2016-07-15 - PSEUDODARKLEECH NEUTRINO EK FROM 74.208.75.94 SENDS CRYPTXXX RANSOMWARE
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2016-07-15-pseudoDarkleech-Neutrino-EK-sends-CryptXXX.pcap.zip 1.1 MB (1,133,835 bytes)
- 2016-07-15-pseudoDarkleech-Neutrino-EK-sends-CryptXXX.pcap (1,239,508 bytes)
- ZIP archive of the malware: 2016-07-15-pseudoDarkleech-Neutrino-EK-malware-and-artifacts.zip 403.5 kB (403,535 bytes)
- 2016-07-15-page-from-encouragingbibleversesabout.com-with-injected-script.txt (39,126 bytes)
- 2016-07-15-pseudoDarkleech-CryptXXX-decrypt-instructions.BMP (1,843,254 bytes)
- 2016-07-15-pseudoDarkleech-CryptXXX-decrypt-instructions.HTML (14,569 bytes)
- 2016-07-15-pseudoDarkleech-Neutrino-EK-flash-exploit.swf (82,630 bytes)
- 2016-07-15-pseudoDarkleech-Neutrino-EK-landing-page.txt (2,261 bytes)
- 2016-07-15-pseudoDarkleech-Neutrino-EK-payload-CryptXXX.dll (379,392 bytes)
NOTES:
- 2016-07-02 - SANS ISC diary: Change in patterns for the pseudoDarkleech campaign
- 2016-07-06 - SANS ISC diary: CryptXXX ransomware updated
- 2016-07-07 - Bleeping Computer: New CryptXXX changes name to Microsoft Decryptor
- 2016-07-14 - Proofpoint Blog: Spam, Now With a Side of CryptXXX Ransomware!
"We believe that CryptXXX is in active development and possibly split off into two branches. The original branch is now up to version 5.001 (we wrote about the upgrade to version 3.100 near the end of May), while the new branch uses a different format for versioning and will require further analysis."
- I've posted both versions of CryptXXX since 2016-07-06. The CryptXXX in today's blog is, I think, from the original branch.
Shown above: Flowchart for today's infection traffic.
TRAFFIC
Shown above: Injected script in page from compromised website.
Shown above: Traffic from the first pcap filtered in Wireshark.
ASSOCIATED DOMAINS:
- encouragingbibleversesabout.com - compromised website used in pseudoDarkleech campaign
- 74.208.75.94 port 80 - bitfields.aboutflights.co.uk - Neutrino EK
- 188.0.236.9 port 443 - CryptXXX post-infection traffic
DOMAINS FROM THE DECRYPT INSTRUCTIONS:
- lkpe6tr2yuk4f246.onion.to
- lkpe6tr2yuk4f246.onion.cab
- lkpe6tr2yuk4f246.onion.city
FILE HASHES
FLASH EXPLOIT:
- SHA256 hash: 090eb197ce41a5ceaf076bf7118f033f7d580cce816f0fd110a87af63c1f83eb
File name: 2016-07-15-pseudoDarkleech-Neutrino-EK-flash-exploit.swf
PAYLOAD:
- SHA256 hash: 427029cb7166d1ace6dfbd697effcb2f277648f04a9d674d5becbfa5a4cc3ec0
File name: 2016-07-15-pseudoDarkleech-Neutrino-EK-payload-CryptXXX.dll
IMAGES
Shown above: The CryptXXX .dll file loaded during the infection.
Shown above: The infected Windows host after rebooting.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcaps: 2016-07-15-pseudoDarkleech-Neutrino-EK-sends-CryptXXX.pcap.zip 1.1 MB (1,133,835 bytes)
- ZIP archive of the malware: 2016-07-15-pseudoDarkleech-Neutrino-EK-malware-and-artifacts.zip 403.5 kB (403,535 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.