2016-07-08 - EK DATA DUMP - NEUTRINO EK SENDS CRYPTXXX & GOOTKIT, RIG EK SENDS CRYPTOBIT

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2016-07-08-EK-data-dump-all-5-pcaps.zip   3.6 MB (3,591,406 bytes)

• 2016-07-08-EITest-Neutrino-EK-sends-CryptXXX-after-musicmix.co.pcap   (1,068,438 bytes)
• 2016-07-08-Rig-EK-sends-CryptoBit.pcap   (153,982 bytes)
• 2016-07-08-other-Neutrino-EK-sends-gootkit.pcap   (451,652 bytes)
• 2016-07-08-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-after-eielectronics.com.pcap   (1,154,728 bytes)
• 2016-07-08-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-after-toronto-annex.com.pcap   (1,177,430 bytes)

• ZIP archive of the malware:  2016-07-08-EK-data-dump-malware-and-artifacts.zip   1.4 MB (1,398,155 bytes)

• 2016-07-08-Cryptobit-decrypt-instructions.txt   (1,300 bytes)
• 2016-07-08-EITest-CryptXXX-decrypt-instructions.BMP   (3,686,454 bytes)
• 2016-07-08-EITest-CryptXXX-decrypt-instructions.HTML   (19,095 bytes)
• 2016-07-08-EITest-Neutrino-EK-flash-exploit.swf   (78,771 bytes)
• 2016-07-08-EITest-Neutrino-EK-landing-page.txt   (3,179 bytes)
• 2016-07-08-EITest-Neutrino-EK-payload-CryptXXX.dll   (527,360 bytes)
• 2016-07-08-EITest-flash-redirector-from-fin7.tk.swf   (3,070 bytes)
• 2016-07-08-Rig-EK-flash-exploit.swf   (18,975 bytes)
• 2016-07-08-Rig-EK-landing-page.txt   (5,506 bytes)
• 2016-07-08-Rig-EK-payload-Cryptobit.exe   (152,397 bytes)
• 2016-07-08-other-Neutrino-EK-flash-exploit.swf   (78,158 bytes)
• 2016-07-08-other-Neutrino-EK-landing-page.txt   (3,295 bytes)
• 2016-07-08-other-Neutrino-EK-malware-dropped-after-infection-svszclp.dll   (102,400 bytes)
• 2016-07-08-other-Neutrino-EK-payload-Gootkit.exe   (227,328 bytes)
• 2016-07-08-page-from-eielectronics-with-injected-script.txt   (443 bytes)
• 2016-07-08-page-from-musicmix.co-with-injected-script.txt   (135,261 bytes)
• 2016-07-08-page-from-toronto-annex.com-with-injected-script.txt   (53,785 bytes)
• 2016-07-08-pseudoDarkleech-CryptXXX-decrypt-instructions.BMP   (3,686,454 bytes)
• 2016-07-08-pseudoDarkleech-CryptXXX-decrypt-instructions.HTML   (20,105 bytes)
• 2016-07-08-pseudoDarkleech-Neutrino-EK-flash-exploit-after-eielectronics.com.swf   (78,861 bytes)
• 2016-07-08-pseudoDarkleech-Neutrino-EK-flash-exploit-after-toronto-annex.com.swf   (77,708 bytes)
• 2016-07-08-pseudoDarkleech-Neutrino-EK-landing-page-after-eielectronics.com.txt   (3,211 bytes)
• 2016-07-08-pseudoDarkleech-Neutrino-EK-landing-page-after-toronot-annex.com.txt   (3,201 bytes)
• 2016-07-08-pseudoDarkleech-Neutrino-EK-payload.dll   (512,000 bytes)

GOOTKIT NOTES:

• 2016-07-05 - Broadanalysis.com:  Neutrino EK and Rig EK send GootKit - A Brief Comparison

CRYPTOBIT (CRIPTOBIT/MOBEF) NOTES:

• 2016-07-07 - Palo Alto Networks Unit 42 Blog:  CryptoBit: Another Ransomware Family Gets an Update

CRYPTXXX NOTES:

• 2016-06-08 - SANS ISC diary:  Neutrino EK and CryptXXX (EITest & pseudoDarkleech campaigns switch from Angler EK to Neutrino EK)
• 2016-06-11 - Malware Don't Need Coffee:  Is it the end of Angler?
• 2016-07-02 - SANS ISC diary:  Change in patterns for the pseudoDarkleech campaign
• 2016-07-06 - SANS ISC diary:  CryptXXX ransomware updated
• 2016-07-07 - Bleeping Computer:  New CryptXXX changes name to Microsoft Decryptor

• NOTE:  Today CryptXXX was updated again, and it looks more like it did before the changes seen earlier this week.
• For CryptXXX, no more sending the TXT and HTML decryption instructions in the clear over TCP port 443.
• For CryptXXX, we're also back to "UltraDeCrypter" on the decryption instructions website for the ransom payment.

Shown above:  Infected Windows desktop from CryptXXX samples on Friday 2016-07-08.

Shown above:  One of the CryptXXX infections, where the ransomware is loaded by rundll32.exe.

 

TRAFFIC

Shown above:  Traffic from the first pcap filtered in Wireshark.   Filter:  http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)

Shown above:  Traffic from the second pcap filtered in Wireshark (Neutrino EK sends Gootkit).

