2016-07-07 - PIZZACRYPTS... REALLY?

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2016-07-07-Neutrino-EK-sends-pizzacrypts.pcap.zip   254.4 kB (254,434 bytes)

• 2016-07-07-Neutrino-EK-sends-pizzacrypts.pcap   (273,028 bytes)

• ZIP archive of the malware:  2016-07-07-Neutrino-EK-sends-pizzacrypts-malware-and-artifacts.zip   194.5 kB (194,503 bytes)

• 2016-07-07-Neutrino-EK-flash-exploit.swf   (79,659 bytes)
• 2016-07-07-Neutrino-EK-landing-page.txt   (3,199 bytes)
• 2016-07-07-Neutrino-EK-payload-pizzacrypts.exe   (172,034 bytes)
• Pizzacrypts Info.txt   (772 bytes)

 

NOTES:

• Saw a campaign noted on malwardomainlist.com that used Neutrino EK to send ransomware.  This ransomware prominently used the term "pizzacrypts."
• Thanks to Malware Domain List for the info from their website at http://www.malwaredomainlist.com/mdl.php.

Shown above:  My initial tipper for today's traffic.

 

• This ransomware might be associated with the term "pizzacrypts," but the Proofpoint ET rule I saw on the post-infection traffic was created in early- to mid-June 2016.

Shown above:  EmergningThreats rule hit on the post-infection traffic.

 

TRAFFIC

Shown above:  Traffic from today's infection filtered in Wireshark.

ASSOCIATED DOMAINS:

• 93.190.140.110 port 80 - shoal.grahanusareadymix.com - GET /arais2.html - [initial URL]
• 68.233.35.11 port 80 - xczc.b2gmffy.eu - GET /vmh.cgi?4 - [redirect]
• 185.141.25.158 port 80 - j63d.lbhlp52.top - [Neutrino EK]
• 93.115.38.30 port 80 - avtoship.com - POST /123/index.php - [Post-infection traffic from the ransomware]

ADDRESSES FROM THE DECRYPT INSTRUCTIONS:

• Primary email: maestro@pizzacrypts.info
• Secondary email: pizzacrypts@protonmail.com
• Bitmessage: BM-NBRCUPTenKgYbLVCAfeVUHVsHFK6Ue2F

Shown above:  Whois data on pizzacrypts.info, registered 5 days ago.

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 hash:  ba6a5230dbf6f0c016976a1be77796088e028899cd0e2bdf131fa452763b75d4
  File name:  2016-07-07-Neutrino-EK-flash-exploit.swf

MALWARE PAYLOAD:

• SHA256 hash:  d6818864dc9e10b15c88aca4d1e8fd971eff43572beba3001fd6c96028afd9f3
  File name:  2016-07-07-Neutrino-EK-payload-pizzacrypt.exe

 

OTHER IMAGES

Shown above:  Desktop of the infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2016-07-07-Neutrino-EK-sends-pizzacrypts.pcap.zip   254.4 kB (254,434 bytes)
• ZIP archive of the malware:  2016-07-07-Neutrino-EK-sends-pizzacrypts-malware-and-artifacts.zip   194.5 kB (194,503 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.