2016-06-23 - NEUTRINO EK FROM 108.163.224.94 SENDS CRYPTXXX
ASSOCIATED FILES:
- ZIP archive of the pcap: 2016-06-23-Neutrino-EK-sends-CryptXXX-after-visajourney.com.pcap.zip 1.2 MB (1,211,391 bytes)
- 2016-06-23-Neutrino-EK-sends-CryptXXX-after-visajourney.com.pcap (1,319,971 bytes)
- ZIP archive of the malware and artifacts: 2016-06-23-Neutrino-EK-sends-CryptXXX-malware-and-artifacts.zip 422.3 kB (422,274 bytes)
- 2016-06-23-CryptXXX-decrypt-instructions.bmp (3,686,454 bytes)
- 2016-06-23-CryptXXX-decrypt-instructions.html (36,201 bytes)
- 2016-06-23-CryptXXX-decrypt-instructions.txt (1,758 bytes)
- 2016-06-23-Neutrino-EK-flash-exploit.swf (81,045 bytes)
- 2016-06-23-Neutrino-EK-landing-page.txt (841 bytes)
- 2016-06-23-Neutrino-EK-payload-CryptXXX.dll (479,232 bytes)
- 2016-06-23-gate-support-a.online-knowledgebase-core-bootstrap.min.js.txt (6,670 bytes)
- 2016-06-23-page-from-visajourney.com-with-malicious-injected-script.txt (97,624 bytes)
NOTES:
- I saw the same type of gate patterns on 2016-06-02 from an infection chain kicked off by woogerworks.com (link).
- This appears to be the same campaign reported by Cyphort Labs on 2016-05-17 (link).
- This is not the Afraidgate, EITest, or pseudoDarkleech campaign, all of which have been delivering CryptXXX ransomware lately.
- This is a different campaign, but it's using the same type of domain shadowing I'm used to seeing from the pseudoDarkleech campaign.
TRAFFIC
Shown above: Traffic from today's infection filtered in Wireshark. Filter: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)
ASSOCIATED DOMAINS:
- 212.231.129.64 port 80 - support-a.online - GET /knowledgebase/core/bootstrap.min.js [gate]
- 108.163.224.94 port 80 - umfragefsymfunny.bettercarlighting.com - Neutrino EK
- 185.49.68.215 port 443 - CryptXXX callback traffic
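The three indicators above form an ordered chain (gate script, then the Neutrino EK host, then the CryptXXX callback on 443). The following is an added example, not part of the original post, that runs that chain as detection logic over a constructed proxy log. The log format (timestamp, client IP, destination IP, destination port, host, method, path) and the sample lines are assumptions; the indicator values come from the list above, and the EK landing path is a labelled placeholder because the post does not reproduce it.

```python
"""Flag the gate -> Neutrino EK -> CryptXXX callback chain in proxy logs (added example)."""
import re
from collections import defaultdict

# Indicators taken from the ASSOCIATED DOMAINS list in the post.
GATE_HOST = "support-a.online"
GATE_PATH = "/knowledgebase/core/bootstrap.min.js"
EK_IP = "108.163.224.94"
EK_HOST = "umfragefsymfunny.bettercarlighting.com"
CALLBACK_IP = "185.49.68.215"
CALLBACK_PORT = 443

# Constructed sample log (hypothetical whitespace-separated format):
#   timestamp client_ip dst_ip dst_port host method path
# 10.0.0.25 walks the full chain; 10.0.0.31 only fetches a legitimate
# bootstrap.min.js from elsewhere, which must not alert on path alone.
SAMPLE_LOG = """\
2016-06-23T14:01:02Z 10.0.0.25 203.0.113.10 80 www.visajourney.com GET /forums/
2016-06-23T14:01:03Z 10.0.0.25 212.231.129.64 80 support-a.online GET /knowledgebase/core/bootstrap.min.js
2016-06-23T14:01:05Z 10.0.0.25 108.163.224.94 80 umfragefsymfunny.bettercarlighting.com GET /LANDING_PATH_PLACEHOLDER
2016-06-23T14:01:09Z 10.0.0.25 185.49.68.215 443 - CONNECT -
2016-06-23T14:02:11Z 10.0.0.31 203.0.113.10 80 www.visajourney.com GET /forums/
2016-06-23T14:02:12Z 10.0.0.31 198.51.100.7 80 cdn.example.net GET /js/bootstrap.min.js
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst_ip>\S+) (?P<dst_port>\d+) "
    r"(?P<host>\S+) (?P<method>\S+) (?P<path>\S+)$"
)

# Stage order as described in the post: gate first, then EK, then callback.
CHAIN = ("gate", "exploit_kit", "callback")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def classify(rec):
    """Return the chain stage a record matches, or None for benign traffic."""
    # The gate is identified by host AND path; the path alone is a common CDN name.
    if rec["host"] == GATE_HOST and rec["path"] == GATE_PATH:
        return "gate"
    # Domain-shadowed EK hostnames rotate, so match on the IP as well as the host.
    if rec["dst_ip"] == EK_IP or rec["host"] == EK_HOST:
        return "exploit_kit"
    # Callback is TLS on 443, so only the destination IP/port are visible.
    if rec["dst_ip"] == CALLBACK_IP and rec["dst_port"] == CALLBACK_PORT:
        return "callback"
    return None


def stages_by_client(log_text):
    """Map each client IP to {stage: first timestamp seen}."""
    stages = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stage = classify(rec)
        if stage and stage not in stages[rec["client"]]:
            stages[rec["client"]][stage] = rec["ts"]
    return dict(stages)


def infected_clients(log_text):
    """Clients that reached the EK or the callback, with the stages seen in chain order.

    A gate hit alone is reported only together with a later stage, since the
    gate script can be fetched without the exploit landing afterwards.
    """
    result = {}
    for client, seen in stages_by_client(log_text).items():
        if "exploit_kit" in seen or "callback" in seen:
            result[client] = [s for s in CHAIN if s in seen]
    return result


if __name__ == "__main__":
    for client, stages in infected_clients(SAMPLE_LOG).items():
        print(f"{client}: {' -> '.join(stages)}")
```

Matching the gate on host plus path, and the EK on IP as well as hostname, is deliberate: the shadowed subdomain changes between infections, while the bare `bootstrap.min.js` filename appears in plenty of legitimate traffic.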
IMAGES
Shown above: Rundll32.exe loading the Neutrino EK payload (the CryptXXX .dll) shown in Process Explorer.
Shown above: Injected script in page from visajourney.com that kicked off this infection chain.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2016-06-23-Neutrino-EK-sends-CryptXXX-after-visajourney.com.pcap.zip 1.2 MB (1,211,391 bytes)
- ZIP archive of the malware and artifacts: 2016-06-23-Neutrino-EK-sends-CryptXXX-malware-and-artifacts.zip 422.3 kB (422,274 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.