2016-04-27 - EITEST GATE GENERATES NEUTRINO EK AND ANGLER EK

ASSOCIATED FILES:

• ZIP archive of the 2 pcaps:  2016-04-27-EK-traffic-from-EITest-campaign.zip   1.1 MB (1,098,041 bytes)

• 2016-04-27-EITest-Neutrino-EK-sends-TeslaCrypt.pcap   (578,450 bytes)
• 2016-04-27-EITest-Angler-EK-sends-something-else.pcap   (928,748 bytes)

• ZIP archive of the malware and artifacts:  2016-04-27-malware-and-artifacts-from-EITest-campaign.zip   859.4 kB (859,440 bytes)

• 2016-04-27-EITest-Angler-EK-extracted-DLL-from-silverlight-exploit-GrmBL2Lnhwx.dll   (209,408 bytes)
• 2016-04-27-EITest-Angler-EK-flash-exploit.swf   (54,444 bytes)
• 2016-04-27-EITest-Angler-EK-landing-page.txt   (96,150 bytes)
• 2016-04-27-EITest-Angler-EK-payload.exe   (65,024 bytes)
• 2016-04-27-EITest-Angler-EK-silverlight-exploit.xap   (169,132 bytes)
• 2016-04-27-EITest-Neutrino-EK-flash-exploit.swf   (72,607 bytes)
• 2016-04-27-EITest-Neutrino-EK-landing-page.txt   (968 bytes)
• 2016-04-27-EITest-Neutrino-EK-payload-TeslaCrypt.exe   (434,176 bytes)
• 2016-04-27-EITest-flash-file-from-volide.tk.swf   (15,596 bytes)
• 2016-04-27-EITest-flash-file-sent-by-istera.tk.swf   (15,596 bytes)
• 2016-04-27-TeslaCrypt-decrypt-instructions.html   (1,401 bytes)
• 2016-04-27-TeslaCrypt-decrypt-instructions.png   (20,848 bytes)
• 2016-04-27-TeslaCrypt-decrypt-instructions.txt   (572 bytes)

 

NOTES:

• On Saturday 2016-04-23, broadanalysis.com saw the EITest gate lead to Nuclear EK sending TeslaCrypt ( link ).
• Today, I saw the EITest gate point to Neutrino EK sending TeslaCrypt.  Later, I saw it point to Angler EK sending something else.
• Background on the EITest campaign can be found here.

 

TRAFFIC

Shown above:  Pcap of traffic from the first infection (Neutrino EK --> TeslaCrypt) filtered in Wireshark.

Shown above:  Pcap of traffic from the second infection (Angler EK --> something else) filtered in Wireshark.

 

ASSOCIATED DOMAINS - NEUTRINO EK SENDS TESLACRYPT:

• 85.93.0.68 port 80 - volide.tk - EITest gate
• 185.58.224.173 port 80 - oleelzds.jothoxe.eu - Neutrino EK
• 94.124.120.61 port 80 - www.teacherassist.info - POST /_ini.php   [post-infection TeslaCrypt callback]

 

ASSOCIATED DOMAINS - ANGLER EK SENDS SOMETHING ELSE:

• 85.93.0.68 port 80 - istera.tk - EITest gate
• 185.141.25.155 port 80 - jb1nvr.ea6yo5.top - Angler EK
• www.msn.com - GET /   [post-infection connectivity check]
• 74.121.30.151 port 80 - GET /space HTTP/1.0   [post-infection callback]

 

IMAGES

Shown above:  An example of injected EITest script in page from the compromised website.

 

Shown above:  Desktop of the first infected Windows host after Neutrino EK sent TeslaCrypt.  Who is TeslaCrypt impersonating this week?

 

Shown above:  Post-infection callback from the second Windows host after the Angler EK infection.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the 2 pcaps:  2016-04-27-EK-traffic-from-EITest-campaign.zip   1.1 MB (1,098,041 bytes)
• ZIP archive of the malware and artifacts:  2016-04-27-malware-and-artifacts-from-EITest-campaign.zip   859.4 kB (859,440 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.