2016-06-17 - PSEUDO-DARKLEECH NEUTRINO EK FROM 45.63.25.106

ASSOCIATED FILES:

• ZIP archive of the pcap:  2016-06-17-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-pcaps.zip   2.1 MB (2,122,604 bytes)

• 2016-06-17-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-after-ex.technor.com.pcap   (990,812 bytes)
• 2016-06-17-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-after-nuvon.com.pcap   (1,359,082 bytes)

• ZIP archive of the malware and artifacts:  2016-06-17-pseudoDarkleech-Neutrino-EK-malware-and-artifacts.zip   459.0 kB (459,028 bytes)

• 2016-06-17-page-from-ex.technor.com-with-injected-pseudoDarkleech-script   (33092 bytes)
• 2016-06-17-page-from-nuvon.com-with-injected-pseudoDarkleech-script.txt   (40157 bytes)
• 2016-06-17-pseudoDarkleech-CryptXXX-decrypt-instructions.bmp   (3686454 bytes)
• 2016-06-17-pseudoDarkleech-CryptXXX-decrypt-instructions.html   (36201 bytes)
• 2016-06-17-pseudoDarkleech-CryptXXX-decrypt-instructions.txt   (1755 bytes)
• 2016-06-17-pseudoDarkleech-Neutrino-EK-flash-exploit-after-ex.technor.com.swf   (79872 bytes)
• 2016-06-17-pseudoDarkleech-Neutrino-EK-flash-exploit-after-nuvon.com.swf   (79871 bytes)
• 2016-06-17-pseudoDarkleech-Neutrino-EK-landing-page-after-ex.technor.com.txt   (841 bytes)
• 2016-06-17-pseudoDarkleech-Neutrino-EK-landing-page-after-nuvon.com.txt   (805 bytes)
• 2016-06-17-pseudoDarkleech-Neutrino-EK-payload.dll   (526336 bytes)

NOTES:

• This is a follow-up to a Twitter post I did earlier:  link.

BACKGROUND INFO:

• A PaloAlto Network blog post with background on the pseudoDarkleech campaign:  link.
• An ISC diary I wrote about pseudo-Darkleech causing Angler EK/Bedep/CryptXXX infections:  link.
• The latest Proofpoint post about CryptXXX ransomware:  link.

Shown above:  Flowchart for today's infection traffic.

 

TRAFFIC

ASSOCIATED DOMAINS:

• 45.63.25.106 port 80 - clyburnjtrennten.japaneseknotweedremovals.com - Neutrino EK
• 188.0.236.7 port 443 - CryptXXX callback (attempted TCP connections, no response)
• 85.25.194.116 port 443 - CryptXXX callback traffic

 

IMAGES

Shown above:  What I found on Malware Domain List earlier today.

 

Shown above:  HTTP GET request to the first website returns pseudoDarkleech script.

 

Shown above:  HTTP GET request to the second website returns pseudoDarkleech script.

 

Shown above:  First pcap of the traffic filtered in Wireshark.

 

Shown above:  Second pcap of the traffic filtered in Wireshark.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2016-06-17-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-pcaps.zip   2.1 MB (2,122,604 bytes)
• ZIP archive of the malware and artifacts:  2016-06-17-pseudoDarkleech-Neutrino-EK-malware-and-artifacts.zip   459.0 kB (459,028 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

Click here to return to the main page.