2016-07-06 - PCAP AND MALWARE FOR AN ISC DIARY
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2016-07-06-pseudoDarkleech-Neutrino-EK-sends-CrypMIC.pcap.zip 332.1 kB (332,059 bytes)
- 2016-07-06-pseudoDarkleech-Neutrino-EK-sends-CrypMIC.pcap (531,107 bytes)
- ZIP archive of the malware: 2016-07-06-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-malware-and-artifacts.zip 192.3 kB (192,277 bytes)
- 2016-07-06-CrypMIC-decrypt-instructions.BMP (3,276,854 bytes)
- 2016-07-06-CrypMIC-decrypt-instructions.HTML (238,187 bytes)
- 2016-07-06-CrypMIC-decrypt-instructions.TXT (1,654 bytes)
- 2016-07-06-pseudoDarkleech-Neutrino-EK-landing-page.txt (3,151 bytes)
- 2016-07-06-pseudoDarkleech-Neutrino-EK-payload-CrypMIC.dll (252,928 bytes)
NOTES:
- The associated ISC diary is here.
- Had an issue with packet loss in the pcap, and I wasn't able to retrieve the Flash exploit.
- ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
FOLLOW-UP NOTES:
- Since publishing the ISC diary, TrendLabs analyzed this new branch of CryptXXX and named it "CrypMIC". I've updated this page to reflect the new information.
- 2016-07-14 - From the Proofpoint blog [link]: "We believe that CryptXXX is in active development and possibly split off into two branches. The original branch is now up to version 5.001 (we wrote about the upgrade to version 3.100 near the end of May), while the new branch uses a different format for versioning and will require further analysis."
- 2016-07-20 - TrendLabs Security Intelligence Blog - CrypMIC Ransomware Wants to Follow CryptXXX's Footsteps [TrendLabs analyzes the new branch and names it.]
FILE HASHES:
- SHA256 hash: 272eb6ff1aaa98dc3e36b35a0a9bd10ce8e79344cbf2c33104a4d470be8a9eac File name: 2016-07-06-Neutrino-EK-payload-CrypMIC.dll