTotal link: https://www.virustotal.com/en/file/1bd4e67c21f51b6f6cbf29e487ef21aa0294a8c3ad270c5a2c4fbd5eba17c73b/analysis/
NEUTRINO EK MALWARE PAYLOAD
File name: 2014-02-22-Neutrino-malware-payload-from-eikohhou.tieshuwo.com.exe
File size: 83.3 KB ( 85305 bytes )
MD5 hash: 6b1bc984c802cd75a0edd63a83a11806
Detection ratio: 4 / 49
First submission: 2014-02-22 05:38:26 UTC
VirusTotal link: https://www.virustotal.com/en/file/744a045ec779ad93f2d993bdab773b19aca7fa8cc067624258a24da5151a977d/analysis/
FOLLOW-UP MALWARE FROM APPDATA\LOCAL\TEMP AFTER ASPROX-STYLE CALLBACK
File name: UpdateFlashPlayer_02e6195c.exe
File size: 286.6 KB ( 293462 bytes )
MD5 hash: 0804f25e23282729225645fbace197ed
Detection ratio: 13 / 48
First submission: 2014-02-22 07:56:23 UTC
VirusTotal link: https://www.virustotal.com/en/file/fe257a8413b0f8dd26e6e7a9296c7bc8500b8e66127111bcd134756b08e5ef8e/analysis/
SNORT EVENTS
SNORT EVENTS FOR THIS TRAFFIC (FROM SECURITY ONION)
- 2014-02-22 03:53:08 UTC - 192.168.204.172:50208 -> 212.83.167.172:8000
- ET CURRENT_EVENTS Possible Neutrino EK Landing URI Format Nov 1 2013
- 2014-02-22 03:53:15 UTC - 192.168.204.172:50218 -> 212.83.167.172:8000
- ET CURRENT_EVENTS Possible Neutrino IE/Silverlight Payload Download
- 2014-02-22 03:53:18 UTC - 109.163.239.243:80 -> 192.168.204.172:50221
- ET INFO EXE - Served Attached HTTP
- 2014-02-22 03:53:23 UTC - 192.168.204.172:50209 -> 5.101.173.10:80
- ET CURRENT_EVENTS Nuclear EK CVE-2013-2551 URI Struct Nov 26 2013
- 2014-02-22 03:53:23 UTC - 192.168.204.172:50223 -> 5.101.173.10:80
- ET POLICY Vulnerable Java Version 1.7.x Detected
- ET CURRENT_EVENTS Nuclear EK JAR URI Struct Nov 05 2013
- 2014-02-22 03:53:24 UTC - 5.101.173.10:80 -> 192.168.204.172:50223
- ET CURRENT_EVENTS Hostile _dsgweed.class JAR exploit
- ET INFO JAVA - Java Archive Download By Vulnerable Client
- 2014-02-22 03:53:25 UTC - 192.168.204.172:50209 -> 5.101.173.10:80
- ET CURRENT_EVENTS Nuclear EK Payload URI Struct Nov 05 2013
- 2014-02-22 03:53:25 UTC - 5.101.173.10:80 -> 192.168.204.172:50209
- ET INFO EXE - Served Inline HTTP
- ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Executable to Client
- 2014-02-22 03:53:38 UTC - 5.101.173.10:80 -> 192.168.204.172:50213
- ET SHELLCODE Common 0a0a0a0a Heap Spray String
- 2014-02-22 03:55:27 UTC - 109.163.239.243:80 -> 192.168.204.172:50242
- ET POLICY PE EXE or DLL Windows file download
- ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
- 2014-02-22 03:55:29 UTC - 192.168.204.172:50243 -> 81.30.185.151:80
- ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon
- 2014-02-22 03:55:30 UTC - 81.30.185.151:80 -> 192.168.204.172:50243
- ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement
- 2014-02-22 03:56:30 UTC - 192.168.204.172:50244 -> 178.169.110.6:80
- ET TROJAN W32/Asprox.ClickFraudBot POST CnC Beacon
- 2014-02-22 03:57:00 UTC - 50.134.47.136:80 -> 192.168.204.172:50248
- ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement
HIGHLIGHTS FROM THE TRAFFIC
Malicious javascript within the infected web page - afghanchopankebab.ca/reviews/
Redirects - ezdomainset.net/zxzzzzzdddff/?id=mx and wu3.zuxixamydu.com/zyso.cgi?18
Nuclear EK delivers MSIE exploit CVE-2013-2551 - ksrqm.fieldingclerk.in.net/2972269660/1393019820.htm
NOTE: Exploit traffic from both of the Nuclear EK domains looked identical.
MSIE exploit CVE-2013-2551 delivers EXE payload - ksrqm.fieldingclerk.in.net/f/1393019820/2972269660/5
NOTE 1: The other Nuclear EK domain delivered a different exploit, but it had the same file name.
NOTE 2: I normally don't see EXE payloads gzip-compressed like this over the network.
Neutrino EK delivers Silverlight exploit CVE-2013-0074 - eikohhou.tieshuwo.com:8000/kcsna?fawgtuon=wcveusqyl
Silverlight exploit CVE-2013-0074 delivers EXE payload - eikohhou.tieshuwo.com:8000/entlc?fkdyemuvkkzr=wcveusqyl
NOTE: This EXE file was sent as a binary XOR-ed with the ASCII string: ocdp
Asprox-style callback for more malware - 212-lithium.com/libq39.45/jquery/
NOTE: Identified as exe.exe in 200 OK header but saved as UpdateFlashPlayer_02e6195c.exe
Some of the click-fraud traffic to various search engines
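A small Python helper, added here as an example and not part of the original post or its PCAP, that undoes the two transport tricks noted above (the gzip-compressed EXE from Nuclear EK and the Neutrino EK payload XOR-ed with the ASCII key "ocdp") and flags the Content-Type mismatch that the "executable sent when remote host claims to send a Text File" rule keys on. The sample bytes are a constructed MZ/PE header stub, not the real payloads from the capture.

```python
import gzip

# Constructed sample: a bare MZ/PE header stub (e_lfanew -> "PE\0\0"), padded
# with zeros. It is NOT a real executable from the capture.
FAKE_EXE = b"MZ" + b"\x00" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00" + b"\x00" * 16


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Symmetric, so the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed encoded samples mirroring the two delivery styles in this post.
NEUTRINO_SAMPLE = xor_with_key(FAKE_EXE, b"ocdp")   # XOR-ed with "ocdp"
NUCLEAR_SAMPLE = gzip.compress(FAKE_EXE)             # gzip Content-Encoding


def is_pe(data: bytes) -> bool:
    """True if data starts with 'MZ' and e_lfanew points at a 'PE\\0\\0' header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_payload(body: bytes, content_encoding: str = "", xor_key: bytes = b"") -> bytes:
    """Undo the transport-level transforms before hashing or sandboxing:
    gzip Content-Encoding first, then repeating-key XOR if a key is known."""
    if content_encoding.strip().lower() == "gzip":
        body = gzip.decompress(body)
    if xor_key:
        body = xor_with_key(body, xor_key)
    return body


def content_type_mismatch(content_type: str, body: bytes) -> bool:
    """True when the server labels the response as text but the body is a PE
    file, the condition the ET MALWARE 'claims to send a Text File' rule fires on."""
    claimed = content_type.split(";")[0].strip().lower()
    return is_pe(body) and claimed.startswith("text/")
```

Run recover_payload() on the raw HTTP body carved from the PCAP, then hash the result: the MD5s listed above apply to the decoded EXE, not to the bytes on the wire.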
FINAL NOTES
Once again, here are links for the associated files:
- ZIP of the PCAP: 2014-02-22-Neutrino-and-Nuclear-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-02-22-Neutrino-and-Nuclear-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.