2015-10-21 - NEUTRINO EK FROM 89.38.150.119 SENDS NECURS

ASSOCIATED FILES:

• ZIP file of the PCAP:  2015-10-21-Neutrino-EK-traffic.zip   364.1 kB (364,124 bytes)
• ZIP file of the malware:  2015-10-21-Neutrino-EK-malware-and-artifacts.zip   201.0 kB (200,965 bytes)

 

NOTES:

• Pretty much the same thing seen last week on 2015-10-13, except this time, Neutrino EK by this actor was using port 80.
• In this case, I am unable to share information on the compromised website.
• Todays infection is a different actor than the Magento server infections associated with Neutrino EK that Sucuri (link) and Malwarebytes (link) have blogged about... Different traffic patterns.

 

CHAIN OF EVENTS

Shown above:  Results in Security Onion after using tcpreplay on the pcap.

 

ASSOCIATED DOMAINS:

• 178.33.200.128 port 80 - vid.fotografofamoso.com.br - Redirect/Gate pointing to Neutrino EK
• 89.38.150.119 port 80 - btsjywn.xmqbsmyofchd.gq - Neutrino EK
• 95.22.28.194 port 80 - 195.22.28.194 - Necurs-related post-infection callback
• 195.22.28.222 port 80 - sso.anbtr.com - Post-infection traffic
• various IP addresses, various ports - UDP traffic and attempted TCP connections (see pcap for details)

 

REDIRECT/GATE:

• 2015-10-21 00:44:44 UTC - vid.fotografofamoso.com.br - GET /js/script.js

 

NEUTRINO EK:

• 2015-10-21 00:44:45 UTC - btsjywn.xmqbsmyofchd.gq - GET /1999/04/17/visit/band/back/everywhere-consult-view.html
• 2015-10-21 00:44:45 UTC - btsjywn.xmqbsmyofchd.gq - GET /mister/kindness-platform-column-10247547
• 2015-10-21 00:44:46 UTC - btsjywn.xmqbsmyofchd.gq - GET /southern/emd1bnE
• 2015-10-21 00:44:47 UTC - btsjywn.xmqbsmyofchd.gq - GET /yesterday/cnRsa2E
• 2015-10-21 00:44:49 UTC - btsjywn.xmqbsmyofchd.gq - GET /2009/06/20/lawn/short/feast/hour-exceeding-knowledge-young-mankind-shine-bloom.html

 

POST-INFECTION TRAFFIC:

• 2015-10-21 00:45:12 UTC - 195.22.28.194 - POST /forum/db.php
• 2015-10-21 00:45:13 UTC - sso.anbtr.com - GET /domain/195.22.28.194
• 2015-10-21 00:45:19 UTC - 195.22.28.194 - POST /forum/db.php
• 2015-10-21 00:45:19 UTC - sso.anbtr.com - GET /domain/195.22.28.194
• 2015-10-21 00:45:38 UTC - 195.22.28.194 - POST /forum/db.php
• 2015-10-21 00:45:38 UTC - sso.anbtr.com - GET /domain/195.22.28.194
• 2015-10-21 00:45:56 UTC - 195.22.28.194 - POST /forum/db.php
• 2015-10-21 00:45:56 UTC - sso.anbtr.com - GET /domain/195.22.28.194
• 2015-10-21 00:46:10 UTC - 195.22.28.194 - POST /forum/db.php
• 2015-10-21 00:46:11 UTC - sso.anbtr.com - GET /domain/195.22.28.194
• 2015-10-21 00:46:25 UTC - 195.22.28.194 - POST /forum/db.php
• 2015-10-21 00:46:25 UTC - sso.anbtr.com - GET /domain/195.22.28.194
• 2015-10-21 00:46:31 UTC - 195.22.28.194 - POST /forum/db.php
• 2015-10-21 00:46:31 UTC - sso.anbtr.com - GET /domain/195.22.28.194
• 2015-10-21 00:46:46 UTC - 195.22.28.194 - POST /forum/db.php
• 2015-10-21 00:46:47 UTC - sso.anbtr.com - GET /domain/195.22.28.194
• 2015-10-21 00:46:49 UTC - 195.22.28.194 - POST /forum/db.php
• 2015-10-21 00:46:49 UTC - sso.anbtr.com - GET /domain/195.22.28.194

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2015-10-21-Neutrino-EK-flash-exploit.swf
File size:  92.9 KB ( 95138 bytes )
MD5 hash:  97bedff81331b2198b0f07b1088d6bcb
SHA1 hash:  1b3777daf1090eb60559e57f388f22342b7751df
SHA256 hash:  497a23fa67dd737b81e00481240e9e9e3e4e1bab7d6f74f211717a2873a203d5
Detection ratio:  0 / 56
First submission:  2015-10-21 16:46:22 UTC
VirusTotal link:  https://www.virustotal.com/en/file/497a23fa67dd737b81e00481240e9e9e3e4e1bab7d6f74f211717a2873a203d5/analysis/

 

MALWARE PAYLOAD:

File name:  2015-10-21-Neutrino-EK-malware-payload.exe
File name:  C:\Windows\Installer\{D9420F8B-C520-4316-D4D2-8B77B4998B1C}\syshost.exe
File size:  194.5 KB ( 199168 bytes )
MD5 hash:  3251e5ebe7c0e61aac2d2f74b3423e12
SHA1 hash:  f752e081246dda766aa87ff89615824d684a9d40
SHA256 hash:  3e2a76ed82bd9320700deb079a8d6fdcb5236c37b8f5c2b0e72683fd8dacb048
Detection ratio:  8 / 56
First submission:  2015-10-21 08:41:28 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3e2a76ed82bd9320700deb079a8d6fdcb5236c37b8f5c2b0e72683fd8dacb048/analysis/
Malwr link:  https://malwr.com/analysis/NTYzOWRmYmVmZGQwNDcxMzg5Y2IxMDdjYzIwNjRlMzc/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/3e2a76ed82bd9320700deb079a8d6fdcb5236c37b8f5c2b0e72683fd8dacb048?environmentId=4

 

REGISTRY KEYS:

Shown above:  One of the registry keys created or updated by this malware.

 

• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\syshost32
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\syshost32

• Value name:  ImagePath
• Value type:  REG_EXPAND_SZ
• Value data:  "C:\Windows\Installer\{D9420F8B-C520-4316-D4D2-8B77B4998B1C}\syshost.exe" /service

 

FINAL NOTES

Once again, here are the associated files:

• ZIP file of the PCAP:  2015-10-21-Neutrino-EK-traffic.zip   364.1 kB (364,124 bytes)
• ZIP file of the malware:  2015-10-21-Neutrino-EK-malware-and-artifacts.zip   201.0 kB (200,965 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.