2016-08-12 - PSEUDO-DARKLEECH NEUTRINO EK FROM 74.208.99.201 SENDS CRYPMIC RANSOMWARE
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2016-08-12-pseudoDarkleech-Neutrino-EK-sends-CrypMIC.pcap.zip 207.3 kB (207,266 bytes)
- 2016-08-12-pseudoDarkleech-Neutrino-EK-sends-CrypMIC.pcap (438,329 bytes)
- ZIP archive of the malware: 2016-08-12-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-malware-and-artifacts.zip 124.6 kB (124,595 bytes)
- 2016-08-12-page-from-dakarvoice.com-with-injected-script.txt (137,964 bytes)
- 2016-08-12-pseudoDarkleech-CrypMIC-decrypt-instructions.BMP (3,276,854 bytes)
- 2016-08-12-pseudoDarkleech-CrypMIC-decrypt-instructions.HTML (238,182 bytes)
- 2016-08-12-pseudoDarkleech-CrypMIC-decrypt-instructions.TXT (1,654 bytes)
- 2016-08-12-pseudoDarkleech-Neutrino-EK-landing-page-after-dakarvoice.com.txt (2,332 bytes)
- 2016-08-12-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-after-dakarvoice.com.dll (67,584 bytes)
BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN::
- Something I wrote on exploit kit (EK) fundamentals: link
- 2016-03-22 - PaloAlto Networks Unit 42 blog: Campaign Evolution: Darkleech to Pseudo-Darkleech and Beyond
- 2016-07-02 - SANS ISC diary: Change in patterns for the pseudoDarkleech campaign
BACKGROUND ON CRYPMIC RANSOMWARE:
- 2016-07-06 - SANS ISC diary: CryptXXX ransomware updated [The date I first noticed this new branch of ransomware.]
- 2016-07-14 - From the Proofpoint blog [link]: "We believe that CryptXXX is in active development and possibly split off into two branches. The original branch is now up to version 5.001 (we wrote about the upgrade to version 3.100 near the end of May), while the new branch uses a different format for versioning and will require further analysis."
- 2016-07-20 - TrendLabs Security Intelligence Blog - CrypMIC Ransomware Wants to Follow CryptXXX's Footsteps [TrendLabs analyzes the new branch and names it.]
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Injected script from the pseudoDarkleech campaign in same page from the compromised site.
Shown above: Traffic from the pcap filtered in Wireshark. Wireshark filter: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)
ASSOCIATED DOMAINS:
- dakarvoice.com - Compromised site
- 74.208.99.201 port 80 - arteriographicfinanzmasse.ucscarhire.co.uk - Neutrino EK
- 85.14.243.9 port 443 - Post-infection traffic caused by CrypMIC (custom encoded & clear text, not HTTPS/SSL)
DOMAINS FROM THE DECRYPT INSTRUCTIONS:
- ccjlwb22w6c22p2k.onion.to
- ccjlwb22w6c22p2k.onion.city
NOTE: The above 2 domains from the decrypt instructions are the same ones I've seen from CrypMIC since 2016-07-26.
FILE HASHES
PAYLOAD:
- SHA256 hash: 774718ae37f30b4791e860efb0b3ea464a056412eeed5b6c2a166adb53bbd8bd
File name: 2016-08-12-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-after-dakarvoice.com.dll
IMAGES
Shown above: Desktop of an infected Windows host after rebooting.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcaps: 2016-08-12-pseudoDarkleech-Neutrino-EK-sends-CrypMIC.pcap.zip 207.3 kB (207,266 bytes)
- ZIP archive of the malware: 2016-08-12-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-malware-and-artifacts.zip 124.6 kB (124,595 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.