2016-07-22 - PSEUDO-DARKLEECH NEUTRINO EK FROM 188.138.70.188 SENDS CRYPTXXX RANSOMWARE
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2016-07-22-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-ransomware.pcap.zip 462.4 kB (462,413 bytes)
- 2016-07-22-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-ransomware.pcap (490,851 bytes)
- ZIP archive of the malware: 2016-07-22-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-malware-and-artifacts.zip 428.8 kB (428,846 bytes)
- 2016-07-22-page-from-chromechurch.com-with-injected-script.txt (7,848 bytes)
- 2016-07-22-pseudoDarkleech-Neutrino-EK-flash-exploit.swf (77,210 bytes)
- 2016-07-22-pseudoDarkleech-Neutrino-EK-landing-page.txt (2,687 bytes)
- 2016-07-22-pseudoDarkleech-Neutrino-EK-payload-CryptXXX.dll (365,056 bytes)
NOTES:
- 2016-07-02 - SANS ISC diary: Change in patterns for the pseudoDarkleech campaign
- 2016-07-06 - SANS ISC diary: CryptXXX ransomware updated
- 2016-07-07 - Bleeping Computer: New CryptXXX changes name to Microsoft Decryptor
- 2016-07-14 - Proofpoint Blog: Spam, Now With a Side of CryptXXX Ransomware!
"We believe that CryptXXX is in active development and possibly split off into two branches. The original branch is now up to version 5.001 (we wrote about the upgrade to version 3.100 near the end of May), while the new branch uses a different format for versioning and will require further analysis."
- I've seen both versions of CryptXXX since 2016-07-06. Not sure which version this sample is, though.
- In the past 2 days, this infection showed MMS0 as the entry point when loading the CryptXXX DLL. However, I was unable to get today's sample to generate any post-infection activity. I've tried the sample on different virtual and physical hosts.
- I've noticed chromechurch.com compromised as early as 2016-06-30 and redirecting to Neutrino EK.
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Injected script in page from compromised website.
Shown above: Traffic from the pcap filtered in Wireshark.
ASSOCIATED DOMAINS:
- chromechurch.com - Compromised website
- 188.138.70.188 port 80 - nagatoyu-cacamo.healthbusinessmatters.com - Neutrino EK
DOMAINS FROM THE DECRYPT INSTRUCTIONS:
- Not applicable (wasn't able to get the CryptXXX binary to run).
FILE HASHES
FLASH FILES:
- SHA256 hash: 59c8253d230af40ece96b4a6907be36e9c039a0798d622a0f40408cc45071e4a
File name: 2016-07-22-pseudoDarkleech-Neutrino-EK-flash-exploit.swf
PAYLOAD:
- SHA256 hash: 13811980e883157e61ad3a2a2ac56764368daed5b886a78b79bd1c6fd798122c
File name: 2016-07-22-pseudoDarkleech-Neutrino-EK-payload-CryptXXX.dll
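The domains, IP and hashes above are the indicators a defender would hunt for in proxy or HTTP logs. The script below is an added example (not part of this post or of the pcap) that reconstructs the redirect chain described here, a visit to the compromised site followed by requests to the Neutrino EK server from the same client, and checks a file's SHA256 against the two listed hashes. The log layout (timestamp, source IP, destination IP, Host header, URI) and the sample lines are constructed for the example; the URIs and every IP other than 188.138.70.188 are placeholders, not values from the traffic.

```python
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime

# Indicators copied from the post above.
NEUTRINO_EK_IP = "188.138.70.188"
NEUTRINO_EK_HOST = "nagatoyu-cacamo.healthbusinessmatters.com"
COMPROMISED_SITE = "chromechurch.com"
KNOWN_SHA256 = {
    "59c8253d230af40ece96b4a6907be36e9c039a0798d622a0f40408cc45071e4a":
        "2016-07-22-pseudoDarkleech-Neutrino-EK-flash-exploit.swf",
    "13811980e883157e61ad3a2a2ac56764368daed5b886a78b79bd1c6fd798122c":
        "2016-07-22-pseudoDarkleech-Neutrino-EK-payload-CryptXXX.dll",
}


@dataclass
class HttpRequest:
    ts: datetime
    src_ip: str
    dst_ip: str
    host: str
    uri: str


# Assumed log layout (not the pcap's own format): "timestamp src_ip dst_ip host uri".
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample lines. URIs and the IPs other than 188.138.70.188 are placeholders.
SAMPLE_LOG = """\
2016-07-22T14:00:01 10.0.0.5 93.184.216.34 www.example.com /
2016-07-22T14:00:05 10.0.0.5 203.0.113.10 chromechurch.com /
2016-07-22T14:00:06 10.0.0.5 188.138.70.188 nagatoyu-cacamo.healthbusinessmatters.com /landing
2016-07-22T14:00:07 10.0.0.5 188.138.70.188 nagatoyu-cacamo.healthbusinessmatters.com /exploit.swf
2016-07-22T14:30:00 10.0.0.9 203.0.113.10 chromechurch.com /
"""


def parse_log(text):
    """Parse the assumed log layout; lines that do not match are skipped."""
    reqs = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, host, uri = m.groups()
        reqs.append(HttpRequest(datetime.fromisoformat(ts), src, dst, host, uri))
    return reqs


def indicator_hits(reqs):
    """Tag each request touching a listed indicator. The server IP is checked as
    well as the Host header because EK subdomains rotate faster than the IP."""
    hits = []
    for r in reqs:
        if r.dst_ip == NEUTRINO_EK_IP or r.host == NEUTRINO_EK_HOST:
            hits.append((r, "neutrino-ek"))
        elif r.host == COMPROMISED_SITE:
            hits.append((r, "compromised-site"))
    return hits


def infection_chains(reqs, window_s=60):
    """Per client, pair a compromised-site request with EK traffic that follows
    it within window_s seconds; a gate visit with no EK follow-up is not a chain."""
    chains = []
    hits = indicator_hits(reqs)
    for r, tag in hits:
        if tag != "compromised-site":
            continue
        ek = [e for e, t in hits
              if t == "neutrino-ek" and e.src_ip == r.src_ip
              and 0 <= (e.ts - r.ts).total_seconds() <= window_s]
        if ek:
            chains.append({"client": r.src_ip, "gate": r.host,
                           "ek_requests": [e.uri for e in ek]})
    return chains


def identify_file(data):
    """Return the artifact name for a file's SHA256 if it is one of the listed hashes."""
    digest = hashlib.sha256(data).hexdigest()
    return KNOWN_SHA256.get(digest)


if __name__ == "__main__":
    for chain in infection_chains(parse_log(SAMPLE_LOG)):
        print(chain)
    print(identify_file(b"constructed bytes, not the payload"))
```

Running it on a real export, the only change needed is the regex for your log source; the time window is deliberately short because the gate-to-landing redirect in this kind of chain happens within seconds of the first page load.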
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcaps: 2016-07-22-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-ransomware.pcap.zip 462.4 kB (462,413 bytes)
- ZIP archive of the malware: 2016-07-22-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-malware-and-artifacts.zip 428.8 kB (428,846 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.