2015-04-06 - NEUTRINO EK

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-04-06-Neutrino-EK-traffic.pcap.zip
• 2015-04-06-sandbox-analysis-of-Neutrino-EK-payload.pcap.zip
• 2015-04-06-Neutrino-EK-malware-and-artifacts.zip

 

TRAFFIC

ASSOCIATED DOMAINS:

• 185.44.105[.]39 port 22127 - wjslsbljk.eebwcaioztsmvfl[.]ml:22127 - Neutrino EK
• 110.201.227[.]51 - ns1.nadefolt[.]net - DNS query and result, no actual traffic
• 179.163.128[.]148 - ns8.nadefolt[.]net - DNS query and result, no actual traffic
• 85.17.142[.]11 port 53 - TCP traffic caused by the malware payload (malformed packet/not DNS)
• 95.211.15[.]37 port 53 - TCP traffic caused by the malware payload (malformed packet/not DNS)
• 130.185.108[.]130 port 53 - TCP traffic caused by the malware payload (malformed packet/not DNS)

 

NEUTRINO EK TRAFFIC:

• wjslsbljk.eebwcaioztsmvfl[.]ml:22127 - GET /direction.html?speech=miserable&shoulder=cottage&descend=80678&decide=hour&mist=86052&fully=sailor&discover=35926&
  harm=33245&swallow=49417&cloth=13858
• wjslsbljk.eebwcaioztsmvfl[.]ml:22127 - GET /traffic.shtml?comfortable=unless&choose=myrtle&bounce=61588&hour=97296
• wjslsbljk.eebwcaioztsmvfl[.]ml:22127 - GET /skull.shtml?clear=74387&warrior=90346&drug=7772&shelf=93610&quality=78756&roof=76218&disappoint=74171&cling=43658
• wjslsbljk.eebwcaioztsmvfl[.]ml:22127 - GET /terrorist/27234/master/40281/heir/stumble/speak/hurry/machine/kick/attic/74548/
• wjslsbljk.eebwcaioztsmvfl[.]ml:22127 - GET /convey.asp?palace=1461&mood=93292&feather=2896&hurried=20624

 

ALERTS

EMERGING THREATS / ETPRO:

• 185.44.105[.]39 port 80 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Flash Exploit Nov 20 2014 (sid:2019763)
• 185.44.105[.]39 port 80 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing Jan 27 2015 (sid:2020321)
• 185.44.105[.]39 port 80 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Payload Nov 20 2014 (sid:2020388)
• 85.17.142[.]11 port 53 - ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53 (sid:2807561)
• 95.211.15[.]37 port 53 - ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53 (sid:2807561)
• 130.185.108[.]130 port 53 - ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53 (sid:2807561)
• 85.17.142[.]11 port 53 - ETPRO TROJAN Trojan/Win32.Zbot Covert Channel port 53 (sid:2808226)
• 95.211.15[.]37 port 53 - ETPRO TROJAN Trojan/Win32.Zbot Covert Channel port 53 (sid:2808226)
• 130.185.108[.]130 port 53 - ETPRO TROJAN Trojan/Win32.Zbot Covert Channel port 53 (sid:2808226)

 

SOURCEFIRE VRT (TALOS):

• 185.44.105[.]39 port 80 - [1:32638:1] EXPLOIT-KIT Sweet Orange exploit kit Adobe Flash exploit on defined port
• 85.17.142[.]11 port 53 - [1:28996:4] MALWARE-CNC Win.Trojan.Bunitu variant outbound connection
• 95.211.15[.]37 port 53 - [1:28996:4] MALWARE-CNC Win.Trojan.Bunitu variant outbound connection
• 130.185.108[.]130 port 53 - [1:28996:4] MALWARE-CNC Win.Trojan.Bunitu variant outbound connection

 

MALWARE

• File name: 2015-04-06-Neutrino-EK-Flash-exploit.swf
• https://www.virustotal.com/en/file/b4f51b4d9cdd9c4d31bf7cc0407b138669aeddf63383a41f3a7bac4c90300332/analysis/

• File name: 2015-04-06-Neutrino-EK-malware-payload.exe
• https://www.virustotal.com/en/file/65d81bf968495684016057f1a870ea7c104f34d85d2ceb0893ed682720464bed/analysis/

• File name: 2015-04-06-dpasydb.dll (file dropped by the malware)
• https://www.virustotal.com/en/file/cdfba978322605cd23f43fbc2768a8eca1137704758b527a2e28935ec17f19a5/analysis/

 

Click here to return to the main page.