Malware-Traffic-Analysis.net - 2016-06-30

2016-06-30 - NEUTRINO EK DATA DUMP

NOTES:

Background on the Afraidgate campaign is located here.
Background on the EITest campaign can be found here.
Background on the pseudoDarkleech campaign is available here.

ASSOCIATED FILES:

ZIP archive of the pcaps: 2016-06-30-Neutrino-EK-data-dump-all-pcaps.zip 7.7 MB (7,665,627 bytes)

2016-06-30-Afraidgate-Neutrino-EK-sends-Locky-after-marketingguerilla.es.pcap (389,569 bytes)

2016-06-30-EITest-Neutrino-EK-sends-CryptXXX-after-4county.org.pcap (1,181,650 bytes)

2016-06-30-EITest-Neutrino-EK-sends-CryptXXX-after-cliniqueh.dk.pcap (1,350,829 bytes)

2016-06-30-EITest-Neutrino-EK-sends-CryptXXX-after-pekabex.pl.pcap (1,269,719 bytes)

2016-06-30-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-after-alphamedical02.fr.pcap (1,291,478 bytes)

2016-06-30-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-after-chromechurch.com.pcap (1,173,364 bytes)

2016-06-30-psuedoDarkleech-Neutrino-EK-sends-CryptXXX-after-austinbioidenticaldoctor.com.pcap (940,549 bytes)

2016-06-30-realstatistics-gate-Neutrino-EK-sends-Gootkit-after-lostreschiles.com.pcap (383,704 bytes)

2016-06-30-realstatistics-gate-Neutrino-EK-sends-Gootkit-after-tne.mx.pcap (311,536 bytes)

ZIP archive of the malware/artifacts: 2016-06-30-Neutrino-EK-data-dump-malware-and-artifacts.zip 3.0 MB (2,980,754 bytes)

2016-06-30-Afraidgate-Neutrino-EK-flash-exploit-after-marketingguerilla.es.swf (87,898 bytes)

2016-06-30-Afraidgate-Neutrino-EK-landing-page-after-marketingguerilla.es.txt (1,169 bytes)

2016-06-30-Afraidgate-Neutrino-EK-payload-Locky-after-marketingguerilla.es.exe (240,130 bytes)

2016-06-30-Afraidgate-redirect-from-live.keeprunning.com.br-js-node.js.txt (276 bytes)

2016-06-30-EITest-CryptXXX-decrypt-instructions.bmp (3,686,454 bytes)

2016-06-30-EITest-CryptXXX-decrypt-instructions.html (36,201 bytes)

2016-06-30-EITest-CryptXXX-decrypt-instructions.txt (1,755 bytes)

2016-06-30-EITest-Neutrino-EK-flash-exploit-after-4county.org.swf (88,348 bytes)

2016-06-30-EITest-Neutrino-EK-flash-exploit-after-cliniqueh.dk.swf (88,348 bytes)

2016-06-30-EITest-Neutrino-EK-flash-exploit-after-pekabex.pl.swf (88,194 bytes)

2016-06-30-EITest-Neutrino-EK-landing-page-after-4county.org.txt (1,175 bytes)

2016-06-30-EITest-Neutrino-EK-landing-page-after-cliniqueh.dk.txt (1,191 bytes)

2016-06-30-EITest-Neutrino-EK-landing-page-after-pekabex.pl.txt (1,171 bytes)

2016-06-30-EITest-Neutrino-EK-payload-CryptXXX-after-4county.org.dll (504,832 bytes)

2016-06-30-EITest-Neutrino-EK-payload-CryptXXX-after-cliniqueh.dk.dll (464,384 bytes)

2016-06-30-EITest-Neutrino-EK-payload-CryptXXX-after-pekabex.pl.dll (469,504 bytes)

2016-06-30-EITest-flash-redirect-from-fryex.tk.swf (3,371 bytes)

2016-06-30-EITest-flash-redirect-from-lokffd.tk.swf (3,371 bytes)

2016-06-30-EITest-flash-redirect-from-uucilo.ml.swf (3,371 bytes)

2016-06-30-page-from-4county.org-with-injected-EITest-script.txt (66,057 bytes)

2016-06-30-page-from-alphamedical02.fr-with-injected-script-pointing-to-Neutrino-EK.txt (22,495 bytes)

2016-06-30-page-from-chromechurch.com-with-injected-script-pointing-to-Neutrino-EK.txt (7,762 bytes)

2016-06-30-page-from-cliniqueh.dk-with-injected-EITest-script.txt (20,522 bytes)

