2015-07-10 - NEUTRINO EK - 3 EXAMPLES

PCAP AND MALWARE:

• ZIP of the traffic (all 3 pcaps):  2015-07-10-Neutrino-EK-pcaps.zip
• ZIP of the malware (all examples):  2015-07-10-Neutrino-EK-malware.zip

 

NOTES:

• This blog entry tracks one particular actor using Neutrino EK that sent the same malware (with different file hashes) three days in a row.
• Post-infection traffic had the same characteristics all three days.

 

CHAIN OF EVENTS - EXAMPLE 1 OF 3

ASSOCIATED DOMAINS:

• 46.108.156.159 port 31375 - vbeaxzx.gncmdlusyqvxvywumb.tk - Neutrino EK
• 104.219.184.108 port 80 - forestnice.com - post-infection traffic
• 81.177.22.189 port 80 - ip.xss.ru - post-infection traffic

 

NEUTRINO EK:

• 2015-07-08 21:58:13 UTC - vbeaxzx.gncmdlusyqvxvywumb.tk:31375 - GET /material/99943/port/66946/medical/46136/forty/63379/love/60477/

• 2015-07-08 21:58:15 UTC - vbeaxzx.gncmdlusyqvxvywumb.tk:31375 - GET /board/bread/worry/75505/slice/seven/head/27431/drug/44515/brow/70866/farewell/82958/
  faster/74763/boil/36847/foreign/12849/

• 2015-07-08 21:58:17 UTC - vbeaxzx.gncmdlusyqvxvywumb.tk:31375 - GET /second.pl?clumsy=809&monster=extent&thing=mighty&weapon=traffic&gift=food&
  store=29897&official=30367&oxford=66009

• 2015-07-08 21:58:18 UTC - vbeaxzx.gncmdlusyqvxvywumb.tk:31375 - GET /urge.phtml?shop=87267&guest=earn&faith=jump&lofty=hasten&anyway=tender

• 2015-07-08 21:58:21 UTC - vbeaxzx.gncmdlusyqvxvywumb.tk:31375 - GET /hour/character/crew/light/unless/quarrel/holiday/58539/higher/78048/hiss/whom/carriage/
  thief/cold/49413/clad/7456/folk/86694/

 

POST-INFECTION TRAFFIC:

• 2015-07-08 21:59:59 UTC - forestnice.com - GET /login.asp
• 2015-07-08 22:00:02 UTC - forestnice.com - GET /images/transparent.gif
• 2015-07-08 22:00:05 UTC - forestnice.com - GET /images/arrows.gif
• 2015-07-08 22:00:08 UTC - forestnice.com - GET /download/7BE8023C.zip
• 2015-07-08 22:00:12 UTC - forestnice.com - GET /download/BF18069B.zip
• 2015-07-08 22:00:59 UTC - forestnice.com - GET /download/D382454B.zip
• 2015-07-08 22:01:06 UTC - forestnice.com - GET /download/6E12D18C.zip
• 2015-07-08 22:01:18 UTC - forestnice.com - GET /download/6C156D35.zip
• 2015-07-08 22:01:26 UTC - forestnice.com - GET /images/108666613664.gif
• 2015-07-08 22:02:14 UTC - ip.xss.ru - GET /
• 2015-07-08 22:02:18 UTC - forestnice.com - POST /account.asp?qu=cfg&crc32=0
• 2015-07-08 22:02:22 UTC - forestnice.com - POST /account.asp?qu=cmd
• 2015-07-08 22:03:24 UTC - forestnice.com - POST /account.asp?qu=cmd
• 2015-07-08 22:04:25 UTC - forestnice.com - POST /account.asp?qu=cmd
• 2015-07-08 22:05:26 UTC - forestnice.com - POST /account.asp?qu=cmd

 

CHAIN OF EVENTS - EXAMPLE 2 OF 3

ASSOCIATED DOMAINS:

• 193.242.211.180 port 42802 - crmcolr.njyylbwsignz.cf - Neutrino EK
• 104.219.184.108 port 80 - forestnice.com - post-infection traffic
• 81.177.22.189 port 80 - ip.xss.ru - post-infection traffic

 

NEUTRINO EK:

• 2015-07-09 20:46:55 UTC - crmcolr.njyylbwsignz.cf:42802 - GET /gaze/9501/song/survive/knock/23742/value/49541/armor/47504/nanny/1348/alarm/2483/hover/45980/

• 2015-07-09 20:46:55 UTC - crmcolr.njyylbwsignz.cf:42802 - GET /shutter/ridiculous/wolf/95174/grasp/15139/launch/46250/

• 2015-07-09 20:46:56 UTC - crmcolr.njyylbwsignz.cf:42802 - GET /breath/36119/fist/64989/smell/37695/ridge/87330/

• 2015-07-09 20:46:58 UTC - crmcolr.njyylbwsignz.cf:42802 - GET /evil/conduct/dick/67221/lighter/64611/treasure/85252/upward/27506/brain/case/survey/whoever/
  choice/52415/

 

POST-INFECTION TRAFFIC:

