2016-08-18 - AFRAIDGATE NEUTRINO EK FROM 176.31.223.167 SENDS LOCKY RANSOMWARE
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2016-08-18-Afraidgate-Neutrino-EK-sends-Locky.pcap.zip 373.5 kB (373,535 bytes)
- 2016-08-18-Afraidgate-Neutrino-EK-sends-Locky.pcap (414,073 bytes)
- ZIP archive of the malware: 2016-08-18-Afraidgate-Neutrino-EK-sends-Locky-malware-and-artifacts.zip 316.0 kB (316,007 bytes)
- 2016-08-18-Afraidgate-Locky-decrypt-instructions.bmp (4,006,594 bytes)
- 2016-08-18-Afraidgate-Locky-decrypt-instructions.html (9,407 bytes)
- 2016-08-18-Afraidgate-Neutrino-EK-flash-exploit.swf (75,849 bytes)
- 2016-08-18-Afraidgate-Neutrino-EK-landing-page.txt (2,330 bytes)
- 2016-08-18-Afraidgate-Neutrino-EK-payload-Locky.exe (263,168 bytes)
- 2016-08-18-green.lasotras.cl-scripts-all.js.txt (206 bytes)
- 2016-08-18-page-from-lamaisondete.com-with-injected-script.txt (20,052 bytes)
NOTES:
- Latest developments on the Afraidgate campaign can be found here.
- Locky sent as today's malware payload is the Zepto variant.
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Injected script in page from compromised site pointing to the Afraidgate URL.
Shown above: Afraidgate URL returns script with URL for Neutrino EK landing page.
Shown above: Traffic from the pcap filtered in Wireshark.
ASSOCIATED DOMAINS:
- lamaisondete.com - [Compromised website]
- 138.197.128.173 port 80 - green.lasotras.cl - GET /scripts/all.js - [Afriadgate redirect]
- 176.31.223.167 port 80 - gjwqsjid.thatother.top - [Neutrino EK]
- 194.67.210.183 port 80 - 194.67.210.183 - POST /upload/_dispatch.php - [Locky post-infection traffic]
DOMAINS FROM THE DECRYPT INSTRUCTIONS:
- zjfq4lnfbs7pncr5.tor2web.org
- zjfq4lnfbs7pncr5.onion.to
NOTE: The above 2 domains from the decrypt instructions are the same ones I've seen from Afraidgate Locky since 2016-07-27.
FILE HASHES
FLASH EXPLOIT:
- SHA256 hash: 9061c4b4d8c7f814add99ff60b626a52d3ee0eb391826b8dc21084145489ef4f
File name: 2016-08-18-Afraidgate-Neutrino-EK-flash-exploit.swf
PAYLOAD:
- SHA256 hash: 64138ac3670ea7d3adacb5d3b90a473065fd5fad5d348a037b89640a00230208
File name: 2016-08-18-Afraidgate-Neutrino-EK-payload-Locky.exe
IMAGES
Shown above: Desktop of the infected Windows host.
Shown above: Encrypted file names showing this is the Zepto variant of Locky.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcaps: 2016-08-18-Afraidgate-Neutrino-EK-sends-Locky.pcap.zip 373.5 kB (373,535 bytes)
- ZIP archive of the malware: 2016-08-18-Afraidgate-Neutrino-EK-sends-Locky-malware-and-artifacts.zip 316.0 kB (316,007 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.