2016-08-29 - PSEUDO-DARKLEECH NEUTRINO EK FROM 74.208.154[.]9 SENDS CRYPMIC RANSOMWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2016-08-29-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-ransomware.pcap.zip 246.5 kB (246,542 bytes)
- 2016-08-29-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-ransomware.pcap (263,534 bytes)
- 2016-08-29-pseudoDarkleech-Neutrino-EK-malware-and-artifacts.zip 199.5 kB (199,510 bytes)
- 2016-08-29-CrypMIC-ransomware-decryption-instructions.bmp (2,457,654 bytes)
- 2016-08-29-CrypMIC-ransomware-decryption-instructions.txt (1,660 bytes)
- 2016-08-29-page-from-nucleocorp_com_co-with-injected-script.txt (28,363 bytes)
- 2016-08-29-pseudoDarkleech-Neutrino-EK-flash-exploit.swf (79,465 bytes)
- 2016-08-29-pseudoDarkleech-Neutrino-EK-landing-page.txt (2,386 bytes)
- 2016-08-29-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-ransomware.dll (166,912 bytes)
BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:
- Something I wrote on exploit kit (EK) fundamentals: link
- 2016-03-22 - PaloAlto Networks Unit 42 blog: Campaign Evolution: Darkleech to Pseudo-Darkleech and Beyond
- 2016-07-02 - SANS ISC diary: Change in patterns for the pseudoDarkleech campaign
BACKGROUND ON CRYPMIC RANSOMWARE:
- 2016-07-06 - SANS ISC diary: CryptXXX ransomware updated [The date I first noticed this new branch of ransomware.]
- 2016-07-14 - From the Proofpoint blog [link]: "We believe that CryptXXX is in active development and possibly split off into two branches. The original branch is now up to version 5.001 (we wrote about the upgrade to version 3.100 near the end of May), while the new branch uses a different format for versioning and will require further analysis."
- 2016-07-20 - TrendLabs Security Intelligence Blog - CrypMIC Ransomware Wants to Follow CryptXXX's Footsteps [TrendLabs analyzes the new branch and names it.]
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Injected script from the pseudoDarkleech campaign in page from the compromised site.
Shown above: Traffic from the pcap filtered in Wireshark. Wireshark filter: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)
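The Wireshark filter above keeps two things: every HTTP request, plus every SYN sent to a port other than 80. That is enough to see the whole chain in one view (the compromised site, the EK landing page and the non-HTTP callback on 443) without the noise of the HTTP responses and the handshakes to web servers. The following is an added example, not code from the original page, that re-implements that filter in pure Python over a classic libpcap file and tags each surviving packet that touches one of the indicators in the ASSOCIATED DOMAINS list below. The capture it reads is constructed in memory: the client address 10.0.0.42, the compromised-site address 203.0.113.10, the benign 198.51.100.7, the request paths and the timestamps are assumptions, and checksums are left zero.

```python
"""Apply the page's Wireshark filter offline and flag packets that hit the page's IOCs.

Filter being reproduced:  http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)
"""
import re
import socket
import struct
from typing import Dict, Iterator, List, Optional, Tuple

# Defanged indicators copied from the ASSOCIATED DOMAINS list on this page.
PAGE_IOCS = [
    "nucleocorp[.]com[.]co",              # compromised site
    "74.208.65[.]129",                    # Neutrino EK
    "kjretyer-patinador.gnhotels[.]co",   # Neutrino EK
    "85.14.243[.]9",                      # post-infection callback
]

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS", b"DELETE")


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('74.208.65[.]129', 'hxxp://') back into its real form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def is_http_request(payload: bytes) -> bool:
    """Approximation of Wireshark's http.request: a request line 'METHOD SP target SP HTTP/1.x'."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/1.")


def matches_filter(pkt: Dict) -> bool:
    """http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)."""
    on_port_80 = 80 in (pkt["sport"], pkt["dport"])
    syn_only = pkt["flags"] == 0x0002  # Wireshark's 12-bit flags field: SYN set, nothing else
    return is_http_request(pkt["payload"]) or (not on_port_80 and syn_only)


def build_frame(src: str, dst: str, sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    """Ethernet II + IPv4 + TCP frame (checksums zero; fine for offline parsing)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def build_pcap(frames: List[bytes]) -> bytes:
    """Classic libpcap file: 24-byte global header (linktype 1 = Ethernet) + 16-byte record headers."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1472428800 + i, 0, len(frame), len(frame)))  # constructed timestamps
        out.append(frame)
    return b"".join(out)


def read_pcap(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (ts_sec, frame) for each record in a classic pcap (not pcapng)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def decode_tcp(frame: bytes) -> Optional[Dict]:
    """Pull addresses, ports, the 12-bit flags field and payload out of an Ethernet/IPv4/TCP frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:  # IP protocol 6 = TCP
        return None
    tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport,
            "flags": ((tcp[12] & 0x0F) << 8) | tcp[13], "payload": tcp[data_off:]}


def triage(pcap: bytes, defanged_iocs: List[str]) -> List[Dict]:
    """Run the filter over a capture; mark packets whose dst IP or Host header is a listed IOC."""
    iocs = {refang(i) for i in defanged_iocs}
    hits = []
    for ts, frame in read_pcap(pcap):
        pkt = decode_tcp(frame)
        if pkt is None or not matches_filter(pkt):
            continue
        m = re.search(rb"\r\nHost: ([^\r\n]+)", pkt["payload"])
        host = m.group(1).decode("ascii", "replace") if m else None
        hits.append({"ts": ts, "dst": f'{pkt["dst"]}:{pkt["dport"]}', "host": host,
                     "why": "http.request" if is_http_request(pkt["payload"]) else "syn-not-80",
                     "ioc": pkt["dst"] in iocs or host in iocs})
    return hits


# Constructed traffic (not the page's pcap): a client at 10.0.0.42 walks the infection chain.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.42", "203.0.113.10", 49200, 80, 0x02),              # SYN to port 80: dropped
    build_frame("10.0.0.42", "203.0.113.10", 49200, 80, 0x18,
                b"GET / HTTP/1.1\r\nHost: nucleocorp.com.co\r\n\r\n"),       # compromised site: kept
    build_frame("203.0.113.10", "10.0.0.42", 80, 49200, 0x18,
                b"HTTP/1.1 200 OK\r\n\r\n<html>"),                          # response: dropped
    build_frame("10.0.0.42", "74.208.65.129", 49201, 80, 0x18,
                b"GET /landing HTTP/1.1\r\nHost: kjretyer-patinador.gnhotels.co\r\n\r\n"),  # EK: kept
    build_frame("10.0.0.42", "198.51.100.7", 49202, 443, 0x02),             # benign SYN to 443: kept, no IOC
    build_frame("10.0.0.42", "85.14.243.9", 49203, 443, 0x02),              # callback SYN to 443: kept, IOC
    build_frame("10.0.0.42", "85.14.243.9", 49203, 443, 0x10),              # ACK: dropped
])

if __name__ == "__main__":
    for h in triage(SAMPLE_PCAP, PAGE_IOCS):
        print(h)
```

To use it on the real capture, call `triage(open(path, "rb").read(), PAGE_IOCS)`. Two caveats: the reader handles classic pcap with Ethernet framing only (convert pcapng with `editcap -F pcap` first), and `is_http_request` looks only at the first segment of a request, whereas Wireshark's `http.request` reassembles TCP streams, so a request whose method is split across segments will not be matched here.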
ASSOCIATED DOMAINS:
- nucleocorp[.]com[.]co - Compromised site
- 74.208.65[.]129 port 80 - kjretyer-patinador.gnhotels[.]co - Neutrino EK
- 85.14.243[.]9 port 443 - Post-infection callback traffic (no response from the server)
DOMAINS FROM THE DECRYPT INSTRUCTIONS:
- xijymvzq4zkyubfe[.]onion[.]to
- xijymvzq4zkyubfe[.]onion[.]city
NOTE: The above 2 domains from the decrypt instructions have changed since I last documented CrypMIC from the pseudoDarkleech campaign on 2016-08-24.
FILE HASHES
FLASH EXPLOIT:
- SHA256 hash: 763f3a3778036905394670fec161ccfd34a94f64a965bfd83fd6dc65165d966c
File name: 2016-08-29-pseudoDarkleech-Neutrino-EK-flash-exploit.swf
PAYLOAD:
- SHA256 hash: a67970dcf5d76537588bff59310be8c796891b6da1e09a6e9c3d86e20d55d0e5
File name: 2016-08-29-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-ransomware.dll
IMAGES
Shown above: Desktop of an infected Windows host after rebooting.