• 2015-07-09 20:48:35 UTC - forestnice.com - GET /login.asp
• 2015-07-09 20:48:38 UTC - forestnice.com - GET /images/transparent.gif
• 2015-07-09 20:48:41 UTC - forestnice.com - GET /images/arrows.gif
• 2015-07-09 20:48:43 UTC - forestnice.com - GET /download/7BE8023C.zip
• 2015-07-09 20:48:47 UTC - forestnice.com - GET /download/BF18069B.zip
• 2015-07-09 20:49:05 UTC - forestnice.com - GET /download/D382454B.zip
• 2015-07-09 20:49:08 UTC - forestnice.com - GET /download/6E12D18C.zip
• 2015-07-09 20:49:12 UTC - forestnice.com - GET /download/6C156D35.zip
• 2015-07-09 20:49:17 UTC - forestnice.com - GET /images/108666613664.gif
• 2015-07-09 20:50:47 UTC - ip.xss.ru - GET /
• 2015-07-09 20:50:48 UTC - forestnice.com - POST /account.asp?qu=log
• 2015-07-09 20:50:50 UTC - forestnice.com - POST /account.asp?qu=cfg&crc32=0
• 2015-07-09 20:50:51 UTC - forestnice.com - POST /account.asp?qu=cmd
• 2015-07-09 20:51:53 UTC - forestnice.com - POST /account.asp?qu=cmd
• 2015-07-09 20:52:54 UTC - forestnice.com - POST /account.asp?qu=cmd
• 2015-07-09 20:53:55 UTC - forestnice.com - POST /account.asp?qu=cmd
• 2015-07-09 20:54:56 UTC - forestnice.com - POST /account.asp?qu=cmd
• 2015-07-09 20:55:58 UTC - forestnice.com - POST /account.asp?qu=cmd

 

CHAIN OF EVENTS - EXAMPLE 3 OF 3

ASSOCIATED DOMAINS:

• 193.242.211.180 port 34617 - unqdrjie.clovyjbcoxrcnqfi.ml - Neutrino EK
• 104.219.184.108 port 80 - forestnice.com - post-infection traffic
• 81.177.22.189 port 80 - ip.xss.ru - post-infection traffic

 

NEUTRINO EK:

• 2015-07-10 13:35:37 UTC - unqdrjie.clovyjbcoxrcnqfi.ml:34617 - GET /grace/46866/myself/79813/vital/authority/bile/fudge/shoe/10043/hiss/65426/

• 2015-07-10 13:35:37 UTC - unqdrjie.clovyjbcoxrcnqfi.ml:34617 - GET /team.phtml?unlike=choose&jewel=34448&bearer=bolt&barrel=phrase&mock=35271&
  steeple=18451&bell=puzzle&blind=50110

• 2015-07-10 13:35:38 UTC - unqdrjie.clovyjbcoxrcnqfi.ml:34617 - GET /they/54330/port/26601/slope/23893/dull/45837/flush/69533/

• 2015-07-10 13:35:39 UTC - unqdrjie.clovyjbcoxrcnqfi.ml:34617 - GET /whistle.phtml?peeve=otherwise&david=40650&useless=74038&knife=15071&broom=17838

• 2015-07-10 13:35:42 UTC - unqdrjie.clovyjbcoxrcnqfi.ml:34617 - GET /clever/10859/worth/43885/tread/7294/model/56526/swift/97333/dick/6809/born/16415/

 

POST-INFECTION TRAFFIC:

• 2015-07-10 13:37:17 UTC - forestnice.com - GET /login.asp
• 2015-07-10 13:37:19 UTC - forestnice.com - GET /images/transparent.gif
• 2015-07-10 13:37:21 UTC - forestnice.com - GET /images/arrows.gif
• 2015-07-10 13:37:23 UTC - forestnice.com - GET /download/7BE8023C.zip
• 2015-07-10 13:37:26 UTC - forestnice.com - GET /download/BF18069B.zip
• 2015-07-10 13:37:33 UTC - forestnice.com - GET /download/D382454B.zip
• 2015-07-10 13:37:36 UTC - forestnice.com - GET /download/6E12D18C.zip
• 2015-07-10 13:37:40 UTC - forestnice.com - GET /download/6C156D35.zip
• 2015-07-10 13:37:44 UTC - forestnice.com - GET /images/108666613664.gif
• 2015-07-10 13:39:26 UTC - ip.xss.ru - GET /
• 2015-07-10 13:39:28 UTC - forestnice.com - POST /account.asp?qu=cfg&crc32=0
• 2015-07-10 13:39:30 UTC - forestnice.com - POST /account.asp?qu=cmd
• 2015-07-10 13:40:31 UTC - forestnice.com - POST /account.asp?qu=cmd
• 2015-07-10 13:41:32 UTC - forestnice.com - POST /account.asp?qu=cmd
• 2015-07-10 13:42:33 UTC - forestnice.com - POST /account.asp?qu=cmd

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the traffic (all 3 pcaps):  2015-07-10-Neutrino-EK-pcaps.zip
• ZIP of the malware (all examples):  2015-07-10-Neutrino-EK-malware.zip

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.