2016-09-12 - PSEUDO-DARKLEECH NEUTRINO EK FROM 74.208.193.214 SENDS CRYPMIC RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the pcap:  2016-09-12-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-both-pcaps.zip   490.5 kB (490,537 bytes)

• 2016-09-12-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-1-of-2.pcap   (497,423 bytes)
• 2016-09-12-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-2-of-2.pcap   (525,645 bytes)

• ZIP archive of the malware:  2016-09-12-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-malware-and-artifacts.zip   240.7 kB (240,683 bytes)

• 2016-09-12-page-from-foldacover.com-with-injected-script.txt   (35,145 bytes)
• 2016-09-12-page-from-steffensautomotive.com-with-injected-script.txt   (31,502 bytes)
• 2016-09-12-pseudoDarkleech-CrypMIC-decrypt-instructions.txt   (1,656 bytes)
• 2016-09-12-pseudoDarkleech-Neutrino-EK-flash-exploit-second-infection.swf   (80,445 bytes)
• 2016-09-12-pseudoDarkleech-Neutrino-EK-landing-page-first-infection.txt   (2,344 bytes)
• 2016-09-12-pseudoDarkleech-Neutrino-EK-landing-page-second-infection.txt   (2,392 bytes)
• 2016-09-12-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-sample-first-infection.dll   (120,832 bytes)
• 2016-09-12-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-sample-second-infection.dll   (127,488 bytes)

 

NOTES:

• Thanks to Baber for informing me about today's compromised websites.  It took me a while, but I finally got around to looking at them.

 

BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:

• Something I wrote on exploit kit (EK) fundamentals:  link
• 2016-03-22 - PaloAlto Networks Unit 42 blog:  Campaign Evolution: Darkleech to Pseudo-Darkleech and Beyond
• 2016-07-02 - SANS ISC diary:  Change in patterns for the pseudoDarkleech campaign

 

BACKGROUND ON CRYPMIC RANSOMWARE:

• 2016-07-06 - SANS ISC diary:  CryptXXX ransomware updated   [The date I first noticed this new branch of ransomware.]

• 2016-07-14 - From the Proofpoint blog [link]: "We believe that CryptXXX is in active development and possibly split off into two branches. The original branch is now up to version 5.001 (we wrote about the upgrade to version 3.100 near the end of May), while the new branch uses a different format for versioning and will require further analysis."

• 2016-07-20 - TrendLabs Security Intelligence Blog - CrypMIC Ransomware Wants to Follow CryptXXX's Footsteps   [TrendLabs analyzes the new branch and names it.]

 

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script from the pseudoDarkleech campaign in page from the first compromised site.

 

Shown above:  Traffic from the first pcap filtered in Wireshark.   Wireshark filter: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)

 

Shown above:  Injected script from the pseudoDarkleech campaign in page from the second compromised site.

 

Shown above:  Traffic from the second pcap filtered in Wireshark.   Wireshark filter: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)

 

ASSOCIATED DOMAINS:

• www.steffensautomotive.com - Compromised site (first infection)
• www.foldacover.com - Compromised site (second infection)
• 74.208.193.214 port 80 - tuberkle.orlandothemeparkexperts.com - Neutrino EK (first infection)
• 74.208.193.214 port 80 - aivotoimintoja.scaffoldsignage.com - Neutrino EK (second infection)
• 46.165.246.9 port 443 - post-infection CrypMIC callback, custom encoded and clear text, not HTTPS/SSL/TLS (both infections)

DOMAINS FROM THE DECRYPT INSTRUCTIONS:

• ccjlwb22w6c22p2k.onion.to
• ccjlwb22w6c22p2k.onion.city

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 hash:  1f0aba97f22e30f9bce8a2c4b7bde949846bd56b380cd36865aa22c06bb1244a
  File name:  2016-09-12-pseudoDarkleech-Neutrino-EK-flash-exploit-second-infection.swf

PAYLOADS:

• SHA256 hash:  8e376295b77603af48222cd96e96113f18f26767b9fbd40655f6879a150a0c1c
  File name:  2016-09-12-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-sample-first-infection.dll

• SHA256 hash:  59d9f3bc202c9d243cc9f030894057df9c0658b1263c18c022b7bf254e19b3db
  File name:  2016-09-12-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-sample-second-infection.dll

 

IMAGES

Shown above:  Desktop of an infected Windows host after rebooting (second infection).

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2016-09-12-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-both-pcaps.zip   490.5 kB (490,537 bytes)
• ZIP archive of the malware:  2016-09-12-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-malware-and-artifacts.zip   240.7 kB (240,683 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.