2016-07-26 - PSEUDO-DARKLEECH NEUTRINO EK SENDS CRYPMIC RANSOMWARE
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2016-07-26-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-both-pcaps.zip 670.6 kB (670,598 bytes)
- 2016-07-26-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-first-run.pcap (588,250 bytes)
- 2016-07-26-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-second-run.pcap (585,697 bytes)
- ZIP archive of the malware: 2016-07-26-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-malware-and-artifacts.zip 390.6 kB (390,603 bytes)
- 2016-07-26-page-from-calentejo.com-with-injected-script-first-run.txt (18,346 bytes)
- 2016-07-26-page-from-calentejo.com-with-injected-script-second-run.txt (18,343 bytes)
- 2016-07-26-pseudoDarkleech-CrypMIC-decryption-instructions.bmp (3,276,854 bytes)
- 2016-07-26-pseudoDarkleech-CrypMIC-decryption-instructions.html (238,182 bytes)
- 2016-07-26-pseudoDarkleech-CrypMIC-decryption-instructions.txt (1,659 bytes)
- 2016-07-26-pseudoDarkleech-Neutrino-EK-flash-exploit-second-run.swf (79,141 bytes)
- 2016-07-26-pseudoDarkleech-Neutrino-EK-landing-page-first-run.txt (2,709 bytes)
- 2016-07-26-pseudoDarkleech-Neutrino-EK-landing-page-second-run.txt (2,823 bytes)
- 2016-07-26-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-first-run.dll (222,208 bytes)
- 2016-07-26-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-second-run.dll (203,264 bytes)
NOTES:
- 2016-07-02 - SANS ISC diary: Change in patterns for the pseudoDarkleech campaign
- 2016-07-06 - SANS ISC diary: CryptXXX ransomware updated
- 2016-07-07 - Bleeping Computer: New CryptXXX changes name to Microsoft Decryptor
- 2016-07-14 - Proofpoint Blog: Spam, Now With a Side of CryptXXX Ransomware!
From Proofpoint: "We believe that CryptXXX is in active development and possibly split off into two branches. The original branch is now up to version 5.001 (we wrote about the upgrade to version 3.100 near the end of May), while the new branch uses a different format for versioning and will require further analysis."
- 2016-07-20 - TrendLabs Security Intelligence Blog - CrypMIC Ransomware Wants to Follow CryptXXX's Footsteps [TrendLabs analyzes the new branch and names it.]
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Injected script in page from the first compromised website.
Shown above: Traffic from the first pcap filtered in Wireshark. Wireshark filter: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)
Shown above: Injected script in page from the second compromised website.
Shown above: Traffic from the second pcap filtered in Wireshark. Wireshark filter: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)
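As an added illustration (not code from this post), the Python below reproduces the truth table of that Wireshark filter over constructed packet records, and adds a check for port 443 traffic whose first payload is not a TLS handshake, the situation noted for the CrypMIC callback traffic. The client address 10.0.0.5, the sample packets and the function names are assumptions; only the server IPs come from this page.

```python
from dataclasses import dataclass

TCP_SYN = 0x002  # tcp.flags value for a bare SYN (a SYN-ACK is 0x012)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int                  # raw TCP flags bitfield, as Wireshark's tcp.flags
    http_request: bool = False  # True where Wireshark would set http.request
    payload: bytes = b""        # first bytes of the TCP payload, if any


def matches_filter(p: Packet) -> bool:
    """Same logic as: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002).
    tcp.port eq 80 is true if either port is 80; tcp.flags eq 0x0002 is an
    exact comparison, so SYN-ACKs (0x012) never match."""
    port80 = 80 in (p.sport, p.dport)
    return p.http_request or (not port80 and p.flags == TCP_SYN)


def looks_like_tls_handshake(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), version major 0x03."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def filtered_summary(packets):
    """Packets the filter would leave on screen, in a Wireshark-like form."""
    return [f"{p.src}:{p.sport} -> {p.dst}:{p.dport}" for p in packets if matches_filter(p)]


def non_tls_on_443(packets):
    """Destinations on port 443 whose first payload is not a TLS handshake."""
    return [p.dst for p in packets if p.dport == 443 and p.payload
            and not looks_like_tls_handshake(p.payload)]


# Constructed sample packets (assumption); server IPs are from this page.
CLIENT = "10.0.0.5"
SAMPLE = [
    Packet(CLIENT, 49152, "173.45.70.67", 80, 0x002),                        # SYN to port 80: hidden
    Packet("173.45.70.67", 80, CLIENT, 49152, 0x012),                        # SYN-ACK: hidden
    Packet(CLIENT, 49152, "173.45.70.67", 80, 0x018, http_request=True),     # HTTP GET: shown
    Packet(CLIENT, 49153, "193.111.140.100", 443, 0x002),                    # SYN to 443: shown
    Packet("193.111.140.100", 443, CLIENT, 49153, 0x012),                    # SYN-ACK: hidden
    Packet(CLIENT, 49153, "193.111.140.100", 443, 0x018, payload=b"plain"),  # data, not TLS: hidden
]

if __name__ == "__main__":
    print("\n".join(filtered_summary(SAMPLE)))
    print("non-TLS on 443:", non_tls_on_443(SAMPLE))
```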
ASSOCIATED DOMAINS:
- calentejo.com - Compromised site
- 173.45.70.67 port 80 - focarechtfertigt.painpartners.co.uk - Neutrino EK first run
- 77.221.144.25 port 80 - antidateraisbuchwertes.painjourney.co.uk - Neutrino EK second run
- 193.111.140.100 port 443 - CrypMIC post-infection traffic (custom encoded and plain text, not SSL)
DOMAINS FROM THE DECRYPT INSTRUCTIONS:
- ccjlwb22w6c22p2k.onion.to
- ccjlwb22w6c22p2k.onion.city
FILE HASHES
FLASH EXPLOITS:
- SHA256 hash: b36f579c337ba046b65f61eaba3b075fd07e6b99c374296c5e02c1981f64d0dc
File name: 2016-07-26-pseudoDarkleech-Neutrino-EK-flash-exploit-second-run.swf
PAYLOADS:
- SHA256 hash: 26b4c488af1ac86636287cae016302517d6b7fde7a28bbdf7a6809257525c0c0
File name: 2016-07-26-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-first-run.dll
- SHA256 hash: 9458e1f6c01f4924ea7c00257e0c735d188b2f93a0afec5e2b728206a26c2d4c
File name: 2016-07-26-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-second-run.dll
IMAGES
Shown above: The CrypMIC DLL file as seen in Process Explorer.
Shown above: Desktop of the infected Windows host.
Shown above: Two .KEY files in the user's AppData\Local\Temp directory.
Shown above: Going to the decryption instructions site (1 of 2).
Shown above: Going to the decryption instructions site (2 of 2).
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcaps: 2016-07-26-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-both-pcaps.zip 670.6 kB (670,598 bytes)
- ZIP archive of the malware: 2016-07-26-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-malware-and-artifacts.zip 390.6 kB (390,603 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.