2016-07-14 - AFRAIDGATE NEUTRINO EK FROM 5.2.72.236 SENDS LOCKY RANSOMWARE

ASSOCIATED FILES:

  • 2016-07-14-Afraidgate-Neutrino-EK-sends-Locky-ransomware-example-1-of-4.pcap   (350,674 bytes)
  • 2016-07-14-Afraidgate-Neutrino-EK-sends-Locky-ransomware-example-2-of-4.pcap   (313,210 bytes)
  • 2016-07-14-Afraidgate-Neutrino-EK-sends-Locky-ransomware-example-3-of-4.pcap   (353,909 bytes)
  • 2016-07-14-Afraidgate-Neutrino-EK-sends-Locky-ransomware-example-4-of-4.pcap   (375,592 bytes)
  • 2016-07-14-Afraidgate-Locky-decrypt-instructions.bmp   (3,721,466 bytes)
  • 2016-07-14-Afraidgate-Locky-decrypt-instructions.html   (10,112 bytes)
  • 2016-07-14-Afraidgate-Neutrino-EK-flash-exploit-example-1-of-4.swf   (82,629 bytes)
  • 2016-07-14-Afraidgate-Neutrino-EK-flash-exploit-example-2-of-4.swf   (82,724 bytes)
  • 2016-07-14-Afraidgate-Neutrino-EK-flash-exploit-example-3-of-4.swf   (82,724 bytes)
  • 2016-07-14-Afraidgate-Neutrino-EK-flash-exploit-example-4-of-4.swf   (82,724 bytes)
  • 2016-07-14-Afraidgate-Neutrino-EK-landing-page-example-1-of-4.txt   (2,233 bytes)
  • 2016-07-14-Afraidgate-Neutrino-EK-landing-page-example-2-of-4.txt   (2,221 bytes)
  • 2016-07-14-Afraidgate-Neutrino-EK-landing-page-example-3-of-4.txt   (2,233 bytes)
  • 2016-07-14-Afraidgate-Neutrino-EK-landing-page-example-4-of-4.txt   (2,295 bytes)
  • 2016-07-14-Afraidgate-Neutrino-EK-payload-Locky-example-1-of-4.exe   (249,346 bytes)
  • 2016-07-14-Afraidgate-Neutrino-EK-payload-Locky-example-2-of-4.exe   (249,346 bytes)
  • 2016-07-14-Afraidgate-Neutrino-EK-payload-Locky-example-3-of-4.exe   (249,346 bytes)
  • 2016-07-14-Afraidgate-Neutrino-EK-payload-Locky-example-4-of-4.exe   (249,346 bytes)

NOTES:


TRAFFIC


Shown above:  Traffic from the first pcap filtered in Wireshark.


Shown above:  Traffic from the second pcap filtered in Wireshark.


Shown above:  Traffic from the third pcap filtered in Wireshark.


Shown above:  Traffic from the fourth pcap filtered in Wireshark.
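The four Wireshark screenshots above show the same thing for each pcap: the HTTP requests in the order the infected host made them (gate, landing page, Flash exploit, payload, Locky callbacks). The script below is an added example, not tooling from this site, that reproduces that "http.request"-style view from a pcap without Wireshark or any third-party module. It assumes libpcap-format captures (as Wireshark saves by default), Ethernet II framing, IPv4 and TCP; the display filter name and the sample packets it embeds are constructed here for demonstration and are not taken from the captures. The server address in the sample is the one named in the page title; the client address, hostname and URL path are invented.

```python
"""Minimal libpcap walker that lists HTTP requests the way a Wireshark
"http.request" filter does: timestamp, client, server, Host header, request line.

Added example for this page, not the author's own tooling. Handles libpcap
(not pcapng), Ethernet II, IPv4 and TCP only; sample data below is constructed.
"""
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")  # request lines we treat as HTTP


def iter_packets(data):
    """Yield (timestamp_seconds, raw_frame) for each record in a libpcap byte string."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # DLT_EN10MB
        raise ValueError("only Ethernet link type is handled")
    off = 24  # global header is 24 bytes
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src_ip, dst_ip, src_port, dst_port, payload) or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType IPv4
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:  # IPv4 version, protocol 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[doff:]


def http_requests(pcap_bytes):
    """One dict per TCP segment that begins with an HTTP request line."""
    out = []
    for ts, frame in iter_packets(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, payload = parsed
        if not payload.startswith(HTTP_METHODS):
            continue  # SYNs, ACKs, server responses, TLS etc. are skipped
        head = payload.partition(b"\r\n\r\n")[0]
        lines = head.split(b"\r\n")
        host = ""
        for h in lines[1:]:
            name, _, value = h.partition(b":")
            if name.strip().lower() == b"host":
                host = value.strip().decode("ascii", "replace")
                break
        out.append({"time": ts, "client": src, "server": f"{dst}:{dport}",
                    "host": host, "request": lines[0].decode("ascii", "replace")})
    return out


def _frame(src_ip, dst_ip, sport, dport, flags, payload):
    """Constructed Ethernet/IPv4/TCP frame with zeroed checksums (enough for parsing)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def build_sample_pcap():
    """Constructed three-packet capture: SYN, a GET to the EK server, and its reply."""
    frames = [
        _frame("192.168.1.10", "5.2.72.236", 49200, 80, 0x02, b""),  # SYN, no payload
        _frame("192.168.1.10", "5.2.72.236", 49200, 80, 0x18,
               b"GET /example-path HTTP/1.1\r\nHost: landing.example.invalid\r\n\r\n"),
        _frame("5.2.72.236", "192.168.1.10", 80, 49200, 0x18,
               b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1468454400 + i, 0, len(f), len(f)) + f  # constructed timestamps
    return out


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for r in http_requests(data):
        print(f'{r["time"]:.6f}  {r["client"]} -> {r["server"]}  {r["host"]}  {r["request"]}')
```

Run it with one of the pcaps as the argument to get the request chain as a flat list. It only looks at the first segment of each request, so a request whose headers are split across TCP segments will show up without its Host header, and it ignores VLAN tags, IP fragments and pcapng; for anything beyond quick triage, Wireshark's Follow TCP Stream remains the reference.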


AFRAIDGATE REDIRECTS:

NEUTRINO EK DOMAINS:

POST-INFECTION TRAFFIC FROM THE LOCKY RANSOMWARE:

DOMAINS FROM THE DECRYPTION INSTRUCTIONS:


FILE HASHES

FLASH EXPLOITS:

PAYLOADS:


IMAGES


Shown above:  Infecting a Windows host with one of the Locky samples.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
