2016-07-25 - EITEST NEUTRINO EK FROM 137.74.156[.]191 SENDS CRYPTXXX RANSOMWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2016-07-25-EITest-Neutrino-EK-sends-CryptXXX-ransomware-after-dicodesrimes_com.pcap.zip 434.0 kB (433,992 bytes)
- 2016-07-25-EITest-Neutrino-EK-sends-CryptXXX-ransomware-after-dicodesrimes_com.pcap (475,451 bytes)
- l2016-07-25-malware-and-artifacts-from-EITest-Neutrino-EK-and-CryptXXX-ransomware.zip 331.1 kB (331,134 bytes)
- 2016-07-25-EITest-Neutrino-EK-flash-exploit.swf (76,702 bytes)
- 2016-07-25-EITest-Neutrino-EK-landing-page.txt (2,831 bytes)
- 2016-07-25-EITest-Neutrino-EK-payload-CryptXXX-ransomware.dll (330,240 bytes)
- 2016-07-25-EITest-flash-redirect-from-ibyfidy_xyz.swf (4,694 bytes)
- 2016-07-25-page-from-dicodesrimes_com-with-injected-EITest-script.txt (15,413 bytes)
NOTES:
- 2016-03-31 - Palo Alto Networks Unit 42 blog: How the EITest Campaign's Path to Angler EK Evolved Over Time.
- 2016-06-08 - SANS ISC diary: Neutrino EK and CryptXXX (campaigns using Angler EK switch to Neutrino EK)
- 2016-06-11 - Malware Don't Need Coffee: Is it the end of Angler?
- 2016-07-14 - Proofpoint Blog: Spam, Now With a Side of CryptXXX Ransomware!
From Proofpoint: "We believe that CryptXXX is in active development and possibly split off into two branches. The original branch is now up to version 5.001 (we wrote about the upgrade to version 3.100 near the end of May), while the new branch uses a different format for versioning and will require further analysis."
- I've seen both versions of CryptXXX since 2016-07-06, but I've only seen (what I think is) the original branch for this past week or so.
- MMS0 is still the entry point for loading this CryptXXX DLL.
- Problems getting the ransomware to run properly, so no decryption instructions and no post-infection traffic.
Shown above: Thanks again to @2xyo for another tweet about a compromised site.
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Injected script in page from compromised website.
Shown above: Traffic from the pcap filtered in Wireshark.
ASSOCIATED DOMAINS:
- www.dicodesrimes[.]com - Compromised website
- 85.93.0[.]12 port 80 - ibyfidy[.]xyz - EITest gate
- 137.74.156[.]191 port 80 - monandria-kwigillingok.southernneckpain[.]co[.]uk - Neutrino EK
FILE HASHES
FLASH FILES:
- SHA256 hash: 0d1390a5446d75414f704f43ee9b1a8adb87e106170bebba2f61d051cf3486a9
File name: 2016-07-25-EITest-flash-redirect-from-ibyfidy_xyz.swf
- SHA256 hash: 9490766284805299026230a5a0c3d23d04b77e2d6f32626c6e8aeea7728df0f7
File name: 2016-07-25-EITest-Neutrino-EK-flash-exploit.swf
PAYLOAD:
- SHA256 hash: dc527934c6b26e65ce9cfdcd026795e978a53b7ee9a672551990ee583ed2a083
File name: 2016-07-25-EITest-Neutrino-EK-payload-CryptXXX-ransomware.dll
FINAL NOTES
Click here to return to the main page.