2016-07-08 - EK DATA DUMP - NEUTRINO EK SENDS CRYPTXXX & GOOTKIT, RIG EK SENDS CRYPTOBIT

ASSOCIATED FILES:

  • 2016-07-08-EITest-Neutrino-EK-sends-CryptXXX-after-musicmix.co.pcap   (1,068,438 bytes)
  • 2016-07-08-Rig-EK-sends-CryptoBit.pcap   (153,982 bytes)
  • 2016-07-08-other-Neutrino-EK-sends-gootkit.pcap   (451,652 bytes)
  • 2016-07-08-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-after-eielectronics.com.pcap   (1,154,728 bytes)
  • 2016-07-08-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-after-toronto-annex.com.pcap   (1,177,430 bytes)
  • 2016-07-08-Cryptobit-decrypt-instructions.txt   (1,300 bytes)
  • 2016-07-08-EITest-CryptXXX-decrypt-instructions.BMP   (3,686,454 bytes)
  • 2016-07-08-EITest-CryptXXX-decrypt-instructions.HTML   (19,095 bytes)
  • 2016-07-08-EITest-Neutrino-EK-flash-exploit.swf   (78,771 bytes)
  • 2016-07-08-EITest-Neutrino-EK-landing-page.txt   (3,179 bytes)
  • 2016-07-08-EITest-Neutrino-EK-payload-CryptXXX.dll   (527,360 bytes)
  • 2016-07-08-EITest-flash-redirector-from-fin7.tk.swf   (3,070 bytes)
  • 2016-07-08-Rig-EK-flash-exploit.swf   (18,975 bytes)
  • 2016-07-08-Rig-EK-landing-page.txt   (5,506 bytes)
  • 2016-07-08-Rig-EK-payload-Cryptobit.exe   (152,397 bytes)
  • 2016-07-08-other-Neutrino-EK-flash-exploit.swf   (78,158 bytes)
  • 2016-07-08-other-Neutrino-EK-landing-page.txt   (3,295 bytes)
  • 2016-07-08-other-Neutrino-EK-malware-dropped-after-infection-svszclp.dll   (102,400 bytes)
  • 2016-07-08-other-Neutrino-EK-payload-Gootkit.exe   (227,328 bytes)
  • 2016-07-08-page-from-eielectronics-with-injected-script.txt   (443 bytes)
  • 2016-07-08-page-from-musicmix.co-with-injected-script.txt   (135,261 bytes)
  • 2016-07-08-page-from-toronto-annex.com-with-injected-script.txt   (53,785 bytes)
  • 2016-07-08-pseudoDarkleech-CryptXXX-decrypt-instructions.BMP   (3,686,454 bytes)
  • 2016-07-08-pseudoDarkleech-CryptXXX-decrypt-instructions.HTML   (20,105 bytes)
  • 2016-07-08-pseudoDarkleech-Neutrino-EK-flash-exploit-after-eielectronics.com.swf   (78,861 bytes)
  • 2016-07-08-pseudoDarkleech-Neutrino-EK-flash-exploit-after-toronto-annex.com.swf   (77,708 bytes)
  • 2016-07-08-pseudoDarkleech-Neutrino-EK-landing-page-after-eielectronics.com.txt   (3,211 bytes)
  • 2016-07-08-pseudoDarkleech-Neutrino-EK-landing-page-after-toronot-annex.com.txt   (3,201 bytes)
  • 2016-07-08-pseudoDarkleech-Neutrino-EK-payload.dll   (512,000 bytes)

GOOTKIT NOTES:

CRYPTOBIT (CRIPTOBIT/MOBEF) NOTES:

CRYPTXXX NOTES:

Shown above:  Infected Windows desktop from CryptXXX samples on Friday 2016-07-08.

Shown above:  One of the CryptXXX infections, where the ransomware is loaded by rundll32.exe.

TRAFFIC

Shown above:  Traffic from the first pcap filtered in Wireshark.   Filter:  http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)

Shown above:  Traffic from the second pcap filtered in Wireshark (Neutrino EK sends Gootkit).

Shown above:  Traffic from the third pcap filtered in Wireshark (Rig EK sends CryptoBit).

Shown above:  Traffic from the 4th pcap filtered in Wireshark.

Shown above:  Traffic from the 5th pcap filtered in Wireshark.

ASSOCIATED DOMAINS:

DOMAINS/EMAILS FROM THE DECRYPT INSTRUCTIONS:

FILE HASHES

FLASH REDIRECTOR OR FLASH EXPLOITS:

MALWARE (EXE OR DLL FILES):

OTHER IMAGES

Shown above:  Gootkit made persistent through a scheduled task; note the DLL file location.

Shown above:  Part of the Windows desktop after the Rig EK --> CryptoBit infection.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.