2016-06-30-page-from-lostreschiles.com-with-injected-script-pointing-to-realstatistics-gate.txt (8,737 bytes)

2016-06-30-page-from-marketingguerilla.es-with-injected-script-pointing-to-Afraidgate-domain.txt (19,742 bytes)

2016-06-30-page-from-pekabex.pl-with-injected-EITest-script.txt (44,707 bytes)

2016-06-30-page-from-tne.mx-with-injected-script-pointing-to-realstatistics-gate.txt (7,378 bytes)

2016-06-30-pseudoDarkleech-CryptXXX-decrypt-instructions.bmp (3,686,454 bytes)

2016-06-30-pseudoDarkleech-CryptXXX-decrypt-instructions.html (36,201 bytes)

2016-06-30-pseudoDarkleech-CryptXXX-decrypt-instructions.txt (1,755 bytes)

2016-06-30-psuedoDarkleech-Neutrino-EK-flash-exploit-after-alphamedical02.fr.swf (88,194 bytes)

2016-06-30-psuedoDarkleech-Neutrino-EK-flash-exploit-after-austinbioidenticaldoctor.com.swf (88,194 bytes)

2016-06-30-psuedoDarkleech-Neutrino-EK-landing-page-after-alphamedical02.fr.txt (1,181 bytes)

2016-06-30-psuedoDarkleech-Neutrino-EK-landing-page-after-austinbioidenticaldoctor.com.txt (1,153 bytes)

2016-06-30-psuedoDarkleech-Neutrino-EK-landing-page-after-chromechurch.com.txt (1,241 bytes)

2016-06-30-psuedoDarkleech-Neutrino-EK-payload-CryptXXX-after-alphamedical02.fr.dll (486,912 bytes)

2016-06-30-psuedoDarkleech-Neutrino-EK-payload-CryptXXX-after-austinbioidenticaldoctor.com.dll (507,392 bytes)

2016-06-30-psuedoDarkleech-Neutrino-EK-payload-CryptXXX-after-chromechurch.com.dll (466,432 bytes)

2016-06-30-realstatistics-gate-Neutrino-EK-flash-exploit-after-lostreschiles.com.swf (89,109 bytes)

2016-06-30-realstatistics-gate-Neutrino-EK-flash-exploit-after-tne.mx.swf (83,743 bytes)

2016-06-30-realstatistics-gate-Neutrino-EK-landing-page-after-lostreschiles.com.txt (1,141 bytes)

2016-06-30-realstatistics-gate-Neutrino-EK-landing-page-after-tne.mx.txt (1,012 bytes)

2016-06-30-realstatistics-gate-Neutrino-EK-payload-Gootkit-after-lostreschiles.com.exe (249,856 bytes)

2016-06-30-realstatistics-gate-Neutrino-EK-payload-Gootkit-after-tne.mx.exe (192,512 bytes)

TRAFFIC

ASSOCIATED DOMAINS:

85.25.95.39 port 80 - realstatistics.info - "realstatistics" gate
85.93.0.43 port 80 - fryex.tk - EITest gate
85.93.0.43 port 80 - lokffd.tk - EITest gate
85.93.0.43 port 80 - uucilo.ml - EITest gate
139.59.191.79 port 80 - live.keeprunning.com.br - GET /js/node.js - Afraidgate redirect

5.2.72.17 port 80 - bdhvbntu.uwxdpb.xyz - realstatistics gate Neutrino EK
78.46.167.130 port 80 - iavevp.uvukzf.xyz - realstatistics gate Neutrino EK
78.46.167.130 port 80 - pcricdl.snhmht.xyz - Afraidgate Neutrino EK
85.25.107.188 port 80 - 1fissure.dinsystems.co.uk - pseudoDarkleech Neutrino EK
184.154.136.86 port 80 - bacillisirtisanoutuminen.doctorbargain.co.uk - EITest Neutrino EK
184.154.136.86 port 80 - geschaeftsjahre.doctorbargain.co.uk - EITest & pseudoDarkleech Neutrino EK
184.154.136.86 port 80 - lensvogsulphamino.databasewebeditor.co.uk - EITest & pseudoDarkleech Neutrino EK

5.196.70.240 port 80 - dcjtojmwdrpjs.ru - POST /upload/_dispatch.php - Locky callback after Afraidgate Neutrino EK
185.49.68.215 port 443 - CryptXXX callback traffic

FILE HASHES

FLASH EXPLOITS/EITEST FLASH REDIRECTS:

SHA256 hash: 4b0ef5ca48210a94a988fb5c75062c15af9d8bd1895908bbd602dd8448663c28
File name: 2016-06-30-Afraidgate-Neutrino-EK-flash-exploit-after-marketingguerilla.es.swf

