2016-07-07 - NEUTRINO EK SENDS CRYPMIC (EITEST & PSEUDO-DARKLEECH CAMPAIGNS)

ASSOCIATED FILES:

  • 2016-07-07-EITest-Neutrino-EK-after-musicmix.co.pcap   (533,751 bytes)
  • 2016-07-07-pseudoDarkleech-Neutrino-EK-after-drupatis.com.pcap   (397,296 bytes)
  • 2016-07-07-pseudoDarkleech-Neutrino-EK-after-gennaroespositomilano.it.pcap   (430,794 bytes)
  • 2016-07-07-pseudoDarkleech-Neutrino-EK-after-lawrenceparkah.com.pcap   (196,694 bytes)
  • 2016-07-07-pseudoDarkleech-Neutrino-EK-after-toronto-annex.com.pcap   (447,507 bytes)
  • 2016-07-07-EITest-CrypMIC-decrypt-instructions.BMP   (3,276,854 bytes)
  • 2016-07-07-EITest-CrypMIC-decrypt-instructions.HTML   (238,186 bytes)
  • 2016-07-07-EITest-CrypMIC-decrypt-instructions.TXT   (1,658 bytes)
  • 2016-07-07-EITest-Neutrino-EK-landing-page-after-musicmix.co.txt   (3,247 bytes)
  • 2016-07-07-EITest-Neutrino-EK-payload-CrypMIC-after-musicmix.co.dll   (67,584 bytes)
  • 2016-07-07-EITest-flash-redirect-from-freedtd.ml.swf   (3,070 bytes)
  • 2016-07-07-page-from-drupatis.com-with-injected-script.txt   (15,920 bytes)
  • 2016-07-07-page-from-gennaroespositomilano.it-with-injected-script.txt   (15,984 bytes)
  • 2016-07-07-page-from-lawrenceparkah.com-with-injected-script.txt   (39,581 bytes)
  • 2016-07-07-page-from-musicmix.co-with-injected-script.txt   (135,268 bytes)
  • 2016-07-07-pseudoDarkleech-CrypMIC-decrypt-instructions.BMP   (3,276,854 bytes)
  • 2016-07-07-pseudoDarkleech-CrypMIC-decrypt-instructions.HTML   (238,191 bytes)
  • 2016-07-07-pseudoDarkleech-CrypMIC-decrypt-instructions.TXT   (1,663 bytes)
  • 2016-07-07-pseudoDarkleech-Neutrino-EK-flash-exploit-after-drupatis.com.swf   (79,069 bytes)
  • 2016-07-07-pseudoDarkleech-Neutrino-EK-flash-exploit-after-lawrenceparkah.com.swf   (78,379 bytes)
  • 2016-07-07-pseudoDarkleech-Neutrino-EK-flash-exploit-after-toronto-annex.com.swf   (78,377 bytes)
  • 2016-07-07-pseudoDarkleech-Neutrino-EK-landing-page-after-drupatis.com.txt   (3,151 bytes)
  • 2016-07-07-pseudoDarkleech-Neutrino-EK-landing-page-after-gennaroespositomilano.it.txt   (3,155 bytes)
  • 2016-07-07-pseudoDarkleech-Neutrino-EK-landing-page-after-lawrenceparkah.com.txt   (3,291 bytes)
  • 2016-07-07-pseudoDarkleech-Neutrino-EK-landing-page-after-toronto-annex.com.txt   (3,233 bytes)
  • 2016-07-07-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-after-drupatis.com-and-gennaroespositomilano.it.dll   (67,584 bytes)
  • 2016-07-07-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-after-lawrenceparkah.com-and-toronto-annex.com.dll   (67,584 bytes)

NOTES:

Shown above: Decrypt instructions from CrypMIC samples on 2016-07-07.


TRAFFIC


Shown above: Traffic from the first pcap filtered in Wireshark. Filter: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)


Shown above:  Traffic from the second pcap filtered in Wireshark.


Shown above:  Traffic from the third pcap filtered in Wireshark.


Shown above: Traffic from the fourth pcap filtered in Wireshark.


Shown above: Traffic from the fifth pcap filtered in Wireshark.


ASSOCIATED DOMAINS:

DOMAINS FROM THE DECRYPT INSTRUCTIONS:


FILE HASHES

NEUTRINO EK FLASH EXPLOITS:

CRYPMIC PAYLOADS:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
