2016-07-14 - AFRAIDGATE NEUTRINO EK FROM 5.2.72.236 SENDS LOCKY RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2016-07-14-Afraidgate-Neutrino-EK-sends-Locky-ransomware-all-4-pcaps.zip   1.3 MB (1,305,008 bytes)

• 2016-07-14-Afraidgate-Neutrino-EK-sends-Locky-ransomware-example-1-of-4.pcap   (350,674 bytes)
• 2016-07-14-Afraidgate-Neutrino-EK-sends-Locky-ransomware-example-2-of-4.pcap   (313,210 bytes)
• 2016-07-14-Afraidgate-Neutrino-EK-sends-Locky-ransomware-example-3-of-4.pcap   (353,909 bytes)
• 2016-07-14-Afraidgate-Neutrino-EK-sends-Locky-ransomware-example-4-of-4.pcap   (375,592 bytes)

• ZIP archive of the malware:  2016-07-14-Afraidgate-Neutrino-EK-malware-and-artifacts.zip   1.2 MB (1,181,409 bytes)

• 2016-07-14-Afraidgate-Locky-decrypt-instructions.bmp   (3,721,466 bytes)
• 2016-07-14-Afraidgate-Locky-decrypt-instructions.html   (10,112 bytes)
• 2016-07-14-Afraidgate-Neutrino-EK-flash-exploit-example-1-of-4.swf   (82,629 bytes)
• 2016-07-14-Afraidgate-Neutrino-EK-flash-exploit-example-2-of-4.swf   (82,724 bytes)
• 2016-07-14-Afraidgate-Neutrino-EK-flash-exploit-example-3-of-4.swf   (82,724 bytes)
• 2016-07-14-Afraidgate-Neutrino-EK-flash-exploit-example-4-of-4.swf   (82,724 bytes)
• 2016-07-14-Afraidgate-Neutrino-EK-landing-page-example-1-of-4.txt   (2,233 bytes)
• 2016-07-14-Afraidgate-Neutrino-EK-landing-page-example-2-of-4.txt   (2,221 bytes)
• 2016-07-14-Afraidgate-Neutrino-EK-landing-page-example-3-of-4.txt   (2,233 bytes)
• 2016-07-14-Afraidgate-Neutrino-EK-landing-page-example-4-of-4.txt   (2,295 bytes)
• 2016-07-14-Afraidgate-Neutrino-EK-payload-Locky-example-1-of-4.exe   (24,9346 bytes)
• 2016-07-14-Afraidgate-Neutrino-EK-payload-Locky-example-2-of-4.exe   (24,9346 bytes)
• 2016-07-14-Afraidgate-Neutrino-EK-payload-Locky-example-3-of-4.exe   (24,9346 bytes)
• 2016-07-14-Afraidgate-Neutrino-EK-payload-Locky-example-4-of-4.exe   (24,9346 bytes)

NOTES:

• Background on the Afraidgate campaign can be found here.
• Looks like Afraidgate has switched back to sending Locky as its payload, at least for now.

 

TRAFFIC

Shown above:  Traffic from the first pcap filtered in Wireshark.

Shown above:  Traffic from the second pcap filtered in Wireshark.

Shown above:  Traffic from the third pcap filtered in Wireshark.

Shown above:  Traffic from the 4th pcap filtered in Wireshark.

 

AFRAIDGATE REDIRECTS:

• 188.166.38.125 port 80 - siber.activebeliever.com - GET /plugins/fancybox-for-wordpress/js/jquery.easing.1.3.min.js?ver=1.3
• 188.166.38.125 port 80 - zine.polatoglumimarlik.com - GET /scripts/jquery.sliderkit.1.9.2.pack.js
• 188.166.38.125 port 80 - zine.polatoglumimarlik.com - GET /html5shiv.js -
• 188.166.38.125 port 80 - zine.polatoglumimarlik.com - GET /to_top.js -

NEUTRINO EK DOMAINS:

• 5.2.72.236 port 80 - avukytj.oautumnyellow.top
• 5.2.72.236 port 80 - azbepfasz.yintored.top
• 5.2.72.236 port 80 - bkubf.bsuperpink.top
• 5.2.72.236 port 80 - mxoug.yintored.top
• 5.2.72.236 port 80 - yegoxmvzpx.bsuperpink.top

POST-INFECTION TRAFFIC FROM THE LOCKY RANSOMWARE:

• 5.187.0.137 port 80 - 5.187.0.137 - POST /upload/_dispatch.php
• 77.222.54.202 port 80 - 77.222.54.202 - POST /upload/_dispatch.php
• 185.5.250.135 port 80 - 185.5.250.135 - POST /upload/_dispatch.php
• 185.118.66.83 port 80 - 185.118.66.83 - POST /upload/_dispatch.php

DOMAINS FROM THE DECRYPTION INSTRUCTIONS:

• mphtadhci5mrdlju.tor2web.org
• mphtadhci5mrdlju.onion.to

 

FILE HASHES

FLASH EXPLOITS:

• SHA256 hash:  aba7ef7d8b6eb54945bebda597b74a2f40c7e73380f4f485e4a5bc7d6da452be
  File name:  2016-07-14-Afraidgate-Neutrino-EK-flash-exploit-example-1-of-4.swf

• SHA256 hash:  60a0537e7dfedbbf781b912dfe77f7aa804da54453cd58cb2130a750520c9d35
  File name:  2016-07-14-Afraidgate-Neutrino-EK-flash-exploit-example-2-of-4.swf

• SHA256 hash:  117d41a97b7f170233edf66ff04a35e948f3dd3eaad53a548745fe4c32aff816
  File name:  2016-07-14-Afraidgate-Neutrino-EK-flash-exploit-example-3-of-4.swf

• SHA256 hash:  f2d28ef0c4ce015ef3d9943d60405565323cbc2261904b4bb250cc68dd3e92ad
  File name:  2016-07-14-Afraidgate-Neutrino-EK-flash-exploit-example-4-of-4.swf

PAYLOADS:

• SHA256 hash:  c42c9b2ab7f8f4a0f3c3554f199bf62a75382447c98b7dc430e33a616e60ce65
  File name:  2016-07-14-Afraidgate-Neutrino-EK-payload-Locky-example-1-of-4.exe

• SHA256 hash:  844555caf160300f82e2bd08a3ee84aac093f40f7223177ef89f1f2bb55761cc
  File name:  2016-07-14-Afraidgate-Neutrino-EK-payload-Locky-example-2-of-4.exe
  File name:  2016-07-14-Afraidgate-Neutrino-EK-payload-Locky-example-3-of-4.exe
  File name:  2016-07-14-Afraidgate-Neutrino-EK-payload-Locky-example-4-of-4.exe

 

IMAGES

Shown above:  Infecting a Windows host with one of the Locky samples.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2016-07-14-Afraidgate-Neutrino-EK-sends-Locky-ransomware-all-4-pcaps.zip   1.3 MB (1,305,008 bytes)
• ZIP archive of the malware:  2016-07-14-Afraidgate-Neutrino-EK-malware-and-artifacts.zip   1.2 MB (1,181,409 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.