Neutrino encounter at www.pennystomatoes[.]com

[Image: pennys-neutrino]

For some background on Neutrino, please see the following posts:

As there has already been some great analysis on the kit and this encounter seems typical, I’ll make this a quick analysis for awareness.

Initially, the injected JavaScript creates an iframe that loads content from www.bluejeans[.]co/xmlrpc.php?counter=US&rnd=0.052883837715120285, which in turn responds with a 302 redirect to the exploit landing page at jkpkgwxlptwwfclbmjjl.is-an-artist[.]com:8000/gwyvcupw?twxvjhbh=3105984:

[Image: pennys-injection]

Decoded:

[Image: pennys-injection-decoded]

[Image: pennys-302]

For this encounter, the Java archive (CVE-2013-2465) was delivered from: jkpkgwxlptwwfclbmjjl.is-an-artist[.]com:8000/rvwkskfbg?jtfbutsheuvn=pknhvwcmvfw

This was followed by the encoded payload from: jkpkgwxlptwwfclbmjjl.is-an-artist[.]com:8000/fzolglbluiwqe?jipmjvm=pknhvwcmvfw

[Image: pennys-payload-encoded]

(As noted by malwaremustdie, this kit makes a number of requests for .css and various image files. These are all junk and not worth wasting time on, but it's good to be aware of this behavior, as it appears to be an attempt to deceive analysts and pose as interactions with a legitimate site.)

[Image: pennys-neutrino-junk]

A geolocation lookup using j.maxmind.com/app/geoip.js was seen immediately after the binary download, followed by initial communication with the known ZeroAccess CnC at 194.165.17.4.

[Image: pennys-zeroaccess]

VirusTotal:
Java Archive: https://www.virustotal.com/en/file/5394fea060ee504cc3bd1234adf19b0807b7b76102adc6918ab1cecb5b3b39e3/analysis/1380071664/

Payload:
https://www.virustotal.com/en/file/a6be5de112ade8b42db001c48477c7070cbea8efb12002316b5ca4fccfd4fd92/analysis/1380071836/

* With this encounter I observed an errant Java request for /META-INF/services/javax.xml.datatype.DatatypeFactory from the compromised domain. I'm not sure whether this is unique to this encounter or a potential indicator.
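The chain above (redirector with the counter/rnd query, random-label landing host on port 8000, decoy .css and image fetches, geoip.js lookup right after the binary, then the ZeroAccess CnC contact, plus the errant META-INF request) is the kind of sequence a proxy-log hunt can pick out after the fact. The script below is an added example, not code from the original post; it runs over a small constructed proxy log (the lines are invented, using the hosts and IP the post names, written defanged with [.] as in the post) and reports per-client findings. The field layout of the log, the 60-second window for the geoip.js check, the port-8000/long-random-label heuristic and the severity labels are all assumptions of this example; the META-INF request is scored as informational only, since the post does not claim it is a reliable indicator.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Indicators from the post, kept defanged ([.]) as written there; refang() normalizes them.
KNOWN_BAD_HOSTS = {"jkpkgwxlptwwfclbmjjl.is-an-artist[.]com"}
KNOWN_CNC_IPS = {"194.165.17.4"}
GEOIP_URL = "j.maxmind[.]com/app/geoip.js"
META_INF_PATH = "/META-INF/services/javax.xml.datatype.DatatypeFactory"

# Request shapes observed in this encounter (assumption: they generalize only loosely).
REDIRECTOR_RE = re.compile(r"/xmlrpc\.php\?counter=[A-Z]{2}&rnd=0\.\d+$")
LANDING_HOST_RE = re.compile(r"^[a-z]{16,}\.")      # long random-looking first label
JUNK_EXT_RE = re.compile(r"\.(css|png|jpe?g|gif)$", re.I)
LANDING_PORT = 8000
GEOIP_WINDOW = timedelta(seconds=60)                # geoip.js this soon after a kit fetch is suspicious
SEVERITY_RANK = {"clean": 0, "info": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed proxy log (not real captured traffic): "timestamp client method url status".
SAMPLE_LOG = """\
2013-09-25T02:34:10 10.0.0.5 GET http://www.pennystomatoes[.]com/ 200
2013-09-25T02:34:11 10.0.0.5 GET http://www.bluejeans[.]co/xmlrpc.php?counter=US&rnd=0.052883837715120285 302
2013-09-25T02:34:12 10.0.0.5 GET http://jkpkgwxlptwwfclbmjjl.is-an-artist[.]com:8000/gwyvcupw?twxvjhbh=3105984 200
2013-09-25T02:34:13 10.0.0.5 GET http://jkpkgwxlptwwfclbmjjl.is-an-artist[.]com:8000/style.css 404
2013-09-25T02:34:14 10.0.0.5 GET http://jkpkgwxlptwwfclbmjjl.is-an-artist[.]com:8000/rvwkskfbg?jtfbutsheuvn=pknhvwcmvfw 200
2013-09-25T02:34:15 10.0.0.5 GET http://www.pennystomatoes[.]com/META-INF/services/javax.xml.datatype.DatatypeFactory 404
2013-09-25T02:34:16 10.0.0.5 GET http://jkpkgwxlptwwfclbmjjl.is-an-artist[.]com:8000/fzolglbluiwqe?jipmjvm=pknhvwcmvfw 200
2013-09-25T02:34:17 10.0.0.5 GET http://j.maxmind[.]com/app/geoip.js 200
2013-09-25T02:34:19 10.0.0.5 GET http://194.165.17.4/ 200
2013-09-25T02:40:00 10.0.0.7 GET http://www.example[.]com/index.html 200
2013-09-25T02:40:01 10.0.0.7 GET http://j.maxmind[.]com/app/geoip.js 200
"""


def refang(s):
    """Turn the report-style '[.]' notation back into a real dot for matching."""
    return s.replace("[.]", ".")


def parse_line(line):
    ts, client, method, url, status = line.split()
    u = urlsplit(refang(url))
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": u.hostname, "port": u.port, "path": u.path, "query": u.query,
            "status": int(status)}


def analyze(log_text):
    """Return {client: [(timestamp, severity, description), ...]} for every client seen."""
    bad_hosts = {refang(h) for h in KNOWN_BAD_HOSTS}
    geoip_url = refang(GEOIP_URL)
    findings, last_kit_fetch = {}, {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        out = findings.setdefault(ev["client"], [])
        host = ev["host"] or ""
        path_q = ev["path"] + ("?" + ev["query"] if ev["query"] else "")

        # 1. Redirector: xmlrpc.php with a country code and random float, as in the injected iframe.
        if REDIRECTOR_RE.search(path_q):
            out.append((ev["ts"], "medium", f"Neutrino-style redirector {host}{path_q}"))

        # 2. Landing/exploit/payload host: known bad, or the random-label-on-port-8000 shape.
        if host in bad_hosts or (ev["port"] == LANDING_PORT and LANDING_HOST_RE.match(host)):
            if JUNK_EXT_RE.search(ev["path"]):
                # Decoy .css/image fetches: record them, but do not let them drive the verdict.
                out.append((ev["ts"], "info", f"decoy asset request {ev['path']} to kit host"))
            else:
                out.append((ev["ts"], "high", f"exploit-kit request {host}:{ev['port']}{path_q}"))
                last_kit_fetch[ev["client"]] = ev["ts"]

        # 3. Geolocation lookup shortly after a kit fetch: the post-infection check seen in the post.
        if host + ev["path"] == geoip_url:
            prev = last_kit_fetch.get(ev["client"])
            if prev is not None and ev["ts"] - prev <= GEOIP_WINDOW:
                out.append((ev["ts"], "high", "geoip.js lookup within 60s of exploit-kit download"))

        # 4. Known ZeroAccess CnC address.
        if host in KNOWN_CNC_IPS:
            out.append((ev["ts"], "critical", f"contact with known ZeroAccess CnC {host}"))

        # 5. The errant META-INF request: informational only, since the post does not
        #    establish whether it is a reliable indicator.
        if ev["path"] == META_INF_PATH:
            out.append((ev["ts"], "info", f"errant Java request for {META_INF_PATH} on {host}"))
    return findings


def verdict(findings):
    """Highest severity per client ("clean" when nothing fired)."""
    return {c: max((s for _, s, _ in evs), key=SEVERITY_RANK.get, default="clean")
            for c, evs in findings.items()}


def count_by_severity(findings, client):
    return dict(Counter(s for _, s, _ in findings.get(client, [])))


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for client, evs in result.items():
        print(f"{client}: {verdict(result)[client]}")
        for ts, sev, desc in evs:
            print(f"  {ts.time()} [{sev}] {desc}")
```

The geoip.js rule is the one worth keeping in mind: a MaxMind lookup on its own is common and benign (client 10.0.0.7 in the sample is left clean), so it is only scored when it lands within the window after a request to a flagged kit host. The decoy .css and image requests are kept at "info" for the same reason the post gives: they are noise meant to look like a normal site visit and should not raise or lower the verdict.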

[Image: neutrino-meta-inf]