2014-12-01 - NEW VERSION OF NEUTRINO EK FROM 107.191.118.231 AND 168.235.69.123
ASSOCIATED FILES:
- ZIP of the pcaps: 2014-12-01-Neutrino-EK-all-5-pcaps.zip
- ZIP of the malware: 2014-12-01-Neutrino-EK-malware-and-artifacts.zip
NOTES:
- On 2014-11-20, Kafeine blogged about the newest version of Neutrino EK at: http://malware.dontneedcoffee.com/2014/11/neutrino-come-back.html
- Please read Kafeine's blog post for a good timeline on this reboot of Neutrino EK.
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 213.186.33.3 - www.lejardindasie.be - Compromised website
- 185.14.28.151 - stat.diegostellet.com - Redirect
- 168.235.69.123 - cjcpevng.kommonly.eu:10852 - Neutrino EK (2014-11-29 first run)
- 168.235.69.123 - quftaugmfx.kommonly.eu:4708 - Neutrino EK (2014-11-29 second run)
- 107.191.118.231 - prerbwh.freedlyaccupay.eu:37360 & oiqgp.freedlyaccupay.eu:34149 - Neutrino EK (2014-12-01 first run)
- 107.191.118.231 - vosng.freedlyaccupay.eu:5434 - Neutrino EK (2014-12-01 second run)
2014-11-29 19:07 UTC - NEUTRINO EK:
- cjcpevng.kommonly.eu:10852/grotesque/46410/giant/84184/mount/26401/radio/46304/
- ajax.googleapis.com/ajax/libs/swfobject/2.2/swfobject.js
- cjcpevng.kommonly.eu:10852/alive/29654/ernest/26753/chin/52122/arise/96261/fever/81853/sometime/92179/alien/49927/profession/42540/
- cjcpevng.kommonly.eu:10852/astonishment/76854/crew/47392/print/82155/spear/30478/force/90970/
- cjcpevng.kommonly.eu:10852/goodness.pl?drift=4414&snow=65138&poor=improve&colonel=63120&temple=queer&hunter=21866
2014-11-29 19:19 UTC - NEUTRINO EK:
- quftaugmfx.kommonly.eu:4708/signal.htm?argue=39728&chimney=60885&awake=94780
- ajax.googleapis.com/ajax/libs/swfobject/2.2/swfobject.js
- quftaugmfx.kommonly.eu:4708/stretch.htm?front=88446&fleet=54817&opinion=83474&anyone=positive&instrument=98417&scatter=38876&nerve=44949
- quftaugmfx.kommonly.eu:4708/shape/worse/steady/83519/separate/98797/amaze/66671/utter/61788/suppress/52966/establish/38105/dispose/76907/
- quftaugmfx.kommonly.eu:4708/express.htm?bomb=belt&careful=weave&victim=78403&goblet=49191&daylight=1948&patience=91948&secret=6985&indifferent=61695&image=23116&knock=68315
2014-12-01 14:02 UTC - NEUTRINO EK:
- prerbwh.freedlyaccupay.eu:37360/advance/36/tuck/72714/museum/97859/confusion/apart/distress/38507/knot/16036/truth/rush/apple/47614/howl/91485/magical/noon/
- ajax.googleapis.com/ajax/libs/swfobject/2.2/swfobject.js
- prerbwh.freedlyaccupay.eu:37360/appearance.php?thus=31500&sense=70841&apparent=bathroom&swoop=painful&think=75994
- oiqgp.freedlyaccupay.eu:34149/goblin.asp?distance=wonderful&notice=87709&grip=shallow&control=patience&thing=96205&extra=64520&bother=39196
- oiqgp.freedlyaccupay.eu:34149/bring/41416/moon/70814/smash/grateful/extend/chin/burst/87343/robe/6975/shine/67111/wreck/17795/
2014-12-01 14:43 UTC - NEUTRINO EK:
- vosng.freedlyaccupay.eu:5434/effort.phtml?hold=62507&champion=shadowy&thomas=74035&joke=82117
- ajax.googleapis.com/ajax/libs/swfobject/2.2/swfobject.js
- vosng.freedlyaccupay.eu:5434/robot/flight/mistress/72497/lend/warrior/stone/74358/world/everybody/address/that/lack/81366/love/station/pass/10872/climb/60315/wander/74311/
- vosng.freedlyaccupay.eu:5434/mystery/54456/between/license/solitary/36243/petunia/98984/miss/path/
- vosng.freedlyaccupay.eu:5434/blossom/64094/reason/15504/double/62037/stretch/plan/waistcoat/across/wade/83340/
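The four runs above share a URL shape: an EK host on a high, non-standard TCP port, a landing page whose path is dictionary words interleaved with numbers, and follow-up requests whose query strings are word keys with short word or number values. The script below is an added example (not part of this write-up or of any ruleset) that encodes those three observations as heuristics and runs them over constructed proxy-log lines; the host, port and log format are all assumptions made for the example.

```python
"""Heuristic flagging of Neutrino EK-style URLs in HTTP proxy logs.

Added example, not from the original traffic write-up. It checks for the
URL shape seen in the chain of events: a host on an unusual (non-80/443)
port, a path of bare words interleaved with bare numbers, or a query
string whose keys are bare words and whose values are words or numbers.
The log lines below are constructed; the format is an assumption.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log: "<timestamp> <src> <method> <url> <status>".
SAMPLE_LOG = """\
2014-12-01T14:02:50Z 192.168.204.171 GET http://prerbwh.freedlyaccupay.eu:37360/advance/36/tuck/72714/museum/97859/confusion/apart/ 200
2014-12-01T14:02:51Z 192.168.204.171 GET http://ajax.googleapis.com/ajax/libs/swfobject/2.2/swfobject.js 200
2014-12-01T14:02:53Z 192.168.204.171 GET http://oiqgp.freedlyaccupay.eu:34149/goblin.asp?distance=wonderful&notice=87709&grip=shallow&thing=96205 200
2014-12-01T14:05:00Z 192.168.204.171 GET http://www.example.com/news/2014/12/01/story.html 200
2014-12-01T14:06:00Z 192.168.204.171 GET http://intranet.example.local:8080/api/v2/users?id=42 200
"""

WORD = re.compile(r"^[a-z]+$")
NUMBER = re.compile(r"^\d+$")
COMMON_PORTS = {80, 443}


def word_number_path(path: str) -> bool:
    """True for paths like /grotesque/46410/giant/84184/: four or more
    segments, each a bare word or a bare number, with both kinds present."""
    segments = [s for s in path.split("/") if s]
    if len(segments) < 4:
        return False
    words = sum(1 for s in segments if WORD.match(s))
    numbers = sum(1 for s in segments if NUMBER.match(s))
    return words + numbers == len(segments) and words > 0 and numbers > 0


def word_value_query(query: str) -> bool:
    """True for query strings like ?drift=4414&snow=65138&poor=improve:
    three or more parameters, every key a bare word, every value a bare
    word or a bare number."""
    params = parse_qsl(query, keep_blank_values=True)
    if len(params) < 3:
        return False
    return all(WORD.match(k) and (WORD.match(v) or NUMBER.match(v))
               for k, v in params)


def classify_url(url: str) -> list:
    """Return the heuristic reasons that apply to a single URL."""
    parts = urlsplit(url)
    reasons = []
    if parts.port is not None and parts.port not in COMMON_PORTS:
        reasons.append("unusual_port")
    if word_number_path(parts.path):
        reasons.append("word_number_path")
    if word_value_query(parts.query):
        reasons.append("word_value_query")
    return reasons


def flag_log(log_text: str) -> list:
    """Return (url, reasons) for requests that combine an unusual port with
    one of the URL-shape heuristics; either signal on its own is noisy
    (internal services on 8080, REST paths with numeric ids)."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        url = fields[3]
        reasons = classify_url(url)
        if "unusual_port" in reasons and len(reasons) > 1:
            flagged.append((url, reasons))
    return flagged


if __name__ == "__main__":
    for url, reasons in flag_log(SAMPLE_LOG):
        print(url, reasons)
```

Requiring the port signal together with a URL-shape signal is what keeps the intranet request on port 8080 and the swfobject.js load from ajax.googleapis.com out of the results; the two freedlyaccupay.eu requests are the only lines flagged.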
MALWR.COM ANALYSIS OF THE MALWARE PAYLOAD (SAME PAYLOAD FROM ALL 4 INFECTIONS):
- 2014-12-02 16:16:49 UTC - 192.168.56.101:1025 - 192.168.56.1:53 - DNS query for: facebook.com (resolved to 173.252.120.6)
- 2014-12-02 16:16:50 UTC - 192.168.56.101:1039 - 173.252.120.6:80 - TCP connection, but no traffic
- 2014-12-02 16:16:50 UTC - 192.168.56.101:1025 - 192.168.56.1:53 - DNS query for: djrzadayat.com (reply: No such name)
- 2014-12-02 16:16:50 UTC - 192.168.56.101:1042 - 192.168.56.1:53 - DNS query for: lnvrbbcyzmeepnp.com (reply: No such name)
- 2014-12-02 16:16:50 UTC - 192.168.56.101:1040 - 192.168.56.1:53 - DNS query for: ypxnwfddnh.com (reply: No such name)
- 2014-12-02 16:16:50 UTC - 192.168.56.101:1041 - 192.168.56.1:53 - DNS query for: xchnixpdkbyyt.com (reply: No such name)
- 2014-12-02 16:16:52 UTC - 192.168.56.101:1046 - 192.121.170.170:53 - DNS query for: miodzaki.bit (reply: No such name)
SNORT EVENTS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion using Suricata:
- 2014-12-01 14:02:51 UTC - 192.168.204.171:49180 - 107.191.118.231:37360 - ET POLICY HTTP Request on Unusual Port Possibly Hostile (sid:2006408)
- 2014-12-01 14:02:52 UTC - 107.191.118.231:37360 - 192.168.204.171:49180 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing Nov 20 2014 (sid:2019762)
- 2014-12-01 14:02:53 UTC - 192.168.204.171:49180 - 107.191.118.231:37360 - ET POLICY Outdated Windows Flash Version IE (sid:2014726)
- 2014-12-01 14:02:58 UTC - 192.168.204.171:49183 - 107.191.118.231:34149 - ET MALWARE User-Agent (Mozilla) - Possible Spyware Related (sid:2007854)
- 2014-12-01 14:02:58 UTC - 192.168.204.171:49183 - 107.191.118.231:34149 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Payload Nov 20 2014 (sid:2019764)
- 2014-12-01 14:03:44 UTC - 185.14.28.151:80 - 192.168.204.171:49178 - ET CURRENT_EVENTS Malicious Iframe Leading to EK (sid:2019798)
Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:
- 2014-12-01 14:02:46 UTC - 213.186.33.3:80 - 192.168.204.171:49171 - [1:32481:1] POLICY-OTHER Remote non-JavaScript file found in script tag src attribute
- 2014-12-01 14:02:47 UTC - 213.186.33.3:80 - 192.168.204.171:49171 - [1:3679:12] INDICATOR-OBFUSCATION Multiple Products IFRAME src javascript code execution
- 2014-12-01 14:02:49 UTC - 213.186.33.3 - 192.168.204.171 - [139:1:1] (spp_sdf) SDF Combination Alert
- 2014-12-01 14:02:57 UTC - 192.168.204.171:49182 - 107.191.118.231:34149 - [1:19786:4] BLACKLIST User-Agent known malicious user agent - Mozilla
- 2014-12-01 14:02:58 UTC - 192.168.204.171:49183 - 107.191.118.231:34149 - [1:19786:4] BLACKLIST User-Agent known malicious user agent - Mozilla
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT
File name: 2014-12-01-Neutrino-EK-flash-exploit.swf
File size: 40.5 KB ( 41512 bytes )
MD5 hash: 52fab50c4012980a6879f1880cb8bc4f
Detection ratio: 0 / 55
First submission: 2014-11-27 17:46:34 UTC
VirusTotal link: https://www.virustotal.com/en/file/1409423b38599e7d1bc66298d1793fcf7dcc7de13689c5fc34afd5309e476477/analysis/
MALWARE PAYLOAD
File name: 2014-12-01-Neutrino-EK-malware-payload.exe
File size: 133.5 KB ( 136704 bytes )
MD5 hash: 80e090c484d6fd131baaafbfdbf109b4
Detection ratio: 13 / 55
First submission: 2014-12-02 16:18:07 UTC
VirusTotal link: https://www.virustotal.com/en/file/a85101aaa1863d119847f1cc8271343d1a911f304641a02af953c17ecdae84d6/analysis/
Malwr link: https://malwr.com/analysis/YjMwYTFlNTk0NDg3NDhiMWIxZDdjNTc2MzM4YTJiYzk/
HIGHLIGHTS FROM THE TRAFFIC ON 2014-11-29
Embedded iframe in page from compromised website (same in all 4 examples):
Redirect (same URL in all 4 examples):
Neutrino EK landing page:
Neutrino EK calls for javascript from ajax.googleapis.com:
Neutrino EK delivers Flash exploit:
Encrypted EXE payload sent after successful Flash exploit:
One last GET request by the EK returns a 404 Not Found:
FINAL NOTES
Once again, here are the associated files:
- ZIP of the pcaps: 2014-12-01-Neutrino-EK-all-5-pcaps.zip
- ZIP of the malware: 2014-12-01-Neutrino-EK-malware-and-artifacts.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.