2016-07-25 - PSEUDO-DARKLEECH NEUTRINO EK SENDS CRYPTXXX RANSOMWARE

ASSOCIATED FILES:

  • 2016-07-25-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-after-depressivedisorder.xyz.pcap   (345,017 bytes)
  • 2016-07-25-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-after-sinyimusic.com.pcap   (453,294 bytes)
  • 2016-07-25-page-from-depressivedisorder.xyz-with-injected-script.txt   (32,201 bytes)
  • 2016-07-25-page-from-sinyimusic.com-with-injected-script.txt   (18,028 bytes)
  • 2016-07-25-pseudoDarkleech-CryptXXX-decrypt-instructions.BMP   (5,424,934 bytes)
  • 2016-07-25-pseudoDarkleech-CryptXXX-decrypt-instructions.HTML   (17,785 bytes)
  • 2016-07-25-pseudoDarkleech-Neutrino-EK-flash-exploit-after-depressivedisorder.xyz.swf   (78,000 bytes)
  • 2016-07-25-pseudoDarkleech-Neutrino-EK-flash-exploit-after-sinyimusic.com.swf   (78,000 bytes)
  • 2016-07-25-pseudoDarkleech-Neutrino-EK-landing-page-after-depressivedisorder.xyz.txt   (2,731 bytes)
  • 2016-07-25-pseudoDarkleech-Neutrino-EK-landing-page-after-sinyimusic.com.txt   (2,777 bytes)
  • 2016-07-25-pseudoDarkleech-Neutrino-EK-payload-CryptXXX-after-depressivedisorder.xyz.dll   (352,256 bytes)
  • 2016-07-25-pseudoDarkleech-Neutrino-EK-payload-CryptXXX-after-sinyimusic.com.dll   (352,256 bytes)

NOTES:

Shown above:  Flowchart for this infection traffic.

TRAFFIC

Shown above:  Injected script in page from the first compromised website.

Shown above:  Traffic from the first pcap filtered in Wireshark.

Shown above:  Injected script in page from the second compromised website.

Shown above:  Traffic from the second pcap filtered in Wireshark.

ASSOCIATED DOMAINS:

DOMAINS FROM THE DECRYPT INSTRUCTIONS:

FILE HASHES

FLASH EXPLOITS:

PAYLOADS:

IMAGES

Shown above:  Decryption instructions (the .bmp image).

Shown above:  Decryption instructions (the .html file).

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.