Malware-Traffic-Analysis.net - 2016-07-21 - EITest Neutrino EK from 185.106.120.219 sends Bandarchor ransomware

2016-07-20 - EITEST NEUTRINO EK FROM 185.106.120.219 SENDS BANDARCHOR RANSOMWARE

ASSOCIATED FILES:

ZIP archive of the pcaps: 2016-07-21-EITest-Neutrino-EK-sends-Bandarchor-after-chitralekha.com.pcap.zip 228.9 kB (228,940 bytes)

2016-07-21-EITest-Neutrino-EK-sends-Bandarchor-after-chitralekha.com.pcap (423,136 bytes)

ZIP archive of the malware: 2016-07-21-EITest-Neutrino-EK-sends-Bandarchor-after-chitralekha.com-malware-and-artifacts.zip 231.0 kB (230,972 bytes)

2016-07-21-EITest-Neutrino-EK-flash-exploit-after-chitralekha.com.swf (87,493 bytes)

2016-07-21-EITest-Neutrino-EK-landing-page-after-chitralekha.com.txt (3,959 bytes)

2016-07-21-EITest-Neutrino-EK-payload-Bandarchor-after-chitralekha.com.exe (163,840 bytes)

2016-07-21-EITest-flash-redirect-from-fehehub.xyz.swf (4,271 bytes)

2016-07-21-page-from-chitralekha.com-with-injected-EITest-script.txt (189,986 bytes)

NOTES:

2016-03-31 - Palo Alto Networks Unit 42 blog: How the EITest Campaign's Path to Angler EK Evolved Over Time.
2016-06-08 - SANS ISC diary: Neutrino EK and CryptXXX (campaigns using Angler EK switch to Neutrino EK)
2016-06-11 - Malware Don't Need Coffee: Is it the end of Angler?

This is the same Bandarchor ransomware (same file hash) as seen in the other Neutrino EK from earlier today (link).
This sample of Bandarchor ransomware is VM-aware. See my previous post for the indictors of post-infection traffic.

Shown above: Thanks to @dez_ for a tweet about the compromised site.

Shown above: Flowchart for this infection traffic.

TRAFFIC

Shown above: Injected script in page from compromised website.

Shown above: Traffic from the pcap filtered in Wireshark.

ASSOCIATED DOMAINS:

chitralekha.com - Compromised website
85.93.0.12 port 80 - fehehub.xyz - EITest redirect
185.106.120.219 port 80 - wkq0hw.sbvn1bhg.top - Neutrino EK

FILE HASHES

FLASH FILES:

SHA256 hash: 0d50d784c646780689166fc809a811b6849303e2c17612085bf9278e98095664
File name: 2016-07-21-EITest-flash-redirect-from-fehehub.xyz.swf

SHA256 hash: 0fe7cfcabdd1ce2c3e8db591226eb0d52467c92f5769e1f40693c87d54f47c38
File name: 2016-07-21-EITest-Neutrino-EK-flash-exploit-after-chitralekha.com.swf

PAYLOAD:

SHA256 hash: f3115be9877ef36cafae26f18002528ea63377e5441c3870c02b4a737b9e127b
File name: 2016-07-21-EITest-Neutrino-EK-payload-Bandarchor-after-chitralekha.com.exe

FINAL NOTES

Once again, here are the associated files:

ZIP archive of the pcaps: 2016-07-21-EITest-Neutrino-EK-sends-Bandarchor-after-chitralekha.com.pcap.zip 228.9 kB (228,940 bytes)
ZIP archive of the malware: 2016-07-21-EITest-Neutrino-EK-sends-Bandarchor-after-chitralekha.com-malware-and-artifacts.zip 231.0 kB (230,972 bytes)

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.