Malware-Traffic-Analysis.net - 2016-07-25 - EITest Neutrino EK from 137.74.156[.]191 sends CryptXXX ransomware

2016-07-25 - EITEST NEUTRINO EK FROM 137.74.156[.]191 SENDS CRYPTXXX RANSOMWARE

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2016-07-25-EITest-Neutrino-EK-sends-CryptXXX-ransomware-after-dicodesrimes_com.pcap.zip 434.0 kB (433,992 bytes)

2016-07-25-EITest-Neutrino-EK-sends-CryptXXX-ransomware-after-dicodesrimes_com.pcap (475,451 bytes)

l2016-07-25-malware-and-artifacts-from-EITest-Neutrino-EK-and-CryptXXX-ransomware.zip 331.1 kB (331,134 bytes)

2016-07-25-EITest-Neutrino-EK-flash-exploit.swf (76,702 bytes)

2016-07-25-EITest-Neutrino-EK-landing-page.txt (2,831 bytes)

2016-07-25-EITest-Neutrino-EK-payload-CryptXXX-ransomware.dll (330,240 bytes)

2016-07-25-EITest-flash-redirect-from-ibyfidy_xyz.swf (4,694 bytes)

2016-07-25-page-from-dicodesrimes_com-with-injected-EITest-script.txt (15,413 bytes)

NOTES:

2016-03-31 - Palo Alto Networks Unit 42 blog: How the EITest Campaign's Path to Angler EK Evolved Over Time.
2016-06-08 - SANS ISC diary: Neutrino EK and CryptXXX (campaigns using Angler EK switch to Neutrino EK)
2016-06-11 - Malware Don't Need Coffee: Is it the end of Angler?
2016-07-14 - Proofpoint Blog: Spam, Now With a Side of CryptXXX Ransomware!
From Proofpoint: "We believe that CryptXXX is in active development and possibly split off into two branches. The original branch is now up to version 5.001 (we wrote about the upgrade to version 3.100 near the end of May), while the new branch uses a different format for versioning and will require further analysis."
I've seen both versions of CryptXXX since 2016-07-06, but I've only seen (what I think is) the original branch for this past week or so.

MMS0 is still the entry point for loading this CryptXXX DLL.
Problems getting the ransomware to run properly, so no decryption instructions and no post-infection traffic.

Shown above: Thanks again to @2xyo for another tweet about a compromised site.

Shown above: Flowchart for this infection traffic.

TRAFFIC

Shown above: Injected script in page from compromised website.

Shown above: Traffic from the pcap filtered in Wireshark.

ASSOCIATED DOMAINS:

www.dicodesrimes[.]com - Compromised website
85.93.0[.]12 port 80 - ibyfidy[.]xyz - EITest gate
137.74.156[.]191 port 80 - monandria-kwigillingok.southernneckpain[.]co[.]uk - Neutrino EK

FILE HASHES

FLASH FILES:

SHA256 hash: 0d1390a5446d75414f704f43ee9b1a8adb87e106170bebba2f61d051cf3486a9
File name: 2016-07-25-EITest-flash-redirect-from-ibyfidy_xyz.swf

SHA256 hash: 9490766284805299026230a5a0c3d23d04b77e2d6f32626c6e8aeea7728df0f7
File name: 2016-07-25-EITest-Neutrino-EK-flash-exploit.swf

PAYLOAD:

SHA256 hash: dc527934c6b26e65ce9cfdcd026795e978a53b7ee9a672551990ee583ed2a083
File name: 2016-07-25-EITest-Neutrino-EK-payload-CryptXXX-ransomware.dll

FINAL NOTES

Click here to return to the main page.