2016-06-24 - PSEUDO-DARKLEECH NEUTRINO EK SENDS CRYPTXXX RANSOMWARE

ASSOCIATED FILES:

  • 2016-06-24-pseudoDarkleech-Neutrino-EK-after-fiocchidiriso.com.pcap   (1,170,037 bytes)
  • 2016-06-24-pseudoDarkleech-Neutrino-EK-after-sunlait.com.pcap   (1,390,485 bytes)
  • 2016-06-24-page-from-fiocchidiriso.com-with-injected-pseudoDarkleech-script.txt   (16,008 bytes)
  • 2016-06-24-page-from-sunlait.com-with-injected-pseudoDarkleech-script.txt   (79,532 bytes)
  • 2016-06-24-pseudoDarkleech-CryptXXX-decrypt-instructions.bmp   (3,686,454 bytes)
  • 2016-06-24-pseudoDarkleech-CryptXXX-decrypt-instructions.html   (36,201 bytes)
  • 2016-06-24-pseudoDarkleech-CryptXXX-decrypt-instructions.txt   (1,755 bytes)
  • 2016-06-24-pseudoDarkleech-Neutrino-EK-flash-exploit-after-fiocchidiriso.com.swf   (81,798 bytes)
  • 2016-06-24-pseudoDarkleech-Neutrino-EK-flash-exploit-after-sunlait.com.swf   (81,798 bytes)
  • 2016-06-24-pseudoDarkleech-Neutrino-EK-landing-page-after-fiocchidiriso.com.txt   (1,034 bytes)
  • 2016-06-24-pseudoDarkleech-Neutrino-EK-landing-page-after-sunlait.com.txt   (1,112 bytes)
  • 2016-06-24-pseudoDarkleech-Neutrino-EK-payload-CryptXXX-after-fiocchidiriso.com.dll   (362,496 bytes)
  • 2016-06-24-pseudoDarkleech-Neutrino-EK-payload-CryptXXX-after-sunlait.com.dll   (532,992 bytes)

NOTES:

BACKGROUND INFO:


Shown above: Flowchart for today's infection traffic.

TRAFFIC

ASSOCIATED DOMAINS:


IMAGES


Shown above: Traffic from the first pcap filtered in Wireshark. Filter: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)


Shown above: Traffic from the second pcap filtered in Wireshark.

FINAL NOTES

Once again, here are the associated files:
