2016-07-25 - EITEST NEUTRINO EK FROM 137.74.156.191 SENDS CRYPTXXX RANSOMWARE
ASSOCIATED FILES:
- ZIP archive of the pcap: 2016-07-25-EITest-Neutrino-EK-sends-CryptXXX-after-dicodesrimes.com.pcap.zip 434.0 kB (433,970 bytes)
- 2016-07-25-EITest-Neutrino-EK-sends-CryptXXX-after-dicodesrimes.com.pcap (475,451 bytes)
- ZIP archive of the malware: 2016-07-25-EITest-Neutrino-EK-sends-CryptXXX-malware-and-artifacts.zip 330.0 kB (330,012 bytes)
- 2016-07-25-EITest-Neutrino-EK-flash-exploit.swf (76,702 bytes)
- 2016-07-25-EITest-Neutrino-EK-landing-page.txt (2,831 bytes)
- 2016-07-25-EITest-Neutrino-EK-payload-CryptXXX.dll (330,240 bytes)
- 2016-07-25-EITest-flash-redirect-from-ibyfidy.xyz.swf (4,694 bytes)
- 2016-07-25-page-from-dicodesrimes.com-with-injected-EITest-script.txt (15,413 bytes)
NOTES:
- 2016-03-31 - Palo Alto Networks Unit 42 blog: How the EITest Campaign's Path to Angler EK Evolved Over Time.
- 2016-06-08 - SANS ISC diary: Neutrino EK and CryptXXX (campaigns using Angler EK switch to Neutrino EK)
- 2016-06-11 - Malware Don't Need Coffee: Is it the end of Angler?
- 2016-07-14 - Proofpoint Blog: Spam, Now With a Side of CryptXXX Ransomware!
From Proofpoint: "We believe that CryptXXX is in active development and possibly split off into two branches. The original branch is now up to version 5.001 (we wrote about the upgrade to version 3.100 near the end of May), while the new branch uses a different format for versioning and will require further analysis."
- I've seen both versions of CryptXXX since 2016-07-06, but I've only seen (what I think is) the original branch for the last week or so.
- MMS0 is still the entry point for loading this CryptXXX DLL.
- Problems getting the ransomware to run properly, so no decryption instructions and no post-infection traffic.
Shown above: Thanks again to @2xyo for another tweet about a compromised site.
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Injected script in page from compromised website.
Shown above: Traffic from the pcap filtered in Wireshark.
ASSOCIATED DOMAINS:
- www.dicodesrimes.com - Compromised website
- 85.93.0.12 port 80 - ibyfidy.xyz - EITest gate
- 137.74.156.191 port 80 - monandria-kwigillingok.southernneckpain.co.uk - Neutrino EK
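To make the indicator list above actionable on a proxy or Zeek-style HTTP log, here is an added example (not part of the original post) that reconstructs the compromised site -> EITest gate -> Neutrino EK -> payload chain per client. The log layout (timestamp, client IP, host, response MIME type, response bytes) and the sample lines are constructed for the example, not taken from the pcap.

```python
from collections import defaultdict

# Indicators and roles exactly as listed on this page.
INDICATORS = {
    "www.dicodesrimes.com": "compromised site",
    "ibyfidy.xyz": "EITest gate",
    "85.93.0.12": "EITest gate",
    "monandria-kwigillingok.southernneckpain.co.uk": "Neutrino EK",
    "137.74.156.191": "Neutrino EK",
}

# Constructed sample log (not from the pcap), tab-separated: ts, client_ip,
# host, response_mime, response_bytes. Sizes mirror the page's artifacts.
SAMPLE_LOG = """\
1469443200.1\t192.168.1.50\twww.dicodesrimes.com\ttext/html\t15413
1469443201.3\t192.168.1.50\tibyfidy.xyz\tapplication/x-shockwave-flash\t4694
1469443202.7\t192.168.1.50\tmonandria-kwigillingok.southernneckpain.co.uk\ttext/html\t2831
1469443203.2\t192.168.1.50\tmonandria-kwigillingok.southernneckpain.co.uk\tapplication/x-shockwave-flash\t76702
1469443205.9\t192.168.1.50\tmonandria-kwigillingok.southernneckpain.co.uk\tapplication/octet-stream\t330240
1469443210.0\t192.168.1.77\twww.example.org\ttext/html\t5120
"""

def parse_log(text):
    """Parse the tab-separated layout above into dicts."""
    rows = []
    for line in text.splitlines():
        ts, src, host, mime, size = line.split("\t")
        rows.append({"ts": float(ts), "src": src, "host": host,
                     "mime": mime, "bytes": int(size)})
    return rows

def find_ek_chains(rows):
    """Return {client_ip: [roles visited in order]} for every client that
    hit the EITest gate and then the Neutrino EK host. A binary response
    from the EK host is recorded as a separate payload step."""
    by_client = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["ts"]):
        step = INDICATORS.get(r["host"])
        if step is None:
            continue  # host not in this page's indicator list
        if step == "Neutrino EK" and r["mime"] == "application/octet-stream":
            step = "Neutrino EK payload"
        seq = by_client[r["src"]]
        if not seq or seq[-1] != step:  # collapse repeated hits to one host
            seq.append(step)
    return {ip: seq for ip, seq in by_client.items()
            if "EITest gate" in seq and "Neutrino EK" in seq
            and seq.index("EITest gate") < seq.index("Neutrino EK")}

if __name__ == "__main__":
    for ip, chain in find_ek_chains(parse_log(SAMPLE_LOG)).items():
        print(ip, " -> ".join(chain))
```

Matching on the gate followed by the EK host, rather than on any single indicator, keeps a lone hit on the compromised site (which has legitimate visitors) from raising an alert.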
FILE HASHES
FLASH FILES:
- SHA256 hash: 0d1390a5446d75414f704f43ee9b1a8adb87e106170bebba2f61d051cf3486a9
File name: 2016-07-25-EITest-flash-redirect-from-ibyfidy.xyz.swf
- SHA256 hash: 9490766284805299026230a5a0c3d23d04b77e2d6f32626c6e8aeea7728df0f7
File name: 2016-07-25-EITest-Neutrino-EK-flash-exploit.swf
PAYLOAD:
- SHA256 hash: dc527934c6b26e65ce9cfdcd026795e978a53b7ee9a672551990ee583ed2a083
File name: 2016-07-25-EITest-Neutrino-EK-payload-CryptXXX.dll
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2016-07-25-EITest-Neutrino-EK-sends-CryptXXX-after-dicodesrimes.com.pcap.zip 434.0 kB (433,970 bytes)
- ZIP archive of the malware: 2016-07-25-EITest-Neutrino-EK-sends-CryptXXX-malware-and-artifacts.zip 330.0 kB (330,012 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.