Malware-Traffic-Analysis.net - 2015-07-16 - Neutrino EK from 82.211.30.153 port 31251

2015-07-16 - NEUTRINO EK FROM 82.211.30.153 PORT 31251

PCAP AND MALWARE:

NOTES:

Kafeine has already posted about Neutrino EK having the lastest Flash exploits from the Hacking Team compromise:
http://malware.dontneedcoffee.com/2015/07/cve-2015-5122-hackingteam-0d-two-flash.html

ASSOCIATED DOMAINS:

NEUTRINO EK:

2015-07-16 17:41:33 UTC - tbbddrbnqn.fqjzehjmmkbdigu.gq:31251 - GET /hunter.pl?advice=32745&rise=8778&rabbit=57317&bowl=answer&within=beat&torment=3824&normal=51524&cheap=anyhow&painful=willow&toast=helmet

2015-07-16 17:41:34 UTC - tbbddrbnqn.fqjzehjmmkbdigu.gq:31251 - GET /shadowy.htm?ever=loud&doze=camp&ankh=15261&noise=65822&bargain=brave&unpleasant=detail&staff=potter&opportunity=sneak

2015-07-16 17:41:35 UTC - tbbddrbnqn.fqjzehjmmkbdigu.gq:31251 - GET /vain.html?awful=77941&alas=morrow&bold=unseen&graceful=ancient&statement=40102&distract=91457&most=75571&oxford=irish&stool=doom&they=30683

2015-07-16 17:41:35 UTC - tbbddrbnqn.fqjzehjmmkbdigu.gq:31251 - GET /clumsy.asp?foot=heaven&shine=78211&puzzle=93507&comment=72550&hearty=95637

POST-INFECTION TRAFFIC:

2015-07-16 17:41:52 UTC - classjump.com - POST /c/classjump/images/index.php
2015-07-16 17:41:55 UTC - mobilesuccessblueprints.com - GET /blog/wp-content/uploads/optpress/images_comingsoon/logo.jpg
2015-07-16 17:41:59 UTC - classjump.com - POST /c/classjump/images/index.php
2015-07-16 17:42:01 UTC - mobilesuccessblueprints.com - GET /blog/wp-content/uploads/optpress/images_comingsoon/image.jpg
2015-07-16 17:42:04 UTC - classjump.com - POST /c/classjump/images/index.php
2015-07-16 17:42:08 UTC - 62.76.184.59 - POST /security/mylittle_pony/gate.php
2015-07-16 17:42:56 UTC - classjump.com - POST /c/classjump/images/index.php

Once again, here are the associated files:

Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.