2016-07-20 - EITEST NEUTRINO EK FROM 131.72.139.201
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2016-07-20-EITest-Neutrino-EK-after-classical959.com.pcap.zip 508.1 kB (508,074 bytes)
- 2016-07-20-EITest-Neutrino-EK-after-classical959.com.pcap (589,327 bytes)
- ZIP archive of the malware: 2016-07-20-EITest-Neutrino-EK-malware-and-artifacts.zip 465.5 kB (465,510 bytes)
- 2016-07-20-EITest-Neutrino-EK-flash-exploit-after-classical959.com.swf (87,945 bytes)
- 2016-07-20-EITest-Neutrino-EK-landing-page-after-classical959.com.txt (3,813 bytes)
- 2016-07-20-EITest-Neutrino-EK-payload-after-classical959.com.exe (447,488 bytes)
- 2016-07-20-EITest-flash-redirect-from-rsupcdn.xyz.swf (4,446 bytes)
- 2016-07-20-page-from-classical959.com-with-injected-EITest-script.txt (46,756 bytes)
NOTES:
- 2016-03-31 - Palo Alto Networks Unit 42 blog: How the EITest Campaign's Path to Angler EK Evolved Over Time.
- 2016-06-08 - SANS ISC diary: Neutrino EK and CryptXXX (campaigns using Angler EK switch to Neutrino EK)
- 2016-06-11 - Malware Don't Need Coffee: Is it the end of Angler?
- Not sure what this malware payload is. See below for more information.
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Injected script in page from compromised website.
Shown above: Traffic from the pcap filtered in Wireshark.
ASSOCIATED DOMAINS:
- classical959.com - Compromised website
- 85.93.0.12 port 80 - rsupcdn.xyz - EITest gate
- 131.72.139.201 port 80 - jh6nov.r78s2ed8.top - Neutrino EK
- 54.235.146.190 port 80 - constitution.org - GET /usdeclar.txt - Connectivity check by the malware
- 31.41.44.219 port 443 - abolidissolvehastaxes.ru - post-infection SSL traffic
FILE HASHES
FLASH FILES:
- SHA256 hash: cf16de04310cceb203c8323b0bfd7ebdf53bb1fdad464f237db8c95dab8de59f
File name: 2016-07-20-EITest-flash-redirect-from-rsupcdn.xyz.swf
- SHA256 hash: d39a66ee3d22edde47df32ddb0c190058bd5b29127fbc00a14ebfc6c1b30ffcb
File name: 2016-07-20-EITest-Neutrino-EK-flash-exploit-after-classical959.com.swf
PAYLOAD:
- SHA256 hash: 42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676
File name: 2016-07-20-EITest-Neutrino-EK-payload-after-classical959.com.exe
IMAGES
Shown above: Certificate in the SSL post-infection traffic to abolidissolvehastaxes.ru.
Shown above: I used Security Onion with the ETPRO ruleset to get an idea of what this malware payload was.
Shown above: I also tried to read the pcap in Snort using the Snort subscriber ruleset.
Shown above: The malware payload moved itself and was made persistent through a registry update.
The user's AppData\Local\Temp folder had files with a .bin file extension; however, these were actually .zip archives containing text files. The text files held system and application info plus commands that had been typed on the infected host. This malware payload was probably trying to collect passwords and account information.
Shown above: Some of the files created by the malware.
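An added triage script (not part of the original post) that checks whether files in a Temp folder are really ZIP archives by their magic bytes instead of trusting the .bin extension, then lists the archive members without extracting them. It builds its own constructed sample folder; the file and member names in it are assumptions, not artifacts from this infection.

```python
import os
import tempfile
import zipfile

# The payload wrote files with a .bin extension that were really ZIP archives.
# Identify them by the ZIP local-file-header signature rather than the extension.
ZIP_MAGIC = b"PK\x03\x04"


def is_zip_by_magic(path):
    """Return True if the file starts with the ZIP local file header signature."""
    with open(path, "rb") as fh:
        return fh.read(4) == ZIP_MAGIC


def triage_bin_files(folder):
    """Scan folder for .bin files; for each one that is really a ZIP archive,
    return {filename: [(member name, uncompressed size), ...]} without extracting."""
    findings = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not name.lower().endswith(".bin") or not os.path.isfile(path):
            continue
        if not is_zip_by_magic(path):
            continue
        with zipfile.ZipFile(path) as zf:
            findings[name] = [(info.filename, info.file_size) for info in zf.infolist()]
    return findings


def make_constructed_sample():
    """Constructed sample folder (assumed names): one .bin that is a ZIP of text
    files, and one decoy .bin that is not an archive at all."""
    folder = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(folder, "a1b2.bin"), "w") as zf:
        zf.writestr("sysinfo.txt", "OS Name: Microsoft Windows 7 (constructed)\n")
        zf.writestr("commands.txt", "typed: ipconfig /all (constructed)\n")
    with open(os.path.join(folder, "decoy.bin"), "wb") as fh:
        fh.write(b"\x00\x01\x02\x03 not an archive")
    return folder


if __name__ == "__main__":
    sample = make_constructed_sample()
    for bin_name, members in triage_bin_files(sample).items():
        print(bin_name)
        for member, size in members:
            print(f"  {member} ({size} bytes)")
```

Point triage_bin_files at a copy of the suspect Temp folder; on a real case the decoy check matters because not every .bin dropped by a sample will be an archive.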
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcaps: 2016-07-20-EITest-Neutrino-EK-after-classical959.com.pcap.zip 508.1 kB (508,074 bytes)
- ZIP archive of the malware: 2016-07-20-EITest-Neutrino-EK-malware-and-artifacts.zip 465.5 kB (465,510 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.