Malware-Traffic-Analysis.net - 2016-08-18 - Afraidgate Neutrino EK from 176.31.223.167 sends Locky ransomware

2016-08-18 - AFRAIDGATE NEUTRINO EK FROM 176.31.223.167 SENDS LOCKY RANSOMWARE

ASSOCIATED FILES:

ZIP archive of the pcaps: 2016-08-18-Afraidgate-Neutrino-EK-sends-Locky.pcap.zip 373.5 kB (373,535 bytes)

2016-08-18-Afraidgate-Neutrino-EK-sends-Locky.pcap (414,073 bytes)

ZIP archive of the malware: 2016-08-18-Afraidgate-Neutrino-EK-sends-Locky-malware-and-artifacts.zip 316.0 kB (316,007 bytes)

2016-08-18-Afraidgate-Locky-decrypt-instructions.bmp (4,006,594 bytes)

2016-08-18-Afraidgate-Locky-decrypt-instructions.html (9,407 bytes)

2016-08-18-Afraidgate-Neutrino-EK-flash-exploit.swf (75,849 bytes)

2016-08-18-Afraidgate-Neutrino-EK-landing-page.txt (2,330 bytes)

2016-08-18-Afraidgate-Neutrino-EK-payload-Locky.exe (263,168 bytes)

2016-08-18-green.lasotras.cl-scripts-all.js.txt (206 bytes)

2016-08-18-page-from-lamaisondete.com-with-injected-script.txt (20,052 bytes)

NOTES:

Latest developments on the Afraidgate campaign can be found here.
Locky sent as today's malware payload is the Zepto variant.

Shown above: Flowchart for this infection traffic.

TRAFFIC

Shown above: Injected script in page from compromised site pointing to the Afraidgate URL.

Shown above: Afraidgate URL returns script with URL for Neutrino EK landing page.

Shown above: Traffic from the pcap filtered in Wireshark.

ASSOCIATED DOMAINS:

lamaisondete.com - [Compromised website]
138.197.128.173 port 80 - green.lasotras.cl - GET /scripts/all.js - [Afriadgate redirect]
176.31.223.167 port 80 - gjwqsjid.thatother.top - [Neutrino EK]

194.67.210.183 port 80 - 194.67.210.183 - POST /upload/_dispatch.php - [Locky post-infection traffic]

DOMAINS FROM THE DECRYPT INSTRUCTIONS:

zjfq4lnfbs7pncr5.tor2web.org
zjfq4lnfbs7pncr5.onion.to

NOTE: The above 2 domains from the decrypt instructions are the same ones I've seen from Afraidgate Locky since 2016-07-27.

FILE HASHES

FLASH EXPLOIT:

SHA256 hash: 9061c4b4d8c7f814add99ff60b626a52d3ee0eb391826b8dc21084145489ef4f
File name: 2016-08-18-Afraidgate-Neutrino-EK-flash-exploit.swf

PAYLOAD:

SHA256 hash: 64138ac3670ea7d3adacb5d3b90a473065fd5fad5d348a037b89640a00230208
File name: 2016-08-18-Afraidgate-Neutrino-EK-payload-Locky.exe

IMAGES

Shown above: Desktop of the infected Windows host.

Shown above: Encrypted file names showing this is the Zepto variant of Locky.

FINAL NOTES

Once again, here are the associated files:

ZIP archive of the pcaps: 2016-08-18-Afraidgate-Neutrino-EK-sends-Locky.pcap.zip 373.5 kB (373,535 bytes)
ZIP archive of the malware: 2016-08-18-Afraidgate-Neutrino-EK-sends-Locky-malware-and-artifacts.zip 316.0 kB (316,007 bytes)

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.