2016-07-29 - EITEST NEUTRINO EK SENDS CRYPMIC RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2016-07-29-EITest-Neutrino-EK-sends-CrypMIC-ransomware-2-pcaps.zip   806.6 kB (806,580 bytes)

• 2016-07-29-EITest-Neutrino-EK-sends-CrypMIC-ransomware-after-nurseryrhymedaycare_ca.pcap   (606,244 bytes)
• 2016-07-29-EITest-Neutrino-EK-sends-CrypMIC-ransomware-after-redwood-inc_com.pcap   (1,271,323 bytes)

• 2016-07-29-EITest-Neutrino-EK-and-CrypMIC-ransomware-files.zip   355.7 kB (355,714 bytes)

• 2016-07-29-EITest-campaign-CrypMIC-ransomware-decrypt-instructions.BMP   (3,276,854 bytes)
• 2016-07-29-EITest-campaign-CrypMIC-ransomware-decrypt-instructions.HTML   (238,187 bytes)
• 2016-07-29-EITest-campaign-CrypMIC-ransomware-decrypt-instructions.TXT   (1,659 bytes)
• 2016-07-29-EITest-flash-redirect-from-tyjutu_xyz-and-ypabodid_xyz.swf   (4,354 bytes)
• 2016-07-29-EITest-Neutrino-EK-flash-exploit-after-nurseryrhymedaycare_ca.swf   (77,505 bytes)
• 2016-07-29-EITest-Neutrino-EK-flash-exploit-after-redwood-inc_com.swf   (80,034 bytes)
• 2016-07-29-EITest-Neutrino-EK-landing-page-after-nurseryrhymesdaycare_ca.txt   (2,376 bytes)
• 2016-07-29-EITest-Neutrino-EK-landing-page-after-redwood-inc_com.txt   (2,354 bytes)
• 2016-07-29-EITest-Neutrino-EK-payload-CrypMIC-ransomware.dll   (248,832 bytes)

 

BACKGROUND ON THE EITEST CAMPAIGN::

• Something I wrote on exploit kit (EK) fundamentals:  link
• 2016-03-31 - Palo Alto Networks Unit 42 blog:  How the EITest Campaign's Path to Angler EK Evolved Over Time.
• 2016-06-08 - SANS ISC diary:  Neutrino EK and CryptXXX  (campaigns using Angler EK switch to Neutrino EK)

 

BACKGROUND ON CRYPMIC RANSOMWARE:

• 2016-07-06 - SANS ISC diary:  CryptXXX ransomware updated   [The date I first noticed this new branch of ransomware.]

• 2016-07-14 - From the Proofpoint blog [link]: "We believe that CryptXXX is in active development and possibly split off into two branches. The original branch is now up to version 5.001 (we wrote about the upgrade to version 3.100 near the end of May), while the new branch uses a different format for versioning and will require further analysis."

• 2016-07-20 - TrendLabs Security Intelligence Blog - CrypMIC Ransomware Wants to Follow CryptXXX's Footsteps   [TrendLabs analyzes the new branch and names it.]

Shown above:  Thanks to @James_inthe_box for the tweet about a compromised site.

 

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script in page from the first compromised website.

 

Shown above:  Traffic from the first pcap filtered in Wireshark.   Wireshark filter: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)

 

Shown above:  Injected script in page from the second compromised website.

 

Shown above:  Traffic from the second pcap filtered in Wireshark.   Wireshark filter: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)

 

ASSOCIATED DOMAINS:

• nurseryrhymesdaycare[.]ca - Compromised site
• 85.93.0[.]12 port 80 - tykutu[.]xyz - EITest gate
• 188.42.195[.]86 port 80 - entomologicaloperatorene.pr9[.]uk - Neutrino EK
• 193.111.140[.]100 port 443 - CrypMIC ransomware post-infection traffic

• redwood-inc[.]com - Compromised site
• 85.93.0[.]12 port 80 - ypabodid[.]xyz - EITest gate
• 74.208.199[.]213 port 80 - ertragswhuhuista.suffolkdemolition[.]co[.]uk - Neutrino EK
• 193.111.140[.]100 port 443 - CrypMIC ransomware post-infection traffic

DOMAINS FROM THE DECRYPTION INSTRUCTIONS:

• 7aggi2bq4bms4dfo[.]onion[.]to
• 7aggi2bq4bms4dfo[.]onion[.]city

 

FILE HASHES

FLASH FILES:

• SHA256 hash:  8655f35da0da07af0d7f304bba994fe2fc29b9608d1950e7144259255b12345f
  File name:  2016-07-29-EITest-flash-redirect-from-tyjutu.xyz-and-ypabodid_xyz.swf

• SHA256 hash:  619e228eb31c9f0b922b315cac12582f3b68c15c35c7be45f1a6a996add8ee41
  File name:  2016-07-29-EITest-Neutrino-EK-flash-exploit-after-nurseryrhymedaycare_ca.swf

• SHA256 hash:  19d88a07a0e16b8035c7a8e8789263f6f08b4cf995ef1f1b00386589c71e76a4
  File name:  2016-07-29-EITest-Neutrino-EK-flash-exploit-after-redwood-inc_com.swf

PAYLOAD:

• SHA256 hash:  84884ac4dec173eff7fa47d2f749cff05cfbec047ff9cebb853fb73340a75d16
  File name:  2016-07-29-EITest-Neutrino-EK-payload-CrypMIC-ransomware.dll

 

IMAGES

Shown above:  Desktop of an infected Windows host after rebooting.

 

Click here to return to the main page.