2016-08-01 - PSEUDO-DARKLEECH NEUTRINO EK FROM 64.150.187.10 SENDS CRYPMIC RANSOMWARE

ASSOCIATED FILES:

  • 2016-08-01-pseudoDarkleech-Neutrino-EK-sends-CrypMIC.pcap   (627,510 bytes)
  • 2016-08-01-page-from-theelectroniccigarette.ca-with-injected-script.txt   (41,415 bytes)
  • 2016-08-01-pseudoDarkleech-CrypMIC-decrypt-instructions.BMP   (3,276,854 bytes)
  • 2016-08-01-pseudoDarkleech-CrypMIC-decrypt-instructions.HTML   (238,187 bytes)
  • 2016-08-01-pseudoDarkleech-CrypMIC-decrypt-instructions.TXT   (1,654 bytes)
  • 2016-08-01-pseudoDarkleech-Neutrino-EK-flash-exploit.swf   (76,929 bytes)
  • 2016-08-01-pseudoDarkleech-Neutrino-EK-landing-page.txt   (2,470 bytes)
  • 2016-08-01-pseudoDarkleech-Neutrino-EK-payload-CrypMIC.dll   (306,688 bytes)


BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:

BACKGROUND ON CRYPMIC RANSOMWARE:

NOTE:  The compromised site also had injected script from the Admedia campaign that was active earlier this year.  It's no longer active, but we'll sometimes find relics of this now dead campaign.  For background, see the following links:



Shown above:  Flowchart for this infection traffic.


TRAFFIC


Shown above:  Injected script from the Admedia campaign in page from the compromised site.



Shown above:  Injected script from the pseudoDarkleech campaign in same page from the compromised site.



Shown above:  Traffic from the pcap filtered in Wireshark.  Wireshark filter: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)
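The Wireshark filter above keeps two kinds of packets: anything dissected as an HTTP request, plus the initial SYN of any TCP connection where neither port is 80, so connection attempts that never carry plain HTTP still show up once per connection. The script below, an added example that is not part of the original post or its pcap, reproduces that logic with only the Python standard library over a pcap it constructs in memory (all addresses, ports and the request line are made up). Wireshark's http.request is approximated here by checking whether the TCP payload starts with an HTTP method token; a real HTTP dissection is more thorough.

```python
"""Replicate the Wireshark display filter
    http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)
over a classic pcap using only the standard library.

Added example; the pcap is constructed below and every address/port is made up.
"""
import struct

# Approximation of Wireshark's http.request: payload begins with a method token.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def build_packet(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Build an Ethernet/IPv4/TCP frame (checksums left zero; the parser ignores them)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dummy MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0,   # ports, seq, ack
                      (5 << 4), flags, 8192, 0, 0) + payload  # data offset 20 bytes
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap raw frames in a little-endian classic pcap (linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1470000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_tcp(pcap_bytes):
    """Yield (src, dst, sport, dport, flags, payload) for every IPv4/TCP frame."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24                                              # skip global header
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:                                    # not TCP
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, tcp[13], tcp[data_off:]


def matches_filter(sport, dport, flags, payload):
    """Python equivalent of the display filter, one TCP segment at a time."""
    is_http_request = payload.startswith(HTTP_METHODS)
    not_port_80 = sport != 80 and dport != 80              # !(tcp.port eq 80)
    pure_syn = flags == 0x02                               # tcp.flags eq 0x0002
    return is_http_request or (not_port_80 and pure_syn)


def filter_pcap(pcap_bytes):
    """Return (src, dst, sport, dport) for each packet the filter would display."""
    return [(src, dst, sport, dport)
            for src, dst, sport, dport, flags, payload in iter_tcp(pcap_bytes)
            if matches_filter(sport, dport, flags, payload)]


# Constructed sample traffic: one HTTP request, a SYN to port 80, and a
# full handshake start on port 443.  Only the request and the 443 SYN match.
SAMPLE_PCAP = build_pcap([
    build_packet("10.0.0.5", "192.0.2.10", 49152, 80, 0x18,
                 b"GET /index.php HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    build_packet("10.0.0.5", "192.0.2.10", 49153, 80, 0x02),      # SYN, port 80: hidden
    build_packet("10.0.0.5", "198.51.100.7", 49154, 443, 0x02),   # SYN, port 443: shown
    build_packet("198.51.100.7", "10.0.0.5", 443, 49154, 0x12),   # SYN/ACK: hidden
    build_packet("10.0.0.5", "198.51.100.7", 49154, 443, 0x10),   # ACK: hidden
])

if __name__ == "__main__":
    for row in filter_pcap(SAMPLE_PCAP):
        print("%s -> %s  %d -> %d" % row)
```

Running the script against a real capture only needs `filter_pcap(open(path, "rb").read())`; note that the parser handles classic pcap, not pcapng, and does not reassemble segmented HTTP requests, which Wireshark does.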


ASSOCIATED DOMAINS:

DOMAINS FROM THE DECRYPT INSTRUCTIONS:

NOTE: The two domains above from the decrypt instructions are the same ones seen from CrypMIC last week.


FILE HASHES

FLASH EXPLOIT:

PAYLOAD:


IMAGES


Shown above:  Desktop of an infected Windows host after rebooting.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
