2016-07-19 - EITEST NEUTRINO EK FROM 74.208.185.198 SENDS CRYPTXXX RANSOMWARE
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2016-07-19-EITest-Neutrino-EK-sends-CryptXXX-ransomware.pcap.zip 1.0 MB (1,038,634 bytes)
- 2016-07-19-EITest-Neutrino-EK-sends-CryptXXX-ransomware.pcap (1,154,711 bytes)
- ZIP archive of the malware: 2016-07-19-EITest-Neutrino-EK-sends-CryptXXX-malware-and-artifacts.zip 491.9 kB (491,878 bytes)
- 2016-07-19-EITest-CryptXXX-decrypt-instructions.BMP (3,686,454 bytes)
- 2016-07-19-EITest-CryptXXX-decrypt-instructions.HTML (20,472 bytes)
- 2016-07-19-EITest-Neutrino-EK-flash-exploit.swf (88,151 bytes)
- 2016-07-19-EITest-Neutrino-EK-landing-page.txt (3,859 bytes)
- 2016-07-19-EITest-Neutrino-EK-payload-CryptXXX.dll (365,056 bytes)
- 2016-07-19-EITest-flash-redirect-from-anfilc.xyz.swf (4,446 bytes)
- 2016-07-19-page-from-gymvibe.net-with-injected-EITest-script.txt (26,968 bytes)
NOTES:
- 2016-03-31 - Palo Alto Networks Unit 42 blog: How the EITest Campaign's Path to Angler EK Evolved Over Time.
- 2016-06-08 - SANS ISC diary: Neutrino EK and CryptXXX (campaigns using Angler EK switch to Neutrino EK)
- 2016-06-11 - Malware Don't Need Coffee: Is it the end of Angler?
- 2016-07-06 - SANS ISC diary: CryptXXX ransomware updated
- 2016-07-14 - Proofpoint Blog: Spam, Now With a Side of CryptXXX Ransomware!
Reported by Proofpoint: "We believe that CryptXXX is in active development and possibly split off into two branches. The original branch is now up to version 5.001 (we wrote about the upgrade to version 3.100 near the end of May), while the new branch uses a different format for versioning and will require further analysis."
- I believe the CryptXXX in this blog is from the original branch.
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Injected script in page from compromised website.
Shown above: Traffic from the pcap filtered in Wireshark. Filter: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002) (HTTP requests, plus TCP SYN packets to any port other than 80, which is what surfaces the non-HTTP callback on port 443)
ASSOCIATED DOMAINS:
- gymvibe.net - Compromised website
- 85.93.0.12 port 80 - anfilc.xyz - EITest gate
- 74.208.185.198 port 80 - mietteit.cambs-sep.co.uk - Neutrino EK
- 188.0.236.9 port 443 - CryptXXX post-infection traffic (custom encoded, not SSL)
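The indicators above are the kind of thing you would feed a proxy-log hunt, and the last one carries the important caveat: the CryptXXX callback on port 443 is not TLS, so a rule that assumes "443 means SSL" will miss it. The following is an added example (not part of the original post or the pcap) that matches constructed proxy log lines against the IOCs listed above, orders the hits per client so the compromised site -> gate -> EK -> callback sequence is visible, and checks whether the first bytes of a port-443 flow actually look like a TLS ClientHello. The log format, the client IPs and the payload bytes are all made up for the example; only the domains, IPs and roles come from this post.

```python
"""Match proxy/flow records against the network IOCs from this post and flag
port-443 flows that do not start with a TLS ClientHello.

Added example: log lines and payload bytes below are constructed, not taken
from the pcap in this post."""
import re
from collections import defaultdict

# Network IOCs from this post, mapped to their role in the infection chain.
IOCS = {
    "gymvibe.net": "compromised website",
    "anfilc.xyz": "EITest gate",
    "85.93.0.12": "EITest gate",
    "mietteit.cambs-sep.co.uk": "Neutrino EK",
    "74.208.185.198": "Neutrino EK",
    "188.0.236.9": "CryptXXX post-infection",
}

# Constructed proxy log lines (assumed format, not real data):
# epoch_timestamp client_ip method host:port status
SAMPLE_LOG = """\
1468947601.123 10.0.0.5 GET gymvibe.net:80 200
1468947602.456 10.0.0.5 GET anfilc.xyz:80 200
1468947603.789 10.0.0.5 GET mietteit.cambs-sep.co.uk:80 200
1468947604.012 10.0.0.5 POST mietteit.cambs-sep.co.uk:80 200
1468947610.345 10.0.0.5 CONNECT 188.0.236.9:443 200
1468947611.000 10.0.0.7 GET example.com:80 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<host>[^:\s]+):(?P<port>\d+)\s+(?P<status>\d+)$"
)


def parse_log(text):
    """Parse the constructed log format into dicts; silently skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            records.append(rec)
    return records


def match_iocs(text):
    """Return (client, host, port, role) for every record whose host or IP is a known IOC."""
    hits = []
    for rec in parse_log(text):
        role = IOCS.get(rec["host"].lower())
        if role:
            hits.append((rec["client"], rec["host"], rec["port"], role))
    return hits


def infection_chains(text):
    """Group IOC roles per client in log order, so the gate -> EK -> callback
    sequence of one infection stands out from isolated single hits."""
    chains = defaultdict(list)
    for client, _host, _port, role in match_iocs(text):
        chains[client].append(role)
    return dict(chains)


def is_tls_client_hello(first_bytes):
    """True if a TCP payload begins like a TLS ClientHello: record type 0x16
    (handshake), record version 0x03 0x00..0x04, handshake type 0x01."""
    if len(first_bytes) < 6:
        return False
    return (first_bytes[0] == 0x16
            and first_bytes[1] == 0x03
            and first_bytes[2] <= 0x04
            and first_bytes[5] == 0x01)


def flag_non_tls_443(flows):
    """flows: {(client, server, port): first payload bytes}. Returns the keys of
    port-443 flows whose first bytes are not a ClientHello, i.e. 'SSL port, not SSL'."""
    return [key for key, data in flows.items()
            if key[2] == 443 and not is_tls_client_hello(data)]


# Constructed first-bytes samples (not from the pcap): a plausible TLS 1.0
# ClientHello record header, and an arbitrary blob standing in for the
# custom-encoded CryptXXX callback.
SAMPLE_FLOWS = {
    ("10.0.0.5", "188.0.236.9", 443): bytes.fromhex("8a13f0c4d27e990b"),
    ("10.0.0.7", "example.com", 443): bytes.fromhex("160301002a0100002603"),
}

if __name__ == "__main__":
    for client, roles in infection_chains(SAMPLE_LOG).items():
        print(client, "->", " -> ".join(roles))
    print("non-TLS on 443:", flag_non_tls_443(SAMPLE_FLOWS))
```

The per-client chain is what makes this more than a blocklist: one host touching gymvibe.net alone is a visitor to a compromised site, while the same host going on to the gate, the EK and then a non-TLS connection on 443 is an infection. The ClientHello check only looks at the first record header, so it is a triage filter, not a protocol decoder; a real deployment would pull the first bytes from a flow sensor or Zeek's conn/ssl logs rather than from a proxy log.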
DOMAINS FROM THE DECRYPT INSTRUCTIONS (Tor2web gateways pointing at the same .onion address):
- 5bjte3wc7vn7wkrv.onion.to
- 5bjte3wc7vn7wkrv.onion.cab
- 5bjte3wc7vn7wkrv.onion.city
FILE HASHES
FLASH FILES:
- SHA256 hash: cf16de04310cceb203c8323b0bfd7ebdf53bb1fdad464f237db8c95dab8de59f
File name: 2016-07-19-EITest-flash-redirect-from-anfilc.xyz.swf
- SHA256 hash: 594201039b3465e1d0aaf5c33e364adb4cc130224d64356f9c57d66fcff40f76
File name: 2016-07-19-EITest-Neutrino-EK-flash-exploit.swf
PAYLOAD:
- SHA256 hash: 976090b6e091be012bb89ab9148399b3cf83af10e5a407304c74426ea4bea758
File name: 2016-07-19-EITest-Neutrino-EK-payload-CryptXXX.dll
IMAGES
Shown above: The CryptXXX .dll file loaded during the infection.
Shown above: The infected Windows host after rebooting.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcaps: 2016-07-19-EITest-Neutrino-EK-sends-CryptXXX-ransomware.pcap.zip 1.0 MB (1,038,634 bytes)
- ZIP archive of the malware: 2016-07-19-EITest-Neutrino-EK-sends-CryptXXX-malware-and-artifacts.zip 491.9 kB (491,878 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.