2016-02-12 - NEUTRINO EK FROM 45.32.181.74 SENDS NECURS
PCAP AND MALWARE:
- ZIP archive of the three PCAPs: 2016-02-12-Neutrino-EK-traffic.zip 345.7 kB (345,722 bytes)
- ZIP archive of the malware and artifacts: 2016-02-12-Neutrino-EK-malware-and-artifacts.zip 165.6 kB (165,607 bytes)
NOTES:
- Malware payload appears to be the same thing I saw from Neutrino EK on 2015-10-21.
CHAIN OF EVENTS
Shown above: Today's pcap filtered in Wireshark.
DATE/TIME OF THE INFECTION: 2016-02-12 18:19 UTC
- www.utensileriecorag.it - Compromised website
- 92.63.111.204 port 80 - sid.nussvital.com.ar - Redirect/gate
- 45.32.181.74 port 80 - lwejkszzt.uinvolve.link and hgomee.uinvolve.link - Neutrino EK
IP ADDRESSES/DOMAINS FROM ANALYSIS OF THE PAYLOAD:
- 195.22.28.194 - HTTP traffic
- 91.234.33.206 - HTTP traffic
- 134.176.88.228 - UDP traffic
- 161.116.208.90 - UDP traffic
- 1.230.169.185 - UDP traffic
- 179.29.188.64 - UDP traffic
- 169.142.32.162 - npkxghmoru.biz - DNS query resolved, but no traffic to the IP
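The chain above (compromised site, then gate, then Neutrino EK landing page) is the pattern to hunt for in proxy and DNS logs, and the payload indicators are what to look for afterwards. The following is an added example, not code from this post: it transcribes the indicators listed above, scans a constructed proxy/DNS log (the log format, the client address, the placeholder 203.0.113.10 for the compromised site and every URI are assumptions, not data from the pcap), reconstructs the chain per client and checks the stages appear in the expected order inside a short window. It goes slightly beyond the post by matching any subdomain of uinvolve.link, since Neutrino EK rotated random host names under that domain.

```python
import ipaddress
import re
from datetime import datetime

# Indicators transcribed from this post. Chain stages first, then the payload's post-infection traffic.
CHAIN_STAGES = {
    "www.utensileriecorag.it": "compromised website",
    "sid.nussvital.com.ar": "redirect/gate",
    "92.63.111.204": "redirect/gate",
    "uinvolve.link": "Neutrino EK",   # parent domain: any *.uinvolve.link host matches
    "45.32.181.74": "Neutrino EK",
}
PAYLOAD_INDICATORS = {
    "195.22.28.194": "payload HTTP",
    "91.234.33.206": "payload HTTP",
    "134.176.88.228": "payload UDP",
    "161.116.208.90": "payload UDP",
    "1.230.169.185": "payload UDP",
    "179.29.188.64": "payload UDP",
    "npkxghmoru.biz": "payload DNS",
    "169.142.32.162": "payload DNS",
}
EXPECTED_ORDER = ["compromised website", "redirect/gate", "Neutrino EK"]

# Assumed log format (not the post's pcap): <timestamp> <client> <proto> <dst_ip> <host_or_qname> <detail>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (.*)$")

# Constructed sample log. 203.0.113.10 is a placeholder for the compromised site's address.
SAMPLE_LOG = """\
2016-02-12T18:19:02Z 192.168.1.50 http 203.0.113.10 www.utensileriecorag.it GET /
2016-02-12T18:19:03Z 192.168.1.50 http 92.63.111.204 sid.nussvital.com.ar GET /gate
2016-02-12T18:19:05Z 192.168.1.50 http 45.32.181.74 lwejkszzt.uinvolve.link GET /landing
2016-02-12T18:19:07Z 192.168.1.50 http 45.32.181.74 hgomee.uinvolve.link GET /flash
2016-02-12T18:19:09Z 192.168.1.50 http 93.184.216.34 example.org GET /
2016-02-12T18:19:40Z 192.168.1.50 dns 192.168.1.1 npkxghmoru.biz A
2016-02-12T18:19:41Z 192.168.1.50 http 195.22.28.194 195.22.28.194 POST /
2016-02-12T18:19:45Z 192.168.1.50 udp 134.176.88.228 - beacon
"""


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def match_indicator(value, table):
    """Label for value if it equals a listed indicator or is a subdomain of a listed domain."""
    if value in table:
        return table[value]
    for ioc, label in table.items():
        if not is_ip(ioc) and value.endswith("." + ioc):
            return label
    return None


def scan_log(text):
    """Return one hit per log line whose destination IP or host name is a known indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, proto, dst_ip, name, _detail = m.groups()
        phase = "chain"
        label = match_indicator(dst_ip, CHAIN_STAGES) or match_indicator(name, CHAIN_STAGES)
        if label is None:
            phase = "payload"
            label = match_indicator(dst_ip, PAYLOAD_INDICATORS) or match_indicator(name, PAYLOAD_INDICATORS)
        if label is not None:
            hits.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
                         "proto": proto, "dst": dst_ip, "name": name, "phase": phase, "label": label})
    return hits


def infection_chain(hits, client, window_seconds=60):
    """Ordered distinct chain stages for a client, and whether they form the full chain in order within the window."""
    stages = []
    for h in sorted(hits, key=lambda h: h["ts"]):
        if h["client"] != client or h["phase"] != "chain":
            continue
        if not stages or stages[-1][1] != h["label"]:
            stages.append((h["ts"], h["label"]))
    labels = [label for _, label in stages]
    complete = labels == EXPECTED_ORDER and (stages[-1][0] - stages[0][0]).total_seconds() <= window_seconds
    return labels, complete


def payload_activity(hits, client):
    """Sorted distinct kinds of post-infection traffic seen from the client."""
    return sorted({h["label"] for h in hits if h["client"] == client and h["phase"] == "payload"})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    print(infection_chain(found, "192.168.1.50"))
    print(payload_activity(found, "192.168.1.50"))
```

The order check matters: a lone hit on the gate domain is a weak signal, while compromised site, gate and landing page from one client inside a minute is the infection chain the post describes. Payload indicators after that are the confirmation that the exploit worked.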
PRELIMINARY MALWARE ANALYSIS
File name: 2016-02-12-Neutrino-EK-flash-exploit.swf
File size: 87.7 KB (89,833 bytes)
MD5 hash: b61c58e7bb6f3e027184257d4c6e4782
SHA1 hash: fdc73a42ac46973d04db93d9fdf3bd3096ed561c
SHA256 hash: de2c4e5744b1d415c1f7e8efc3ed1965ddc8e7cb2a9c89bfb50c3f289151a596
Detection ratio: 3 / 53
First submission: 2016-02-12 19:03:51 UTC
VirusTotal link: https://www.virustotal.com/en/file/de2c4e5744b1d415c1f7e8efc3ed1965ddc8e7cb2a9c89bfb50c3f289151a596/analysis/
File name: 2016-02-12-Neutrino-EK-malware-payload.exe
File size: 114.5 KB (117,248 bytes)
MD5 hash: fe929245ee022e3410b22456be10c4f1
SHA1 hash: a80c0616adffcbc0064bf1ba8c3746ac5a7d3570
SHA256 hash: 42d15597c83ee42ec736b80cbb9c667d5538a4b14faa1bff2e4db981ab980097
Detection ratio: 40 / 54
First submission: 2016-02-05 15:13:21 UTC
VirusTotal link: https://www.virustotal.com/en/file/42d15597c83ee42ec736b80cbb9c667d5538a4b14faa1bff2e4db981ab980097/analysis/
Malwr link: https://malwr.com/analysis/MDQ3NTdhNDkwMjZjNGYxOTllNGI3ZDBlZjg2ZDVhNjA/
Hybrid-Analysis link: https://www.hybrid-analysis.com/sample/42d15597c83ee42ec736b80cbb9c667d5538a4b14faa1bff2e4db981ab980097?environmentId=4
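Before relying on the hashes above (or submitting the extracted files anywhere), confirm that what came out of the ZIP matches all three digests. This is an added example, not code from this post: it carries the two artifacts' hashes as listed above and compares them against what is computed from the file bytes. The only constructed inputs are the known digests of the empty string, used so the code can be exercised without the archive; the paths in the dictionary keys are the file names from the post.

```python
import hashlib

# Hashes as listed in this post for the two artifacts.
EXPECTED = {
    "2016-02-12-Neutrino-EK-flash-exploit.swf": {
        "md5": "b61c58e7bb6f3e027184257d4c6e4782",
        "sha1": "fdc73a42ac46973d04db93d9fdf3bd3096ed561c",
        "sha256": "de2c4e5744b1d415c1f7e8efc3ed1965ddc8e7cb2a9c89bfb50c3f289151a596",
    },
    "2016-02-12-Neutrino-EK-malware-payload.exe": {
        "md5": "fe929245ee022e3410b22456be10c4f1",
        "sha1": "a80c0616adffcbc0064bf1ba8c3746ac5a7d3570",
        "sha256": "42d15597c83ee42ec736b80cbb9c667d5538a4b14faa1bff2e4db981ab980097",
    },
}

# Constructed check values: the well-known digests of zero-length input.
EMPTY_DIGESTS = {
    "md5": "d41d8cd98f00b204e9800998ecf8427e",
    "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}


def verify_hashes(data, expected):
    """Per-algorithm True/False for whether data hashes to the expected hex digest (case-insensitive)."""
    result = {}
    for alg, digest in expected.items():
        result[alg] = hashlib.new(alg, data).hexdigest() == digest.lower()
    return result


def check_file(path, expected):
    """Read a file and return the algorithms whose digest does NOT match; empty list means all agree."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [alg for alg, ok in verify_hashes(data, expected).items() if not ok]


if __name__ == "__main__":
    for name, digests in EXPECTED.items():
        try:
            bad = check_file(name, digests)
            print(name, "OK" if not bad else "MISMATCH on " + ", ".join(bad))
        except FileNotFoundError:
            print(name, "not present in the current directory")
```

A mismatch on one algorithm with the other two agreeing almost always means a transcription error in the expected value rather than a different file; a mismatch on all three means you are not looking at the sample the post describes.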
Shown above: HTTP traffic generated by the payload.
Shown above: UDP traffic generated by the payload.
Shown above: Some of the DNS queries generated by the payload.
SCREENSHOTS
Shown above: Injected script in page from compromised website.
Shown above: Redirect/gate URL returned an iframe pointing to the Neutrino EK landing page.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the three PCAPs: 2016-02-12-Neutrino-EK-traffic.zip 345.7 kB (345,722 bytes)
- ZIP archive of the malware and artifacts: 2016-02-12-Neutrino-EK-malware-and-artifacts.zip 165.6 kB (165,607 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.