Malware-Traffic-Analysis.net - 2016-07-14 - Neutrino EK from 185.141.25.57 sends Bandarchor ransomware

2016-07-14 - NEUTRINO EK FROM 185.141.25.57 SENDS BANDARCHOR RANSOMWARE

ASSOCIATED FILES:

ZIP archive of the pcaps: 2016-07-14-other-Neutrino-EK-sends-Bandarchor-ransomware.pcap.zip 245.9 kB (245,924 bytes)

2016-07-14-other-Neutrino-EK-sends-Bandarchor-ransomware.pcap (262,607 bytes)

ZIP archive of the malware: 2016-07-14-other-Neutrino-EK-sends-Bandarchor-malware-and-artifacts.zip 190.2 kB (190,225 bytes)

2016-07-14-other-Neutrino-EK-flash-exploit.swf (92,022 bytes)

2016-07-14-other-Neutrino-EK-landing-page.txt (2,209 bytes)

2016-07-14-other-Neutrino-EK-payload-Bandarchor-ransomware-decryption-instructions.txt (1,156 bytes)

2016-07-14-other-Neutrino-EK-payload-Bandarchor-ransomware.exe (147,458 bytes)

NOTES:

More information on Bandarchor ransomware can be found here and here.

Shown above: My tipper for this traffic at http://www.malwaredomainlist.com/mdl.php.

TRAFFIC

Shown above: Traffic from the pcap filtered in Wireshark.

ASSOCIATED DOMAINS:

93.190.140.110 port 80 - personal.editura-amsibiu.ro - Redirect/gate pointing to Neutrino EK
185.141.25.57 port 80 - yqhf8.wuwfti.top - Neutrino EK
192.169.82.86 port 80 - withloveforyou.com - Post-infection traffic

DOMAINS FROM THE DECRYPT INSTRUCTIONS:

Primary email: sos@juicylemon.biz
Secondary email: juicylemon@protonmail.com
Bitmessage: BM-NBRCUPTenKgYbLVCAfeVUHVsHFK6Ue2F

FILE HASHES

FLASH EXPLOIT:

SHA256 hash: 93864387ee4a5796ea950c3fa5e826ecfb5d5a1c4146563d7366069b261ebe18
File name: 2016-07-14-other-Neutrino-EK-flash-exploit.swf

PAYLOAD:

SHA256 hash: 4c0855466cc65cfc273f8cd953c9bf328656732879a0ce387cbdf9c78b9827a1
File name: 2016-07-14-other-Neutrino-EK-payload-Bandarchor-ransomware.exe

IMAGES

Shown above: An example of the encrypted files (10-digit numbers changed in this picture).

Shown above: The decryption instructions.

Shown above: The payload EXE's icon looks like a pig from Angry Birds.

FINAL NOTES

Once again, here are the associated files:

ZIP archive of the pcaps: 2016-07-14-other-Neutrino-EK-sends-Bandarchor-ransomware.pcap.zip 245.9 kB (245,924 bytes)
ZIP archive of the malware: 2016-07-14-other-Neutrino-EK-sends-Bandarchor-malware-and-artifacts.zip 190.2 kB (190,225 bytes)

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.