Malware-Traffic-Analysis.net - 2016-07-07 - Neutrino EK sends CrypMIC (EITest and pseudo-Darkleech campaigns)

2016-07-07 - NEUTRINO EK SENDS CRYPMIC (EITEST & PSEUDO-DARKLEECH CAMPAIGNS)

ASSOCIATED FILES:

ZIP archive of the pcaps: 2016-07-07-Neutrino-EK-data-dump-all-5-pcaps.zip 906.2 kB (906,205 bytes)

2016-07-07-EITest-Neutrino-EK-after-musicmix.co.pcap (533,751 bytes)

2016-07-07-pseudoDarkleech-Neutrino-EK-after-drupatis.com.pcap (397,296 bytes)

2016-07-07-pseudoDarkleech-Neutrino-EK-after-gennaroespositomilano.it.pcap (430,794 bytes)

2016-07-07-pseudoDarkleech-Neutrino-EK-after-lawrenceparkah.com.pcap (196,694 bytes)

2016-07-07-pseudoDarkleech-Neutrino-EK-after-toronto-annex.com.pcap (447,507 bytes)

ZIP archive of the malware: 2016-07-07-Neutrino-EK-data-dump-malware-and-artifacts.zip 525.9 kB (525,869 bytes)

2016-07-07-EITest-CrypMIC-decrypt-instructions.BMP (3,276,854 bytes)

2016-07-07-EITest-CrypMIC-decrypt-instructions.HTML (238,186 bytes)

2016-07-07-EITest-CrypMIC-decrypt-instructions.TXT (1,658 bytes)

2016-07-07-EITest-Neutrino-EK-landing-page-after-musicmix.co.txt (3,247 bytes)

2016-07-07-EITest-Neutrino-EK-payload-CrypMIC-after-musicmix.co.dll (67,584 bytes)

2016-07-07-EITest-flash-redirect-from-freedtd.ml.swf (3,070 bytes)

2016-07-07-page-from-drupatis.com-with-injected-script.txt (15,920 bytes)

2016-07-07-page-from-gennaroespositomilano.it-with-injected-script.txt (15,984 bytes)

2016-07-07-page-from-lawrenceparkah.com-with-injected-script.txt (39,581 bytes)

2016-07-07-page-from-musicmix.co-with-injected-script.txt (135,268 bytes)

2016-07-07-pseudoDarkleech-CrypMIC-decrypt-instructions.BMP (3,276,854 bytes)

2016-07-07-pseudoDarkleech-CrypMIC-decrypt-instructions.HTML (238,191 bytes)

2016-07-07-pseudoDarkleech-CrypMIC-decrypt-instructions.TXT (1,663 bytes)

2016-07-07-pseudoDarkleech-Neutrino-EK-flash-exploit-after-drupatis.com.swf (79,069 bytes)

2016-07-07-pseudoDarkleech-Neutrino-EK-flash-exploit-after-lawrenceparkah.com.swf (78,379 bytes)

2016-07-07-pseudoDarkleech-Neutrino-EK-flash-exploit-after-toronto-annex.com.swf (78,377 bytes)

2016-07-07-pseudoDarkleech-Neutrino-EK-landing-page-after-drupatis.com.txt (3,151 bytes)

2016-07-07-pseudoDarkleech-Neutrino-EK-landing-page-after-gennaroespositomilano.it.txt (3,155 bytes)

2016-07-07-pseudoDarkleech-Neutrino-EK-landing-page-after-lawrenceparkah.com.txt (3,291 bytes)

2016-07-07-pseudoDarkleech-Neutrino-EK-landing-page-after-toronto-annex.com.txt (3,233 bytes)

2016-07-07-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-after-drupatis.com-and-gennaroespositomilano.it.dll (67,584 bytes)

2016-07-07-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-after-lawrenceparkah.com-and-toronto-annex.com.dll (67,584 bytes)

NOTES:

2016-06-08 - SANS ISC diary: Neutrino EK and CryptXXX (EITest & pseudoDarkleech campaigns switch from Angler EK to Neutrino EK)
2016-06-11 - Malware Don't Need Coffee: Is it the end of Angler?
2016-07-02 - SANS ISC diary: Change in patterns for the pseudoDarkleech campaign
2016-07-06 - SANS ISC diary: CryptXXX ransomware updated
2016-07-07 - Bleeping Computer: New CryptXXX changes name to Microsoft Decryptor

2016-07-14 - From the Proofpoint blog [link]: "We believe that CryptXXX is in active development and possibly split off into two branches. The original branch is now up to version 5.001 (we wrote about the upgrade to version 3.100 near the end of May), while the new branch uses a different format for versioning and will require further analysis."

2016-07-20 - TrendLabs Security Intelligence Blog - CrypMIC Ransomware Wants to Follow CryptXXX's Footsteps [TrendLabs analyzes the new branch and names it.]

Shown above: Decrypt instructions from CrypMIC samples on 2016-07-07.

TRAFFIC

Shown above: Traffic from the first pcap filtered in Wireshark. Filter: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)

Shown above: Traffic from the second pcap filtered in Wireshark.

Shown above: Traffic from the third pcap filtered in Wireshark.

Shown above: Traffic from the 4th pcap filtered in Wireshark.

Shown above: Traffic from the 5th pcap filtered in Wireshark.

ASSOCIATED DOMAINS:

85.93.0.43 port 80 - freedtd.ml - EITest flash redirect
74.208.162.191 port 80 - komplementaeres.tdsk.uk - EITest Neutrino EK
74.208.162.236 port 80 - tilflytt.ramsgatebeachbar.uk - pseudoDarkleech Neutrino EK
216.250.117.135 port 80 - itisestfortlora.net-gen.uk - pseudoDarkleech Neutrino EK
216.250.117.135 port 80 - oiloftro-admirantisque.net-gen.uk - pseudoDarkleech Neutrino EK
91.220.131.147 port 443 - CrypMIC post-infection traffic, custom encoded (not SSL)

DOMAINS FROM THE DECRYPT INSTRUCTIONS:

2dzmdacevbadfjvu.onion.to - EITest CrypMIC decrypt domain
2dzmdacevbadfjvu.onion.city - EITest CrypMIC decrypt domain

ccjlwb22w6c22p2k.onion.to - pseudoDarkleech CrypMIC decrypt domain
ccjlwb22w6c22p2k.onion.city - EITest CrypMIC decrypt domain

FILE HASHES

NEUTRINO EK FLASH EXPLOITS:

CRYPMIC PAYLOADS:

FINAL NOTES

Once again, here are the associated files:

ZIP archive of the pcaps: 2016-07-07-Neutrino-EK-data-dump-all-5-pcaps.zip 906.2 kB (906,205 bytes)
ZIP archive of the malware: 2016-07-07-Neutrino-EK-data-dump-malware-and-artifacts.zip 525.9 kB (525,869 bytes)

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.