2015-07-16 - NEUTRINO EK FROM 82.211.30[.]153 PORT 31251

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-07-16-Neutrino-EK-traffic.pcap.zip
• 2015-07-16-Neutrino-EK-malware-and-artifacts.zip

NOTES:

• Kafeine has already posted about Neutrino EK having the lastest Flash exploits from the Hacking Team compromise:
  https://malware.dontneedcoffee.com/2015/07/cve-2015-5122-hackingteam-0d-two-flash.html

 

TRAFFIC

ASSOCIATED DOMAINS:

• 82.211.30[.]153 port 31251 - tbbddrbnqn.fqjzehjmmkbdigu[.]gq - Neutrino EK
• 52.27.18[.]173 port 80 - classjump[.]com - Post-infection traffic
• 74.208.44[.]87 port 80 - mobilesuccessblueprints[.]com - Post-infection traffic
• 62.76.184[.]59 port 80 - 62.76.184[.]59 - Post-infection traffic

NEUTRINO EK:

• 2015-07-16 17:41:33 UTC - tbbddrbnqn.fqjzehjmmkbdigu[.]gq:31251 - GET /hunter.pl?advice=32745&rise=8778&rabbit=57317&bowl=answer&within=beat&torment=3824&normal=51524&cheap=anyhow&painful=willow&toast=helmet

• 2015-07-16 17:41:34 UTC - tbbddrbnqn.fqjzehjmmkbdigu[.]gq:31251 - GET /shadowy.htm?ever=loud&doze=camp&ankh=15261&noise=65822&bargain=brave&unpleasant=detail&staff=potter&opportunity=sneak

• 2015-07-16 17:41:35 UTC - tbbddrbnqn.fqjzehjmmkbdigu[.]gq:31251 - GET /vain.html?awful=77941&alas=morrow&bold=unseen&graceful=ancient&statement=40102&distract=91457&most=75571&oxford=irish&stool=doom&they=30683

• 2015-07-16 17:41:35 UTC - tbbddrbnqn.fqjzehjmmkbdigu[.]gq:31251 - GET /clumsy.asp?foot=heaven&shine=78211&puzzle=93507&comment=72550&hearty=95637

 

POST-INFECTION TRAFFIC:

• 2015-07-16 17:41:52 UTC - classjump[.]com - POST /c/classjump/images/index.php
• 2015-07-16 17:41:55 UTC - mobilesuccessblueprints[.]com - GET /blog/wp-content/uploads/optpress/images_comingsoon/logo.jpg
• 2015-07-16 17:41:59 UTC - classjump[.]com - POST /c/classjump/images/index.php
• 2015-07-16 17:42:01 UTC - mobilesuccessblueprints[.]com - GET /blog/wp-content/uploads/optpress/images_comingsoon/image.jpg
• 2015-07-16 17:42:04 UTC - classjump[.]com - POST /c/classjump/images/index.php
• 2015-07-16 17:42:08 UTC - 62.76.184[.]59 - POST /security/mylittle_pony/gate.php
• 2015-07-16 17:42:56 UTC - classjump[.]com - POST /c/classjump/images/index.php

 

Click here to return to the main page.