Shown above:  Traffic from the third pcap filtered in Wireshark (Rig EK sends CryptoBit).

Shown above:  Traffic from the 4th pcap filtered in Wireshark.

Shown above:  Traffic from the 5th pcap filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• 85.93.0.43 port 80 - fin7.tk - EITest flash redirect
• 69.162.116.166 port 80 - primordia.home-office-desk-chair.co.uk - EITest Neutrino EK
• 69.162.116.166 port 80 - tnessaarbeitsjubilaeum.home-office-desk-chair.co.uk - pseudoDarkleech Neutrino EK
• 188.138.125.31 port 80 - zugeschldorstyd.lightingandmirrors.co.uk - pseudoDarkleech Neutrino EK
• 188.0.236.9 port 443 - CryptXXX post-infection traffic, custom encoded (not SSL)

• 5.2.72.163 port 80 - tcptz.iwhateverblue.top - Other Neutrino EK
• 93.115.10.203 port 80 - domptorang.com - SSL traffic with MyCompany Ltd cert (probable Gootkit callback)

• 93.190.140.110 port 80 - cosmos.furnipict.com - GET /gsvot2.html - Redirector from malvertising
• 5.61.40.131 port 80 - wrbktrebtwb.droneboneyard.net - Rig EK
• 58.64.142.89 port 80 - laoismacau.com - Cryptobit post-infection traffic

DOMAINS/EMAILS FROM THE DECRYPT INSTRUCTIONS:

• i5tbhsq567bemcgp.onion.to - EITest CryptXXX decrypt domain
• i5tbhsq567bemcgp.onion.cab - EITest CryptXXX decrypt domain
• i5tbhsq567bemcgp.onion.city - EITest CryptXXX decrypt domain

• lkpe6tr2yuk4f246.onion.to - pseudoDarkleech CryptXXX decrypt domain
• lkpe6tr2yuk4f246.onion.cab - pseudoDarkleech CryptXXX decrypt domain
• lkpe6tr2yuk4f246.onion.city - pseudoDarkleech CryptXXX decrypt domain

• epiclesis@protonmail.ch - email from CryptoBit decrypt instructions
• kyklos@scryptmail.com - email from CryptoBit decrypt instructions
• malakia@openmailbox.org - email from CryptoBit decrypt instructions

 

FILE HASHES

FLASH REDIRECTOR OR FLASH EXPLOITS:

SHA256 hash:  c74757e31b335b0c668c19447733acd8ef306868ef2d0b12360c78c398bac1ce
File name:  2016-07-08-EITest-flash-redirector-from-fin7.tk.swf

SHA256 hash:  79762d761537af80add0e5b214990a7bfe6a1d835091e075dea0581766ff7f10
File name:  2016-07-08-EITest-Neutrino-EK-flash-exploit.swf

SHA256 hash:  3819f6c2a4044c4e61f8f2648aabd1f1b41fd8c77c59024ee365d7602848f6a4
File name:  2016-07-08-Rig-EK-flash-exploit.swf

SHA256 hash:  38ebddcf7b6b517d86f53ea8a534c985637249fe0b56f530d8155fa57e334e72
File name:  2016-07-08-other-Neutrino-EK-flash-exploit.swf

SHA256 hash:  2c7fbfbae04f17adfde081add27bc535412eb9ab79c54ff97c1446cab4239968
File name:  2016-07-08-pseudoDarkleech-Neutrino-EK-flash-exploit-after-eielectronics.com.swf

SHA256 hash:  a1d83d5f5d4b67fd166b05af8c671a4fefea2091db57ec641b3bf856062ecb04
File name:  2016-07-08-pseudoDarkleech-Neutrino-EK-flash-exploit-after-toronto-annex.com.swf

MALWARE (EXE OR DLL FILES):

SHA256 hash:  e40f89a16e44a65b53864fdfaa9dd70fc08382dcb2f3941d986056d2c50923ac
File name:  2016-07-08-EITest-Neutrino-EK-payload-CryptXXX.dll

SHA256 hash:  19a60e842a5da32b4c8540ff02a51366d2b85c12e6721c80bbcf3be88478d37c
File name:  2016-07-08-other-Neutrino-EK-malware-dropped-after-infection-svszclp.dll

SHA256 hash:  9eb5344f51f1694eabd602a08deb0899ff187d8319ffeb6807f194d8313cf206
File name:  2016-07-08-pseudoDarkleech-Neutrino-EK-payload.dll

SHA256 hash:  c37db7dcd15ab738517488625533fa9091b5984c5411abfaec5613b0ff205aef
File name:  2016-07-08-Rig-EK-payload-Cryptobit.exe

SHA256 hash:  5777c21bcc6e2cd8ff1981544550d51c5a5e1570956a5cdee1e20a102e78b398
File name:  2016-07-08-other-Neutrino-EK-payload-Gootkit.exe

 

OTHER IMAGES

Shown above:  Gootkit made persistent through a scheduled task, note the DLL file location.

 

Shown above:  Part of the Windows desktop after the Rig EK --> CryptoBit infection.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2016-07-08-EK-data-dump-all-5-pcaps.zip   3.6 MB (3,591,406 bytes)
• ZIP archive of the malware:  2016-07-08-EK-data-dump-malware-and-artifacts.zip   1.4 MB (1,398,155 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.