2016-07-27 - AFRAIDGATE NEUTRINO EK FROM 185.140.33.99 SENDS LOCKY RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2016-07-27-Afraidgate-Neutrino-EK-sends-Locky-all-4-pcaps.zip   1.2 MB (1,195,274 bytes)

• 2016-07-26-Afraidgate-Neutrino-EK-sends-Locky-first-run.pcap   (312,623 bytes)
• 2016-07-26-Afraidgate-Neutrino-EK-sends-Locky-second-run.pcap   (329,561 bytes)
• 2016-07-27-Afraidgate-Neutrino-EK-sends-Locky-first-run.pcap   (325,181 bytes)
• 2016-07-27-Afraidgate-Neutrino-EK-sends-Locky-second-run.pcap   (314,273 bytes)

• ZIP archive of the malware:  2016-07-27-Afraidgate-Neutrino-EK-malware-and-artifacts.zip   946.9 kB (946,905 bytes)

• 2016-07-26-Afraidgate-Neutrino-EK-flash-exploit-first-run.swf   (77,673 bytes)
• 2016-07-26-Afraidgate-Neutrino-EK-flash-exploit-second-run.swf   (77,565 bytes)
• 2016-07-26-Afraidgate-Neutrino-EK-lading-page-first-run.txt   (2,691 bytes)
• 2016-07-26-Afraidgate-Neutrino-EK-lading-page-second-run.txt   (2,799 bytes)
• 2016-07-26-Afraidgate-Neutrino-EK-payload-Locky-first-run.exe   (202,240 bytes)
• 2016-07-26-Afraidgate-Neutrino-EK-payload-Locky-second-run.exe   (202,240 bytes)
• 2016-07-27-Afraidgate-Locky-decrypt-instructions.bmp   (3,721,466 bytes)
• 2016-07-27-Afraidgate-Locky-decrypt-instructions.html   (9,656 bytes)
• 2016-07-27-Afraidgate-Neutrino-EK-flash-exploit-first-run.swf   (78,271 bytes)
• 2016-07-27-Afraidgate-Neutrino-EK-flash-exploit-second-run.swf   (78,271 bytes)
• 2016-07-27-Afraidgate-Neutrino-EK-lading-page-first-run.txt   (2,725 bytes)
• 2016-07-27-Afraidgate-Neutrino-EK-lading-page-second-run.txt   (2,739 bytes)
• 2016-07-27-Afraidgate-Neutrino-EK-payload-Locky-first-run.exe   (203,264 bytes)
• 2016-07-27-Afraidgate-Neutrino-EK-payload-Locky-second-run.exe   (203,264 bytes)

NOTES:

• Background on the Afraidgate campaign can be found here.
• These Locky payloads are the ".zepto" variant.
• After a month or two, domains from the decryption instructions for this variant finally changed today.

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Traffic from the first pcap filtered in Wireshark.

 

Shown above:  Traffic from the second pcap filtered in Wireshark.

 

Shown above:  Traffic from the third pcap filtered in Wireshark.

 

Shown above:  Traffic from the 4th pcap filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• 46.101.26.161 port 80 - motor.atchisoncountyrecorder.com - GET /scripts/custom.js - [Afriadgate redirect]
• 185.140.33.99 port 80 - rklfdprel.blueelizabeth.top - [Neutrino EK]

• 46.101.26.161 port 80 - oskol.migustapizza.com.br - GET /gantry-totop.js - [Afriadgate redirect]
• 185.140.33.99 port 80 - bkhrdfngwg.blueelizabeth.top - [Neutrino EK]

• 46.101.26.161 port 80 - snow.blautechnology.com - GET /scripts/libs.js - [Afriadgate redirect]
• 185.140.33.99 port 80 - drhffhveq.greenjessica.top - [Neutrino EK]

• 46.101.26.161 port 80 - motor.atchisoncountyrecorder.com - GET /js/blog.js - [Afriadgate redirect]
• 185.140.33.99 port 80 - clfdkbl.bluechristian.top - [Neutrino EK]

• 5.9.253.173 port 80 - 5.9.253.173 - POST /upload/_dispatch.php - [Locky post-infection traffic]

DOMAINS FROM THE DECRYPT INSTRUCTIONS:

• mphtadhci5mrdlju.tor2web.org - up through 2016-07-26
• mphtadhci5mrdlju.onion.to - up through 2016-07-26

• zjfq4lnfbs7pncr5.tor2web.org - as of 2016-07-27
• zjfq4lnfbs7pncr5.onion.to - as of 2016-07-27

 

FILE HASHES

FLASH EXPLOITS:

• SHA256 hash:  0fc2443a74c6ed9cfbf4dc7be68a36f91fcc2ebbade0a804d4a6ff9618bee2cf
  File name:  2016-07-26-Afraidgate-Neutrino-EK-flash-exploit-first-run.swf

• SHA256 hash:  9e632302435863bd29315268b8e952c30c8e660c3a815cf7ca6872d95080178d
  File name:  2016-07-26-Afraidgate-Neutrino-EK-flash-exploit-second-run.swf

• SHA256 hash:  f7a345b5b68f93fd1d184e4eac1bbffb538eef05f048288751492889c10f4436
  File name:  2016-07-27-Afraidgate-Neutrino-EK-flash-exploit-first-run.swf

• SHA256 hash:  2425fc0d9ef340909bd7aab7b6b3d10c3b4f99be7157f834e997d48acfff3350
  File name:  2016-07-27-Afraidgate-Neutrino-EK-flash-exploit-second-run.swf

PAYLOADS:

• SHA256 hash:  cab9aa5e67d41f82df7c5f14181e940b1d2757128c448c740b2bac7968faaf5f
  File name:  2016-07-26-Afraidgate-Neutrino-EK-payload-Locky-first-run.exe

• SHA256 hash:  d45477fc51a1052a65c72f382e884f5236c720f7582386613403711bca5ab050
  File name:  2016-07-26-Afraidgate-Neutrino-EK-payload-Locky-second-run.exe

• SHA256 hash:  4d9333fcd3ccde1e82ba45fbf6b17fb42c7b034a84ccb56b972b62640828eb7b
  File name:  2016-07-27-Afraidgate-Neutrino-EK-payload-Locky-first-run.exe

• SHA256 hash:  1481629831dcedc7a33dfec59e591e80d8e555125cfa1532a609e80a86c6ec03
  File name:  2016-07-27-Afraidgate-Neutrino-EK-payload-Locky-second-run.exe

 

IMAGES

Shown above:  Desktop of the infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2016-07-27-Afraidgate-Neutrino-EK-sends-Locky-all-4-pcaps.zip   1.2 MB (1,195,274 bytes)
• ZIP archive of the malware:  2016-07-27-Afraidgate-Neutrino-EK-malware-and-artifacts.zip   946.9 kB (946,905 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.