2016-07-13 - NEUTRINO EK DATA DUMP WITH "JUICYLEMON" BANDARCHOR

ASSOCIATED FILES:

  • 2016-07-12-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-after-thewinegroup.com.pcap   (391,211 bytes)
  • 2016-07-13-EITest-Neutrino-EK-after-scarsboroughcricket.ca.pcap   (852,390 bytes)
  • 2016-07-13-other-Neutrino-EK-sends-Bandarchor-first-run.pcap   (238,878 bytes)
  • 2016-07-13-other-Neutrino-EK-sends-Bandarchor-second-run.pcap   (248,158 bytes)
  • 2016-07-13-pseudoDarkleech-Neutrino-EK-after-thewinegroup.com-first-run.pcap   (402,148 bytes)
  • 2016-07-13-pseudoDarkleech-Neutrino-EK-after-thewinegroup.com-second-run.pcap   (751,563 bytes)
  • 2016-07-12-page-from-thewinegroup.com-with-injected-script.txt   (19,110 bytes)
  • 2016-07-12-pseudoDarkleech-CryptXXX-decrypt-instructions.BMP   (3,276,854 bytes)
  • 2016-07-12-pseudoDarkleech-CryptXXX-decrypt-instructions.HTML   (238,186 bytes)
  • 2016-07-12-pseudoDarkleech-CryptXXX-decrypt-instructions.TXT   (1,658 bytes)
  • 2016-07-12-pseudoDarkleech-Neutrino-EK-landing-page.txt   (2,066 bytes)
  • 2016-07-12-pseudoDarkleech-Neutrino-EK-payload-CryptXXX.dll   (228,352 bytes)
  • 2016-07-13-Bandarchor-decrypt-instructions.txt   (765 bytes)
  • 2016-07-13-EITest-Neutrino-EK-flash-exploit.swf   (80,802 bytes)
  • 2016-07-13-EITest-Neutrino-EK-landing-page.txt   (2,096 bytes)
  • 2016-07-13-EITest-Neutrino-EK-payload.dll   (632,320 bytes)
  • 2016-07-13-EITest-flash-redirect-from-hemmox.xyz.swf   (4,032 bytes)
  • 2016-07-13-other-Neturino-EK-payload-bandarchor.exe   (147,584 bytes)
  • 2016-07-13-other-Neutrino-EK-flash-exploit-second-run.swf   (82,034 bytes)
  • 2016-07-13-other-Neutrino-EK-landing-page-first-run.txt   (2,058 bytes)
  • 2016-07-13-other-Neutrino-EK-landing-page-second-run.txt   (2,100 bytes)
  • 2016-07-13-page-from-scarboroughcricket.ca-with-injected-script.txt   (80,708 bytes)
  • 2016-07-13-page-from-thewinegroup.com-with-injected-script-first-run.txt   (19,345 bytes)
  • 2016-07-13-page-from-thewinegroup.com-with-injected-script-second-run.txt   (19,059 bytes)
  • 2016-07-13-pseudoDarkleech-Neutrino-EK-landing-page-first-run.txt   (2,178 bytes)
  • 2016-07-13-pseudoDarkleech-Neutrino-EK-landing-page-second-run.txt   (2,126 bytes)
  • 2016-07-13-pseudoDarkleech-Neutrino-EK-payload-first-run.dll   (378,368 bytes)
  • 2016-07-13-pseudoDarkleech-Neutrino-EK-payload-second-run.dll   (636,416 bytes)
  • 2016-07-13-pseudoDarkleech-Neutrnio-EK-flash-exploit-first-run.swf   (81,943 bytes)
  • 2016-07-13-pseudoDarkleech-Neutrnio-EK-flash-exploit-second-run.swf   (81,943 bytes)

NOTES:


TRAFFIC


Shown above:  Traffic from the first pcap filtered in Wireshark.


Shown above:  Traffic from the second pcap filtered in Wireshark.


Shown above:  Traffic from the third pcap filtered in Wireshark.


Shown above:  Traffic from the fourth pcap filtered in Wireshark.


Shown above:  Traffic from the fifth pcap filtered in Wireshark.


Shown above:  Traffic from the sixth pcap filtered in Wireshark.


ASSOCIATED DOMAINS:

DOMAINS FROM THE DECRYPT INSTRUCTIONS:


FILE HASHES

FLASH REDIRECTS/EXPLOITS:

PAYLOADS:


IMAGES


Shown above:  Injected script (from pseudoDarkleech campaign) in page from compromised site thewinegroup.com.



Shown above:  Injected EITest script in page from compromised site scarboroughcricket.ca.



Shown above:  URLs that kicked off the "other" Neutrino EK that led to Bandarchor ransomware.



Shown above:  How personal files looked after one of the Bandarchor infections.



Shown above:  Decryption instructions from today's Bandarchor ransomware.



Shown above:  Decryption instructions from yesterday's CryptXXX sample (2016-07-12).



Shown above:  Decryption instructions from one of today's CryptXXX samples (2016-07-13).


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.