2016-06-17 - PSEUDO-DARKLEECH NEUTRINO EK FROM 45.63.25.106

ASSOCIATED FILES:

  • 2016-06-17-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-after-ex.technor.com.pcap   (990,812 bytes)
  • 2016-06-17-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-after-nuvon.com.pcap   (1,359,082 bytes)
  • 2016-06-17-page-from-ex.technor.com-with-injected-pseudoDarkleech-script   (33,092 bytes)
  • 2016-06-17-page-from-nuvon.com-with-injected-pseudoDarkleech-script.txt   (40,157 bytes)
  • 2016-06-17-pseudoDarkleech-CryptXXX-decrypt-instructions.bmp   (3,686,454 bytes)
  • 2016-06-17-pseudoDarkleech-CryptXXX-decrypt-instructions.html   (36,201 bytes)
  • 2016-06-17-pseudoDarkleech-CryptXXX-decrypt-instructions.txt   (1,755 bytes)
  • 2016-06-17-pseudoDarkleech-Neutrino-EK-flash-exploit-after-ex.technor.com.swf   (79,872 bytes)
  • 2016-06-17-pseudoDarkleech-Neutrino-EK-flash-exploit-after-nuvon.com.swf   (79,871 bytes)
  • 2016-06-17-pseudoDarkleech-Neutrino-EK-landing-page-after-ex.technor.com.txt   (841 bytes)
  • 2016-06-17-pseudoDarkleech-Neutrino-EK-landing-page-after-nuvon.com.txt   (805 bytes)
  • 2016-06-17-pseudoDarkleech-Neutrino-EK-payload.dll   (526,336 bytes)

NOTES:

BACKGROUND INFO:

Shown above: Flowchart for today's infection traffic.

TRAFFIC

ASSOCIATED DOMAINS:
IMAGES

Shown above: What I found on Malware Domain List earlier today.

Shown above: HTTP GET request to the first website returns pseudoDarkleech script.

Shown above: HTTP GET request to the second website returns pseudoDarkleech script.

Shown above: First pcap of the traffic filtered in Wireshark.

Shown above: Second pcap of the traffic filtered in Wireshark.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
