2016-07-28 - PSEUDO-DARKLEECH NEUTRINO EK SENDS CRYPMIC RANSOMWARE
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2016-07-28-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-all-3-pcaps.zip 581.5 kB (581,543 bytes)
- 2016-07-28-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-after-orthopet.net-first-run.pcap (424,381 bytes)
- 2016-07-28-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-after-orthopet.net-second-run.pcap (445,305 bytes)
- 2016-07-28-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-after-orthopet.net-third-run.pcap (426,931 bytes)
- ZIP archive of the malware: 2016-07-28-pseudoDarkleech-Neutrino-EK-CrypMIC-malware-and-artifacts.zip 388.2 kB (388,198 bytes)
- 2016-07-28-page-from-orthopet.net-with-injected-script-first-run.txt (20,845 bytes)
- 2016-07-28-page-from-orthopet.net-with-injected-script-second-run.txt (20,901 bytes)
- 2016-07-28-page-from-orthopet.net-with-injected-script-third-run.txt (20,856 bytes)
- 2016-07-28-pseudoDarkleech-campaign-CrypMIC-decrypt-instructions.BMP (3,276,854 bytes)
- 2016-07-28-pseudoDarkleech-campaign-CrypMIC-decrypt-instructions.HTML (238,187 bytes)
- 2016-07-28-pseudoDarkleech-campaign-CrypMIC-decrypt-instructions.TXT (1,659 bytes)
- 2016-07-28-pseudoDarkleech-Neutrino-EK-flash-exploit-second-run.swf (77,984 bytes)
- 2016-07-28-pseudoDarkleech-Neutrino-EK-flash-exploit-third-run.swf (77,357 bytes)
- 2016-07-28-pseudoDarkleech-Neutrino-EK-landing-page-first-run.txt (2,446 bytes)
- 2016-07-28-pseudoDarkleech-Neutrino-EK-landing-page-second-run.txt (2,380 bytes)
- 2016-07-28-pseudoDarkleech-Neutrino-EK-landing-page-third-run.txt (2,352 bytes)
- 2016-07-28-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-first-run.dll (73,728 bytes)
- 2016-07-28-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-second-run.dll (73,728 bytes)
- 2016-07-28-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-third-run.dll (73,728 bytes)
BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:
- Something I wrote on exploit kit (EK) fundamentals: link
- 2016-03-22 - PaloAlto Networks Unit 42 blog: Campaign Evolution: Darkleech to Pseudo-Darkleech and Beyond
- 2016-07-02 - SANS ISC diary: Change in patterns for the pseudoDarkleech campaign
BACKGROUND ON CRYPMIC RANSOMWARE:
- 2016-07-06 - SANS ISC diary: CryptXXX ransomware updated [The date I first noticed this new branch of ransomware.]
- 2016-07-14 - From the Proofpoint blog [link]: "We believe that CryptXXX is in active development and possibly split off into two branches. The original branch is now up to version 5.001 (we wrote about the upgrade to version 3.100 near the end of May), while the new branch uses a different format for versioning and will require further analysis."
- 2016-07-20 - TrendLabs Security Intelligence Blog - CrypMIC Ransomware Wants to Follow CryptXXX's Footsteps [TrendLabs analyzes the new branch and names it.]
Shown above: One of my recent tweets.
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Traffic from the first pcap filtered in Wireshark. Wireshark filter: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)
Shown above: Traffic from the second pcap filtered in Wireshark.
Shown above: Traffic from the third pcap filtered in Wireshark.
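The Wireshark filter above keeps HTTP requests plus bare SYN packets on any port other than 80, which is what surfaces the non-HTTP port 443 connection to 193.111.140.100 among the exploit kit traffic. As an added example that is not part of this post, the Python below applies the same selection to constructed packet summaries (the victim address 10.0.0.5 and its ephemeral ports are assumed; the server IPs are the ones listed on this page):

```python
# Added example (not from the original post): apply the same logic as the
# Wireshark filter  http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)
# to constructed packet summaries, so non-HTTP connections stand out.
from dataclasses import dataclass
from collections import Counter

SYN = 0x0002  # tcp.flags value the filter matches: a bare SYN, no ACK


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int          # TCP flag bits, as in tcp.flags
    http_request: bool  # True where Wireshark would set http.request


def matches_filter(p: Pkt) -> bool:
    """http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002).
    tcp.port matches either endpoint, so both ports must differ from 80."""
    return p.http_request or (p.sport != 80 and p.dport != 80 and p.flags == SYN)


def non_http_syns(pkts):
    """Count SYNs per destination ip:port that pass the filter without being
    HTTP requests; these are the connections an HTTP-only view would hide."""
    return Counter(f"{p.dst}:{p.dport}" for p in pkts
                   if matches_filter(p) and not p.http_request)


# Constructed sample: victim host and ephemeral ports are assumed, servers
# are the IPs from this post. Not parsed from the pcaps.
SAMPLE = [
    Pkt("10.0.0.5", 49200, "207.244.95.137", 80, SYN, False),      # SYN to EK: hidden
    Pkt("10.0.0.5", 49200, "207.244.95.137", 80, 0x0018, True),    # GET to Neutrino EK: shown
    Pkt("207.244.95.137", 80, "10.0.0.5", 49200, 0x0018, False),   # EK response: hidden
    Pkt("10.0.0.5", 49201, "193.111.140.100", 443, SYN, False),    # CrypMIC check-in SYN: shown
    Pkt("10.0.0.5", 49201, "193.111.140.100", 443, 0x0018, False), # its encoded data: hidden
    Pkt("10.0.0.5", 49202, "193.111.140.100", 443, SYN, False),    # second check-in: shown
]

if __name__ == "__main__":
    shown = [p for p in SAMPLE if matches_filter(p)]
    print(len(shown), "of", len(SAMPLE), "packets pass the filter")
    for dest, n in non_http_syns(SAMPLE).items():
        print(f"{dest}  {n} SYN(s) outside port 80, not HTTP")
```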
ASSOCIATED DOMAINS:
- orthopet.net - Compromised site
- 207.244.95.137 port 80 - waterwijdinghexadentate.cladyoudid.co.uk - Neutrino EK, first run
- 69.64.80.148 port 80 - breighnertransvolga.procladpanels.co.uk - Neutrino EK, second run
- 178.33.6.108 port 80 - xtresourcelist-hdts.magnagen.co.uk - Neutrino EK, third run
- 193.111.140.100 port 443 - CrypMIC post-infection traffic (custom encoded and clear text, not SSL/HTTPS)
DOMAINS FROM THE DECRYPT INSTRUCTIONS:
- ccjlwb22w6c22p2k.onion.to
- ccjlwb22w6c22p2k.onion.city
NOTE: These are the same domains seen from CrypMIC samples two days ago on 2016-07-26.
FILE HASHES
FLASH EXPLOITS:
- SHA256 hash: 4d4e1db0f127a72461857fe42a436e0e00b173b697c359e13a12501e2a13f9cb
File name: 2016-07-28-pseudoDarkleech-Neutrino-EK-flash-exploit-second-run.swf
- SHA256 hash: 6c953bae7cc5f34502577c34044eadf2bfa6c05e377e4210b3261469c95bb532
File name: 2016-07-28-pseudoDarkleech-Neutrino-EK-flash-exploit-third-run.swf
PAYLOADS:
- SHA256 hash: f49098abcf55904395e374335ebb749f9e2efed7444471fdcd84fdee6b24d601
File name: 2016-07-28-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-first-run.dll
- SHA256 hash: 2f913bd1dad8d4249cf08d4f38d3632d702a35beb76e6f452869ca076644eb57
File name: 2016-07-28-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-second-run.dll
- SHA256 hash: 6964a8d4d57be735517facac1e092665ae6c5228e5a5fe14af026f0c30794e57
File name: 2016-07-28-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-third-run.dll
IMAGES
Shown above: Injected script in page from the compromised site, first run.
Shown above: Injected script in page from the compromised site, second run.
Shown above: Injected script in page from the compromised site, third run.
Shown above: Desktop of the infected Windows host.
Shown above: Two .KEY files in the user's AppData\Local\Temp directory.
Shown above: Going to the decryption instructions site.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcaps: 2016-07-28-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-all-3-pcaps.zip 581.5 kB (581,543 bytes)
- ZIP archive of the malware: 2016-07-28-pseudoDarkleech-Neutrino-EK-CrypMIC-malware-and-artifacts.zip 388.2 kB (388,198 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.