Malware-Traffic-Analysis.net - 2015-04-24 - Neutrino EK from 193.242.211.149

2015-05-24 - NEUTRINO EK FROM 193.242.211.149

ASSOCIATED FILES:

ZIP of the pcap: 2015-04-24-Neutrino-EK-traffic.pcap.zip
ZIP of the malware: 2015-04-24-Neutrino-EK-malware.zip

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

50.62.168.3 port 80 - books.eaiesb.org - Redirect (gate)
193.242.211.149 port 23513 - rmuxvayun.pkrgzrpdebksbl.gq:23513 - Neutrino EK
193.242.211.149 port 13249 - soeon.pkrgzrpdebksbl.gq:13249 - Neutrino EK

DATE/TIME OF THE ACTIVITY:

Friday 2015-04-24 at 15:35 UTC

TRAFFIC:

books.eaiesb.org - GET /v7ncwkdx.php?id=137838
rmuxvayun.pkrgzrpdebksbl.gq:23513 - GET /eater.htm?little=15162&extent=kiss&switch=19450
rmuxvayun.pkrgzrpdebksbl.gq:23513 - GET /tool.phtml?obey=tremble&brandy=61722&kindle=2690&launch=16659
soeon.pkrgzrpdebksbl.gq:13249 - GET /flap/97062/seldom/59331/decision/undoubted/boat/58777/sideway/42673/case/12909/bare/6374/
soeon.pkrgzrpdebksbl.gq:13249 - GET /split.aspx?quiet=state&either=61298&route=front&beast=18963&emerge=36201&warmth=92636&wail=3860&sleep=29456
soeon.pkrgzrpdebksbl.gq:13249 - GET /dormitory/monkey/loose/forth/upper/83734/candle/16584/round/24347/find/2805/short/99447/harm/2461/expensive/52099/
soeon.pkrgzrpdebksbl.gq:13249 - GET /patch/sacrifice/play/attitude/christmas/radio/second/75392/risk/92839/with/39798/anymore/33018/
soeon.pkrgzrpdebksbl.gq:13249 - GET /control/74279/tidings/42922/even/52095/distract/already/cheerful/77883/poke/brief/handle/57755/

MALWARE

FLASH EXPLOIT:

File name: 2015-04-24-Neutrino-EK-flash-exploit.swf
File size: 40.7 KB ( 41703 bytes )
MD5 hash: 299fbdcc18026be07fa1dcdfa4b195ca
Detection ratio: 1 / 57
First submission: 2015-04-24 16:09:57 UTC
VirusTotal link: https://www.virustotal.com/en/file/7be063cf2fd8d41c12e77eeef2a299d014b7174a2c4f115935f20482e384cee9/analysis/

MALWARE PAYLOAD:

File name: 2015-04-24-Neutrino-EK-malware-payload.exe
File size: 335.5 KB ( 343552 bytes )
MD5 hash: 174a16e10cfb51b0ea10c4e4a1f5d3b4
Detection ratio: 35 / 57
First submission: 2015-04-16 16:19:52 UTC
VirusTotal link: https://www.virustotal.com/en/file/9e5bd085ac44548035eb1c61ffe48a18b8a116e7f262b81e750e0c0ca1cb201e/analysis/
Malwr link: https://malwr.com/analysis/NWQ3MjI2YzY1NDA3NDIyYjk5NzgyMTkyOWEwMmMwY2Q/

FINAL NOTES

Once again, here are the associated files:

ZIP of the pcap: 2015-04-24-Neutrino-EK-traffic.pcap.zip
ZIP of the malware: 2015-04-24-Neutrino-EK-malware.zip

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.