Malware-Traffic-Analysis.net - 2016-07-19 - Afraidgate Neutrino EK from 5.2.72.114 sends Locky ransomware

2016-07-19 - AFRAIDGATE NEUTRINO EK FROM 5.2.72.114 SENDS LOCKY RANSOMWARE

ASSOCIATED FILES:

ZIP archive of the pcaps: 2016-07-19-Afraidgate-Neutrino-EK-sends-Locky-ransomware.pcap.zip 363.9 kB (363,923 bytes)

2016-07-19-Afraidgate-Neutrino-EK-sends-Locky-ransomware.pcap (392,756 bytes)

ZIP archive of the malware: 2016-07-19-Afraidgate-Neutrino-EK-sends-Locky-malware-and-artifacts.zip 294.2 kB (294,176 bytes)

2016-07-19-Afraidgate-Locky-decryption-instructions.bmp (3,436,338 bytes)

2016-07-19-Afraidgate-Locky-decryption-instructions.html (10,049 bytes)

2016-07-19-Afraidgate-Neutrino-EK-flash-exploit.swf (85,855 bytes)

2016-07-19-Afraidgate-Neutrino-EK-landing-page.txt (3,785 bytes)

2016-07-19-Afraidgate-Neutrino-EK-payload-Locky.exe (234,496 bytes)

2016-07-19-nepal.laderatutors.com-rokmediaqueries.js.txt (293 bytes)

NOTES:

Background on the Afraidgate campaign can be found here.

Shown above: Flowchart for this infection traffic.

TRAFFIC

Shown above: Injected script in page from compromised website.

Shown above: Traffic from the pcap filtered in Wireshark.

ASSOCIATED DOMAINS:

www.marketingguerrilla.es - Compromised site
188.166.38.125 port 80 - nepal.laderatutors.com - GET /rokmediaqueries.js - Afraidgate redirect
5.2.72.114 port 80 - iynwzttqd.hautumngreen.top - Neutrino EK
77.222.54.202 port 80 - 77.222.54.202 - POST /upload/_dispatch.php - Locky post-infection traffic

DOMAINS FROM THE DECRYPT INSTRUCTIONS:

mphtadhci5mrdlju.tor2web.org
mphtadhci5mrdlju.onion.to

FILE HASHES

FLASH EXPLOIT:

SHA256 hash: e7cea58bd999aa30ad1ec32f1e7027aab6723349f6bf00621de501157633298f
File name: 2016-07-19-Afraidgate-Neutrino-EK-flash-exploit.swf

PAYLOAD:

SHA256 hash: 04d7c91e686953571d67678d4c99e78fba53f82e3a2ff18c405ff6ccbb8b8daa
File name: 2016-07-19-Afraidgate-Neutrino-EK-payload-Locky.exe

IMAGES

Shown above: The infected Windows host after rebooting.

FINAL NOTES

Once again, here are the associated files:

ZIP archive of the pcaps: 2016-07-19-Afraidgate-Neutrino-EK-sends-Locky-ransomware.pcap.zip 363.9 kB (363,923 bytes)
ZIP archive of the malware: 2016-07-19-Afraidgate-Neutrino-EK-sends-Locky-malware-and-artifacts.zip 294.2 kB (294,176 bytes)

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.