2015-01-26 - NEUTRINO EK FROM 108.61.197[.]150 - PELILG.EFRAI2[.]EU:28623 SENDS VAWTRAK/NEVERQUEST

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-01-26-Neutrino-EK-traffic.pcap.zip
• 2015-01-26-Neutrino-EK-malware.zip

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 108.61.197[.]150 - pelilg.efrai2[.]eu:28623 - New Neurtino EK on TCP port 28623
• 46.63.127[.]64 - cpcloc[.]net - Post-infection traffic (Vawtrak/NeverQuest)
• 50.7.240[.]10 - 50.7.240[.]10 - non-ASCII traffic over port 8080

 

NEUTRINO EK:

• 2015-01-26 18:18:38 UTC - pelilg.efrai2[.]eu:28623 - GET /feeling.phtml?fumble=14777&spell=25068&jordan=14923&stupid=13334&arrangement=18494&
  awaken=47391&defeat=43164&flicker=52172&convince=83054&five=77037

• 2015-01-26 18:18:38 UTC - pelilg.efrai2[.]eu:28623 - GET /several.asp?determine=ladder&handkerchief=37049&mistake=toward&slice=about&cart=97268&
  breathe=lawn

• 2015-01-26 18:18:39 UTC - pelilg.efrai2[.]eu:28623 - GET /down/37050/furious/highest/splash/moonlight/connect/thirteen/short/goodness/fortunate/16523/
  arrive/49435/cliff/door/deal/conversation/coffee/flare/

• 2015-01-26 18:18:40 UTC - pelilg.efrai2[.]eu:28623 - GET /faith.pl?bile=demand&officer=17945&morrow=handkerchief

• 2015-01-26 18:18:40 UTC - pelilg.efrai2[.]eu:28623 - GET /fang.shtml?birthday=cell&slice=forth&steeple=77564&take=20083&variety=86262

 

POST-INFECTION TRAFFIC:

• 2015-01-26 18:19:04 UTC - cpcloc[.]net - POST /collection/0000003E/00/2C380B4C   [repeats]
• 2015-01-26 18:19:06 UTC - 50.7.240[.]10 port 8080 - non ASCII traffic

 

ALERTS

Signature hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion (without ET POLICY or ET INFO events):

• 108.61.197[.]150 port 28623 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Flash Exploit Nov 20 2014 (sid:2019763)
• 108.61.197[.]150 port 28623 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing Nov 20 2014 (sid:2019761)
• 46.63.127[.]64 port 80 - ET TROJAN Vawtrak/NeverQuest Server Response (sid:2019499)
• 46.63.127[.]64 port 80 - ETPRO TROJAN Vawtrak/NeverQuest Posting Data (sid:2809464)

Signature hits from the Talos (Sourcefire VRT) ruleset using Snort 2.9.7.0 on Debian 7:

• 108.61.197[.]150 port 28623 - [1:32638:1] EXPLOIT-KIT Sweet Orange exploit kit Adobe Flash exploit on defined port
• 46.63.127[.]64 - [139:1:1] (spp_sdf) SDF Combination Alert (x2)
• 50.7.240[.]10 port 8080 - [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
• 50.7.240[.]10 port 8080 - [119:31:1] (http_inspect) UNKNOWN METHOD

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2015-01-26-Neutrino-EK-flash-exploit.swf
File size:  42,375 bytes
MD5 hash:  0d89ee85522cc508eca373dd3ec9c29b
Detection ratio:  1 / 57
First submission:  2015-01-26 21:15:14 UTC
VirusTotal link:  https://www.virustotal.com/en/file/0e618ceaada97a742cc2712ed43a961fc691355d080a092008bcfb45cf71d42d/analysis/

 

MALWARE PAYLOAD:

File name:  2015-01-26-Neutrino-EK-malware-payload.exe
File size:  376,832 bytes
MD5 hash:  f7728b78b60cc138d776f5199fc9650c
Detection ratio:  9 / 57
First submission:  2015-01-26 21:15:23 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d8997858aadb4933e78d071862f54a2c5dfdc64f8d1a3203f2943f600b3b9681/analysis/

 

DROPPED MALWARE:

File name:  C:\ProggramData\ZedfOzbeb\TugeBucb.fec
File size:  290,816 bytes
MD5 hash:  579e5da03d3b0d1509cc2f2c2efae413
Detection ratio:  6 / 57
First submission:  2015-01-26 21:15:31 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3220bc8be25f45390196ba669e8b27587e2b1938f44ea1ece9d457c1794ac8ba/analysis/

 

Click here to return to the main page.