2016-07-25 - PSEUDO-DARKLEECH NEUTRINO EK SENDS CRYPTXXX RANSOMWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2016-07-25-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-ransomware-both-pcaps.zip 741.9 kB (741,901 bytes)
- 2016-07-25-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-ransomware-after-depressivedisorder_xyz.pcap (345,017 bytes)
- 2016-07-25-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-ransomware-after-sinyimusic_com.pcap (453,294 bytes)
- 2016-07-25-malware-and-artifacts-from-pseudoDarkleech-Neutrino-EK-and-CryptXXX-ransomaware.zip 723.4 kB (723,382 bytes)
- 2016-07-25-page-from-depressivedisorder_xyz-with-injected-script.txt (32,201 bytes)
- 2016-07-25-page-from-sinyimusic_com-with-injected-script.txt (18,028 bytes)
- 2016-07-25-pseudoDarkleech-CryptXXX-ransomware-decrypt-instructions.BMP (5,424,934 bytes)
- 2016-07-25-pseudoDarkleech-CryptXXX-ransomware-decrypt-instructions.HTML (17,785 bytes)
- 2016-07-25-pseudoDarkleech-Neutrino-EK-flash-exploit-after-depressivedisorder_xyz.swf (78,000 bytes)
- 2016-07-25-pseudoDarkleech-Neutrino-EK-flash-exploit-after-sinyimusic_com.swf (78,000 bytes)
- 2016-07-25-pseudoDarkleech-Neutrino-EK-landing-page-after-depressivedisorder_xyz.txt (2,731 bytes)
- 2016-07-25-pseudoDarkleech-Neutrino-EK-landing-page-after-sinyimusic_com.txt (2,777 bytes)
- 2016-07-25-pseudoDarkleech-Neutrino-EK-payload-CryptXXX-ransomware-after-depressivedisorder_xyz.dll (352,256 bytes)
- 2016-07-25-pseudoDarkleech-Neutrino-EK-payload-CryptXXX-ransomware-after-sinyimusic_com.dll (352,256 bytes)
NOTES:
- 2016-07-02 - SANS ISC diary: Change in patterns for the pseudoDarkleech campaign
- 2016-07-06 - SANS ISC diary: CryptXXX ransomware updated
- 2016-07-07 - Bleeping Computer: New CryptXXX changes name to Microsoft Decryptor
- 2016-07-14 - Proofpoint Blog: Spam, Now With a Side of CryptXXX Ransomware!
From Proofpoint: "We believe that CryptXXX is in active development and possibly split off into two branches. The original branch is now up to version 5.001 (we wrote about the upgrade to version 3.100 near the end of May), while the new branch uses a different format for versioning and will require further analysis."
- I've seen both versions of CryptXXX since 2016-07-06, but I've only seen (what I think is) the original branch for the last week or so.
- MMS0 is still the entry point for loading this CryptXXX DLL. I checked post-infection traffic on another host, and it's still the same as it's been for a while now, at least for the original branch.
- Thanks to the email tipper on these two compromised websites (you know who you are)!
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Injected script in page from the first compromised website.
Shown above: Traffic from the first pcap filtered in Wireshark.
Shown above: Injected script in page from the second compromised website.
Shown above: Traffic from the second pcap filtered in Wireshark.
ASSOCIATED DOMAINS:
- depressivedisorder[.]xyz - Compromised website
- 188.165.201[.]224 port 80 - balilaisessabrutigam.southernmicrosuction[.]co[.]uk - Neutrino EK
- sinyimusic[.]com - Compromised website
- 137.74.156[.]191 port 80 - monandria-kwigillingok.southernneckpain[.]co[.]uk - Neutrino EK
- 188.0.236[.]9 port 443 - CryptXXX ransomware post-infection traffic (custom encoded, not SSL) - Not included in the pcaps.
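The post-infection callback above is worth a closer look: CryptXXX talks to 188.0.236[.]9 on TCP port 443, but the bytes are custom encoded rather than a TLS handshake, so the usual "port 443 = HTTPS" assumption hides it. The following is an added example, not code from the original page or from malware-traffic-analysis.net, showing one way to triage a pcap for that pattern offline: read a classic libpcap file, take the first client payload of every flow to destination port 443, and flag any that does not start with a TLS ClientHello record. It uses only the Python standard library and assumes Ethernet/IPv4/TCP framing and the classic (non-pcapng) pcap format. The sample capture is constructed inline from a minimal ClientHello and some opaque bytes; the addresses are constructed too (RFC 5737 ranges for the client and a benign server, and the page's 188.0.236[.]9 standing in for the CryptXXX server).

```python
import struct
from typing import Iterator, List, Optional, Tuple

def iter_pcap_packets(data: bytes) -> Iterator[bytes]:
    """Yield raw link-layer frames from a classic libpcap capture held in memory."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # little-endian, microsecond timestamps
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":    # big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng / nanosecond variants not handled)")
    off = 24                              # skip the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def parse_tcp_payload(frame: bytes) -> Optional[Tuple[str, str, int, int, bytes]]:
    """Return (src_ip, dst_ip, src_port, dst_port, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":     # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:       # IPv4 with protocol 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4                               # TCP data offset in bytes
    return src, dst, sport, dport, tcp[doff:]

def looks_like_tls_client_hello(payload: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04, then handshake type 0x01 (ClientHello)."""
    return (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01)

def find_non_tls_on_443(pcap: bytes) -> List[Tuple[str, int, str, str]]:
    """Flag the first client payload of each flow to dst port 443 that is not a TLS ClientHello."""
    seen = set()
    hits = []
    for frame in iter_pcap_packets(pcap):
        parsed = parse_tcp_payload(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        if dport != 443 or not payload:
            continue
        key = (src, sport, dst, dport)
        if key in seen:                    # only judge the first data segment of a flow
            continue
        seen.add(key)
        if not looks_like_tls_client_hello(payload):
            hits.append((src, sport, dst, payload[:8].hex()))
    return hits

# --- constructed sample capture (not real traffic from the page's pcaps) ---
def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build an Ethernet/IPv4/TCP frame; checksums are left zero since nothing here validates them."""
    ip2b = lambda s: bytes(int(x) for x in s.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, ip2b(src), ip2b(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap frames in a little-endian classic pcap (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1469404800 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

CLIENT = "192.0.2.10"                                            # constructed client address
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"   # constructed minimal TLS 1.0 ClientHello record
CUSTOM_ENCODED = b"\x8a\x31\x07\xc2\xe4\x5d\x90\x1b\x77\x02"      # constructed opaque bytes standing in for CryptXXX's encoding

SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, "203.0.113.5", 49152, 443, TLS_CLIENT_HELLO),   # ordinary HTTPS: passes
    build_frame(CLIENT, "188.0.236.9", 49153, 443, CUSTOM_ENCODED),     # not TLS on 443: flagged
    build_frame(CLIENT, "188.0.236.9", 49153, 443, CUSTOM_ENCODED),     # same flow again: not double-counted
])

if __name__ == "__main__":
    for src, sport, dst, first_bytes in find_non_tls_on_443(SAMPLE_PCAP):
        print(f"non-TLS on 443: {src}:{sport} -> {dst}:443  first bytes {first_bytes}")
```

To run this over the real captures, replace SAMPLE_PCAP with the bytes of one of the page's pcaps (open in binary mode); note that the page says the 188.0.236[.]9 traffic is not in those pcaps, so a clean result there is expected. The check is deliberately narrow: it only inspects the first data segment of each flow, so TLS sessions resumed mid-capture and non-Ethernet link types will need more handling.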
DOMAINS FROM THE DECRYPT INSTRUCTIONS:
- lkpe6tr2yuk4f246.onion[.]to
- lkpe6tr2yuk4f246.onion[.]cab
- lkpe6tr2yuk4f246.onion[.]city
FILE HASHES
FLASH EXPLOITS:
- SHA256 hash: e58df319ed3d98dbd118bb289c9a3bc936c7821c93bf4f0ec2c1305afdf1c754
File name: 2016-07-25-pseudoDarkleech-Neutrino-EK-flash-exploit-after-depressivedisorder_xyz.swf
- SHA256 hash: ad907ca2d10b43afe97f742b45e36f8306dbdd9db8ebaeb6b2bdf2d04b8a65c5
File name: 2016-07-25-pseudoDarkleech-Neutrino-EK-flash-exploit-after-sinyimusic_com.swf
PAYLOADS:
- SHA256 hash: 91c47e89f36b714bf03256c612d321fbfc9fbaa35e4c8c0eab56511fa0e4e9ed (same payload served from both Neutrino EK domains, so one hash covers both file names)
File name: 2016-07-25-pseudoDarkleech-Neutrino-EK-payload-CryptXXX-ransomware-after-depressivedisorder_xyz.dll
File name: 2016-07-25-pseudoDarkleech-Neutrino-EK-payload-CryptXXX-ransomware-after-sinyimusic_com.dll
IMAGES
Shown above: Decryption instructions (the .bmp image).
Shown above: Decryption instructions (the .html file).