2016-07-01 - NEUTRINO EK AND "REALSTATISTICS" GATE CHANGE

NOTES:

ASSOCIATED FILES:

  • 2016-07-01-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-after-gennaroespositomilano.it.pcap   (715,824 bytes)
  • 2016-07-01-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-second-example.pcap   (1,136,508 bytes)
  • 2016-07-01-realstatistics-gate-traffic-after-tne.mx.pcap   (6,655 bytes)
  • ZIP archive of the malware/artifacts:  2016-07-01-pseudoDarkleech-Neutrino-EK-malware-and-artifacts.zip   845.3 kB (845,257 bytes)
    • 2016-07-01-page-from-gennaroespositomilano.it-with-injected-pseudoDarkleech-script.txt   (15,990 bytes)
    • 2016-07-01-pseudoDarkleech-CryptXXX-decrypt-instructions.bmp   (3,686,454 bytes)
    • 2016-07-01-pseudoDarkleech-CryptXXX-decrypt-instructions.html   (36,201 bytes)
    • 2016-07-01-pseudoDarkleech-CryptXXX-decrypt-instructions.txt   (1,755 bytes)
    • 2016-07-01-pseudoDarkleech-Neutrino-EK-flash-exploit-after-gennaroespositomilano.it.swf   (86,405 bytes)
    • 2016-07-01-pseudoDarkleech-Neutrino-EK-flash-exploit-second-example.swf   (85,196 bytes)
    • 2016-07-01-pseudoDarkleech-Neutrino-EK-landing-page-after-gennaroespositomilano.it.txt   (1,025 bytes)
    • 2016-07-01-pseudoDarkleech-Neutrino-EK-landing-page-second-example.txt   (1,105 bytes)
    • 2016-07-01-pseudoDarkleech-Neutrino-EK-payload-CryptXXX-after-gennaroespositomilano.it.dll   (458,752 bytes)
    • 2016-07-01-pseudoDarkleech-Neutrino-EK-payload-CryptXXX-second-example.dll   (368,640 bytes)

TRAFFIC

ASSOCIATED DOMAINS:

FILE HASHES

FLASH EXPLOITS:

MALWARE PAYLOADS:

IMAGES


Shown above:  Injected script pointing to the "realstatistics" gate from a compromised website yesterday.

Shown above:  Injected script from the same site pointing to a different "realstatistics" gate today.

Shown above:  As you can see, the new "realstatistics" domain is using a different IP address and a slightly different URL.

Shown above:  Unfortunately, I haven't been able to get past this new gate.  The iframe looks like it's using a placeholder.

Shown above:  Neutrino EK and CryptXXX ransomware traffic kicked off by viewing gennaroespositomilano.it.

Shown above:  Injected pseudoDarkleech script in a page from a second compromised site.

Shown above:  Neutrino EK and CryptXXX ransomware traffic kicked off by viewing the second compromised site.

FINAL NOTES

Once again, the associated files are listed at the top of this page.

The ZIP file is password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
