2016-06-21 - DATA DUMP - NEUTRINO EK SENDS CRYPTXXX

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2016-06-21-Neutrino-EK-pcaps.zip   3.0 MB (3,034,875 bytes)

• 2016-06-21-Afraidgate-Neutrino-EK-sends-CryptXXX.pcap   (1,166,861 bytes)
• 2016-06-21-EITest-Neutrino-EK-sends-CryptXXX.pcap   (1,184,332 bytes)
• 2016-06-21-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-after-fsm-europe.eu.pcap   (447,648 bytes)
• 2016-06-21-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-after-xenon.com.au.pcap   (446,789 bytes)

• ZIP archive of the malware:  2016-06-21-Neutrino-EK-malware-and-artifacts.zip   1.1 MB (1,133,314 bytes)

• 2016-06-21-Afraidgate-CryptXXX-decrypt-instructions.bmp   (8,294,454 bytes)
• 2016-06-21-Afraidgate-CryptXXX-decrypt-instructions.html   (36,201 bytes)
• 2016-06-21-Afraidgate-CryptXXX-decrypt-instructions.txt   (1,755 bytes)
• 2016-06-21-Afraidgate-Neutrino-EK-flash-exploit.swf   (82,631 bytes)
• 2016-06-21-Afraidgate-Neutrino-EK-landing-page.txt   (817 bytes)
• 2016-06-21-Afraidgate-Neutrino-EK-payload-CryptXXX.dll   (303,104 bytes)
• 2016-06-21-Afraidgate-galop.serviciosgeologicos.com.ar-script-widget.js.txt   (231 bytes)
• 2016-06-21-EITest-CryptXXX-decrypt-instructions.bmp   (3,686,454 bytes)
• 2016-06-21-EITest-CryptXXX-decrypt-instructions.html   (36,201 bytes)
• 2016-06-21-EITest-CryptXXX-decrypt-instructions.txt   (1,755 bytes)
• 2016-06-21-EITest-Neutrino-EK-flash-exploit.swf   (82,632 bytes)
• 2016-06-21-EITest-Neutrino-EK-landing-page.txt   (817 bytes)
• 2016-06-21-EITest-Neutrino-EK-payload-CryptXXX.dll   (303,104 bytes)
• 2016-06-21-EITest-flash-redirect-from-dertyt.ml.swf   (15,832 bytes)
• 2016-06-21-page-from-fsm-europe.eu-with-injected-pseudoDarkleech-script.txt   (82,298 bytes)
• 2016-06-21-page-from-jkanime.net-with-injected-Afraidgate-script.txt   (122,934 bytes)
• 2016-06-21-page-from-ladepresion.org-with-injected-EITest-script.txt   (41,907 bytes)
• 2016-06-21-page-from-xenon.com.au-with-injected-pseudoDarkleech-script.txt   (56,463 bytes)
• 2016-06-21-pseudoDarkleech-CryptXXX-decrypt-instructions.bmp   (8,294,454 bytes)
• 2016-06-21-pseudoDarkleech-CryptXXX-decrypt-instructions.html   (36,201 bytes)
• 2016-06-21-pseudoDarkleech-CryptXXX-decrypt-instructions.txt   (1,755 bytes)
• 2016-06-21-pseudoDarkleech-Neutrino-EK-flash-exploit-after-fsm-europe.eu.swf   (82,626 bytes)
• 2016-06-21-pseudoDarkleech-Neutrino-EK-flash-exploit-after-xenon.com.au.swf   (82,629 bytes)
• 2016-06-21-pseudoDarkleech-Neutrino-EK-landing-page-after-fsm-europe.eu.txt   (803 bytes)
• 2016-06-21-pseudoDarkleech-Neutrino-EK-landing-page-after-xenon.com.au.txt   (893 bytes)
• 2016-06-21-pseudoDarkleech-Neutrino-EK-payload-CryptXXX.dll   (303,104 bytes)

 

NOTES:

• A list of Proofpoint's blog posts about CryptXXX ransomware can be found here.
• Background on the Afraidgate campaign is here.
• Background on the EITest campaign is here.
• Background on the pseudoDarkleech campaign is here.
• A blog about campaigns switching from Angler EK to Neutrino EK is here.

• Compromised websites for today's two pseudoDarkleech infections were found on malwaredomainlist.com (link).
• The compromised website for today's Afraidgate traffic was found in a report published by Forcepoint (link).
• The compromised website for today's EITest traffic was found on Broadanalysis.com (link).

• CryptXXX infections from Neutrino EK are no longer copying rundll32.exe to the same folder as the CryptXXX .dll file and renaming it.
• In today's infections, C:\Windows\SysWOW64\rundll32.exe loaded the CryptXXX .dll file.

Shown above:  An example of rundll32.exe and the CryptXXX .dll file in Process Explorer.

 

Shown above:  Flow charts for these Neutrino EK --> CryptXXX infections.

 

TRAFFIC

ASSOCIATED DOMAINS:

• 146.185.173.25 port 80 - galop.serviciosgeologicos.com.ar - GET /script/widget.js - Afraidgate redirect
• 85.93.0.43 port 80 - dertyt.ml - EITest gate

• 74.208.77.101 port 80 - contentview.rtbb.co.uk - Neutrino EK from the pseudoDarkleech pcaps
• 74.208.166.84 port 80 - faro0prokaryo.rubymcguire.co.uk - Neutrino EK from the Afraidgate pcap
• 74.208.161.216 port 80 - miserons-burchten.scillcharity.co.uk - Neutrino EK from the EITest pcap

• 185.49.68.215 port 443 - CryptXXX callback traffic from all the pcaps

 

Shown above:  pseudoDarkleech --> Neutrino EK --> CryptXXX infection after viewing xenon.com.au.

 

Shown above:  pseudoDarkleech --> Neutrino EK --> CryptXXX infection after viewing fsm-europe.eu.

 

Shown above:  Afraidgate --> Neutrino EK --> CryptXXX infection after jkanime.net.

 

Shown above:  EITest --> Neutrino EK --> CryptXXX infection after ladepresion.org.

 

IMAGES

Shown above:  An example of an infected Windows desktop, rebooted after one of today's Neutrino EK --> CryptXXX infections.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2016-06-21-Neutrino-EK-pcaps.zip   3.0 MB (3,034,875 bytes)
• ZIP archive of the malware:  2016-06-21-Neutrino-EK-malware-and-artifacts.zip   1.1 MB (1,133,314 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.