SHA256 hash: 3d86f621f27c775bab9e6339be97f0373d6881c02d739fcff26e60861ff94abc
File name: 2016-06-30-EITest-Neutrino-EK-flash-exploit-after-4county.org.swf

SHA256 hash: a5cb4bf2678ead8d755befa08393095369381c2cda2f1eca4c20c51f3e5747ca
File name: 2016-06-30-EITest-Neutrino-EK-flash-exploit-after-cliniqueh.dk.swf

SHA256 hash: 43188c6f6e873194175d689618ac54301648d0205738ea3cb0c8fa0a684db59b
File name: 2016-06-30-EITest-Neutrino-EK-flash-exploit-after-pekabex.pl.swf

SHA256 hash: a1fee34de22442f9b4533b32ab35487924ad8d4e132ec0af4fdd2e0ef2b50c8a
File name: 2016-06-30-EITest-flash-redirect-from-fryex.tk.swf
File name: 2016-06-30-EITest-flash-redirect-from-lokffd.tk.swf
File name: 2016-06-30-EITest-flash-redirect-from-uucilo.ml.swf

SHA256 hash: 7a29e6c4be435a72aebd794d08dd071fffe6eef16ef938973d15cddaec9b4763
File name: 2016-06-30-psuedoDarkleech-Neutrino-EK-flash-exploit-after-alphamedical02.fr.swf

SHA256 hash: 45832482297b435918f16759d8e799998ad9942d35525281a109a13e58bafce4
File name: 2016-06-30-psuedoDarkleech-Neutrino-EK-flash-exploit-after-austinbioidenticaldoctor.com.swf

SHA256 hash: 43e9ec641a58b3914d4531d86be026f4ef166d71a8752c2da5054258710e004e
File name: 2016-06-30-realstatistics-gate-Neutrino-EK-flash-exploit-after-lostreschiles.com.swf

SHA256 hash: dceccc3bd9b399ddc7e69824b71d21289e6147b89ee2f271ce9e615e354b2688
File name: 2016-06-30-realstatistics-gate-Neutrino-EK-flash-exploit-after-tne.mx.swf

MALWARE PAYLOADS:

SHA256 hash: ddf25ecfc1cf5125af121e53a7619183d24c1beefdb9fd19ab3eebf3b86361dd
File name: 2016-06-30-Afraidgate-Neutrino-EK-payload-Locky-after-marketingguerilla.es.exe

SHA256 hash: 0c389f603c66c2ef4ac1979dda03ec84f2ca5072ff5448fe2354e10eb460e389
File name: 2016-06-30-EITest-Neutrino-EK-payload-CryptXXX-after-4county.org.dll

SHA256 hash: 3f18c7aa7080e5c0fe0e5d37f62078a80957f0ec68c36cbcfe19b23127ad0f75
File name: 2016-06-30-EITest-Neutrino-EK-payload-CryptXXX-after-cliniqueh.dk.dll

SHA256 hash: 249cc9c0e5c44831734ccd27aec0ce19289ae12d0a13bff6d188ff2039d8feab
File name: 2016-06-30-EITest-Neutrino-EK-payload-CryptXXX-after-pekabex.pl.dll

SHA256 hash: 5b57056fb8df8de170aa01f4e60c5b3252c60919dcb70ba61ad165100812ec48
File name: 2016-06-30-psuedoDarkleech-Neutrino-EK-payload-CryptXXX-after-alphamedical02.fr.dll

SHA256 hash: 48d992f01c65c1fc1e773c7ef377fb7d531e1d606244b30d2f3a31e4f48cb38e
File name: 2016-06-30-psuedoDarkleech-Neutrino-EK-payload-CryptXXX-after-austinbioidenticaldoctor.com.dll

SHA256 hash: 6f998cdd809f791e3b5aebee47395014e354f8bf7a7a26ec26f8df71eb05c06f
File name: 2016-06-30-psuedoDarkleech-Neutrino-EK-payload-CryptXXX-after-chromechurch.com.dll

SHA256 hash: 3bf9cb765560ec70afff424cc606d51adff8158b63145c22eeddbb47e14fd7fb
File name: 2016-06-30-realstatistics-gate-Neutrino-EK-payload-Gootkit-after-lostreschiles.com.exe

SHA256 hash: bdd58de2133eeb13d09180feaf3f678140c2e386006a178e1f76517097eb3444
File name: 2016-06-30-realstatistics-gate-Neutrino-EK-payload-Gootkit-after-tne.mx.exe